Which of the following lost or stolen device options ar…

Which of the following lost or stolen device options are available to employees when MDM is integrated with
ISE? (Select 3 choices.)

A. report device as lost or stolen
B. initiate a PIN lock
C. initiate a full or corporate wipe
D. quarantine the device
E. revoke the device’s digital certificate

Explanation:
When Mobile Device Management (MDM) platforms are integrated with Cisco Identity Services Engine
(ISE), employees have the ability to report a device as lost or stolen, initiate a personal identification number
(PIN) lock, or initiate a full or corporate wipe. A corporate wipe, which is also known as a selective wipe,
removes only corporate data and applications from the device. A full wipe, which is also known as a factory
reset, removes all data from the device. An employee is also capable of reinstating a device to gain access
without having to reregister the device with ISE. Each of these options is available to the employee by using
ISE’s My Devices portal.

ISE is a next-generation Authentication, Authorization, and Accounting (AAA) platform with integrated
posture assessment, network access control, and client provisioning. ISE integrates with a number of MDM
frameworks, such as MobileIron and AirWatch. From ISE, you can easily provision network devices with native
supplicants available for Microsoft Windows, Mac OS X, Apple iOS, and Google Android. The supplicants act
as agents that enable you to perform various functions on the network device, such as installing software or
locking the screen with a PIN lock.

Only ISE administrators can quarantine a device and revoke the device’s digital certificate. However,
administrators are also capable of performing wipes and PIN locks without user notification or intervention.
Unlike employees, who initiate full wipes or corporate wipes by using the My Devices portal, an administrator
initiates a wipe or a PIN lock by using the ISE Endpoints screen. Whether an administrator can initiate a full
wipe or a corporate wipe depends on the MDM server policies and configuration. In a Bring Your Own Device
(BYOD) environment, administrators will most likely be able to perform only a corporate wipe or a PIN lock on a
device. If the device is a corporate device that an employee is simply allowed to use, an administrator might be
able to perform a full wipe from the Endpoints screen by selecting Full Wipe from the MDM Access dropdown
menu. Administrators can additionally force connected devices off the network, add devices to the Blacklist
Identity Group, and disable the device’s RSA SecurID token.

Cisco: Managing a Lost or Stolen Device (PDF)
Cisco: Managing Network Devices: Wiping or Locking a Device

Category: Secure Access


