Which of the following lost or stolen device options are available to employees when MDM is integrated with ISE? (Select 3 choices.)
- report device as lost or stolen
- initiate a PIN lock
- initiate a full or corporate wipe
- quarantine the device
- revoke the device’s digital certificate
When Mobile Device Management (MDM) platforms are integrated with Cisco Identity Services Engine (ISE), employees have the ability to report a device as lost or stolen, initiate a personal identification number (PIN) lock, or initiate a full or corporate wipe. A corporate wipe, which is also known as a selective wipe, removes only corporate data and applications from the device. A full wipe, which is also known as a factory reset, removes all data from the device. An employee is also capable of reinstating a device to gain access without having to reregister the device with ISE. Each of these options is available to the employee by using ISE’s My Devices portal.
ISE is a next-generation Authentication, Authorization, and Accounting (AAA) platform with integrated posture assessment, network access control, and client provisioning. ISE integrates with a number of MDM frameworks, such as MobileIron and AirWatch. From ISE, you can easily provision network devices with native supplicants available for Microsoft Windows, Mac OS X, Apple iOS, and Google Android. The supplicants act as agents that enable you to perform various functions on the network device, such as installing software or locking the screen with a PIN lock.
Only ISE administrators can quarantine a device and revoke the device’s digital certificate. However, administrators are also capable of performing wipes and PIN locks without user notification or intervention. Unlike employees, who initiate full wipes or corporate wipes by using the My Devices portal, an administrator initiates a wipe or a PIN lock by using the ISE Endpoints screen. Whether an administrator can initiate a full wipe or a corporate wipe depends on the MDM server policies and configuration. In a Bring Your Own Device (BYOD) environment, administrators will most likely be able to perform only a corporate wipe or a PIN lock on a device. If the device is a corporate device that an employee is simply allowed to use, an administrator might be able to perform a full wipe from the Endpoints screen by selecting Full Wipe from the MDM Access dropdown menu. Administrators can additionally force connected devices off the network, add devices to the Blacklist Identity Group, and disable the device’s RSA SecurID token.