Your corporate network uses MobileIron as an MDM for ISE. You have been informed that a user has lost his phone and that you must perform a selective wipe on the device.
Which of the following will not be removed from the device during the selective wipe? (Select the best answer.)
- the MobileIron app
- the CA certificate for the WiFi profile installed by ISE
- corporate applications installed by MDM
- the MDM profile and all of its subprofiles
Explanation:
The certificate authority (CA) certificate for the Wi-Fi profile installed by Cisco Identity Services Engine (ISE) is not removed when you perform a selective wipe. ISE is a next-generation Authentication, Authorization, and Accounting (AAA) platform with integrated posture assessment, network access control, and client provisioning. ISE integrates with a number of Mobile Device Management (MDM) frameworks, such as MobileIron and AirWatch. From ISE, you can easily provision network devices with native supplicants available for Microsoft Windows, Mac OS X, Apple iOS, and Google Android. The supplicants act as agents that enable you to perform various functions on the network device, such as installing software or locking the screen with a personal identification number (PIN) lock.
For devices like phones, ISE relies on MDM servers to carry out the specific administrative actions selected in ISE. For example, when a selective wipe is selected for a device in ISE, a request is sent to the appropriate MDM server to carry out the action. The MDM server communicates with its corresponding agent and removes all corporate applications and installed profiles, including any subprofiles. The selective wipe also removes the MDM agent, which in this scenario is the MobileIron app. Through an MDM server, ISE can perform a full wipe, a selective wipe, or a PIN lock, depending on the severity of the security risk posed by the lost phone.
An administrator can also initiate a selective wipe if an employee is terminated. However, the administrator should also take steps to blacklist the device within ISE and remove the user account's privileges so that the user cannot re-enroll the device. The administrator can then force the user's device to attempt an immediate reauthentication against ISE by revoking the user certificate on the CA server. This will cause the device to match the blacklist when it attempts to re-enroll.