MDM Integration Remote Site Survivability

  • 1
  • Question
  • Updated 5 years ago
  • Answered
Considering Aerohive and JAMF or Airwatch integration, but I have a few questions. In regards to remote site survivability, if MDM enrollment is being checked against, say, JAMF or Airwatch, what happens if the connection to JAMF or Airwatch is down? The system must check whether the device is enrolled, so if it can't perform that check, what happens? Does the system cache previous enrollments for a certain period of time, or must it check every time a device comes on?

KFern

  • 3 Posts
  • 0 Reply Likes

Posted 5 years ago

  • 1

Abby S, Employee

  • 94 Posts
  • 47 Reply Likes
Hi, the system can cache enrollment status, but only for the length of the auth cache (I think the default is 30 minutes; this is configurable in HiveManager). If access to the external MDM service is unavailable, and the platform is checked as required for enrollment (note for JAMF especially, if a Windows or Android device joins the SSID we already do not enforce enrollment, and only the network-based controls based on identity, device type, location, and time of day are applied. Same thing for AirWatch: based on the OSes selected, we will only enforce enrollment for the selected operating systems; all others get Aerohive context-based access but no enforced profile install), so back to the case where the MDM service is unavailable: users matching the selected OSes will not be able to access anything but the enrollment server and any servers/services you've allowed in the walled garden configuration until AirWatch/JAMF are available again.

You may want to consider a Guest SSID with basic internet access and limited bandwidth/application permissions to allow for some degree of survivability on what could potentially be compromised or insecure machines.

Chris Brower

  • 1 Post
  • 0 Reply Likes
Hi Abby, sorry to hijack the thread. I was hoping you might be able to help us with a situation we are experiencing with Aerohive and our Casper MDM. We have about 1000 iPads that connect to a PPSK SSID. The SSID is set to check enrollment against Casper. We are currently running Aerohive 6.1r2 and Casper 9.12.

We have noticed that every 45 minutes, when our classes change at the school here, our Casper MDM CPU utilization goes to 100%. We have a hunch that it has to do with the iPads moving around the building and reconnecting to 1 of the 100 APs in the building.

I noticed you mentioned an Auth Cache setting but I was unable to find it in the HiveManager.

Have you seen or heard of anything like this? It happens like clockwork, though, when our students traverse the building. It normally takes Casper 10 minutes to catch up after the students make it to class. Meanwhile they cannot access the internet, and the Casper MDM can't keep up with the requests and starts returning 503 Internal Server Errors.

Thanks,
Chris

Abby S, Employee

  • 94 Posts
  • 47 Reply Likes
Hi Chris! I haven't seen this so far, and I'm trying to think why it would happen. Have you also checked with JAMF? All we are doing with the API is checking an XML file found at https://jssurl.company.com:8443/JSSRe... and searching on MAC address. This seems like a very minimal process. Could we possibly be running into file permission issues causing a race condition? We'd need someone from JAMF to confirm this. My only guess for this behavior would be that we're trying to query the file at the same time JSS is trying to write to it, and it's spiking the CPU while JSS waits to write to the file. I can confirm that we did not intentionally change anything in HiveOS to affect our query behavior.
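The behaviour described in this thread (an auth cache in front of the MDM lookup, fail-closed to the walled garden when the MDM is unreachable, enrollment enforced only for selected OSes, and a per-MAC search over an XML inventory) is modelled below as an added example. It is not Aerohive, HiveOS or JAMF code; `EnrollmentGate`, `parse_enrolled_macs`, `simulate_class_changes`, the `SAMPLE_MDM_XML` document and its schema are all constructed for illustration, and the only values taken from the thread are the 30-minute default cache, the 45-minute class change interval and the 1000 devices. The simulation at the end shows how the cache TTL relative to the roaming interval decides how many MDM queries each class change generates, which is the kind of check a defender would run before tuning the cache.

```python
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple

# Constructed sample inventory. The real JSS document and its schema are not
# shown in the thread; this stand-in only models "one record per device,
# searchable by MAC address".
SAMPLE_MDM_XML = """<devices>
  <device><mac>AA:BB:CC:00:00:01</mac><enrolled>true</enrolled></device>
  <device><mac>aa:bb:cc:00:00:02</mac><enrolled>false</enrolled></device>
</devices>"""


class MdmUnavailable(Exception):
    """Raised when the MDM service cannot be reached (timeout, 5xx, ...)."""


def parse_enrolled_macs(xml_text: str) -> FrozenSet[str]:
    """Return the MAC addresses the inventory marks as enrolled (normalised to lower case)."""
    root = ET.fromstring(xml_text)
    enrolled = set()
    for dev in root.findall("device"):
        mac = (dev.findtext("mac") or "").strip().lower()
        if mac and (dev.findtext("enrolled") or "").strip().lower() == "true":
            enrolled.add(mac)
    return frozenset(enrolled)


def lookup_from_xml(xml_text: str) -> Callable[[str], bool]:
    """Build a per-MAC enrollment lookup over a parsed inventory document."""
    enrolled = parse_enrolled_macs(xml_text)
    return lambda mac: mac.lower() in enrolled


def failing_lookup(mac: str) -> bool:
    """Stands in for an MDM that is down or answering with 503s."""
    raise MdmUnavailable(f"MDM unreachable while checking {mac}")


@dataclass
class EnrollmentGate:
    lookup: Callable[[str], bool]
    cache_ttl: float = 30 * 60                       # 30-minute auth cache, per the thread
    enforced_os: FrozenSet[str] = frozenset({"ios"})  # enrollment enforced only for these
    clock: Callable[[], float] = time.monotonic       # injectable for simulation
    cache: Dict[str, Tuple[bool, float]] = field(default_factory=dict)
    mdm_queries: int = 0

    def decide(self, mac: str, os_name: str) -> str:
        """Return 'full', 'walled-garden' or 'context-only' for a joining client."""
        mac = mac.lower()
        if os_name.lower() not in self.enforced_os:
            return "context-only"      # identity/device/location/time rules only
        now = self.clock()
        hit = self.cache.get(mac)
        if hit is not None and now - hit[1] < self.cache_ttl:
            return "full" if hit[0] else "walled-garden"   # served from auth cache
        try:
            self.mdm_queries += 1
            enrolled = self.lookup(mac)
        except MdmUnavailable:
            # Fail closed: enrollment server and walled-garden hosts only.
            # Nothing is cached, so the next join retries the MDM.
            return "walled-garden"
        self.cache[mac] = (enrolled, now)
        return "full" if enrolled else "walled-garden"


def simulate_class_changes(n_devices: int, n_changes: int,
                           period_s: float, cache_ttl: float) -> List[int]:
    """MDM queries issued at each class change when every device re-joins the SSID."""
    clock = [0.0]
    gate = EnrollmentGate(lookup=lambda mac: True, cache_ttl=cache_ttl,
                          clock=lambda: clock[0])
    per_change = []
    for i in range(n_changes):
        clock[0] = i * period_s
        before = gate.mdm_queries
        for d in range(n_devices):
            gate.decide(f"02:00:00:00:{d >> 8:02x}:{d & 0xff:02x}", "ios")
        per_change.append(gate.mdm_queries - before)
    return per_change


if __name__ == "__main__":
    gate = EnrollmentGate(lookup=lookup_from_xml(SAMPLE_MDM_XML))
    print(gate.decide("aa:bb:cc:00:00:01", "iOS"), gate.decide("aa:bb:cc:00:00:02", "iOS"))
    print("30-min cache, 45-min changes:", simulate_class_changes(1000, 3, 45 * 60, 30 * 60))
    print("60-min cache, 45-min changes:", simulate_class_changes(1000, 4, 45 * 60, 60 * 60))
```

With a cache shorter than the roaming interval every class change is a full storm of one query per device; a cache longer than the interval halves the number of storms, at the cost of honouring a stale enrollment state for up to the TTL. A warm cache also keeps already-checked devices online while the MDM is down, which is the survivability window the original question asks about.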