Skip to content
Concepts

Capabilities

This page enumerates the functional capabilities of Endpoint Manager for ISE. Each capability is described in declarative terms — what it does, what it depends on, and what is included.

A managed Endpoint Identity Group in Endpoint Manager is a 1:1 reflection of a Cisco ISE Endpoint Identity Group. The ISE group remains authoritative; the platform applies a delegated-administration layer on top.

Capabilities:

  • Browse all Endpoint Identity Groups exposed by Cisco ISE — connected and not-connected — from a single list.
  • Connect an existing ISE Endpoint Identity Group to bring it under managed administration.
  • Create a new Endpoint Identity Group from the platform; it is provisioned in Cisco ISE and connected in a single step.
  • Rename a connected group; the change propagates to Cisco ISE.
  • Disconnect a group, removing its delegated-administration layer (and associated Self-Service Users and managed settings). Cisco ISE retains the group and its endpoints unchanged.

Per-endpoint administration inside a managed group:

  • Add a single endpoint with MAC address, description, optional device type and Managed Attribute values.
  • Modify description, device type, and Managed Attribute values.
  • Move an endpoint to another connected group within the same Context.
  • Revoke (remove) an endpoint from a group. If the endpoint is no longer a member of any group, it is removed from Cisco ISE entirely.
  • Live session data, read directly from Cisco ISE’s Monitoring API: NAS device, port, VLAN, IPv4 address, session duration, data usage (up/down), and current connection state.

All endpoint operations are pushed into Cisco ISE through its standard APIs.

Cisco ISE’s Endpoint Custom Attributes can be exposed for delegated administration. The Context owner controls which attributes are eligible; the group owner sets the value:

  • Context-level definition — name + type, matching an Endpoint Custom Attribute defined in Cisco ISE under Administration → Identity Management → Endpoint Custom Attributes.
  • Group-level value assignment — each connected group sets its own value for each defined Managed Attribute, applied automatically to every endpoint in the group.

Typical attribute shapes: vendor-owner (String), vlan-id (Int), maintenance-window (String), Security Group Tag (SGT) selectors. Because a Managed Attribute carries one value per group, it suits attributes that are uniform across a group’s endpoints. Any custom attribute that is meaningful in Cisco ISE’s authorization policy can be made managed.

Bulk onboarding of endpoints from a CSV file. Available to administrators on the Netgraph admin side as well as Group Administrators in the Self-Service portal:

  • Four-step wizard — file selection, validation, preview, and submit.
  • Preview before commit — every row is validated before any change reaches Cisco ISE.
  • Auto-move of existing MACs — a MAC address that already exists in another Endpoint Identity Group is moved into the target group (with explicit user confirmation), rather than rejected.
  • Audited — each row is recorded individually in the Context’s audit log.

Trigger a CoA on a live endpoint to force Cisco ISE to re-evaluate its authorization policy. Typically used after moving an endpoint to a different group or after changing a Managed Attribute that affects authorization. CoA is available to Organization administrators only — Self-Service Users cannot issue CoA.

A dedicated web portal for delegated administrators. Capabilities:

  • Per-group scope. Each Self-Service User sees only the groups they belong to.
  • Endpoint CRUD — add, modify, move, revoke endpoints inside the assigned group.
  • Live session view for each endpoint.
  • Batch import via the same CSV wizard as the admin side.
  • Group Users management — Group Administrators can invite, modify, and revoke other Self-Service Users on the same group.
  • No Cisco ISE access — the portal never exposes Cisco ISE’s admin surface, credentials or policy configuration.
  • Email invitation link — a magic-link login sent to the invitee’s email address.
  • SAML 2.0 Single Sign-On — federated login via the customer’s Identity Provider. Optional Self-Service Enrollment automatically provisions users on first login if the group permits it.

Three roles, each scoped to where it operates:

RoleScopeCapability
Organization administratorThe Organization and all Contexts.Connect Contexts, define Managed Attributes, manage groups, review audits, issue CoA.
Group AdministratorOne Endpoint Identity Group.Full endpoint CRUD on the group; invite, modify and revoke Self-Service Users on it.
User (default)One Endpoint Identity Group.Endpoint CRUD on the group; cannot manage other Self-Service Users.

A single individual can hold different roles on different groups simultaneously without conflict.

Outbound event delivery to customer systems for change-tracking and integration:

  • Event type: ise.configuration.audit — emitted for every configuration change inside a Context.
  • Subscription: per Context, with one or more HTTPS endpoints.
  • Payload: structured JSON with timestamp, actor, action, target and field-level diff where applicable.
  • Typical consumers: SIEM (Splunk, Elastic, Microsoft Sentinel), change-management systems, chat (Slack, MS Teams) via a small bridge.

A complete record of every change inside a Context:

  • API credential updates.
  • Managed Attribute definitions.
  • Group connect / disconnect.
  • Endpoint add / update / move / delete.
  • Change of Authorization triggers.
  • Self-Service User invitations, role changes and removals.

Each entry carries timestamp, acting user, action, target and field-level diff where applicable. Available in the admin UI and via webhooks.

  • Multi-language UI — admin and Self-Service portals support multiple languages.
  • SAML 2.0 SSO — for administrator sign-in to the Netgraph admin portal.
  • Multiple Contexts per Organization — each binding to a separate Cisco ISE deployment (e.g. production + lab).

Endpoint Manager shares Organization-level infrastructure with the other Netgraph Connectivity Platform modules — administration portal, Self-Service portal, audit logging, multi-language UI, SAML SSO, and Organization administrators. Customers running Endpoint Manager alongside Sign In, EntryPoint or EasyPSK get a single, unified administrative surface.

Next