Capabilities
This page enumerates the functional capabilities of Endpoint Manager for ISE. Each capability is described in declarative terms — what it does, what it depends on, and what is included.
Endpoint Identity Group administration
Section titled “Endpoint Identity Group administration”A managed Endpoint Identity Group in Endpoint Manager is a 1:1 reflection of a Cisco ISE Endpoint Identity Group. The ISE group remains authoritative; the platform applies a delegated-administration layer on top.
Capabilities:
- Browse all Endpoint Identity Groups exposed by Cisco ISE — connected and not-connected — from a single list.
- Connect an existing ISE Endpoint Identity Group to bring it under managed administration.
- Create a new Endpoint Identity Group from the platform; it is provisioned in Cisco ISE and connected in a single step.
- Rename a connected group; the change propagates to Cisco ISE.
- Disconnect a group, removing its delegated-administration layer (and associated Self-Service Users and managed settings). Cisco ISE retains the group and its endpoints unchanged.
Endpoint operations
Section titled “Endpoint operations”Per-endpoint administration inside a managed group:
- Add a single endpoint with MAC address, description, optional device type and Managed Attribute values.
- Modify description, device type, and Managed Attribute values.
- Move an endpoint to another connected group within the same Context.
- Revoke (remove) an endpoint from a group. If the endpoint is no longer a member of any group, it is removed from Cisco ISE entirely.
- Live session data, read directly from Cisco ISE’s Monitoring API: NAS device, port, VLAN, IPv4 address, session duration, data usage (up/down), and current connection state.
All endpoint operations are pushed into Cisco ISE through its standard APIs.
Managed Attributes
Section titled “Managed Attributes”Cisco ISE’s Endpoint Custom Attributes can be exposed for delegated administration. The Context owner controls which attributes are eligible; the group owner sets the value:
- Context-level definition — name + type, matching an Endpoint Custom Attribute defined in Cisco ISE under Administration → Identity Management → Endpoint Custom Attributes.
- Group-level value assignment — each connected group sets its own value for each defined Managed Attribute, applied automatically to every endpoint in the group.
Typical attribute shapes: vendor-owner (String), vlan-id (Int), maintenance-window (String), Security Group Tag (SGT) selectors. Because a Managed Attribute carries one value per group, it suits attributes that are uniform across a group’s endpoints. Any custom attribute that is meaningful in Cisco ISE’s authorization policy can be made managed.
Batch import (CSV)
Section titled “Batch import (CSV)”Bulk onboarding of endpoints from a CSV file. Available to administrators on the Netgraph admin side as well as Group Administrators in the Self-Service portal:
- Four-step wizard — file selection, validation, preview, and submit.
- Preview before commit — every row is validated before any change reaches Cisco ISE.
- Auto-move of existing MACs — a MAC address that already exists in another Endpoint Identity Group is moved into the target group (with explicit user confirmation), rather than rejected.
- Audited — each row is recorded individually in the Context’s audit log.
Change of Authorization (CoA)
Section titled “Change of Authorization (CoA)”Trigger a CoA on a live endpoint to force Cisco ISE to re-evaluate its authorization policy. Typically used after moving an endpoint to a different group or after changing a Managed Attribute that affects authorization. CoA is available to Organization administrators only — Self-Service Users cannot issue CoA.
Self-Service Portal
Section titled “Self-Service Portal”A dedicated web portal for delegated administrators. Capabilities:
- Per-group scope. Each Self-Service User sees only the groups they belong to.
- Endpoint CRUD — add, modify, move, revoke endpoints inside the assigned group.
- Live session view for each endpoint.
- Batch import via the same CSV wizard as the admin side.
- Group Users management — Group Administrators can invite, modify, and revoke other Self-Service Users on the same group.
- No Cisco ISE access — the portal never exposes Cisco ISE’s admin surface, credentials or policy configuration.
Sign-in options
Section titled “Sign-in options”- Email invitation link — a magic-link login sent to the invitee’s email address.
- SAML 2.0 Single Sign-On — federated login via the customer’s Identity Provider. Optional Self-Service Enrollment automatically provisions users on first login if the group permits it.
Role-based access control
Section titled “Role-based access control”Three roles, each scoped to where it operates:
| Role | Scope | Capability |
|---|---|---|
| Organization administrator | The Organization and all Contexts. | Connect Contexts, define Managed Attributes, manage groups, review audits, issue CoA. |
| Group Administrator | One Endpoint Identity Group. | Full endpoint CRUD on the group; invite, modify and revoke Self-Service Users on it. |
| User (default) | One Endpoint Identity Group. | Endpoint CRUD on the group; cannot manage other Self-Service Users. |
A single individual can hold different roles on different groups simultaneously without conflict.
Webhooks
Section titled “Webhooks”Outbound event delivery to customer systems for change-tracking and integration:
- Event type:
ise.configuration.audit— emitted for every configuration change inside a Context. - Subscription: per Context, with one or more HTTPS endpoints.
- Payload: structured JSON with timestamp, actor, action, target and field-level diff where applicable.
- Typical consumers: SIEM (Splunk, Elastic, Microsoft Sentinel), change-management systems, chat (Slack, MS Teams) via a small bridge.
Audit log
Section titled “Audit log”A complete record of every change inside a Context:
- API credential updates.
- Managed Attribute definitions.
- Group connect / disconnect.
- Endpoint add / update / move / delete.
- Change of Authorization triggers.
- Self-Service User invitations, role changes and removals.
Each entry carries timestamp, acting user, action, target and field-level diff where applicable. Available in the admin UI and via webhooks.
Administration
Section titled “Administration”- Multi-language UI — admin and Self-Service portals support multiple languages.
- SAML 2.0 SSO — for administrator sign-in to the Netgraph admin portal.
- Multiple Contexts per Organization — each binding to a separate Cisco ISE deployment (e.g. production + lab).
Cross-product integration
Section titled “Cross-product integration”Endpoint Manager shares Organization-level infrastructure with the other Netgraph Connectivity Platform modules — administration portal, Self-Service portal, audit logging, multi-language UI, SAML SSO, and Organization administrators. Customers running Endpoint Manager alongside Sign In, EntryPoint or EasyPSK get a single, unified administrative surface.