Skip to content
Deployment

Requirements and dependencies

This page lists what the customer needs to provide and prepare in their environment for Endpoint Manager for ISE to function. The service itself is delivered as SaaS and requires no on-premises components.

Endpoint Manager integrates with Cisco ISE through the API v1 surface introduced in ISE 3.2 Patch 2 and later. Earlier patch levels may work but are not formally supported.

Three Cisco ISE API families must be enabled on the Primary Administration Node and must be reachable from the Netgraph service:

API familyAccess requiredUsed for
ERS (External RESTful Services)Read / WriteEndpoint Identity Group management; bulk endpoint listing.
Open APIRead / WritePer-endpoint create, read, update and delete; bulk operations; Endpoint Custom Attribute synchronisation.
MnT (Monitoring) APIReadLive session data lookup; Change of Authorization triggering.

API calls made by Endpoint Manager, per operation. The HTTP method matters as much as the path: a WAF or API gateway that only permits GET and POST breaks endpoint updates and deletions.

ERS API

MethodEndpointPurpose
GET/ers/config/endpointgroupList and search Endpoint Identity Groups
GET/ers/config/endpointgroup/{id}Read a single Endpoint Identity Group
POST/ers/config/endpointgroupCreate an Endpoint Identity Group
GET/ers/config/endpointList endpoints in bulk

Open API

MethodEndpointPurpose
GET/api/v1/endpointSearch and list endpoints
GET/api/v1/endpoint/{id}Read a single endpoint
POST/api/v1/endpointCreate an endpoint
PUT/api/v1/endpoint/{id}Update an endpoint
DELETE/api/v1/endpoint/{id}Delete an endpoint
POST/api/v1/endpoint/bulkCreate endpoints in bulk
PUT/api/v1/endpoint/bulkUpdate endpoints in bulk

Endpoint Custom Attribute values travel inside the endpoint calls above; there is no separate custom-attribute API traffic.

Monitoring (MnT) API

MethodEndpointPurpose
GET/admin/API/mnt/Session/MACAddress/{mac}Retrieve endpoint session data
GET/admin/API/mnt/CoA/Reauth/...Issue a Change of Authorization

In addition, a single HEAD request is sent to the ISE base URL when the connection is saved, to validate the TLS certificate. The complete method set Endpoint Manager requires is GET, POST, PUT, DELETE and HEAD.

The integration uses a dedicated Cisco ISE administrative user with the following privileges:

  • ERS Admin — for ERS-API operations.
  • Open API admin — for Open API operations.
  • MnT Admin — for Monitoring API operations.

The credentials for this user are configured once per Context in the platform’s API Configuration. They are stored secret-encrypted and never displayed back to administrators.

Endpoint Manager stores several pieces of metadata on each endpoint by way of Cisco ISE’s Endpoint Custom Attributes. The following attributes must be defined in Cisco ISE under Administration → Identity Management → Endpoint Custom Attributes before a Context is connected:

Attribute nameTypePurpose
ngCreatedByStringThe Self-Service User or admin who created the endpoint
ngCreatedAtStringCreation timestamp
ngUpdatedByStringThe user who last updated the endpoint
ngUpdatedAtStringLast update timestamp
ngDeviceTypeStringEndpoint device-type tag

In addition to these platform-internal attributes, the customer can define any number of Managed Attributes — additional Endpoint Custom Attributes (e.g. vendor-owner, vlan-id, maintenance-window) whose value is set per group and applied to every endpoint in that group.

Endpoint Manager connects to Cisco ISE over HTTPS (TLS). The customer’s network must permit:

  • Outbound HTTPS (TCP 443) from the Cisco ISE Primary Administration Node — or from the network segment that hosts it — to the platform’s egress FQDN, which is shown in the API Configuration card of each Context.
  • Inbound API connectivity from the platform’s egress IPs to ISE’s ERS, Open API and MnT endpoints.

The platform’s egress FQDN and IP range depend on the chosen SaaS delivery option (Global Cloud or Nordic Sovereign Cloud).

If a reverse proxy, WAF or API gateway sits in front of the Cisco ISE admin node, it must pass through the ERS, Open API and MnT calls listed under Cisco ISE APIs above — both the paths and their HTTP methods (GET, POST, PUT, DELETE and HEAD). Method filtering is a common cause of partial failures: the Context connects and reads groups, but updates and deletions fail.

For administrators and Self-Service Users to access the platform, the customer can use one of:

  • Email invitation — magic-link login (default; no customer-side configuration required).
  • SAML 2.0 Single Sign-On — integration with the customer’s Identity Provider (Microsoft Entra ID, Okta, ADFS, others). SAML can drive admin sign-in, Self-Service sign-in, and optional Self-Service Enrollment for auto-provisioning of new users on first login.

The administration portal and Self-Service portal are web-based and support current versions of the major evergreen browsers: Chrome, Edge, Firefox and Safari.

  • Cisco ISE availability. Endpoint Manager requires the Cisco ISE deployment to be reachable. Operations that target ISE will fail while ISE is unavailable; the audit log reflects each failed attempt.
  • Customer-managed credentials. The Cisco ISE API user is owned by the customer and may be rotated at any time through the platform’s API Configuration view.

Next