Requirements and dependencies
This page lists what the customer needs to provide and prepare in their environment for Endpoint Manager for ISE to function. The service itself is delivered as SaaS and requires no on-premises components.
Cisco ISE version
Section titled “Cisco ISE version”Endpoint Manager integrates with Cisco ISE through the API v1 surface introduced in ISE 3.2 Patch 2 and later. Earlier patch levels may work but are not formally supported.
Cisco ISE APIs
Section titled “Cisco ISE APIs”Three Cisco ISE API families must be enabled on the Primary Administration Node and must be reachable from the Netgraph service:
| API family | Access required | Used for |
|---|---|---|
| ERS (External RESTful Services) | Read / Write | Endpoint Identity Group management; bulk endpoint listing. |
| Open API | Read / Write | Per-endpoint create, read, update and delete; bulk operations; Endpoint Custom Attribute synchronisation. |
| MnT (Monitoring) API | Read | Live session data lookup; Change of Authorization triggering. |
API calls made by Endpoint Manager, per operation. The HTTP method matters as much as the path: a WAF or API gateway that only permits GET and POST breaks endpoint updates and deletions.
ERS API
| Method | Endpoint | Purpose |
|---|---|---|
| GET | /ers/config/endpointgroup | List and search Endpoint Identity Groups |
| GET | /ers/config/endpointgroup/{id} | Read a single Endpoint Identity Group |
| POST | /ers/config/endpointgroup | Create an Endpoint Identity Group |
| GET | /ers/config/endpoint | List endpoints in bulk |
Open API
| Method | Endpoint | Purpose |
|---|---|---|
| GET | /api/v1/endpoint | Search and list endpoints |
| GET | /api/v1/endpoint/{id} | Read a single endpoint |
| POST | /api/v1/endpoint | Create an endpoint |
| PUT | /api/v1/endpoint/{id} | Update an endpoint |
| DELETE | /api/v1/endpoint/{id} | Delete an endpoint |
| POST | /api/v1/endpoint/bulk | Create endpoints in bulk |
| PUT | /api/v1/endpoint/bulk | Update endpoints in bulk |
Endpoint Custom Attribute values travel inside the endpoint calls above; there is no separate custom-attribute API traffic.
Monitoring (MnT) API
| Method | Endpoint | Purpose |
|---|---|---|
| GET | /admin/API/mnt/Session/MACAddress/{mac} | Retrieve endpoint session data |
| GET | /admin/API/mnt/CoA/Reauth/... | Issue a Change of Authorization |
In addition, a single HEAD request is sent to the ISE base URL when the connection is saved, to validate the TLS certificate. The complete method set Endpoint Manager requires is GET, POST, PUT, DELETE and HEAD.
Cisco ISE API user
Section titled “Cisco ISE API user”The integration uses a dedicated Cisco ISE administrative user with the following privileges:
- ERS Admin — for ERS-API operations.
- Open API admin — for Open API operations.
- MnT Admin — for Monitoring API operations.
The credentials for this user are configured once per Context in the platform’s API Configuration. They are stored secret-encrypted and never displayed back to administrators.
Endpoint Custom Attributes in Cisco ISE
Section titled “Endpoint Custom Attributes in Cisco ISE”Endpoint Manager stores several pieces of metadata on each endpoint by way of Cisco ISE’s Endpoint Custom Attributes. The following attributes must be defined in Cisco ISE under Administration → Identity Management → Endpoint Custom Attributes before a Context is connected:
| Attribute name | Type | Purpose |
|---|---|---|
ngCreatedBy | String | The Self-Service User or admin who created the endpoint |
ngCreatedAt | String | Creation timestamp |
ngUpdatedBy | String | The user who last updated the endpoint |
ngUpdatedAt | String | Last update timestamp |
ngDeviceType | String | Endpoint device-type tag |
In addition to these platform-internal attributes, the customer can define any number of Managed Attributes — additional Endpoint Custom Attributes (e.g. vendor-owner, vlan-id, maintenance-window) whose value is set per group and applied to every endpoint in that group.
Network reachability
Section titled “Network reachability”Endpoint Manager connects to Cisco ISE over HTTPS (TLS). The customer’s network must permit:
- Outbound HTTPS (TCP 443) from the Cisco ISE Primary Administration Node — or from the network segment that hosts it — to the platform’s egress FQDN, which is shown in the API Configuration card of each Context.
- Inbound API connectivity from the platform’s egress IPs to ISE’s ERS, Open API and MnT endpoints.
The platform’s egress FQDN and IP range depend on the chosen SaaS delivery option (Global Cloud or Nordic Sovereign Cloud).
If a reverse proxy, WAF or API gateway sits in front of the Cisco ISE admin node, it must pass through the ERS, Open API and MnT calls listed under Cisco ISE APIs above — both the paths and their HTTP methods (GET, POST, PUT, DELETE and HEAD). Method filtering is a common cause of partial failures: the Context connects and reads groups, but updates and deletions fail.
Identity sources and authentication
Section titled “Identity sources and authentication”For administrators and Self-Service Users to access the platform, the customer can use one of:
- Email invitation — magic-link login (default; no customer-side configuration required).
- SAML 2.0 Single Sign-On — integration with the customer’s Identity Provider (Microsoft Entra ID, Okta, ADFS, others). SAML can drive admin sign-in, Self-Service sign-in, and optional Self-Service Enrollment for auto-provisioning of new users on first login.
Browser support
Section titled “Browser support”The administration portal and Self-Service portal are web-based and support current versions of the major evergreen browsers: Chrome, Edge, Firefox and Safari.
Operational dependencies
Section titled “Operational dependencies”- Cisco ISE availability. Endpoint Manager requires the Cisco ISE deployment to be reachable. Operations that target ISE will fail while ISE is unavailable; the audit log reflects each failed attempt.
- Customer-managed credentials. The Cisco ISE API user is owned by the customer and may be rotated at any time through the platform’s API Configuration view.