Endpoint Manager for Cisco ISE
Endpoint Manager lets an organization that already runs Cisco ISE delegate the day-to-day administration of endpoints to the teams or vendors that own the equipment, without giving any of them an ISE login. It sits alongside Cisco ISE, not in front of it.
Service at a glance
- Purpose
- Delegated administration of Cisco ISE endpoint identity groups, without exposing the ISE admin interface
- Position
- Works alongside Cisco ISE. ISE continues to perform all authentication and authorization
- Best for
- MAB and Identity PSK endpoints (IP phones, cameras, IoT) maintained by vendors or internal owners
- Licensed by
- Per Cisco ISE installation
- Key prerequisite
- An existing Cisco ISE deployment with the required APIs enabled
- Data location
- Global Cloud, or Nordic Sovereign Cloud (data in Sweden)
1. Purpose and use cases
Section titled “1. Purpose and use cases”Endpoint Manager is for organizations that operate Cisco ISE as their authentication and authorization platform and authorize non-802.1X endpoints (IP phones, cameras, IoT, lab equipment) by MAC or Identity PSK, where the per-endpoint record matters more than a credential. It lets internal owners, vendors, contractors, and agencies maintain their own endpoint groups, with a transparent audit trail, while never granting them Cisco ISE access.
2. Service scope
Section titled “2. Service scope”An Endpoint Manager service context connects to one Cisco ISE deployment and surfaces its endpoint identity groups. Each group can be opted in to managed administration, and one or more self-service users can be invited per group. The organization administrator keeps a single, audited view of every managed group, owner, and endpoint.
Endpoint Manager covers only the per-endpoint, per-group administrative work the organization chooses to delegate. It is a single service edition; there are no variants.
3. Key functions
Section titled “3. Key functions”- Surfaces Cisco ISE endpoint identity groups for delegated administration.
- Per-group self-service for owners to add, move, update, and remove endpoints by MAC.
- Managed attributes defined centrally and applied per group.
- Batch import of endpoints by file.
- Change of Authorization to have Cisco ISE re-evaluate policy for an endpoint (administrator action).
- Audit logging of every endpoint and configuration change.
4. Architecture and how it works
Section titled “4. Architecture and how it works”Endpoint Manager connects to Cisco ISE through the ISE APIs and reflects selected endpoint identity groups. Delegated users work in the Self-Service Portal; their changes are written to ISE through the API, and ISE continues to authenticate and authorize every endpoint on the wire using its own identity sources, certificates, and policy sets. Endpoint Manager does not sit in the authentication path.
5. Customer requirements and prerequisites
Section titled “5. Customer requirements and prerequisites”| Item | Requirement |
|---|---|
| Cisco ISE | An existing deployment, Cisco ISE 3.2 Patch 2 or later |
| ISE APIs | ERS, Open API, and MnT enabled |
| API account | An ISE API account with ERS and MnT administrator rights |
| Connectivity | HTTPS between the platform and the ISE APIs |
| Custom attributes | Five endpoint custom attributes defined in ISE: ngCreatedAt, ngCreatedBy, ngUpdatedAt, ngUpdatedBy, ngDeviceType |
Network connectivity is summarized in Network Requirements.
6. Integrations and dependencies
Section titled “6. Integrations and dependencies”Endpoint Manager integrates with Cisco ISE through its APIs and depends on the customer’s ISE being reachable. While ISE is unreachable, endpoint operations cannot complete, and the condition is recorded in the audit trail. See Integrations.
7. Roles and responsibilities
Section titled “7. Roles and responsibilities”| Role | Surface | Capabilities |
|---|---|---|
| Organization administrator | Administration Portal | Connect ISE, opt groups in, invite owners, see all managed groups and endpoints |
| Group administrator | Self-Service Portal | Manage endpoints in their own group: add, move, update, remove, set attributes |
| User (default) | Self-Service Portal | View the endpoints in their own group |
Change of Authorization is an administrator action and is not available to self-service users. See Roles and Administration Levels.
8. Licensing and activation
Section titled “8. Licensing and activation”Endpoint Manager is licensed per Cisco ISE installation on top of the platform delivery license, with the full feature set regardless of the number of endpoints or groups. Authoritative product codes and terms are on the Endpoint Manager License page; the model is summarized in Licensing and Service Levels. Licenses are sold through authorized partners.
9. Security, logging, and data protection
Section titled “9. Security, logging, and data protection”Delegated users never reach Cisco ISE or the Administration Portal. Every endpoint and configuration change is recorded in the audit log with actor, action, and before and after values. ISE API credentials are held securely and can be rotated by the administrator. Platform-wide protections are described in Security and Data Protection and Logging, Reporting, and Retention.
10. Limitations and exclusions
Section titled “10. Limitations and exclusions”- Not a RADIUS service. Cisco ISE continues to authenticate and authorize every endpoint.
- Not a replacement for the Cisco ISE admin interface. Policy work, identity sources, certificates, and profiling rules stay in ISE.
- Change of Authorization is available to administrators only.
- The service depends on the customer’s Cisco ISE being reachable.
11. Related services
Section titled “11. Related services”- EntryPoint is a cloud RADIUS service, including Identity PSK served over RADIUS. Use EntryPoint when you need RADIUS itself rather than delegated administration of an existing ISE.
- EasyPSK delivers per-unit residential Wi-Fi keys on Cisco Meraki. It is unrelated to ISE endpoint administration.
12. When to use, and when not to use
Section titled “12. When to use, and when not to use”Use Endpoint Manager when you run Cisco ISE and want to delegate the maintenance of MAB or Identity PSK endpoint records to their owners, with a single audited view and no ISE logins handed out. Do not use Endpoint Manager when you need a cloud RADIUS service (use EntryPoint), or per-unit residential Wi-Fi keys (use EasyPSK).