Two colleagues reviewing device data on a laptop in an industrial facility office
Endpoint Manager · for Cisco ISE

Hand out endpoint admin — without handing out ISE.

Endpoint Manager sits next to Cisco ISE over a secure IPSec API tunnel. Per Endpoint Identity Group, the vendors and contractors who actually own those devices manage them from a self-service portal — ISE stays untouched, no admin seats handed out, no exposed API.

Your network team owns the policy. The vendors own their devices.

Cisco ISE keeps doing what it does best — 802.1X, MAB, iPSK, profiling, authorization policies. Endpoint Manager sits next to ISE, not in front of it, and hands per-group endpoint administration to the people who actually own those devices.

The telephony vendor manages IP_Phones. The security contractor manages Cameras. The AV integrator manages Conference_Room_Displays. None of them log in to ISE.

No ISE seats handed out. No tickets to add a new printer. No quarterly access review chaos.

Challenges with device management

Why ISE alone isn't enough.

Healthcare Time-Consuming Processes

We have around 4,200 medical devices across seven sites. Every infusion-pump swap used to sit in our ISE backlog for two weeks. The network team had basically become a data-entry function.

IT Operations Lead Regional hospital group
Municipality Permission Management

We couldn't hand helpdesk an ISE login — the audit risk was too high — but they were still first in line every time a port got blocked. Tickets sat over weekends. Security blocked service.

IT Security Lead Swedish municipal government
Enterprise Increased IT Workload

Twelve contractors emailing MAC addresses to a shared inbox. Every Friday afternoon disappeared into registration tickets. The network team dreaded month-end and quarterly reviews.

Network Architect Global manufacturer
Built for production environments

An IPSec tunnel straight to your firewall — no exposed ISE.

Netgraph establishes a Connector tunnel from our cloud to your firewall. The Cisco ISE API never leaves your perimeter. Granular rules in the tunnel scope what we can call.

Enterprise
Cisco ISE
API Gateway
Endpoint Identity Groups
  • CONTRACTOR-ABB
  • SIEMENS-OT
  • CAVERION-CCTV
  • ASSA-LOCKS
Customer
Firewall
IPSec
IPSec tunnel
API SSL
Netgraph Cloud
Cloud
Connector
IPSec
Endpoint Manager
4 groups
  • CONTRACTOR-ABB
  • SIEMENS-OT
  • CAVERION-CCTV
  • ASSA-LOCKS
Self-Service
4 group admins
  • User 1 CONTRACTOR-ABB
  • User 2 SIEMENS-OT
  • User 3 CAVERION-CCTV
  • User 4 ASSA-LOCKS
Capabilities

Everything a delegated administrator needs. Nothing they shouldn't.

01

MAC address management

Organize non-802.1X devices by MAC group for simpler onboarding and efficient management.

02

Bulk import of endpoints

Onboard hundreds of devices at once via CSV — save time and reduce manual effort.

03

Localize endpoints

Track device location and live status — online, offline, or session-active — straight from the portal.

04

SAML integration

Single sign-on with SAML for secure, seamless access to admin and self-service portals.

05

Role-based access control

Granular roles control who can manage endpoints, invite users, or configure group settings.

06

iPSK key management

Update and rotate per-group iPSK passphrases through the self-service portal — no ISE login needed.

07

Self-service portal

Group administrators add, remove, and edit their own devices — see who's connected, where, and how much traffic.

08

Endpoint custom attributes

Centrally manage VLANs, ACLs, SGTs, and custom attributes per endpoint to keep ISE configurations aligned.

See it in action

Two surfaces. One delegation model.

Network admins manage Endpoint Identity Groups, contexts, and API integrations from a single dashboard. Group administrators see only their devices — on whatever screen they happen to be on.

Admin Portal

One dashboard, every group.

Configure the API integration with Cisco ISE, create contexts, map groups to Endpoint Identity Groups, and assign access in clicks. See connected status, endpoint counts, and self-service enrollment per group at a glance.

  • 67 Endpoint Identity Groups, surfaced from ISE
  • Per-group connect/disconnect status, live
  • Endpoint counts with optional slow search for accuracy
Endpoint Manager admin dashboard showing 67 Endpoint Identity Groups synced from Cisco ISE
Self-Service Portal on three iPhones — group selection, device list, and per-device detail
Self-Service Portal

A delegated admin's whole job, on a phone.

Group administrators sign in to a portal scoped to exactly their group. Add devices one at a time or in batches, see live status (online · offline · session-active), and revoke a stolen MAC the moment it's reported.

  • Group selector when an admin owns more than one
  • Per-device detail · description · IP · session duration · usage
  • Modify or revoke without filing a ticket
How customers actually use it

One Cisco ISE. Many delegated groups.

Each Endpoint Identity Group in your Cisco ISE can be opted in to managed administration and handed to the right Group Administrator. They see only their group, and never log in to ISE.

IP_Phones
Managed by · Telephony vendor
Cameras
Managed by · Security contractor
Conference_Room_Displays
Managed by · AV integrator
Digital_Signage
Managed by · Marketing agency
Why Endpoint Manager

Distributed administration, centrally controlled.

0
ISE seats handed to delegated administrators
1
IPSec tunnel from Netgraph to your firewall
N
Endpoint Identity Groups managed by their actual owners

Safe. Simple. Smooth. — see for yourself.

A short demo, anywhere from 30 minutes to an hour, depending on what you want to dig into. Bring your toughest requirements. We'll show you how Netgraph handles them.

Book a demoRead the docs