Do you have a proper "Advanced Search" setup in the JSS (that reports properly to ISE) that is fairly liberal enough to cover all the devices in the JSS that you want reported to ISE? That was our problem originally. I wrote a VERY liberal advanced search myself as we only want ISE to verify whether a device is corporate owned or not...that's easy because any device enrolled in the JSS is corporate owned for us. We don't enroll personal devices. Food for thought hopefully. Also note that the login account we gave ISE had full read-only writes to the JSS...I just gave it auditor level permissions but assigned a complex password.
How it works is that you created an advanced search that returns your list of devices based on your criteria. ISE should then look at that list to see if it is a member. You then have rules based on whether or not the device was in the restored list.
If a device is not in your JSS it will not be in the list and the result should be returned ass such. Are you sure you have the ISE policy setup correctly?