Posted on 10-05-2016 08:31 AM
We're trying to restrict the privileges that a JSS account has that gives Cisco ISE access to seeing what a compliant computer looks like. To set this up, we're presented with this screen from the Cisco App.
When we grant it access to only Advanced Computer Searches, which is used to determine if a device is compliant or not, the Cisco app can't communicate with the JSS, giving us an error:
Connection Failed 403: Forbidden | The user account setup on the NotifyMDM server does not have the proper roles associated to it. Validate that the account being used by ISE is assigned the REST API MDM roles
Once we granted full read access, it appears to be working, but we definitely want to limit what privileges this account has. Has anyone had experience with this and can recommend what privileges Cisco ISE requires from the JSS?
Thanks!
Posted on 10-05-2016 01:18 PM
All of our API accounts need access to read "Computers" as well as searches. The search is not useful if they can't access the data for the computers that the search returns.
This is not an ISE-specific response, but a general API answer.