PrepAway - Latest Free Exam Questions & Answers

Which of the following will not be removed from the dev…

Your corporate network uses MobileIron as an MDM for ISE. You have been informed that a user has lost his
phone and that you must perform a selective wipe on the device.
Which of the following will not be removed from the device during the selective wipe? (Select the best answer.)


A. the MobileIron app

B. the CA certificate for the WiFi profile installed by ISE

C. corporate applications installed by MDM

D. the MDM profile and all of its subprofiles

Explanation:
The certificate authority (CA) certificate for the WiFi profile installed by Cisco Identity Services Engine (ISE) is not removed when you perform a selective wipe. ISE is a next-generation Authentication, Authorization, and Accounting (AAA) platform with integrated posture assessment, network access control, and client provisioning. ISE integrates with a number of Mobile Device Management (MDM) frameworks, such as MobileIron and AirWatch. From ISE, you can easily provision network devices with native supplicants available for Microsoft Windows, Mac OS X, Apple iOS, and Google Android. The supplicants act as agents that enable you to perform various functions on the network device, such as installing software or locking the screen with a personal identification number (PIN) lock.

For devices like phones, ISE relies on MDM servers to carry out the specific administrative actions selected in ISE. For example, when a selective wipe is selected for a device in ISE, a request is made to the appropriate MDM server to carry out the action. The MDM server communicates with its corresponding agent and removes all corporate applications and installed profiles, including any subprofiles. The selective wipe also removes the MDM agent, which in this scenario is the MobileIron app. Through an MDM server, ISE can perform a full wipe, a selective wipe, or a PIN lock, depending on the severity of the security risk of the lost phone.

An administrator can also initiate a selective wipe if an employee is terminated. However, the administrator should also take steps to blacklist the device within ISE and remove the user account's privileges so that the user cannot reenroll the device. The administrator can then force the user’s device to attempt an immediate reauthentication against ISE by revoking the user certificate on the CA server. This will cause the device to match the blacklist upon its attempt to reenroll.

Cisco: Integrating MobileIron with Cisco Identity Services Engine: Corporate Wipe (PDF)

