Coming Microsoft API change will break third-party device authentication

An impending change to Microsoft’s Intune APIs will break mobile device management (MDM) identity support from vendors like Cisco, Citrix and F5.

Earlier this year, Microsoft decided that on December 31 2022, it will deprecate the use of MAC addresses in Intune’s network access control (NAC) API, which the software currently uses to identify endpoint hardware.

Instead, Intune will identify devices using their Global Unique Identifier (GUID).

Software such as Cisco’s Identity Services Engine (ISE), however, uses MAC addresses to identify endpoints, and that service will fail when the deprecation takes effect.

As the company explains in this field notice, “ISE integrates with Microsoft Intune in order to determine corporate asset ownership or registration, as well as security compliance”.

“For ISE versions 3.0 or earlier, or any ISE 3.1 or later deployment using MDM APIv2 Microsoft Intune integration, the API queries to Intune will fail and Intune managed endpoints will appear as ‘not-registered.’ ISE will also trigger an alarm which indicates the Intune API is unreachable”, the field notice states.

Cisco is supporting the change in ISE 3.1 and later, but that doesn’t mean implementing the upgrade will be painless for IT shops: configuring the software for MDM APIv3 Intune integration will require installing certificates to all Intune endpoints, and confirming that those certificates are used for network authentication.

There could be other headaches: “For VPN-based endpoints, a workaround does not exist yet. It is suggested to use ISE posture in order to check for security compliance as an alternative to verification against Intune,” the field notice states.

Similar upgrade and configuration tasks face admins running Citrix Gateway and F5 BIG-IP systems.

Release notes for F5’s update to BIG-IP Version 17.0.0 can be found here.

Depending on their current environment, Citrix Application Delivery Controller users will have to upgrade to 13.1-12.51 or 13.0-84.11.

Microsoft’s notice about the API change is here.