Integrate ISE 3.3 with JAMF as MDM Server.

Introduction

This document describes procedures that are necessary to implement successfully Identity Services Engine version 3.3 with JAMF PRO instance 10.48.X

Prerequisites

Requirements

Cisco recommends knowledge in these topics:

• Identity Services Engine.
• JAMF as MDM solution.

Components Used

The information in this document is based on these software and versions:

• Cisco Identity Services Engine (ISE) version 3.3
• JAMF PRO version 10.48.1-t1689600654

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background information

Cisco ISE supports JAMF as a MDM server for managing Windows computers. Once these computers managed by JAMF are connected the network and authenticated, in order to retrieve further information for the security posture of those devices, ISE retrieves compliance information from JAMF server.

It uses this information to enforce secure access security by allowing/denying those computers depending on the criteria and conditions configured in ISE.

Therefore, this implementation helps to identify potential vulnerabilities and security weakness that could be exploited by attackers.

Configure

Preparing JAMF PRO for the MDM connection

Step 1. Log in with your JAMF cloud with the account for admin privileges at https://YOUR_ACCOUNT.jamfcloud.com/index.html.

JAMF PRO login page

Step 2. From the main menu, select the gear that is displayed over this icon.

JAMF PRO Dashboard

Step 3. In the main menu, select the option named System > User accounts and groups.

JAMF PRO System Settings

Step 4. Select the section Password Policies.

JAMF PRO Users accounts and groups

Step 5. In this section, confirm that you have the option Allow Basic authentication in addition to Bearer Token authentication.

Note: Starting JAMF PRO version 10.35 and upper version the basic authentication for API is not enabled by default, hence you need to enable such feature to get the MDM integration working, for more information please review https://developer.jamf.com/jamf-pro/docs/classic-api-authentication-changes

Step 6. Return once you have the last feature enabled to the menu Settings described in the step 3, then look for the Network Integration menu, and select it.

JAMF PRO Network integration

Step 7. Proceed to select + New to add a new instance for ISE 3.3.

JAMF PRO Network integration settings

Step 8. In the drop-down menu Network Access Management Service, leave the option marked as Cisco ISE.

Next provide a name in the menu Display Name as it is shown in this example.

For the initial settings and the connection for ISE, the configuration can be left with these standard configurations.

Proceed to Save the configuration.

Configuration sample Network integration with ISE

Step 9. The integration generates a Network Integration URL with this format https://YOUR_ACCOUNT.jamfcloud.com/networkIntegrationEndpoint/ID

Keep this URL because you need it later to connect with ISE.

Preparing ISE for the MDM connection

Step 1. Select the menu Administration > Network Resources > External MDM, and then click Add.

ISE MDM integration menu

Step 2. Name the installation within the MDM / UEM Integration Name segment. In the section Hostname / IP Address, select YOUR_ACCOUNT.jamfcloud.com from the URL generated in previous steps.

In Port select the 443 for the HTTPS connection with your JAMF PRO instance.

In the section Instance Name proceed to fill this information with the section missing from the URL created (in this case: /networkIntegrationEndpoint/ID).

Input a Username with full access to the JAMF PRO instance alongside the corresponding Password. Change the Status of the MDM server to Enabled.

ISE MDM JAMF PRO configuration example

Step 3. Scroll down and proceed to Test Connection. If the connection is successful, this image is displayed.

If you do not get the same output, please refer to Troubleshooting Section in this documentation.

Successful connection with the MDM JAMF account

Step 4. Select OK in the option selected from above. In the bottom of the page, find the Device Identifier in which ISE associates the sessions of the endpoints.

Depending upon your scenario, you can select the MAC address of the device or attributes of certificates as it is displayed.

Once you have customized this section Save the configuration.

Additional configuration for MDM server

Verify the Initial Connectivity of the integration with JAMF PRO instance.

Packet capture: In the case of successful connectivity, we see the HTTPS traffic that is sent from the ISE PAN server towards the JAMF PRO instance.

Packet capture example of connectivity with JAMF instance

Logs on ISE: The ISE processes and analyzes the data correspondingly as shown for ise-psc.log.

DEBUG [admin-http-pool16][[]] cisco.cpm.mdm.api.MdmServerInfoApi -:::::- inside the method : callMdmServerInfoApiOnMdmServer()
TRACE [admin-http-pool16][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- Inside MDMVerifyServer.verify, connectToServer is called 
DEBUG [admin-http-pool16][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- apiVersionSb : 3, mdmApiVersionSb : , tryWithV3 : false
DEBUG [admin-http-pool16][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- MDM Rest API Server Query String -> /ciscoise/mdminfo/?ise_api_version=3 
DEBUG [admin-http-pool16][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- MDM Rest API Server Query PATH String -> /ciscoise/mdminfo/?ise_api_version=3 
DEBUG [admin-http-pool16][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- 1. Connecting to the MDM server host YOUR_ACCOUNTusing apiVersion 3
DEBUG [admin-http-pool16][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDom: start  HTTP request - connectionsUsed: 1, connectionsAvailable: 199
DEBUG [admin-http-pool16][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDomNonComp: start  HTTP request - connectionsUsed: 0, connectionsAvailable: 200
DEBUG [admin-http-pool16][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- ===mdmFlowInfo===null,=====serverType=====MobileDeviceManager,===serverAuthType===Basic
DEBUG [admin-http-pool16][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- QueryType is heartbeatQuery
DEBUG [admin-http-pool16][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- using httpClient for http query - [parameters={http.route.default-proxy=http://PROXY_IP:PORT, http.socket.timeout=30000, http.connection.timeout=5000}]
INFO  [admin-http-pool16][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- GET: MDM Server URL: https://YOUR_ACCOUNT:443//networkIntegrationEndpoint/ID/ciscoise/mdminfo/?ise_api_version=3
DEBUG [admin-http-pool16][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- Proxy Config in request  = [,PROXY_IP,PORT,nullnull2fpwHJhtoIMf+jKzFKazgg==%/ZFdElAGn4odZaRIZxeiZQ==]
.
.
INFO  [admin-http-pool16][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- MDM Server Response Code: 200
TRACE [admin-http-pool16][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- 
Response data received from the MDM server : <?xml version="1.0" encoding="UTF-8"?><ise_api><name>mdminfo</name><api_version>3</api_version><api_path>/networkIntegrationEndpoint/ID/ciscoise/v3</api_path><redirect_url>https://YOUR_ACCOUNT.jamfcloud.com/enroll</redirect_url><query_max_size>1000</query_max_size><messaging_support>true</messaging_support><vendor>JAMF Software</vendor><product_name>JSS</product_name><product_version>10.48.1-t1689600654</product_version></ise_api>
DEBUG [admin-http-pool16][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDom: end  HTTP request - connectionsUsed: 1, connectionsAvailable: 199
DEBUG [admin-http-pool16][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDomNonComp: end  HTTP request - connectionsUsed: 0, connectionsAvailable: 200
TRACE [admin-http-pool16][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- isMdmSettingsIdNotNull flag Value : false,tryWithV3 : false, isMdmSettingsUpdateRequired : false
DEBUG [admin-http-pool16][[]] cisco.cpm.mdm.api.MdmServerInfoApi -:::::- returning from the method : callMdmServerInfoApiOnMdmServer() -> com.cisco.cpm.mdm.api.MdmServerInfoData Object {
  apiPath: /ID/ciscoise/v3
  redirectUrl: https://YOUR_ACCOUNT.jamfcloud.com/enroll
  queryMaxSize: 1000
  apiVersion: 3
  vendor: JAMF Software
  productName: JSS
  productVersion: 10.48.1-t1689600654
  COMMA: , 
  errorMsg: null
  errorOccurred: false
}

Troubleshooting MDM server is not reachable.

The base of this integration consists of the queries that ISE performs periodically towards the JAMF-PRO instance. 

The point of reference where the troubleshooting is performed (in this instance) is the Primary Administration Node (PAN).

The PAN node is from where the connectivity method is configured to reach the MDM server.

This same method is replicated in all the nodes for the implementation.

The next steps can be applied for troubleshooting reachability problems.

Step 1. Enable the component external-mdm in TRACE level on the PAN node.

External MDM component in TRACE level to troubleshoot

Step 2. Setup a capture from the PAN node, Save your configuration.

Packet capture example to collect information of MDM connection

Step 3. Navigate through the External MDM menu. Run the capture from Step 2 then select the button Test Connection. Wait for the error to appear.

Step 4. Stop the capture from Step 2. Review the logs corresponding ise-psc.log to analyze the behavior.

Scenario 1. A connection timeout occurred.

In the scenario where you get this error in ISE while testing the connection with JAMF:

MDM error connection timeout

The logs related to external MDM reveal this information.

TRACE [admin-http-pool26][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- Inside MDMVerifyServer.verify, connectToServer is called
DEBUG [admin-http-pool26][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- API version retrieved from MDM server : 3
DEBUG [admin-http-pool26][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- apiVersionSb : 3, mdmApiVersionSb : 3, tryWithV3 : false
DEBUG [admin-http-pool26][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- MDM Rest API Server Query String -> /ciscoise/mdminfo/?ise_api_version=3
DEBUG [admin-http-pool26][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- MDM Rest API Server Query PATH String -> /ciscoise/mdminfo/?ise_api_version=3
DEBUG [admin-http-pool26][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- 1. Connecting to the MDM server host YOUR_ACCOUNT.jamfcloud.com using apiVersion 3
DEBUG [admin-http-pool26][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDom: start  HTTP request - connectionsUsed: 0, connectionsAvailable: 200
DEBUG [admin-http-pool26][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDomNonComp: start  HTTP request - connectionsUsed: 0, connectionsAvailable: 200
DEBUG [admin-http-pool26][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- ===mdmFlowInfo===null,=====serverType=====MobileDeviceManager,===serverAuthType===Basic
DEBUG [admin-http-pool26][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- QueryType is heartbeatQuery
DEBUG [admin-http-pool26][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- using httpClient for http query - [parameters={http.socket.timeout=30000, http.connection.timeout=5000}]
INFO  [admin-http-pool26][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- GET: MDM Server URL: https://YOUR_ACCOUNT:443//networkIntegrationEndpoint/ID/ciscoise/mdminfo/?ise_api_version=3
INFO  [Timer-12][[]] cisco.mnt.common.utility.AlarmMessageDiskQueue -:::::- Inside dequeue
INFO  [Timer-12][[]] cisco.mnt.common.utility.AlarmMessageDiskQueue -:::::- root exists
INFO  [Timer-12][[]] cisco.mnt.common.utility.AlarmMessageDiskQueue -:::::- alarm.1692086243915 deleted true
INFO  [admin-http-pool26][[]] cisco.cpm.mdm.util.MdmServersCache -:::::- MDM server - Status : Active, mdm server id : ID and mdm server name : JAMF_PRO
ERROR [admin-http-pool26][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- Error message while connecting to MDM server :
Connection Failed to the MDM server host – YOUR_ACCOUNT.jamfcloud.com, and port - 443 : Connection timeout occurred. Check if the MDM server is reachable : SocketTimeoutException message = connect timed out
DEBUG [admin-http-pool26][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDom: end  HTTP request - connectionsUsed: 0, connectionsAvailable: 200
DEBUG [admin-http-pool26][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDomNonComp: end  HTTP request - connectionsUsed: 0, connectionsAvailable: 200
ERROR [admin-http-pool26][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- Exception occurred while connecting to the MDM server A connection timeout occurred. Check if the MDM server is reachable.
ERROR [admin-http-pool26][[]] cisco.cpm.mdm.api.MdmClient -:::::- A connection timeout occurred. Check if the MDM server is reachable.
DEBUG [admin-http-pool26][[]] cisco.cpm.mdm.api.MdmServerInfoApi -:::::- returning from the method : callMdmServerInfoApiOnMdmServer() -> com.cisco.cpm.mdm.api.MdmServerInfoData Object {
  apiPath: null
  redirectUrl: null
  queryMaxSize: null
  apiVersion: null
  vendor: null
  productName: null
  productVersion: null
  COMMA: ,
  errorMsg: null
  errorOccurred: true
}

From the packet capture, the next information can be reviewed.

DNS traffic. The ISE performs a query towards your JAMF related instance if you input the hostname in the setup part of the integration.

If you do not see the resolution of the hostname, attempt to use the IP address. This option is available to configure instead of the hostname.

DNS traffic in a MDM flow

Retransmissions in MDM connection port.  After this, if you query the IP address directly provided either in the DNS query or the MDM setup, you possibly see repeated SYN packets.

This indicates no direct route to the JAMF instance or an external device interfering with communications on the 443 port.

Connection to MDM timeout example

Scenario 2. Connection Failed: 404.

This event indicates that you have connectivity to your JAMF account that you configured while setting up the MDM server, however, the instance that you indicated to connect does not exist or contains an error as it is not found.

MDM error 404 example

The logs corresponding this event are displayed:

DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.api.MdmServerInfoApi -:::::- inside the method : callMdmServerInfoApiOnMdmServer()
TRACE [admin-http-pool32][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- Inside MDMVerifyServer.verify, connectToServer is called
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- API version retrieved from MDM server : 3
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- apiVersionSb : 3, mdmApiVersionSb : 3, tryWithV3 : false
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- MDM Rest API Server Query String -> /ciscoise/mdminfo/?ise_api_version=3
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- MDM Rest API Server Query PATH String -> /ciscoise/mdminfo/?ise_api_version=3
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- 1. Connecting to the MDM server host YOUR_ACCOUNT.jamfcloud.com using apiVersion 3
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDom: start  HTTP request - connectionsUsed: 1, connectionsAvailable: 199
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDomNonComp: start  HTTP request - connectionsUsed: 0, connectionsAvailable: 200
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- ===mdmFlowInfo===null,=====serverType=====MobileDeviceManager,===serverAuthType===Basic
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- QueryType is heartbeatQuery
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- using httpClient for http query - [parameters={http.route.default-proxy=http://PROXY_IP:PROXY_PORT, http.socket.timeout=30000, http.connection.timeout=5000}]
INFO  [admin-http-pool32][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- GET: MDM Server URL: https://YOUR_ACCOUNT.jamfcloud.com:443//networkIntegrationEndpoint/1/ewe/ciscoise/mdminfo/?ise_api_version=3
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- Proxy Config in request  = [,PROXY_IP,PROXY_PORT,nullnullglhhcSIWnCC7y8FvGQvm/Q==%fZ4PXgBMdoIDfbwdgIhSeA==]
INFO  [admin-http-pool37][[]] cpm.admin.infra.spring.ISEAdminControllerUtils -::admin:::- mapping path found in global-forwards, forwarding to: /pages/jsonResponse.jsp
INFO  [admin-http-pool37][[]] cpm.admin.infra.spring.ISEAdminControllerUtils -::admin:::- mapping path found in global-forwards, forwarding to: /pages/jsonResponse.jsp
INFO  [admin-http-pool32][[]] cisco.cpm.mdm.util.MdmServersCache -:::::- MDM server - Status : Active, mdm server id : ID and mdm server name : JAMF_PRO
ERROR [admin-http-pool32][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- Error message while connecting to MDM server : Failed to connect to MDM Server JAMF_PRO : 404
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDom: end  HTTP request - connectionsUsed: 1, connectionsAvailable: 199
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDomNonComp: end  HTTP request - connectionsUsed: 0, connectionsAvailable: 200
ERROR [admin-http-pool32][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- Exception occurred while connecting to the MDM server Connection Failed: 404:: the MDM server is not reachable
ERROR [admin-http-pool32][[]] cisco.cpm.mdm.api.MdmClient -:::::- Connection Failed: 404:: the MDM server is not reachable
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.api.MdmServerInfoApi -:::::- returning from the method : callMdmServerInfoApiOnMdmServer() -> com.cisco.cpm.mdm.api.MdmServerInfoData Object {
  apiPath: null
  redirectUrl: null
  queryMaxSize: null
  apiVersion: null
  vendor: null
  productName: null
  productVersion: null
  COMMA: ,
  errorMsg: null
  errorOccurred: true
}
DEBUG [admin-http-pool32][[]] cisco.cpm.mdm.util.MdmServersCache -:::::- mdm Guid: GUID is found in cache and status is: false

The packet capture in this time provides a HTTPS connection that contains application data that is being transferred between the JAMF site and the ISE server.

Packets involved in error 404 MDM

Scenario 3. Connection Failed: 401.

This error in the connection indicates a problem with the user that you are deploying in the MDM setup to integrate.

Verify that the user:

• exists within the JAMF account,
• has the right privileges to do the integration with ISE,
• and can be used to perform API authentication (described earlier in this guide).

MDM connection error code 401

The logs on ISE indicate this behavior:

INFO  [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- GET: MDM Server URL: https://YOUR_ACCOUNT.jamfcloud.com:443/networkIntegrationEndpoint/1/79fu/ciscoise/mdminfo/?ise_api_version=3
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- Proxy Config in request  = [,PROXY_PORT,PROXY_PORT,nullnull2fpwHJhtoIMf+jKzFKazgg==%/ZFdElAGn4odZaRIZxeiZQ==]
ERROR [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- Error message while connecting to MDM server : Failed to connect to MDM Server YOUR_ACCOUNT.jamfcloud.com : 401
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDom: end  HTTP request - connectionsUsed: 4, connectionsAvailable: 196
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDomNonComp: end  HTTP request - connectionsUsed: 0, connectionsAvailable: 200
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- retry connecting using api v2 after 5 seconds.
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- MDM Rest API Server Query String -> /ciscoise/mdminfo/?ise_api_version=2
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- MDM Rest API Server Query PATH String -> /ciscoise/mdminfo/?ise_api_version=2
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- 2. On Error : re-connecting to the MDM server host YOUR_ACCOUNT.jamfcloud.com using api version-2
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDom: start  HTTP request - connectionsUsed: 4, connectionsAvailable: 196
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDomNonComp: start  HTTP request - connectionsUsed: 0, connectionsAvailable: 200
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- ===mdmFlowInfo===null,=====serverType=====MobileDeviceManager,===serverAuthType===Basic
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- QueryType is heartbeatQuery
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- using httpClient for http query - [parameters={http.route.default-proxy=http://PROXY_IP:PROXY_PORT, http.socket.timeout=30000, http.connection.timeout=5000}]
INFO  [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- GET: MDM Server URL: https://YOUR_ACCOUNT.jamfcloud.com:443/networkIntegrationEndpoint/1/79fu/ciscoise/mdminfo/?ise_api_version=2
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- Proxy Config in request  = [,PROXY_IP,PROXY_PORT,nullnull2fpwHJhtoIMf+jKzFKazgg==%/ZFdElAGn4odZaRIZxeiZQ==]
ERROR [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- Error message while connecting to MDM server : Failed to connect to MDM Server YOUR_ACCOUNT.jamfcloud.com : 401
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDom: end  HTTP request - connectionsUsed: 4, connectionsAvailable: 196
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.util.MdmRESTClient -:::::- sendGETRequestDomNonComp: end  HTTP request - connectionsUsed: 0, connectionsAvailable: 200
DEBUG [admin-http-pool8][[]] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:::::- retry connecting using api v1 after 5 seconds.

The packet capture reveals a similar behavior like the one shown here.

MDM packets involved in error 401

Related information

JAMF Integration with ISE 2.X as MDM

Troubleshoot and Enable Debugs on ISE

How to Enable Debugs on ISE 3.x Versions.