Endpoint Manager for Cisco ISE — labelled ISE Device Management in the admin — lets you delegate the care and feeding of MAC-authorised endpoints in your own Cisco ISE, one Endpoint Identity Group at a time, without giving delegated admins access to ISE itself. The people who know what belongs on the network — the telephony vendor, the security contractor, the AV integrator — add, move, update and remove the endpoints in their group from a Self-Service portal. They manage their own inventory; you keep the ISE admin seat. It is designed for Cisco ISE deployments that authorise endpoints by MAC or hold per-endpoint identity (iPSK, profile-driven attributes, Security Group Tags, VLAN assignments) and where maintaining those lists has become a bottleneck because the knowledge lives somewhere other than the network team.
[Figure: Add Service Context picker showing Sign In, EntryPoint, Meraki - Wireless Private Network, and ISE Device Management cards]

The core idea — distributed administration of ISE Endpoint Identity Groups

A Cisco ISE Context connects the platform to an ISE instance you already run and surfaces its Endpoint Identity Groups. You opt each group in to managed administration, one by one, and invite one or more Self-Service Users to each managed group. For example:
  • IP_Phones is managed by a Group Administrator from your telephony vendor.
  • Cameras is managed by a Group Administrator from the security contractor.
  • Conference_Room_Displays is managed by a Group Administrator from the AV integrator.
  • Digital_Signage is managed by a Group Administrator from the marketing agency.
Each Group Administrator sees only their own group, adds and removes MACs there, optionally delegates to colleagues, and never logs in to ISE. You keep a single view of all managed groups — who owns what, how many endpoints are in each, who is an administrator where — from the admin dashboard.

Distributed administration is one shape. BYOD onboarding for ISE deployments, per-vendor IoT inventory, and shared-lab equipment sign-out all work the same way: a Context, one or more Endpoint Identity Groups, and the right delegated administrators on each.

What Endpoint Manager is not

  • Not a RADIUS service. Your Cisco ISE continues to do all authentication and authorization — 802.1X, MAB, iPSK, profiling rules, authorization policies. Endpoint Manager sits next to ISE, not in front of it.
  • Not a replacement for ISE’s admin UI. You still run ISE’s own admin for policy work, identity sources, certificates, and the rest. Endpoint Manager only covers the per-endpoint, per-group work you want to delegate.
  • Not the same as EntryPoint’s iPSK for Cisco Networks. EntryPoint’s iPSK is a Netgraph-hosted RADIUS service that serves iPSK directly to your Cisco controllers. Endpoint Manager iPSK Management is delegated administration of iPSK endpoints that Cisco ISE is already serving. Two distinct Services for two distinct deployment shapes — don’t conflate them.
  • Not a Meraki-side tool. If your shared-SSID, per-unit key deployment is on Meraki, look at EasyPSK for Cisco Networks.

Who operates Endpoint Manager

Organization administrators connect the platform to their Cisco ISE (one-time API credentials), decide which of ISE’s existing Endpoint Identity Groups to bring into managed administration, and invite a Group Administrator on each. From that point the Group Administrator manages their group from the Self-Service portal — adding, updating, batch-importing, revoking — without involving you.

Prerequisites

You will need:
  • A Cisco ISE deployment that you administer, reachable over HTTPS from the platform’s egress FQDN (shown in the admin’s API Configuration card).
  • A dedicated ISE API user with permission to read and write endpoints, read endpoint identity groups, and query the Monitoring API.
  • ISE’s ERS (External RESTful Services) API, Open API and Monitoring API (MnT) enabled on the deployment. All three must respond before the Context is usable.
  • The Endpoint Identity Groups you want to manage either already in place or ready to be created from the admin.
  • For each Managed Attribute you want to synchronise (for example vendor-owner, asset-tag, maintenance-window), a matching Endpoint Custom Attribute defined in ISE under Administration → Identity Management → Endpoint Custom Attributes.
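
A preflight check for the prerequisite that ERS, Open API and MnT all respond for the dedicated API user, as an added example (not the platform's or Cisco's code). The probe paths and the `ISE_*` environment variable names are assumptions; the page does not list which ISE calls the platform makes.

```python
import base64
import os
import urllib.error
import urllib.request

# Assumed read-only probes, one per API: name -> (path, Accept header).
PROBES = {
    "ERS": ("/ers/config/endpointgroup", "application/json"),
    "Open API": ("/api/v1/endpoint", "application/json"),
    "MnT": ("/admin/API/mnt/Version", "application/xml"),
}

def http_status(url, user, password, accept, timeout=10):
    """GET url with basic auth; return the HTTP status, or None if no HTTP reply.
    Certificate verification is left on (the urllib default)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": accept})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except OSError:  # URLError, TLS failure, timeout, refused connection
        return None

def classify(status):
    """Map a probe status to what the ISE admin has to fix."""
    if status is None:
        return "no response"
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return "credentials rejected"
    if status == 403:
        return "API user lacks permission"
    return f"unexpected HTTP {status}"

def preflight(base_url, user, password, fetch=http_status):
    """Probe all three APIs; return (ready, {api_name: verdict})."""
    base = base_url.rstrip("/")
    if not base.lower().startswith("https://"):
        raise ValueError("ISE base URL must use https://")
    verdicts = {name: classify(fetch(base + path, user, password, accept))
                for name, (path, accept) in PROBES.items()}
    return all(v == "ok" for v in verdicts.values()), verdicts

if __name__ == "__main__":  # ISE_URL / ISE_USER / ISE_PASS are hypothetical names
    print(preflight(os.environ["ISE_URL"], os.environ["ISE_USER"], os.environ["ISE_PASS"]))
```

Run from your own host, this confirms the three APIs and the API user's permissions, not reachability from the platform's egress FQDN.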

Where to go next

Quickstart

Connect an ISE, manage the first group, invite the first Group Administrator.

Endpoint Identity Groups

The hero concept — a managed reflection of an ISE group.

Delegated administration

Who does what, and where the trust boundary sits.

Cisco ISE connection

Base URL, API user, and the three ISE APIs to enable.