Exam 300-715 topic 1 question 206 discussion

Actual exam question from Cisco's 300-715
Question #: 206
Topic #: 1

An administrator must block access to BYOD endpoints that were onboarded without a certificate and have been reported as stolen in the Cisco ISE My Devices Portal. Which condition must be used when configuring an authorization policy that sets DenyAccess permission?

  • A. Endpoint Identity Group is Blocklist, and the BYOD state is Registered.
  • B. Endpoint Identity Group is Blocklist, and the BYOD state is Pending.
  • C. Endpoint Identity Group is Blocklist, and the BYOD state is Lost.
  • D. Endpoint Identity Group is Blocklist, and the BYOD state is Reinstate.
Suggested Answer: A 🗳️

Comments

XBfoundX
5 months ago
According to this documentation, Lost and Stolen are different, as Nonce has reported. Stolen: The user logs onto the My Devices portal, and marks a currently onboarded device as Stolen. This happens: If the device was onboarded by provisioning a certificate and a profile, Cisco ISE revokes the certificate that was provisioned to the device, and assigns the device’s MAC address to the Blacklist endpoint identity group. That device no longer has network access. If the device was onboarded by provisioning a profile (no certificate), Cisco ISE assigns the device to the Blacklist endpoint identity group. The device still has network access, unless you create an authorization policy for this situation. For example, IF Endpoint Identity Group is Blacklist AND BYOD_is_Registered THEN DenyAccess. https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ISE_26_admin_guide/b_ISE_admin_26_byod.html
upvoted 2 times
XBfoundX
5 months ago
Lost: The user logs on to the My Devices portal, and marks a currently onboarded device as Lost that causes the following actions: The device is assigned to Blacklist identity group. Certificates provisioned to the device are not revoked. The device status is updated to Lost. BYODRegistration status is updated to No. A lost device still has network access unless you create an authorization policy to block lost devices. You can use the Blacklist identity group or the endpoint:BYODRegistration attribute in your rule. For example, IF Endpoint Identity Group is Blacklist AND EndPoints:BYODRegistrations Equals No THEN BYOD.
upvoted 2 times
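
The Stolen and Lost behaviour quoted in the two comments above, modelled as a small Python sketch (an added example, not part of the original thread and not Cisco ISE code or its API). All class, function and rule names are hypothetical; it assumes a first-match rule list with a permissive existing BYOD rule, and that a Stolen device keeps BYODRegistration = Yes, as the guide's example rule implies.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    mac: str
    has_cert: bool                    # onboarded with certificate + profile?
    group: str = "RegisteredDevices"  # sample starting identity group
    byod_registered: bool = True      # models EndPoints:BYODRegistration
    cert_revoked: bool = False
    status: str = "Registered"

def mark_stolen(ep):
    """My Devices portal 'Stolen', as the quoted guide text describes it."""
    ep.group, ep.status = "Blacklist", "Stolen"
    ep.cert_revoked = ep.has_cert     # only a provisioned certificate is revoked
    # Assumption: BYODRegistration stays Yes (implied by the guide's example rule).

def mark_lost(ep):
    """My Devices portal 'Lost': certificates are not revoked."""
    ep.group, ep.status = "Blacklist", "Lost"
    ep.byod_registered = False        # BYODRegistration is updated to No

# Rules are (name, condition, result); first match wins (assumed model).
STOLEN_RULE = ("Blacklist AND BYOD registered",
               lambda ep: ep.group == "Blacklist" and ep.byod_registered,
               "DenyAccess")
# Assumption: a blocking result for Lost devices, keyed on BYODRegistration = No.
LOST_RULE = ("Blacklist AND BYODRegistration No",
             lambda ep: ep.group == "Blacklist" and not ep.byod_registered,
             "DenyAccess")
# Assumption: stand-in for whatever rule already admits BYOD devices.
EXISTING_RULE = ("Existing BYOD rule", lambda ep: True, "PermitAccess")

def authorize(ep, rules):
    if ep.cert_revoked:
        return "DenyAccess"           # revoked certificate: no network access
    for _name, condition, result in rules:
        if condition(ep):
            return result
    return "DenyAccess"

if __name__ == "__main__":
    dev = Endpoint("00:00:5E:00:53:01", has_cert=False)  # constructed MAC
    mark_stolen(dev)
    print("no extra rule :", authorize(dev, [EXISTING_RULE]))
    print("with rule     :", authorize(dev, [STOLEN_RULE, EXISTING_RULE]))
```

In this model a Lost device does not match the Blacklist-and-registered rule, because its BYODRegistration is No; it needs the separate rule keyed on that attribute.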
Nonce
8 months, 2 weeks ago
Selected Answer: A
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ISE_26_admin_guide/b_ISE_admin_26_byod.html#ID19 "If the device was onboarded by provisioning a profile (no certificate), Cisco ISE assigns the device to the Blacklist endpoint identity group. The device still has network access, unless you create an authorization policy for this situation. For example, IF Endpoint Identity Group is Blacklist AND BYOD_is_Registered THEN DenyAccess."
upvoted 1 times
Leogxn
9 months ago
Selected Answer: A
Although it should be the Blacklist endpoint identity group according to the Cisco web page, the answers are using Blocklist; anyway, it's A, the closest option. https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ISE_26_admin_guide/b_ISE_admin_26_byod.html#concept_E5CE365D49C94A32ACA7D629BB1CA9EE Device Registration Status Endpoint Attribute: Stolen: The user logs onto the My Devices portal, and marks a currently onboarded device as Stolen. This happens: If the device was onboarded by provisioning a certificate and a profile, Cisco ISE revokes the certificate that was provisioned to the device, and assigns the device’s MAC address to the Blacklist endpoint identity group. That device no longer has network access. If the device was onboarded by provisioning a profile (no certificate), Cisco ISE assigns the device to the Blacklist endpoint identity group. The device still has network access, unless you create an authorization policy for this situation. For example, IF Endpoint Identity Group is Blacklist AND BYOD_is_Registered THEN DenyAccess.
upvoted 1 times
redpassion
10 months, 4 weeks ago
Selected Answer: A
If the device was onboarded by provisioning a profile (no certificate), Cisco ISE assigns the device to the Blacklist endpoint identity group. The device still has network access, unless you create an authorization policy for this situation. For example, IF Endpoint Identity Group is Blacklist AND BYOD_is_Registered THEN DenyAccess.
upvoted 2 times
amtf8888
11 months, 2 weeks ago
A is right according to https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ISE_26_admin_guide/b_ISE_admin_26_byod.html
upvoted 1 times
denverfly
11 months, 2 weeks ago
Selected Answer: C
The correct answer is Endpoint Identity Group is Blocklist, and the BYOD state is Lost. The BYOD state of a device can be one of the following: Registered: The device has been enrolled in Cisco ISE and has a valid certificate. Pending: The device is in the process of being enrolled in Cisco ISE. Lost: The device has been reported as lost or stolen. Reinstate: The device has been reinstated after being reported as lost or stolen. If the administrator wants to block access to BYOD endpoints that were onboarded without a certificate and have been reported as stolen, then they must use the following conditions when configuring an authorization policy that sets DenyAccess permission: Endpoint Identity Group: Blocklist; BYOD State: Lost. This will ensure that any BYOD endpoint that is in the Blocklist identity group and has a BYOD state of Lost will be blocked from accessing the network.
upvoted 2 times
Leogxn
9 months ago
Lost: The user logs on to the My Devices portal, and marks a currently onboarded device as Lost that causes the following actions: The device is assigned to Blacklist identity group. Certificates provisioned to the device are not revoked. The device status is updated to Lost. BYODRegistration status is updated to No
upvoted 1 times
denverfly
1 year ago
Selected Answer: A
When configuring an authorization policy in Cisco ISE to block access to BYOD endpoints that were onboarded without a certificate and have been reported as stolen in the My Devices Portal, the condition that should be used is Endpoint Identity Group is Blocklist, and the BYOD state is Registered. The Endpoint Identity Group attribute determines whether a device is allowed or denied network access, and the Blocklist group specifically denies access to devices in the list. The BYOD state attribute identifies the device's state in the BYOD workflow, and the Registered state is used for devices that have onboarded but have not yet been authorized. Therefore, by combining these two conditions in an authorization policy, the administrator can deny access to stolen BYOD devices that were onboarded without a certificate.
upvoted 1 times
kornalt
1 year, 3 months ago
Provided answer is correct: https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ISE_26_admin_guide/b_ISE_admin_26_byod.html
upvoted 3 times
YmerG
1 year, 1 month ago
Thank you for the link, correct answer
upvoted 1 times
Community vote distribution: A (35%, most voted), C (25%), B (20%), Other