| Where Can I Use This? | What Do I Need? |
| --- | --- |
| | One of the following subscriptions: Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical); Device Security X subscription |

If you have on-premises Active Directory (AD) synchronized with Cloud Identity Engine (CIE), you can integrate Device Security with CIE to learn whether your IoT devices are part of your AD information. This integration helps you identify managed and unmanaged devices on your network, providing more context to create effective Security policy rules.

Through the integration, Device Security retrieves devices and device attributes from CIE and matches the devices to existing ones in your Device Security inventory based on hostname. Device Security can't learn new devices from the CIE integration. After matching devices, Device Security updates the device attributes for those devices in your asset inventory. These attributes include AD join status, AD groups, domain name, last login, and operating system information. When viewing the Device Details page, Device Security displays the source for attributes learned from Active Directory through the CIE integration as PAN-OS. Device Security queries CIE for device information when you first enable the integration, and then queries CIE once a day as long as the integration is active.

Toggling the integration off and back on won't trigger a new sync if it's less
than 24 hours since the last one.
You can filter your device inventory based on AD join status or AD attributes,
and create security policy rules that account for a device's domain membership.
This contextual data enriches your device inventory, supporting more comprehensive
security analysis. When accounting for AD status and groups, Security policy rules
can enforce network and resource access based on your organization's
management requirements.
This integration requires an active in the same tenant service group (TSG) as your Device Security tenant.

You can enable or disable the CIE integration in Device Security.