Maintaining a BYOD network doesn’t have to be fraught with the challenges of managing device profiles or access to certain content. With new Systems Manager features in dashboard, including time-based tags, web content filtering, and single app mode management, admins can now tighten MDM security easily.
Time-based tags
For the same reasons that enabling an SSID only during work hours (or only after hours) limits access to network resources, controlling when a device profile is active also protects important material and gives end users a better experience.
Time-based tags, found in Systems Manager under Configure > General > Time based tags, add and remove profiles on tagged devices on a schedule. There are numerous ways to take advantage of this functionality. For example, in the enterprise, corporate profiles can be deployed to enrolled employee devices during the workday, granting access to resources, enforcing restrictions, and more. While the device remains enrolled in Systems Manager, these group profiles can be removed seamlessly at the end of the day, letting employees use their devices freely while keeping sensitive information in the office.
In the school setting, where BYOD and 1:1 devices are deployed, profiles can also be pushed and removed from enrolled student devices during school hours. They can also be added or removed based on class schedules. If the same device is used for different grades, restrictions can be set in various profiles and scheduled to activate at appropriate times when classes are in session.
MDM web content filtering
Whether in the enterprise or in education, managing what content BYOD devices can reach is an important compliance and security measure. With new web content filtering in Systems Manager, it’s easier than ever to ensure appropriate usage. Navigate to MDM > Settings > Restrictions for these enhanced restrictions; they apply only to supervised iOS 7 devices.
Enabling web content filtering provides two options for managing content: auto-filter and whitelisting. Auto-filter mode, provided by Apple, evaluates each site as it loads, identifies adult content, and blocks it as needed. This mode also lets you maintain a list of permitted URLs that bypass the filter and blacklisted URLs that are always blocked. The whitelist bookmarks mode adds the configured URLs to the browser’s bookmarks and restricts Internet access to just those sites.
Single app mode management
Also under MDM > Settings > Restrictions is the ability to define which apps may enter single app mode. Single app mode locks the device into one app so that users cannot flip back and forth between applications. This feature is heavily used in education: a testing app, for instance, can lock the device into itself until the test is complete, preventing the student from Googling answers or opening other material on the device. Systems Manager now lets admins specify the list of applications that are allowed to lock the device into single app mode, for a period of time determined by the application itself.
Log in to Systems Manager, or sign up for a free Systems Manager account here, and see how easy it is to enhance your MDM security in just a few mouse clicks.
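The dashboard settings above are delivered to the device as an Apple configuration profile. As an added example (not Systems Manager’s or Apple’s code), the following Python builds the two restriction payloads just described: a web content filter in either auto-filter or whitelist-bookmarks mode, and the list of apps permitted to enter single app mode. The payload types and keys are Apple’s documented ones; the profile identifier, URLs and bundle IDs are constructed placeholders, and both payloads only take effect on supervised devices.

```python
"""Generate the iOS 7 restriction payloads described above with plistlib.

Added example: this is not Systems Manager's or Apple's code. The payload
types and keys are the documented ones (com.apple.webcontent-filter and
autonomousSingleAppModePermittedAppIDs in com.apple.applicationaccess);
the identifiers, URLs and bundle IDs are constructed placeholders.
Both payloads only take effect on supervised devices.
"""
from __future__ import annotations

import plistlib
import uuid

PROFILE_ID = "com.example.mdm.restrictions"  # hypothetical identifier prefix


def _payload(payload_type: str, **body: object) -> dict:
    """Keys every payload dictionary in a configuration profile carries."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PROFILE_ID}.{payload_type}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        **body,
    }


def web_filter_autofilter(permitted: list[str], blacklisted: list[str]) -> dict:
    """Auto-filter mode: Apple's built-in classifier, plus an explicit
    allow list that bypasses it and a deny list that is always blocked."""
    return _payload(
        "com.apple.webcontent-filter",
        FilterType="BuiltIn",
        AutoFilterEnabled=True,
        PermittedURLs=list(permitted),
        BlacklistedURLs=list(blacklisted),
    )


def web_filter_whitelist(bookmarks: dict[str, str]) -> dict:
    """Whitelist-bookmarks mode: only the listed URLs are reachable, and
    each one appears as a bookmark in Safari under BookmarkPath."""
    return _payload(
        "com.apple.webcontent-filter",
        FilterType="BuiltIn",
        AutoFilterEnabled=False,
        WhitelistedBookmarks=[
            {"URL": url, "Title": title, "BookmarkPath": "/Allowed"}
            for title, url in bookmarks.items()
        ],
    )


def single_app_mode_permitted(bundle_ids: list[str]) -> dict:
    """Restrictions payload naming the apps allowed to lock the device
    into (autonomous) single app mode on their own."""
    return _payload(
        "com.apple.applicationaccess",
        autonomousSingleAppModePermittedAppIDs=list(bundle_ids),
    )


def build_profile(name: str, payloads: list[dict]) -> bytes:
    """Wrap payloads in a top-level profile and serialise it as an XML plist."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": list(payloads),
    })


def describe(profile: bytes) -> list[str]:
    """Parse a profile back and summarise what each payload enforces;
    a cheap sanity check before pushing it to devices."""
    lines = []
    for p in plistlib.loads(profile)["PayloadContent"]:
        if p["PayloadType"] == "com.apple.webcontent-filter":
            if p.get("AutoFilterEnabled"):
                lines.append(
                    f"web filter: auto-filter, {len(p.get('PermittedURLs', []))} permitted, "
                    f"{len(p.get('BlacklistedURLs', []))} blacklisted")
            else:
                lines.append(
                    f"web filter: whitelist of {len(p.get('WhitelistedBookmarks', []))} bookmarks")
        elif p["PayloadType"] == "com.apple.applicationaccess":
            ids = p.get("autonomousSingleAppModePermittedAppIDs", [])
            lines.append(f"single app mode permitted: {', '.join(ids)}")
    return lines


if __name__ == "__main__":
    exam_day = build_profile("Exam day", [
        web_filter_autofilter(["https://lms.example.edu"], ["https://social.example"]),
        single_app_mode_permitted(["com.example.testing"]),
    ])
    print(exam_day.decode())
    print("\n".join(describe(exam_day)))
```

The two web filter modes are alternatives, so a profile carries one `com.apple.webcontent-filter` payload, not both; `describe` makes it obvious which mode a generated profile is in before it is pushed.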
Apple recently announced a whole new way to enroll devices in MDM, and in doing so removed several of the roadblocks that have long plagued MDM admins. Apple’s new Device Enrollment Program (DEP) allows administrators to enroll devices in Systems Manager without ever touching them. In fact, devices can be enrolled right when they are purchased and arrive in users’ hands with Systems Manager as part of the initial setup process. Along with this functionality comes more control for MDM administrators, most notably the ability to prevent users from removing the Systems Manager profile from a device. Cisco Meraki Systems Manager lets admins take advantage of these enhancements right away.
Setting up the Device Enrollment Program
First, create an account with Apple’s Device Enrollment Program. Add devices to the program by serial number or Apple purchase order number. Next, configure Systems Manager to communicate with Apple’s DEP by navigating to Organization > Settings > Apple Device Enrollment Program. Systems Manager will then automatically populate the MDM > DEP tab in dashboard with the participating devices.
MDM > DEP tab with a single device on the Meraki Corp – Systems Manager network
Systems Manager DEP
With Systems Manager, administrators can configure every detail of the new device setup process, such as which screens appear on startup, and if installing the Systems Manager profile is mandatory or not. Not only can the setup process be streamlined for this one device, but for all of your MDM managed devices in just a few clicks.
Configure initial setup settings for DEP managed devices such as allowing the device to be paired and specifying which setup pages to skip (Siri and diagnostics are skipped above).
Now when the Apple device arrives in the end user’s hands, the initial setup is configured for that organization’s specific needs, including Apple Configurator supervision, MDM profile setup, and more.
During setup, the iPad prompts the user to install the Systems Manager profile with no intervention from the administrator and no Apple ID or passwords required.
Non-removable MDM profile
Not only can the administrator require that the SM profile be installed on setup, but they can also prevent the profile from being removed. This is a huge departure from previous management capabilities that left even company or school-owned devices at the mercy of the end user.
Systems Manager MDM management profile installed on the iPad with no option for removal
Systems Manager DEP enables an enhanced level of device management for administrators and is available today in dashboard. Brand-new Apple devices, as well as those purchased directly from Apple in the last 3 years, are eligible for the Device Enrollment Program. As soon as your products are enrolled, admins can start prompting fresh installs for DEP devices.
Like purchasing a new car, buying networking infrastructure is a major investment decision. You need your gear to work reliably upon first use—and for years thereafter. You want something that won’t be obsolete in 6 months. Several people, perhaps thousands, will rely on what you bought to get from point A to point B—so a smooth user experience is key. And once you’ve installed your equipment, it can be painful and time-consuming to switch to other vendors’ models.
Test driving networking gear before you commit is vital; the equipment must work in your specific environment for your specific use cases and meet your specific criteria.
Every Cisco Meraki device is available for free evaluation. Yes, free—we pay the shipping both ways, so there’s zero risk to you. You have access to full Meraki technical support—exactly what paying customers receive—during your trial as well as access to a dedicated free trial support team, so you can try out our support service along with our hardware. You can even schedule an appointment with our free trial support team and get a dashboard walk-through from a support engineer. Every piece of equipment you’ll evaluate is straight from our factory; we won’t ship you gear that’s been floating in a rotation pool. And we also supply helpful tips on how our products make life easier for you.
Getting started is simple: call us or visit meraki.cisco.com/eval to register for a free eval. Experience firsthand the ease of deploying remote sites, the benefit of seamless cloud updates that future-proof your investment, and the satisfaction of deep visibility and control over your network from any Internet-accessible device.
Now that the 2014 March Madness bracket has been revealed and the games are underway, the cyber mayhem of live streaming and fan activity is sure to ensue. This could be a fantastic time to experiment with some useful dashboard features. Monitor which users are most invested in the tournament by utilizing the traffic analytics tool on the client details page, create a customized March Madness splash page, and perhaps consider taking some precautionary measures on the back-end to ensure the smooth functioning of your network during this exciting time.
One way to protect your network is to create layer 7 firewall rules and traffic shaping policies in dashboard. Layer 7 fingerprinting and application QoS in Cisco Meraki APs and Security Appliances, powered by our custom-built packet processing engine, enable inspection, classification, and traffic shaping inside Cisco Meraki devices. Layer 7 firewall rules deny certain types of traffic within your network. Policies can be as granular as you wish, from network-wide settings to per-client specifications, and can vary between different SSIDs.
To make a layer 7 firewall rule in dashboard:
Go to Configure > Firewall and traffic shaping.
Under the Firewall section, select “Add a layer 7 firewall rule.”
Select the type of traffic you would like to control (e.g., peer-to-peer, sports, video & music, etc.).
Some organizations may choose to completely block certain types of traffic.
For those who do not wish to completely block a specific traffic category, traffic shaping rules may be more up your alley. Traffic shaping rules limit the amount of bandwidth dedicated to certain applications and traffic types.
Use traffic shaping rules for granular control over your network.
Global bandwidth limits apply to inter-VLAN traffic on an MX security appliance as well as to outbound traffic, so we recommend taking a look at our Knowledge Base article on global bandwidth limit considerations before making changes to your network.
Another option for further customized control over your network is to create a group policy in dashboard that includes any bandwidth limits or traffic shaping rules you desire. You can decide which clients the policy will affect, and even enable scheduling on the policy to keep the limits in place for certain hours of the day but off for others.
Throughout the tournament, you can keep an eye on the status of your network with the live tools section in dashboard. Features such as spectrum analysis, throughput, and ping provide a real-time picture of your network’s health, allowing you to make changes to your settings if necessary. For quick check-ins, you can always monitor traffic from the client details page or schedule summary report emails to be sent on a weekly (or even daily) basis.
Use the throughput test to find bottlenecks in your network and to see the maximum throughput from a Cisco Meraki device to the Internet.
Now that you’ve prepped your network, let the Madness begin!
Jailbroken (on Apple devices) or rooted (on Android devices) devices are compromised devices: on iOS, the operating system has been modified to give the user greater control and bypass Apple’s restrictions, and on Android the user has gained root to bypass similar restrictions. This can cause numerous complications, especially when those devices are company-issued. Voided warranties, downloaded malware, blocked access to app stores, and even a bricked device are all possible consequences.
With the newly released “Security Center” in dashboard, the Cisco Meraki team has made it easier than ever to spot these jailbroken devices and also determine why a device may be at risk.
Systems Manager uses several methods to detect a jailbreak. For instance, it checks for the existence of certain apps, like Cydia, that are only available on jailbroken devices. It can also detect write access to certain root folders, which a sandboxed app only has on a jailbroken device. It can even check whether the device will open URL schemes (such as cydia://) that are only registered by apps associated with jailbreaks.
Navigate to Security > Auditing and add fields such as At risk?, Jailbroken, and Reason to actively monitor the security of enrolled devices. In Security > Reporting, schedule emailed Systems Manager security reports covering all devices, or only those that are failing. If enrolled jailbroken devices are discovered, choose a remediation action, such as enforcing a more restrictive Systems Manager profile or even revoking VPN or WiFi access.
Stop wondering about the status of enrolled devices and take charge of maintaining MDM security.
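To make the three detection methods concrete, here is an added example in Python that runs the same checks against a directory tree standing in for a device’s root filesystem. This is not Systems Manager’s own detection code, which runs on the device itself. Cydia.app is the artefact named above; the other paths are commonly checked jailbreak artefacts that I have added, and the URL-scheme check is modelled with a plain set because canOpenURL: is an iOS-only API. The fixtures are constructed temporary directories.

```python
"""Illustrate the three jailbreak indicators described above.

Added example in Python for readability: Systems Manager's own detection
runs on the device and its code is not shown here. File paths beyond
Cydia.app are other commonly checked artefacts (my addition), and the
URL-scheme check is modelled with a plain set because canOpenURL: is an
iOS-only API. The fixtures are constructed temporary directories.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Present only after a jailbreak. Cydia is the example named above.
JAILBREAK_ARTIFACTS = (
    "Applications/Cydia.app",
    "Library/MobileSubstrate/MobileSubstrate.dylib",
    "bin/bash",
    "usr/sbin/sshd",
    "etc/apt",
)

# Directories a sandboxed app cannot write to on a stock device.
PROTECTED_DIRS = ("private", "Applications")

# URL schemes registered by jailbreak tooling; if the device will open
# one of these, that tooling is installed.
JAILBREAK_SCHEMES = frozenset({"cydia"})


def find_artifacts(root: str) -> list[str]:
    """Return the jailbreak artefacts that exist under root."""
    return [p for p in JAILBREAK_ARTIFACTS if (Path(root) / p).exists()]


def writable_protected_dirs(root: str) -> list[str]:
    """Return protected directories the caller can create a file in.

    O_CREAT|O_EXCL guarantees an existing file is never truncated, and
    the probe is unlinked straight away. A root user bypasses mode bits,
    so run this unprivileged for a meaningful answer.
    """
    writable = []
    for rel in PROTECTED_DIRS:
        directory = Path(root) / rel
        if not directory.is_dir():
            continue
        probe = directory / ".jailbreak-probe"
        try:
            fd = os.open(probe, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except OSError:
            continue  # read-only, as expected on a stock device
        os.close(fd)
        os.unlink(probe)
        writable.append(rel)
    return writable


def reachable_schemes(registered: set[str]) -> list[str]:
    """Stand-in for canOpenURL:: which jailbreak schemes the device handles.

    `registered` models the URL schemes that installed apps have
    registered; on a real device this comes from the OS, not a set.
    """
    return sorted(JAILBREAK_SCHEMES & set(registered))


def assess(root: str, registered_schemes: set[str]) -> dict:
    """Combine the signals into a verdict plus the reasons behind it,
    mirroring the At risk? / Jailbroken / Reason fields in the dashboard."""
    reasons = [f"artifact present: /{p}" for p in find_artifacts(root)]
    reasons += [f"writable: /{d}" for d in writable_protected_dirs(root)]
    reasons += [f"handles scheme: {s}://" for s in reachable_schemes(registered_schemes)]
    return {"jailbroken": bool(reasons), "reasons": reasons}


def make_fixture(jailbroken: bool) -> str:
    """Constructed directory tree standing in for a device's root filesystem."""
    root = tempfile.mkdtemp(prefix="ios-root-")
    for rel in PROTECTED_DIRS:
        (Path(root) / rel).mkdir()
    if jailbroken:
        (Path(root) / "Applications" / "Cydia.app").mkdir()
        (Path(root) / "etc" / "apt").mkdir(parents=True)
    else:
        for rel in PROTECTED_DIRS:  # read-only, as on a stock device
            (Path(root) / rel).chmod(0o555)
    return root


if __name__ == "__main__":
    print(assess(make_fixture(jailbroken=True), {"cydia", "http", "mailto"}))
    print(assess(make_fixture(jailbroken=False), {"http", "mailto"}))
```

The verdict carries its reasons rather than a bare boolean, which is what makes the Reason column useful when deciding between remediation actions: a single reachable URL scheme with no writable directories is a different situation from a device with Cydia installed and a writable /Applications.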
We have had so much positive feedback that we’re bringing back the program for a second round. Cisco Meraki hardware is enterprise class, easy to set up, and low maintenance – the perfect infrastructure for startups relying on rock-solid networks to build their products and businesses.
A Startup Kit provides a full stack of the hardware and software needed for a complete network:
We will be awarding Startup Kits to a select group of companies based on their ability to put a Cisco Meraki network to good use. We are especially excited to take nominations of new companies from our previous Startup Kit recipients.
To apply for a startup kit, fill out the short application form by April 1, 2014.
Important Eligibility Requirements
In order to place Startup Kits in companies that will receive the most value from them, and to prevent abuse, eligible companies must:
Have raised seed or Series A funding from a VC or established Angels
Be headquartered in the United States, Canada, or the United Kingdom
Have not previously received a Meraki Startup Kit
The Startup Kit is a limited-time offer. Quantities are limited. Eligibility is at the sole discretion of Cisco Systems.
Enter by April 1 for a chance to receive your very own Meraki Startup Kit!
Have you ever wondered which MX Security Appliance model is right for you? Or how maximum throughput is affected by enabling certain security features? Or how the Meraki MX stacks up against the competition?
We tell you which security features are commonly enabled in each scenario, and we’ve evaluated MX throughput with test traffic that reflects usage in the wild (e.g., K-12 institutions will see a greater proportion of Web traffic, while head-end concentrator deployments will see more FTP activity).
One of several use cases dissected in the new MX sizing guide.
Although we always encourage prospective customers to test-drive our products in their own environment through our free evaluation program, this sizing guide gives IT admins a way to quickly match their own use case to realistic, scenario-driven throughput numbers—and choose the right MX for their organizations.
The Systems Manager Support Community has moved to the Meraki Community.
Please navigate to the new Systems Manager page of the Meraki Community here!
The Cisco Meraki team is always looking to expand the resources available to customers. Whether it is through our documentation page or knowledge base, there are a wealth of resources out there, but we wanted to provide a way for customers to share their experiences, and ask their own questions about the product. The Systems Manager Support Community is exactly that.
Search for common topics and get answers to your Systems Manager questions. Some trending topics are:
How to retire a user and revoke all of their app licenses?
Does the user have to enter the Apple ID password for every app installed?
How do I mass-deploy the Windows agent using an AD GPO?
Share how you are implementing Systems Manager in your environment and find tips from other users who have had similar experiences.
Can’t find what you are looking for? Start a new discussion. Simply create an account and become part of the community. We can’t wait to hear from you.
For a while now, Systems Manager has offered an app that sits on the client device, streamlining enrollment and enhancing the location tracking via GPS. The Systems Manager team has enhanced the app, to provide even more functionality at the end client device, and the app now boasts tools to help clients manage apps that have been pushed to their devices, as well as a feature called Backpack, that pushes files to clients. This post looks at these enhancements as well as how to get started with the iOS SM app.
Below we can see a view of the managed app screen in the SM app. From here, end users can easily access all apps that have been provisioned for their device. They can also see which apps are installed and which are up to date. For missing apps, users simply tap the app to install it on the device. This saves administrators valuable time by letting the end user re-push an app without IT intervention. Here is some further info on pushing apps from Systems Manager, as well as on pushing apps using Apple’s new VPP managed distribution model.
The second addition to the iOS app is Backpack. This feature is already available on Android and we are excited to bring it to iOS devices. With Backpack, administrators can push all types of documents to the client devices, and also keep users up to date with the most recent version.
Backpack is a powerful tool for teachers, allowing them to push out documents to student devices before class or for homework. Each student will be able to access the most up to date version on their iPad from the SM app. Similarly, enterprises can securely push updated price lists to field sales teams on the go. To find out how to set up Backpack in the dashboard, click here.
We are excited to announce these much anticipated features and you can start taking advantage of them right away. To get your devices set up with the SM app, simply deploy it through Systems Manager to all of your managed devices, or download it directly from the App store.