Last week we were very excited to usher in the all new Systems Manager Enterprise into the Cisco Meraki product family. Along with enhanced policy management and end-to-end network and device security, Systems Manager Enterprise offers capabilities that simplify device management for growing networks as users (and their new devices) join an organization.
The first step in scaling a deployment is enrollment. As users enroll their devices in Systems Manager (manually, or dynamically as they join a wireless network), the enrollment process can be integrated with Active Directory. This enhances security and cuts down on the number of unknown devices in a network. Before AD integration, administrators needed to manually tie users to their devices. Now this can be done automatically with Systems Manager. Furthermore, AD groups can also be tied to devices, and policies can be applied automatically based on those AD groups. In this blog post we will take a look at how to implement this feature using Systems Manager Enterprise.
Configure AD integration in Systems Manager
First, configure the settings for your AD server in Systems Manager under the Configure > General tab. One or multiple AD servers can be configured. A detailed explanation of how to configure user authentication with Active Directory is available in the Meraki documentation.
‘Owners’ and ‘Auto tags’ are applied to devices
Now that the AD server is tied to Systems Manager, as users enroll, Systems Manager will query their username and group memberships from Active Directory. In the Configure > Owners tab, as seen below, the first two users have enrolled with Active Directory, as indicated by ‘AD’ in the type field. The user ‘paul’ is in 3 AD groups: Administrators, Corporate, and Users.
By navigating to the client view of Paul’s device, we can see that the AD groups were also created as ‘Auto tags’. On this page, we can also see that the ‘Owner’ has been automatically assigned to the AD username ‘paul’. Having the owner preassigned is helpful when we want to push out Exchange settings to Paul’s device, as those attributes are already tied to Paul from enrollment.
Dynamically apply policies based on AD groups
Finally, policies are dynamically applied based on the user’s AD groups. Under MDM > Profiles, we have created a ‘Passcode’ profile. When the scope of this profile is defined, we can indicate that only devices whose owners are in the AD group ‘Corporate’ should receive these settings.
Profiles can be used to define much more than enforcing a passcode. Administrators can set device restrictions, push out WiFi and VPN settings, deploy documents, and more. To test out these features, you can set up a free trial of Systems Manager Enterprise.