Wishes for the Meraki dashboard mobile app have been quite healthy of late, and there has been a significant uptick in users over the past few months. The engineering team has been hard at work enhancing the app and has added some new, exciting features.
Visibility into clients is key to understanding how the network is used and to identifying users consuming extraordinarily high amounts of bandwidth. The mobile app now shows connected and offline clients, with the ability to sort by usage, time last seen online, and other parameters. The famously-fast Meraki search is also in the app, enabling quick troubleshooting. Find devices by name, OS, or even IP subnet, and click to get details such as MAC, IP, SSID, RSSI, and more.
Get to the bottom of things quickly
New network troubleshooting tools help admins test infrastructure connectivity from the app. The ping tool triggers pings sent from the Meraki cloud to a switch, AP, or MX Security Appliance – average latency and ping loss percentage are updated live.
Help on the go
The Meraki mobile app is optimized for network management on-the-go. Sometimes it’s handy to check the status of an open support case or read notes on its resolution. Support cases are now viewable in the app (see the “More” tab) and categorized by status for convenience, making it quick and easy to get the latest support update for a network.
A few customers have wished for the ability to PIN-lock the app, making access secure and convenient. PIN locking is offered in addition to two-factor authentication and is enabled by going to the “More” menu and selecting a four-digit PIN.
Get started by downloading the app onto your device:
From electric-powered longboards to 3D heart imaging, all of the startups we heard from are working on fascinating projects. We were very impressed by the caliber of the companies that applied for Startup Kits and also noticed a few interesting trends for this round:
Increase in cloud-based or cloud-related companies
Startups with a goal to aggregate or consolidate existing resources
Hardware startups building familiar items with a software twist
Healthcare-related startups seeking to revolutionize an existing process in the healthcare system
The Cisco Meraki team is excited to give out the Startup Kits over the next few weeks and hear about how companies put them to use as they build and scale.
To hear more about our lucky winners, check back in a few weeks for our series of Startup Kit Spotlights – our semi-regular features on Startup Kit recipients and how they use their Meraki network to build up their company.
Over the past year, the Meraki team has worked with other Cisco teams to increase the business relevance of WiFi via Cisco CMX (Connected Mobile Experiences) and Cisco Meraki Presence. After extensive collaboration between product development, sales, and partner teams, Cisco is in an ideal position to offer one value proposition to the market, with two implementations for customers who prefer a cloud-managed or on-premise solution. To better address the market with a single voice, moving forward the Meraki Presence solution will be marketed under the CMX branding.
Today, both Cisco cloud-managed and Cisco on-premise solutions are market leaders for their respective target customers who are looking to WiFi as a platform to detect, connect, and engage with end-users. While both solutions offer exceptional capabilities in this area, they have different feature sets, and will continue to do so. Nothing is changing with respect to product strategy – Cisco will continue investing in both on-premise (optimized for flexibility and control) and cloud-managed (optimized for ease of use) CMX offerings. On-premise solution customers will continue to deploy CMX as a license for the Mobility Services Engine, while Meraki customers will continue to find CMX included by default as part of the Meraki cloud management platform.
To learn more about CMX with Cisco Meraki, see our:
The Cisco Meraki team is aware of a critical vulnerability in OpenSSL, CVE-2014-0160 (also known as the Heartbleed vulnerability). OpenSSL is a security library that is widely used across the Internet.
We determined that Meraki servers, infrastructure, and network devices (i.e., access points, switches, and security appliances) are not affected by this vulnerability.
The Systems Manager dashboard as well as iOS, Android, and Mac devices enrolled in Systems Manager are not affected. Some Windows PCs enrolled in Systems Manager are affected by the vulnerability in the initial startup phase of the Systems Manager agent. During this phase, no sensitive information is available for an attacker to collect, and no private keys are exposed. This vulnerability does not allow an attacker to gain access to a PC managed by Systems Manager and it does not allow an attacker to gain any knowledge of the Systems Manager configuration. Regardless, a new build of the Systems Manager agent for Windows PCs is available for download via the dashboard. It is not affected by the vulnerability and customers are encouraged to download the new agent at their convenience.
Back in the MDM Ice Ages, when admins pushed out a new app to a device, users would have to enter an Apple ID and password right then and there in order to download the app. This caused a number of problems, as some admins didn’t want users to get a hold of the Apple ID and password and set off on a downloading spree. Apple recently added a feature that allows admins to push out new apps to mobile devices without requiring the user to enter an Apple ID and password. Furthermore, Systems Manager has implemented this into the dashboard so you can take advantage of it right away. This blog post will take a look at how to silently push an app from start to finish.
1. Mobile device requirements
First, there are a few device dependencies in order to silently push apps. The device must be supervised by Apple Configurator and the device must be associated with an Apple ID (this means someone has to log into their Apple account on the device at some point, but it is not required at the time the app is pushed). And if you haven’t heard, you can now supervise your devices over-the-air using Apple’s Device Enrollment Program (learn how to configure DEP with Systems Manager here).
2. Purchase Licenses from Apple VPP program
Next, the app needs to be purchased from the Apple VPP program. This goes for free or paid apps. Below we have 1000 licenses of a free calculator app.
3. Dashboard automatically syncs to Apple VPP program
Purchased VPP apps are populated in the dashboard, available to be assigned.
4. Assign apps to mobile devices
Below we will click on the Calculator app and assign one of our licenses to a user. For a refresher on VPP managed distribution and setting up users, take a look at this article.
5. Add to Systems Manager App Management
Now we are ready to silently push out the app just as we would any other. Navigate to MDM > App. Select ‘+ Add new’ and find the app you’d like to push to your devices. Here, we searched for ‘calculator’ and clicked ‘Add’.
6. Silently push app to devices
Select the app to be pushed and define the scope. Below, we chose to push the app to all devices with the tag “vpp_managed.” Once we save, the app will be pushed.
7. App is silently pushed with no Apple ID and password prompt
On the iPad, we were prompted for the app installation but were not asked to enter a password.
This feature helps admins keep a tighter grip on those precious Apple IDs and passwords. It can also save a great deal of time when apps need to be pushed to many devices at once. Apple has made a number of new feature announcements and this is just another one that we have been able to quickly implement in Systems Manager. For more information on some of these new features check out our in-depth look at Apple’s Device Enrollment Program as well as updates on content filtering and more from Systems Manager.
Back in the Autumn we introduced our new Combined Network dashboard view, which grouped together management of Access Points, Security Appliances and Switches under a single menu. This new, more efficient design has been welcomed by Meraki customers with wired and wireless networks sharing common user bases, enabling the engineer to work on more than one product type at a time, potentially across multiple sites.
In order to take advantage of grouping products together in this way, it makes sense to also combine the configuration of features common across more than one product type. To address this, our design team migrated common settings to a unified menu label named ‘Network Wide’, which looks like this:
Before we take a look at the new combined policy configuration screen, it’s worth refreshing the distinction between network-side settings and client-side policies. When the intent is to affect user behavior for all users of a network segment, network-side settings are the way to go. These will apply to all wired clients connected through a Security Appliance, or to a specific wireless network (SSID).
For example, it may be desirable to apply traffic shaping rules for video and music streaming services to all clients, network-wide, who connect to a guest SSID.
Policies, on the other hand, are designed to apply client-side to selective groups of users, typically identified either through a user authentication process, or through their devices, by fingerprinting device communications. The emphasis shifts to controlling the user experience for both wired and wireless connections for these select users or devices.
A client-side policy might choose to put all wireless financial data onto a specific VLAN with access to secure servers during normal office hours, and block Social Networking for both wired and wireless at the same time. This can now all be configured using the new combined Group Policies page, which looks like this:
The dashboard is continually evolving and improving, based in part on the feedback we receive through the Make-a-Wish box on every dashboard page. This is just one example of a small change which helps make managing group policies on a modern unified access layer network more intuitive. There’s always room for improvement, so stay tuned as we announce further tweaks and enhancements.
Maintaining a BYOD network doesn’t have to be fraught with the challenges of managing device profiles or access to certain content. With new Systems Manager features in dashboard, including time based tags, web content filtering, and single app mode management, admins now have the ability to enhance MDM security easily.
Time based tags
For the same reasons that enabling a certain SSID during work hours or after hours is beneficial for limiting access to network resources, enabling when a device profile is active also assists in protecting important materials and providing a better end user experience.
Time-based tags, found in Systems Manager under Configure > General > Time based tags, provide the ability to add and remove profiles on tagged devices. There are numerous ways to take advantage of this functionality. For example, in the enterprise space, corporate profiles can be deployed to enrolled employee devices during the workday, allowing access to resources, enforcing restrictions, and more. While the device remains enrolled in Systems Manager, these group profiles can be removed seamlessly at the end of the day, enabling employees to use their devices freely while keeping sensitive information in the office.
In the school setting, where BYOD and 1:1 devices are deployed, profiles can also be pushed and removed from enrolled student devices during school hours. They can also be added or removed based on class schedules. If the same device is used for different grades, restrictions can be set in various profiles and scheduled to activate at appropriate times when classes are in session.
MDM web content filtering
Whether in the enterprise or education field, managing what content BYOD devices have access to is an important compliance measure as well as a security measure. With new web content filtering in Systems Manager, it’s easier than ever to ensure appropriate usage. Navigate to MDM > Settings > Restrictions for these enhanced restrictions over supervised iOS 7 devices.
Enabling web content filtering provides two options for managing content: auto-filter and whitelisting. Auto-filter mode, provided by Apple, evaluates each site as it loads, identifying adult language content and blocking as needed. This mode also provides the ability to maintain a list of permitted and blacklisted web pages. The whitelist bookmarks mode allows configured URLs to be added to the browser’s bookmarks, restricting Internet access to just these sites.
Single app mode management
Also under MDM > Settings > Restrictions is the ability to define which apps can enter single app mode. Single app mode management enables an app to lock the device so that users cannot flip back and forth between different applications. This feature is heavily utilized in education; for example, a testing app would be able to lock the device into that app to prevent the user from Googling answers to the test until it is complete. Systems Manager now gives admins the ability to specify a list of applications that are allowed to lock the device into single app mode for a period of time designated by the application. For instance, when a student is using an application on a device to complete a test, permitting the app to lock the device into single app mode prevents the student from accessing other material on the device.
Log in to Systems Manager, or sign up for a free Systems Manager account here, and see how easy it is to enhance your MDM security in just a few mouse clicks.
Apple recently announced a whole new way to enroll devices in MDM, and in doing so, they removed several of the roadblocks that have long plagued MDM admins. Apple’s new Device Enrollment Program (DEP) allows administrators to enroll devices in Systems Manager without ever touching them. In fact, devices can be enrolled right when they are purchased and arrive in users’ hands with Systems Manager as part of the initial setup process. Along with this functionality comes more control for MDM administrators, most notably the ability to prevent users from removing the Systems Manager profile from a device. Cisco Meraki Systems Manager lets admins take advantage of these enhancements right away.
Setting up the Device Enrollment Program
First, create an account with Apple’s Device Enrollment Program. Add devices to the program by their serial number or Apple purchase order number. Next, configure Systems Manager to communicate with the Apple DEP by navigating to Organization > Settings > Apple Device Enrollment Program. Systems Manager will then automatically populate the MDM > DEP tab in the dashboard with participating devices.
MDM > DEP tab with a single device on the Meraki Corp – Systems Manager network
Systems Manager DEP
With Systems Manager, administrators can configure every detail of the new device setup process, such as which screens appear on startup, and if installing the Systems Manager profile is mandatory or not. Not only can the setup process be streamlined for this one device, but for all of your MDM managed devices in just a few clicks.
Configure initial setup settings for DEP managed devices such as allowing the device to be paired and specifying which setup pages to skip (Siri and diagnostics are skipped above).
Now when the Apple device arrives in the end user’s hands, the initial setup is configured for that organization’s specific needs, including Apple Configurator supervision, MDM profile setup, and more.
During setup, the iPad prompts the user to install the Systems Manager profile with no intervention from the administrator and no Apple ID or passwords required.
Non-removable MDM profile
Not only can the administrator require that the SM profile be installed on setup, but they can also prevent the profile from being removed. This is a huge departure from previous management capabilities that left even company or school-owned devices at the mercy of the end user.
Systems Manager MDM management profile installed on the iPad with no option for removal
Systems Manager DEP enables an enhanced level of device management for administrators and it is available today in the dashboard. Brand new Apple devices, as well as those purchased directly from Apple in the last 3 years, are eligible for the Device Enrollment Program. As soon as your products are enrolled, admins can start prompting fresh installs for DEP devices.
Like purchasing a new car, buying networking infrastructure is a major investment decision. You need your gear to work reliably upon first use—and for years thereafter. You want something that won’t be obsolete in 6 months. Several people, perhaps thousands, will rely on what you bought to get from point A to point B—so a smooth user experience is key. And once you’ve installed your equipment, it can be painful and time-consuming to switch to other vendors’ models.
Test driving networking gear before you commit is vital; the equipment must work in your specific environment for your specific use cases and meet your specific criteria.
Every Cisco Meraki device is available for free evaluation. Yes, free—we pay the shipping both ways, so there’s zero risk to you. You have access to full Meraki technical support—exactly what paying customers receive—during your trial as well as access to a dedicated free trial support team, so you can try out our support service along with our hardware. You can even schedule an appointment with our free trial support team and get a dashboard walk-through from a support engineer. Every piece of equipment you’ll evaluate is straight from our factory; we won’t ship you gear that’s been floating in a rotation pool. And we also supply helpful tips on how our products make life easier for you.
Requesting free evaluation gear is easy.
Getting started is simple: call us or visit meraki.cisco.com/eval to register for a free eval. Experience firsthand the ease of deploying remote sites, the benefit of seamless cloud updates that future-proof your investment, and the satisfaction of deep visibility and control over your network from any Internet-accessible device.
Now that the 2014 March Madness bracket has been revealed and the games are underway, the cyber mayhem of live streaming and fan activity is sure to ensue. This could be a fantastic time to experiment with some useful dashboard features. Monitor which users are most invested in the tournament by utilizing the traffic analytics tool on the client details page, create a customized March Madness splash page, and perhaps consider taking some precautionary measures on the back-end to ensure the smooth functioning of your network during this exciting time.
One way to protect your network is to create layer 7 firewall rules and traffic shaping policies in dashboard. Made possible by the layer 7 fingerprinting and application QoS within Cisco Meraki APs and Security Appliances, our custom-built packet processing engine enables inspection, classification, and traffic-shaping inside Cisco Meraki devices. Our products use layer 7 firewall rules to deny certain types of traffic within your network. Policies can be as granular as you wish, from network-wide settings to per client specifications, and can vary between different SSIDs.
To make a Layer 7 firewall rule in dashboard:
1. Go to Configure > Firewall and traffic shaping.
2. Under the Firewall section, select “Add a layer 7 firewall rule.”
3. Select the type of traffic you would like to control (e.g., peer-to-peer, sports, video & music, etc).
Some organizations may choose to completely block certain types of traffic.
For those who do not wish to completely block a specific traffic category, traffic shaping rules may be more up your alley. Traffic shaping rules limit the amount of bandwidth dedicated to certain applications and traffic types.
Use traffic shaping rules for granular control over your network.
Global bandwidth limits apply to inter-VLAN traffic on an MX security appliance, as well as outbound traffic, so we recommend taking a look at our Knowledge Base article on global bandwidth limit considerations before making changes to your network.
Another option for further customized control over your network is to create a group policy in dashboard that includes any bandwidth limits or traffic shaping rules you desire. You can decide which clients the policy will affect, and even enable scheduling on the policy to keep the limits in place for certain hours of the day but off for others.
Throughout the tournament, you can keep an eye on the status of your network with the live tools section in dashboard. Features such as spectrum analysis, throughput, and ping provide a real-time picture of your network’s health, allowing you to make changes to your settings if necessary. For quick check-ins, you can always monitor traffic from the client details page or schedule summary report emails to be sent on a weekly (or even daily) basis.
Use the throughput test to find bottlenecks in your network and to see the maximum throughput from a Cisco Meraki device to the Internet.
Now that you’ve prepped your network, let the Madness begin!