Activation Lock is a security feature on Apple iOS devices that prevents unauthorized use of an iOS device after it has been factory reset, rendering the device useless. While this is an amazing feature for personal use, it has presented challenges for IT administrators trying to deploy iOS devices for enterprise use cases. While IT administrators desire the added security Activation Lock provides, they are often frustrated by the lack of enablement control and device status insight.
Cisco Meraki’s mobile device management solution, Systems Manager, fully supports management of Activation Lock on supervised iOS devices. Let’s pull back the curtains and see how Cisco Meraki Systems Manager can help you effectively manage the Activation Lock status of your device fleet.
How is Activation Lock enabled?
There are two different ways to enable Activation Lock:
Device Activation Lock: The device owner enables Find My iPhone/iPad on the device with their personal Apple ID account.
MDM Activation Lock: Meraki Systems Manager enables Activation Lock with an MDM command. This action is only available on supervised iOS devices enrolled using Automated Device Enrollment through Apple Business Manager (ABM) or Apple School Manager (ASM).
How do I check the Activation Lock status of iOS devices?
You can view the Activation Lock status for each device in the “Management” section of the device’s details page in Meraki Systems Manager.
If Activation Lock is “Enabled”, Find My iPhone/iPad is enabled and the device’s activation may be locked by an owner’s personal Apple ID. MDM Activation Lock indicates that Meraki Systems Manager sent a command to enable Activation Lock on the device. The device’s activation may be locked by the Apple ID of an IT administrator with management rights in the ABM or ASM portals.
You can also view the Activation Lock status in the Devices list in Meraki Systems Manager by adding the applicable column to your view.
I wiped an iOS device and Activation Lock is enabled. How do I bypass or disable Activation Lock?
There are several methods to bypass or disable Activation Lock:
Apple ID: Enter the email address and password of the account that enabled Activation Lock on the device. Depending on how Activation Lock is enabled, this may be the user’s personal Apple ID credentials or the Apple ID credentials of an ABM/ASM administrator.
Bypass Code: When Activation Lock is enabled on supervised iOS devices, Meraki Systems Manager stores a bypass code, a randomized 30-character string, which can be used to clear the device’s Activation Lock state. In situations where both device and MDM Activation Lock may have been enabled, Meraki Systems Manager stores the codes generated for each type. The bypass code can then be entered at the Activation Lock screen to clear the Activation Lock status.
Clear Activation Lock Command: Meraki Systems Manager can send a remote command to Apple to clear Activation Lock on supervised iOS devices using the known bypass codes.
How can Meraki Systems Manager help me manage Activation Lock settings?
Meraki Systems Manager can only manage Activation Lock settings on supervised devices. If devices are supervised, Systems Manager prevents end users from being able to enable Device (Find My iPhone/iPad) Activation Lock by default on enrollment.
Via the “Privacy & Lock” payload, Meraki Systems Manager can be configured to automatically allow Device Activation Lock, and/or automatically enable MDM Activation Lock when devices are enrolled.
Check out Meraki Documentation for more information on how to manage Activation Lock settings and behaviors with Meraki Systems Manager. If you would like to learn more about Systems Manager, join us for an upcoming webinar (where you can qualify to earn free Systems Manager licenses), or call the Meraki sales line to start a risk-free evaluation.
If you have experience managing Apple devices in the enterprise, then you’ve probably used Apple’s Device Enrollment Program (DEP), which helps administrators deploy Apple devices seamlessly throughout an organization.
Large organizations such as school districts, managed service providers, and business conglomerates often procure company-owned Apple devices through various entities, which requires multiple DEP accounts. This can create a logistical nightmare when trying to deploy devices at scale.
Previously, admins could only manage one DEP server per organization in Systems Manager. This led to network admins having to create separate organizations in order to support multiple DEP servers.
Taking these user experiences into account, it is with great excitement that we announce that Systems Manager now supports Multi-DEP!
What does this mean for you?
Customers can now add, remove, and edit multiple DEP servers within the same organization in the Meraki dashboard. This gives more flexibility to deploy devices that are being procured under one subset. The experience will be more seamless, efficient, and granular; an admin can specify which DEP server should be visible for management and syncing under each network.
For instance, a school district with 10 schools can manage all of the 10 schools under one organization, with each school network having its own DEP server. Similarly, a managed service provider could manage different customers’ networks simultaneously, with each customer network mapped to its own DEP server.
For customers in education using Apple School Manager (ASM), the ASM sync can now also handle multiple DEP servers at the same time. When an ASM sync is initiated, it will automatically run for all DEP servers assigned to that network. DEP servers will now sync in the Apple server display name, and the Meraki dashboard will display that metadata along with a timestamp of the last update of the DEP server.
If you are already using Systems Manager, give it a try today by going to Organization > MDM in the Meraki dashboard to see the new ‘Apple DEP Servers’ section. Let us know what you think of it; we love getting feedback!
When Denis Guerrero joined Moreland School District as the Director of Technology, he knew it was time to find a better way to manage the school district’s 1,400 iPads. Throughout the district many iPads were locked, unusable, associated with different Apple IDs, and loaded with apps purchased through various gift cards, personal accounts, and vouchers. Managing this fleet of devices was becoming an impossible task and it was time to set some processes and tools in place for district-wide iPad visibility, app distribution, and device management.
After investigating different options, Denis and the team chose Cisco Meraki Systems Manager to accomplish these goals. To take full advantage of Systems Manager, the team worked to unify the district under one Device Enrollment Program (DEP) account with Apple, consolidate app license purchases, and register with Apple School Manager.
Systems Manager allows schools to easily provision Apple devices (out of the box) through DEP, install apps, apply custom configurations, and limit classroom distractions such as games and web surfing. Furthermore, schools and organizations can leverage Meraki’s free trial program for expert assistance throughout the trial process, access the open Community forum for peer insight and advice on the solution, and reference video and instructional content to help them get oriented in the dashboard.
Today students and teachers at Moreland School District can easily log into iPads, find the right apps, and start their digital lessons — without wasting instruction time on iPad lockouts or mitigating student access to distracting websites and apps.
In an upcoming webinar on May 16th, 2018, Denis will share his favorite features and how Systems Manager helped his team streamline student learning throughout the district. Register now to learn more!
This week the Systems Manager team released a host of exciting new Apple features and made some interface changes in the Meraki dashboard to make endpoint management even easier, automated, and more powerful.
Interface Changes: Settings Page
Interface changes can be seen on the Settings page, where users set configuration profiles and settings for different device types. The new Settings page has been redesigned to streamline management and make configuration settings more easily discoverable when creating profiles.
Also on the new Settings page, you’ll see a host of new features available for iOS and macOS, some of which were made available in the Apple iOS 11.3 and macOS 10.13.4 release. These new features are extremely powerful for all organizations managing Apple devices, but particularly compelling for those in education!
Delay OS updates for up to 90 days on iOS and macOS: Providing time for IT teams to vet and test new OS versions before they are deployed on managed devices.
Keep apps up to date on iOS and macOS: Select for specific App Store apps to automatically update when a new version is available.
Disable Bluetooth settings on iOS and macOS: Limit distractions and security loopholes by locking down the Bluetooth functionality on devices through the live tools on a device page. IT teams can use this in conjunction with Bluetooth restrictions settings to lock Bluetooth settings on or off.
FileVault Personal Recovery Key (PRK) Escrow: Store PRKs for disk encryption on macOS devices.
Login window: Set custom login window messages for macOS devices to alert users of management or convey organizational messages.
Lock screen: Specify a custom lock screen asset tag on iOS to easily identify a device in hand.
App Store Restrictions: Restrict end user app installations and updates for more control of apps and app versions on macOS devices.
AirPrint: Set printer configurations for iOS and macOS devices.
Dock: Change size, magnification, position, minimization effect, and more macOS dock settings.
Setup Assistant: When re-provisioning a macOS device, select to skip steps like Siri setup.
…and more! For a full list, please go to the “New Features” section in the Meraki dashboard.
Current customers can take advantage of these features immediately! We hope you’ll join the Community discussions on this and other topics.
Apple CEO Tim Cook and Cisco CEO Chuck Robbins took the stage at Cisco Live! this week to talk about the next phase of the Apple Cisco partnership. Part of this next phase will be the Cisco Security Connector, which will completely change the story when talking security on iOS. It can be deployed on enterprise supervised iOS devices using Systems Manager, Cisco’s enterprise mobility management (EMM) solution. See below for an excerpt from David Ulevitch’s Cisco Blog.
“Expected to be released in the fall of 2017, the Cisco Security Connector is designed to deliver the deepest visibility, control, and privacy for iOS devices. The Cisco Security Connector offers organizations the most granular view of what is happening on enterprise-owned mobile devices and provides the best protection for users, anywhere they travel. With the Cisco Security Connector, businesses will now have the ability to meet risk and compliance requirements from auditors and ultimately expand iOS adoption in new ways.”
With the Cisco Security Connector, organizations gain the following:
Visibility: Ensure compliance of mobile users and their enterprise-owned iOS devices during incident investigations by rapidly identifying what happened, whom it affected, and the risk exposure.
Control: Protect users of iOS devices from connecting to malicious sites, whether on the corporate network, public Wi-Fi, or cellular networks.
Privacy: Safeguard corporate data and users by encrypting internet (DNS) requests.
Welcome to the second edition of ‘In the Know’. In the Know posts showcase features or capabilities that already exist in the Cisco Meraki portfolio but may not be as well known. For reference, here is last month’s In the Know about Windows 10.
First things first, Apple’s iOS 10 is here and macOS Sierra is coming soon. There are many things Meraki has already been doing to aid administrators in both preparing for and deploying the latest and greatest.
Meraki added extremely early, general support for iOS 10 and macOS betas after the start of Apple’s Worldwide Developers Conference (WWDC) last June. For those with access to the betas, Meraki was ready–far ahead of the status quo. Early this year, Meraki released a solution for administrators using Apple products and Meraki Systems Manager to issue OS updates over the air. Over-the-air updates provide the ability to push the latest version of iOS and macOS to an entire fleet of devices remotely and with only a few mouse clicks. Keeping devices up to date is essential in order to deploy the latest security patches and features. More information can be found on the documentation article here.
Also announced at WWDC were many improvements with iOS 10 and Cisco specific features, like fast lane profiles or fast-tracking the mobile enterprise, which promised to change the way people work. This is carried out through network optimization around performance, creating an even better experience for Cisco voice communication, and reinventing teamwork and meetings with Cisco collaboration tools on iPhone and iPad. See below for an example of setting up per-app QoS with iOS 10 and Cisco in the Systems Manager Dashboard, and click here for documentation.
Systems Manager legacy customers interested in these powerful features can find out how to take advantage of them here. For those new to Meraki or Systems Manager, start a free trial.
When Apple and Cisco announced their partnership last year, Meraki customers were left on the edge of their seats awaiting the arrival of the improvements that would be coming down the pipeline for them. Now, there’s exciting news out of Apple’s Worldwide Developers Conference that sheds some light on the details of what the companies have been working on and when to expect them. Here’s what customers can look forward to, and an overview of how these improvements can be utilized by Meraki enthusiasts in the fall, when iOS 10 is scheduled to be released:
Enhanced roaming capabilities for iOS devices on Cisco (including Meraki) APs — With iOS 10, iPads and iPhones will be able to recognize the most optimal AP on a Cisco network with which to connect. This means Apple devices roaming on a Meraki network will become even more streamlined, eliminating worries of losing WiFi connectivity while on a VoIP or video call.
Fast lane for business critical apps — Meraki networking customers have long enjoyed the simplicity and variety of implementations of QoS for layer 7 web applications. Now, with iOS 10, Systems Manager customers will be able to apply that same level of QoS ease to iOS apps. Prioritize business critical apps while limiting bandwidth usage for, say, video streaming apps that might not be necessary for work. Couple this functionality with existing Systems Manager tools like geofencing, dynamic tagging, and scheduled policies, and the possibilities for customizability are practically limitless.
Cisco Spark calls on the iPhone, just like native calls — When iOS 10 launches, Spark customers will be able to answer Spark calls from the lock screen. They’ll also be able to initiate these calls directly from their address books. This is an exciting update for our customers using Cisco Spark.
If you want to read more about the Apple and Cisco partnership, check out the details on Apple & Cisco’s websites, and stay tuned for future news from the Meraki side!
Meraki Systems Manager continues to offer extensive functionality for Apple platforms. Only recently we announced same day support for iOS 9 in conjunction with a new strategic joint development partnership between Cisco and Apple. We continued that story with the launch of extensive new features for Systems Manager on February 9th. In this particular post we are going to explore the Apple specific elements of that launch.
With MDM it has always been important to make sure you keep the users informed. This ensures they attribute changes to their device to administrative control and not to a fault. The iOS Wallpaper functionality of iOS 9 offers a great way of keeping users informed, while also offering branding and user experience options.
The Lock and Home page Wallpapers can be configured independently or together with a simple drag and drop. The reason that changing the Wallpaper with Systems Manager offers a great way of interacting with the user is because it can be tied to tags. This means that the Wallpaper can change dynamically based on various events, for example based on the person using the device or its posture.
FileVault disk encryption
Information is the lifeblood of any organization, with the securing and management of this data under increasing scrutiny. Encryption of information on portable devices such as laptops is frequently being mandated in regulated industries such as health care. The loss of confidential or private information can lead to stiff penalties, brand damage, and dented consumer confidence.
FileVault in OS X provides strong data security with full disk encryption using AES. With full disk encryption, data on a mislaid or stolen device is useless to the unauthorised recipient. Systems Manager now supports FileVault disk encryption management, and in typical Meraki fashion, has been made as simple as possible.
The difficulty associated with disk encryption is not typically with encrypting data but in decrypting it when required. For example, when an employee leaves the organization it may be necessary to access the customer data on their device. If the password or recovery key has not been provided by the departed employee, then the data is lost forever.
Systems Manager supports all three methods of FileVault data recovery: an institutional recovery key, a personal recovery key, or both simultaneously. Institutional recovery keys are transparently managed by the Meraki cloud, ensuring they are never lost. More information on FileVault 2 can be found on our documentation portal.
OS X system preferences
To top off the list of Apple functionality added in this Systems Manager launch there are now 35 new OS X system preferences to play with. This includes things such as control of Security & Privacy settings, Software Updates, and Parental Controls. Further information on these OS X systems preferences is again located on our documentation portal.
The new features for Apple platforms included as part of this launch are available today. If you are a Systems Manager Legacy customer interested in these new capabilities, then you can upgrade to the full version by simply contacting our sales team. The full version includes a wealth of features on top of those mentioned in this post, with further information available on the Systems Manager licensing page.
Excited by the new content in this Systems Manager launch? We are! The team will be highlighting these features and more in upcoming Systems Manager webinars. Alternatively, if you can’t wait to get started, contact us to begin a no-risk trial and we will help get you up and running.
With the release of iOS 9 Apple introduced a number of improvements to the Volume Purchasing Program (VPP). Of these improvements, one of the more significant is app assignment by device. With this new functionality it is now possible to assign VPP apps to an iOS device without the need for an Apple ID, and if that device is supervised, the installation is silent.
Before this change, it was only possible to assign apps to a user by associating them with an Apple ID. This method of app management can be an administrative nightmare when used in environments such as K-12 education, where many users may be working with a particular device. Students may not have an Apple ID, or may be too young to have one without parental consent. Additionally, it meant that an Apple ID needed to be configured on the iPad for apps to be silently pushed to supervised devices.
With VPP device assignment, an Apple ID is no longer required and with supervised devices, apps can be pushed silently with no end user interaction. Silent app push has a huge impact on an administrator’s ability to seamlessly deliver iOS apps to users. Combining this new functionality with Meraki Systems Manager features, such as multiuser authentication, can offer a fantastic classroom experience. Apps and settings are tailored to each student’s needs and dynamically changed as the user changes.
Systems Manager Legacy customers can gain access to this great new functionality by upgrading to the latest version of Systems Manager. Please contact your Meraki representative for further information or alternatively sign up for a specialist Systems Manager Teacher’s Assistant webinar here. Additionally stay tuned to our YouTube channel for additional video guides to this functionality.
On August 31, Cisco and Apple announced a new strategic partnership. To address the ever-increasing demands on corporate infrastructure, Cisco networks and iOS devices will be optimized so that they work together more efficiently, with the goal of providing users even greater performance. Read more reflections on this significant announcement from Cisco CEO Chuck Robbins.
With the release of iOS 9 today, Meraki is announcing same day support for Systems Manager, made possible by the agile cloud architecture for which we’re renowned.
iOS 9 brings new functionality to MDM, with new restrictions such as being able to disallow sharing of managed documents with AirDrop and disabling iCloud Photo Library. There are also a host of new supervised restrictions available, which include the ability to control:
The App Store
Pairing with Apple Watch
Modification of passcode settings
Modification of device name
Modification of wallpaper
Automatic downloading of apps purchased on other devices
Automatically trusting enterprise apps
The News app
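As an added illustration (not code from Meraki or the original post), the Python audit below reads an exported configuration profile and reports which of the iOS 9 restrictions listed above are actually set. The mapping from each item to a key in Apple's Restrictions payload (com.apple.applicationaccess) is an assumption taken from Apple's configuration profile documentation, and the sample profile is constructed.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"

# Assumed mapping (not from the original post): restriction named in the post
# -> (label, value that means "restricted") in Apple's Restrictions payload.
IOS9_RESTRICTIONS = {
    "forceAirDropUnmanaged": ("Sharing managed documents with AirDrop", True),
    "allowCloudPhotoLibrary": ("iCloud Photo Library", False),
    "allowUIAppInstallation": ("The App Store", False),
    "allowPairedWatch": ("Pairing with Apple Watch", False),
    "allowPasscodeModification": ("Modification of passcode settings", False),
    "allowDeviceNameModification": ("Modification of device name", False),
    "allowWallpaperModification": ("Modification of wallpaper", False),
    "allowAutomaticAppDownloads": ("Automatic downloading of apps", False),
    "allowEnterpriseAppTrust": ("Automatically trusting enterprise apps", False),
    "allowNews": ("The News app", False),
}
RANK = {"unset": 0, "permitted": 1, "invalid": 2, "restricted": 3}

def audit_profile(raw: bytes) -> dict:
    """Return {key: 'restricted' | 'permitted' | 'invalid' | 'unset'}."""
    try:
        profile = plistlib.loads(raw)
    except Exception as exc:  # e.g. a signed (CMS-wrapped) profile
        raise ValueError("not a plain plist; unwrap signed profiles first") from exc
    if not isinstance(profile, dict):
        raise ValueError("top-level plist object is not a dictionary")
    status = {key: "unset" for key in IOS9_RESTRICTIONS}
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        for key, (_, restrictive) in IOS9_RESTRICTIONS.items():
            if key not in payload:
                continue
            value = payload[key]
            if not isinstance(value, bool):
                new = "invalid"      # e.g. the string "false" instead of <false/>
            elif value == restrictive:
                new = "restricted"
            else:
                new = "permitted"
            # Across several payloads, report the strictest state seen.
            if RANK[new] > RANK[status[key]]:
                status[key] = new
    return status

def unrestricted(status: dict) -> list:
    """Labels of restrictions the profile does not enforce."""
    return [IOS9_RESTRICTIONS[k][0] for k, s in status.items() if s != "restricted"]

# Constructed sample profile (identifiers and UUID are placeholders).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.restrictions",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "example"},
        {"PayloadType": RESTRICTIONS_TYPE,
         "allowUIAppInstallation": False,
         "allowPairedWatch": False,
         "forceAirDropUnmanaged": True,
         "allowNews": True,
         "allowWallpaperModification": "false"},  # wrong type on purpose
    ],
})

if __name__ == "__main__":
    for key, state in audit_profile(SAMPLE_PROFILE).items():
        print(f"{state:10} {key:30} {IOS9_RESTRICTIONS[key][0]}")
```

Keys reported as "unset" or "invalid" deserve the same attention as "permitted" ones, since in each case the profile does not demonstrably enforce the restriction.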
Systems Manager customers who are using the legacy, license free version will be able to manage devices running iOS 9, but will not receive the new iOS 9 functionality such as the extra restrictions. If you would like to upgrade to take advantage of the new features and gain access to many others, such as 24/7 support and network policy integration with Systems Manager Sentry, contact the sales team for more information.
We know there are going to be many questions we won’t be able to cover in a single blog post. To help provide more detail on iOS 9 and what’s new in Systems Manager, we are running a “What’s new with iOS 9 and Systems Manager” webinar on Tuesday, September 29th at 9am PDT. Register today to reserve your place, and to find out more about the new functionality such as VPP app provisioning by device rather than by user.