These days, as individuals carry multiple types of devices and expect to be connected at all times, the job of an IT admin becomes more complicated and stressful. Knowing what each end-user and device is trying to do on the network can be a burden. How can you feel confident that your network security will not be jeopardized while company assets remain contained?
Systems Manager, Cisco’s Mobile Device Management (MDM) solution, is evolving to address this need. We are introducing Meraki Trusted Access, which securely connects personal devices to business-critical resources without requiring an MDM profile to be installed.
Meraki Trusted Access enhances both the IT and end-user experience
For IT, Meraki Trusted Access means no longer dealing with tedious, manual onboarding processes. Granting secure network access to end devices becomes seamless and automated. From the Meraki dashboard, IT can sync an Active Directory server to create user profiles. From those user profiles, Trusted Access can then be enabled for specific Wi-Fi networks, specifying how many devices each user can onboard and for how long. Once a user is authenticated, the device is issued a certificate and becomes “trusted”, and a trusted device can then securely access resources.
Additionally, Meraki Trusted Access gives IT more control over, and easier management of, certificate-based onboarding. Whether a user is managed or unmanaged, certificate authentication is handled by Meraki, which removes the need to engineer complex third-party integrations. Finally, Systems Manager also offers an open API platform for customized integrations with business-critical operations.
For end-users, Meraki Trusted Access means an easier way to access critical applications. By using the newly enhanced Meraki Self-Service Portal, end-users can sign into the portal and start onboarding their devices themselves. From there, they can download certificates directly to those devices, granting them secure access to business-critical applications they might need. On top of this intuitive method of getting their devices access, end-users will also be happy to know that their privacy stays intact. They will no longer need to enroll into an MDM solution in order to get the access they need.
Meraki Trusted Access is the easiest way to securely connect devices without an MDM
Enabling Meraki Trusted Access is simple. Meraki Trusted Access is enabled when you have both Meraki MR access points and Meraki Systems Manager in your network.
You can configure Meraki Trusted Access in 4 simple steps:
1. Enable Trusted Access on an SSID.
2. Create an end-user profile under Systems Manager. You can use Active Directory group tags to enable Trusted Access automatically, or configure users manually.
3. Select the end-user’s network access privileges and tie them to the SSID that has Trusted Access enabled.
4. Share the Self-Service Portal link with the end-user so they can onboard their devices and download the trusted certificate.
Cisco’s MDM solution, Meraki Systems Manager, continues to provide end-users and end-devices network security with flexible authentication methods, automated device onboarding, and dynamic security policies.
If you are a current MR and SM customer, you can try Meraki Trusted Access today (just make sure you have enough SM licenses to cover the number of mobile devices). Start by reading our Meraki Trusted Access documentation guide for a smooth set-up. If you’d like to learn more about Systems Manager, you can connect with the Meraki team to start a 30-day free trial, no strings attached.
The Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) arena is an exciting technology field with rapid innovation across a wide breadth of platforms. On February 9th we announced the launch of a host of new Systems Manager (SM) features and functionality for these platforms, and as part of this release SM now supports Android for Work.
This provides a major boost to the manageability of Android devices as it makes it much simpler for employees to use their own device for work. It does this without ceding the user’s control of their personal device, while allowing the organization to ensure appropriate security.
One area where functionality has been significantly extended over the existing Android controls is restrictions. There are now three new categories of Android restrictions available in SM, in addition to the previously available ones. Keyguard restrictions help secure an Android device when it is locked. Although you may be confident in your data’s security when the device is locked, information can still leak without the correct keyguard settings: for example, a notification that displays the content of an SMS even while the device is locked. With keyguard restrictions you can now disable any or all of the following items:
All keyguard features
In addition to keyguard controls, an administrator can now also apply restrictions to other system areas. One brilliant addition is the ability to prevent users from installing applications from unknown sources. With the prevalence of malware and other dangerous apps in the Android ecosystem, allowing users to turn off this safety net is often not desirable. This control lets the administrator decide. The complete list of system restrictions we are announcing in this launch is:
Prevent Android Debug Bridge (ADB) access
Prevent installation of apps from unknown sources
Prevent uninstalling of apps
Prevent app control
Enforce application verification
Disable screen capture
Disable volume adjustment
Disable factory reset
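The keyguard and system restrictions listed above are, on the device side, policies that a profile owner or device owner app sets through Android's DevicePolicyManager. The following is an added example of a hypothetical device policy controller (not Meraki's agent, and not code from this post) that applies each listed restriction and reports which ones are not in effect; the class and method names are assumptions.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Bundle;
import android.os.UserManager;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical DPC helper: applies the work-profile restrictions listed above. */
public final class WorkProfilePolicy {

    // One-to-one mapping of the listed system restrictions onto the
    // UserManager restriction keys a profile/device owner can set.
    static final String[] SYSTEM_RESTRICTIONS = {
        UserManager.DISALLOW_DEBUGGING_FEATURES,      // Prevent ADB access
        UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, // Prevent apps from unknown sources
        UserManager.DISALLOW_UNINSTALL_APPS,          // Prevent uninstalling of apps
        UserManager.DISALLOW_APPS_CONTROL,            // Prevent app control (force-stop, clear data)
        UserManager.ENSURE_VERIFY_APPS,               // Enforce app verification (no-op on Android 8+)
        UserManager.DISALLOW_ADJUST_VOLUME,           // Disable volume adjustment
        UserManager.DISALLOW_FACTORY_RESET,           // Disable factory reset
    };

    private static DevicePolicyManager dpm(Context ctx) {
        return (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }

    /** Apply all restrictions. `admin` is this app's DeviceAdminReceiver component. */
    public static void apply(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm = dpm(ctx);
        String pkg = ctx.getPackageName();
        // addUserRestriction throws if the caller lacks owner privileges; check first.
        if (!dpm.isProfileOwnerApp(pkg) && !dpm.isDeviceOwnerApp(pkg)) {
            throw new SecurityException("caller is neither profile owner nor device owner");
        }
        for (String key : SYSTEM_RESTRICTIONS) {
            dpm.addUserRestriction(admin, key);
        }
        // Screen capture is a DevicePolicyManager setting, not a user restriction.
        dpm.setScreenCaptureDisabled(admin, true);
        // Keyguard: hide work notification content on the lock screen (the SMS-preview
        // leak described above). A device owner may pass KEYGUARD_DISABLE_FEATURES_ALL;
        // a profile owner can only disable the notification/trust-agent subset.
        dpm.setKeyguardDisabledFeatures(admin,
                DevicePolicyManager.KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS
                | DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS);
    }

    /** Compliance check: returns the listed controls that are NOT currently in effect. */
    public static List<String> missing(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm = dpm(ctx);
        Bundle active = dpm.getUserRestrictions(admin); // requires API 24+
        List<String> gaps = new ArrayList<>();
        for (String key : SYSTEM_RESTRICTIONS) {
            if (!active.getBoolean(key, false)) gaps.add(key);
        }
        if (!dpm.getScreenCaptureDisabled(admin)) gaps.add("screen_capture");
        return gaps;
    }
}
```

An empty list from `missing` means every listed control is enforced; anything it returns is a device that has drifted from policy and should be flagged in the management dashboard.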
Along with the new restrictions, there is now containerization with separate Google Play stores for personal and work apps. This allows separate instances of identical applications to be isolated within the appropriate personal or work container. For example you can have two instances of Gmail with one configured for personal use and the other configured for IMAP access to a corporate mail server.
Administrators can now be confident in the knowledge that corporate data can be erased by removing the work apps from a device, and users will be reassured that their personal data won’t be affected. A complete wipe of the work profile removes all the contained applications and data, meaning offboarding employee devices is straightforward and secure.
Android for Work and the other new features included as part of this launch are available today. If you are a Systems Manager Legacy customer interested in these new capabilities, then you will need to upgrade to the full version. This includes a wealth of features on top of those mentioned in this post, with further information available on the Systems Manager licensing page.
More information can be found on our documentation portal, with upcoming Systems Manager webinars highlighting these features. Alternatively contact us to begin a no risk trial and we will help get you up and running.
The notion of most employees using their personal devices for work is practically a foregone conclusion. Instead of resisting this trend, responsible IT organizations see BYOD as a means to boost employee productivity and take advantage of today’s always connected lifestyle. But what happens when a company’s sensitive information gets into the wrong hands? What happens if a device goes missing or an employee leaves the company? While BYOD can be liberating, there are important security implications for every organization to address.
When employees bring their mobile devices into the workplace, they tend to use resources like email, the corporate network via WiFi or over VPN, shared documents on servers, and enterprise apps.
These uses set the stage for a key question about how corporate IT thinks about mobile security: How can you remove access to those resources without completely wiping the device or affecting personal data on the device?
With the new Systems Manager selective wipe feature, we provide the “easy button” to address this challenge. Selective Wipe removes everything previously pushed to the device through the Cisco Meraki Systems Manager dashboard, including configuration profiles, apps, and documents.
Selective wipe provides a new way to remove secure data from lost or stolen devices
A device that has been selectively wiped is still enrolled in the Systems Manager network, so location tracking and other live tools will remain functional, but the corporate-provisioned data and settings are removed. This is a convenient way to handle employee devices that are missing or stolen, since IT will still be able to track the device if and when it reconnects to the internet.
Auto-Quarantine on Enrollment
We’ve also introduced a second capability to increase security when devices are enrolled into a Systems Manager network. With the new auto-quarantine feature, IT has the option to explicitly approve enrolled devices before they receive any configuration profiles and mobile apps.
Auto-quarantine is easily configured to enhance security in the enrollment process for all new devices.
With auto-quarantine, organizations can allow users to self-enroll into a Systems Manager Network, while maintaining strict control over network access credentials, or sensitive apps and data that would otherwise be automatically pushed to newly enrolled devices.
Administrators have one-click access to authorize newly enrolled devices or to selectively wipe data
Bring on BYOD
With these new additions Cisco Meraki Systems Manager continues to make it easy to support BYOD while providing flexibility for varying security needs. And as always—we’re excited to bring all these features to you 100% free! If you haven’t already tried Cisco Meraki Systems Manager, try it here and get started today.
Have you ever wondered how simple it really is to create a custom network with Cisco Meraki devices that supports nearly 20,000 users daily? We were too, so we invited John Wilds, Network Manager at Alvin ISD, the fastest growing district in the Houston, Texas area, to join us for a live, interactive webinar to answer your questions.
John spent the better part of an hour describing the deployment of his network as well as its daily use, and we’ve highlighted some of his story here.
Why were you looking for a network change and why did you choose Cisco Meraki devices?
JW: We were running about 530 HP Procurve APs in the junior high schools participating in our 1:1 initiative, but we knew the wireless system wasn’t going to support the demand the initiative would generate. We were having a lot of dropped connections and problems with band-steering.
We compared Cisco Meraki products, Aruba, Motorola, and HP in a WiFi stress test. We set up two classrooms side by side with 1 AP and 90 HP Netbooks each, simultaneously imaging all of them. The Meraki APs were clear winners with no problems running 180 HP Netbooks on only 2 APs.
Can you explain what the deployment process was like?
JW: Well we currently have 23 school buildings in the district with plans to construct more in the near future. We had only planned to provide wireless to the 5 schools with 1:1, but with the affordable pricing of the Meraki products, we were able to do the entire district.
For the actual deployment, I simply hired student workers to install throughout the district. I configured the settings from the dashboard and they simply plugged the APs in. We were done in less than three weeks!
How have the Cisco Meraki devices changed the day to day within the district?
JW: Having the district covered in wireless has let us do more with technology. And the reporting lets me see how the network and different devices are being used. For example, in the dashboard, we discovered that Netbooks were utilized more when they stayed in a classroom, instead of with a student. We altered our 1:1 plans and created Netbook sets assigned to classrooms.
We’ve also extended our purchases to other devices, matching devices to an educational purpose: Kindle Fires for reading, Chromebooks for content creation, Android, iOS, you get the idea. It’s a device-neutral environment, we’re building the network to support whatever device needs to connect to it.
Last year we started allowing BYOD in our high schools and quickly expanded it down through 6th grade because of its success. In response to security concerns, I can ensure network security and limit access to appropriate content with custom rules – it’s like having a firewall at the AP level.
But the best part is the response to the WiFi. The high schools were interested in which areas were strongly using BYOD and how. Were students bringing in their own devices? Were the devices being used for educational purposes? What applications were being run? It became a competition to see which of the two schools could utilize the network most! I want them to try to hit the roof with network usage, it would mean that the network is being used! We can always add more Meraki APs if needed.
What has been the best part of management with the cloud management platform?
JW: How simple and reliable it is. We actually have a part-time student worker that’s maintaining the network. When we first deployed, I noticed that some of the APs were acting in mesh mode rather than running in gateway mode. The Meraki APs were diagnosing our bad cables for us. How long were our old APs running on bad cables and we never knew it?
Since installing the Meraki devices, we’ve spent no time at all on wireless issues, and we’ve had no complaints about laptops not connecting. Wireless coverage is expected everywhere now, regardless of how remote the location. The Meraki APs give us the ability to provide that reliable coverage anywhere.
Check out the case study to see more of how John is using his network to optimize how technology is used for education within his district.
As many enterprises have gradually—in some cases, grudgingly—adopted BYOD, it is safe to say that email has been the killer app. iOS and Android devices make it incredibly easy to set up an email account with no hassles or calls to the Helpdesk for support.
Perhaps the biggest enabler for this is ActiveSync, the data synchronization application from Microsoft. ActiveSync has been adopted by several mail programs including Microsoft Exchange, Gmail, and a dozen others. One of the nice things about ActiveSync is the ability to seamlessly deliver data to a device without requiring the user to constantly refresh the inbox to check for new mail.
As more and more businesses have adopted the Cisco Meraki Systems Manager MDM platform, we’ve heard from lots of customers who wanted a simple way to configure email settings on mobile devices. Our new ActiveSync feature allows you to securely manage ActiveSync and related settings, like enabling encryption and email formatting.
Associate an email address with a particular client device in one of two ways: set the owner attribute on the client details page, or add new users on the Owners page located in the Configure section and assign them to any enrolled client device.
After a device receives the ActiveSync profile, the user is prompted for the password to complete the setup process. That’s it!
Responsibly Enabling BYOD
Businesses with a BYOD policy or devices issued to employees can leverage this feature to not only configure email on a device, but also just as quickly remove email settings on a device if a device goes missing or an employee leaves the company. If devices need to change hands between users, the ActiveSync profile can be updated without affecting the other data and settings.
Dan Dorato, CTO at Vector Media uses Systems Manager to manage his company’s BYOD program. After using the ActiveSync feature in deploying a new fleet of iOS devices, he marveled at the simplicity. “Meraki SM makes supporting BYOD in our business a no-brainer,” Dan said. “It’s not only easy to use, but the stuff just works!”
Preparing students for the future is what every educator strives to do. As society continues to innovate new ways to experience and understand the world around us, it is only natural that learning techniques change too.
On February 14th, Chin Song, Director of Technology at Milpitas USD, joined us to share how he created a custom wireless network from scratch and bolstered his existing wired network. Spanning 14 schools in Silicon Valley with over a half million square feet of indoor classroom space, Milpitas USD has begun implementing numerous technology initiatives, including 1:1 with Chromebooks, iPads in the classrooms, and BYOD.
Deploying more than 600 Meraki access points and over 100 Meraki switches, Chin now has granular visibility into how 10,000 students and 800 faculty members are using the network, what devices they’re on, and the types of applications they’re using. Cloud architecture gives Chin increased control over his network from anywhere with real-time management, for both wired and wireless, from a single web-based dashboard.
Milpitas USD Dashboard View
Interacting with guest speakers via live video streaming, collaborating with fellow students in another school, broadcasting district news on location instead of in a studio – these are just some of the ways that Milpitas USD is now embracing technology to promote a higher level of education.
Watch the video – See how Chin quickly deployed the Meraki solution, created a custom network for his district, manages and troubleshoots on the fly, and most importantly how he’s created a mobile and collaborative campus.
This Thursday, February 14th at 9am PT, Chin Song, Director of Technology at Milpitas USD in Silicon Valley, will be joining us to share his experiences crafting a wireless network from scratch and bolstering the existing wired infrastructure.
Students at Milpitas USD are using technology for increased collaboration throughout the district.
With over 2,000 Chromebooks currently issued to students, and another 8,000 on the way, Chin is excited to prepare his district for 21st century learning and increased technology initiatives, like 1:1 deployments and BYOD. Teachers can now work together and share ideas remotely, increasing the time they can spend teaching. Students are collaborating via the Internet, sharing documents online and video conferencing, enabling them to expand their learning environment.
With the cloud architecture, Chin has granular visibility into how students and faculty are using the network on their devices and what types of applications they’re using. Cloud-managed WiFi and switching is providing Chin increased network control in a number of ways:
Real-time management from a web-based dashboard, for both wired and wireless, for on-the-fly troubleshooting
CIPA-compliant, integrated traffic shaping and content filtering
Remote identification of switch port usage and testing of Ethernet cables, facilitating creation of new learning areas
Data-rich packet capturing and easy to implement QoS capabilities, ensuring flawless multimedia streaming and collaboration
Join us on Thursday to see Chin’s network in action!
Chris Gasaway, Director of Technology at Rockwall ISD, joined us on January 29th to share his experiences creating a secure network to support the growing trend of BYOD with students and faculty/staff. Rockwall ISD is an expanding school district just outside of Dallas, Texas with 2 high schools, 3 middle schools, and 12 elementary schools.
The district is comprised of families who are extremely mobile device friendly and expect the best in technology for their children. While the district has over 6,000 computers and over 4,000 iPads available for use in the schools, Chris wanted an environment where students could bring their own personal devices and connect to the school’s network.
Taking advantage of the numerous SSIDs, Chris created custom experiences depending on user type, shaping traffic and setting firewall rules as needed. In a few short mouse clicks, not only was the network secure and CIPA-compliant, but he can also make changes as needed based on new requirements or challenges. Chris now has deep, granular visibility into the devices, users, and applications on his network, with the ability to troubleshoot on the fly.
Check out the video from the webinar – see how Chris created a BYOD revolution at Rockwall ISD, encouraging the explosion of personal devices within the school system, while still maintaining control and network security.
Brian Clayton, CIO at Taft, Stettinius & Hollister LLP, joined us on December 5th to share his experiences deploying Meraki at one of the nation’s largest law firms. Taft spans 7 distributed locations in Ohio, Arizona, Indiana, and Kentucky, as well as a US-based Japanese practice.
When employees began bringing in their personal mobile devices, there was an immediate demand for network access anytime, anywhere. The demand for BYOD materialized seemingly overnight. Brian and his team responded, but ended up with a hard-to-manage network consisting of consumer grade access points as well as controller-based APs that they quickly outgrew.
After hearing about Meraki, Brian trialed it in one of the offices, finding he could not only secure the entire network in a few mouse clicks, he could also centrally manage all of the offices from his dashboard. In a matter of weeks he deployed Meraki throughout all of the offices and gained visibility into the users, devices, and applications on the network.
Check out the video and slides from the webinar – see how Brian transformed Taft into a mobile work environment and revolutionized the way attorneys and legal professionals collaborate, access information, and provide exceptional service to their clients.
You can also read Clayton’s article in the January 2012 edition of ILTA to see how Meraki can support mobile devices at your company.