If you have experience managing Apple devices in the enterprise, then you’ve probably used Apple’s Device Enrollment Program (DEP), which helps administrators deploy Apple devices seamlessly throughout an organization.
Large organizations such as school districts, managed service providers, and business conglomerates often procure company-owned Apple devices through various entities, which requires multiple DEP accounts. This can create a logistical nightmare when trying to deploy devices at scale.
Previously, admins could only manage one DEP server per organization in Systems Manager. This led to network admins having to create separate organizations in order to support multiple DEP servers.
Taking these user experiences into account, it is with great excitement that we announce that Systems Manager now supports Multi-DEP!
What does this mean for you?
Customers can now add, remove, and edit multiple DEP servers within the same organization in the Meraki dashboard. This gives more flexibility to deploy devices that are being procured under one subset. The experience will be more seamless, efficient, and granular; an admin can specify which DEP server should be visible for management and syncing under each network.
For instance, a school district with 10 schools can manage all of the 10 schools under one organization, with each school network having its own DEP server. Similarly, a managed service provider could manage different customers’ networks simultaneously, with each customer network mapped to its own DEP server.
For customers in education using Apple School Manager (ASM), the ASM sync can now also handle multiple DEP servers at the same time. When an ASM sync is initiated, it will automatically run for all DEP servers assigned to that network. DEP servers will now sync in the Apple server display name, and the Meraki dashboard will display that metadata along with a timestamp of the last update of the DEP server.
If you are already using Systems Manager, give it a try today by going to Organization > MDM in the Meraki dashboard to see the new ‘Apple DEP Servers’ section. Let us know what you think of it; we love getting feedback!
On August 31, Cisco and Apple announced a new strategic partnership. To address the ever-increasing demands on corporate infrastructure, Cisco networks and iOS devices will be optimized so that they work together more efficiently, with the goal of providing users even greater performance. Read more reflections on this significant announcement from Cisco CEO Chuck Robbins.
With the release of iOS 9 today, Meraki is announcing same day support for Systems Manager, made possible by the agile cloud architecture for which we’re renowned.
iOS 9 brings new functionality to MDM, with new restrictions such as being able to disallow sharing of managed documents with AirDrop and disabling iCloud Photo Library. There are also a host of new supervised restrictions available, which include the ability to control:
The App Store
Pairing with Apple Watch
Modification of passcode settings
Modification of device name
Modification of wallpaper
Automatic downloading of apps purchased on other devices
Automatically trusting enterprise apps
The News app
Systems Manager customers who are using the legacy, license free version will be able to manage devices running iOS 9, but will not receive the new iOS 9 functionality such as the extra restrictions. If you would like to upgrade to take advantage of the new features and gain access to many others, such as 24/7 support and network policy integration with Systems Manager Sentry, contact the sales team for more information.
We know there are going to be many questions we won’t be able to cover in a single blog post. To help provide more detail on iOS 9 and what’s new in Systems Manager, we are running a “What’s new with iOS 9 and Systems Manager” webinar on Tuesday, September 29th at 9am PDT. Register today to reserve your place, and to find out more about the new functionality such as VPP app provisioning by device rather than by user.
Some information in this post has changed.
More about Systems Manager licensing is available here.
Today we are excited to announce a new product structure for Systems Manager (SM). We are streamlining Systems Manager from two products to a single product that will now include all advanced features. SM Standard (free) and SM Enterprise (paid) will become just Systems Manager.
Importantly, nothing will change for existing SM Standard users unless they want it to.
What does this mean?
On March 24th, every new Systems Manager customer will be able to access features that were previously available only with SM Enterprise. Systems Manager, complete with all Enterprise features, is free for up to 100 devices, and as was previously the case with SM Standard, support is available through the Systems Manager Support Community.
For existing SM Standard (free) customers, nothing will change, and users can continue to operate Systems Manager exactly as they have before. They will even be able to continue to enroll an unlimited number of devices free of charge.
Customers wishing to expand their new Systems Manager deployment beyond the 100 free devices, or to obtain 24/7 enterprise class phone support, can purchase the required number of device licenses.
As an existing SM Standard customer, what if I want to upgrade?
As of March 24th, if a customer has fewer than 100 devices, they can convert their SM Standard to the new fully featured Systems Manager at no cost. However, we know that many of these customers could have more than 100 devices, would like access to advanced features, and have enterprise support.
To enable these existing loyal users to take advantage of these benefits, we will offer a steep discount for those upgrading from SM Standard. This one time promotional offer is running until June 2015, and brings an unheard of discount to Systems Manager, which is already one of the most competitively priced and feature rich MDM offerings on the market.
What if I have questions?
Further information will be released on our blog in the coming days and weeks. Make sure to subscribe to get instant notifications when updates are released.
When configuring large distributed networks, small insignificant tasks become time consuming and laborious quite quickly. Meraki cloud managed networking products eliminate a lot of the complexity of this type of deployment with features such as configuration templates and AutoVPN. With configuration templates you are able to rapidly deploy hundreds or thousands of remote sites and connect them together with a VPN in a few clicks.
As we recently announced in our Quarterly update, there have been some enhancements to the features on the MX which allow further automation of multiple site deployments. It is now possible to add firewall rules to your configuration template that are dynamically generated to match the appropriate networks.
A recap on templates
A template is a configuration which can be applied to tens, hundreds, or thousands of MX Security appliances. Networks within a Meraki dashboard Organization can be bound to this template so that they inherit these settings, which then only have to be configured once. If this configuration is no longer required they can be bound to a different template, or reverted to the configuration state they had before they were bound. This reduces monotonous administrative tasks and prevents human error.
One of the advantages of templates is that they can dynamically allocate subnets and IP addresses for each site. In some instances it may be desirable to have identical subnet and IP configurations at each site, but when this is not the case, unique configurations are required per site. Using templates, a network administrator can choose to have subnets and MX interface IPs created automatically, so there is no subnet duplication or IP overlap.
Making security easy
With many retailers taking advantage of Meraki’s solutions for their stores, PCI 3.0 security is an important concern. The Meraki MX’s built in security features such as anti-malware and Intrusion Detection & Prevention (IDS/IPS) make it simple to deploy a robust security solution. However there is still a need to configure relevant firewall settings to safeguard payment processing systems in a retail environment, or confidential business data in an enterprise.
The new firewall objects functionality in the Meraki dashboard allows network administrators to summarize detailed firewall configurations and replicate them to many sites with templates. This has a huge impact on the amount of work required: firewall rules are only configured once for the template, no matter how many remote sites you have. In an organization of 500 remote sites, with a simple firewall rule set of only 10 lines, that’s a saving of 490 lines of configuration or 98% less work!
It’s all in the name
When configuring an MX template an administrator will create the VLANs and associated subnets that need to be replicated at each site. The key step in this process is assigning a name to this VLAN. This name is the object identifier that is referenced on the firewall page.
Now when configuring the firewall rules for the template, the name of the VLAN can be selected. This means that no matter what network mask is automatically generated for that site, the firewall rule will reflect the subnet correctly. For example in the screenshots below, ‘home’ and ‘corp’ are referenced as aliases for the actual subnet at that site.
If the firewall rule needs to be specific to a particular host within the subnet, the ‘Add host bits’ button allows you to define a specific host for the site at which this rule applies. Again this is exceptionally useful in retail environments, where it is common for devices to have specific host addresses. A good example of this is that every cash register on every site could have addresses .5, .6, and .7.
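To make the name-based rules and host bits described above concrete, here is an added sketch (not Meraki's code or the dashboard's internals) that gives each site its own non-overlapping subnets and then expands one template rule set into per-site firewall lines. The address pools, the `pos` VLAN name, the rule tuples and the output format are assumptions made for illustration; `corp` and `home` are the aliases the post mentions.

```python
import ipaddress
from itertools import islice

# Constructed template data (assumption): each VLAN name draws per-site
# subnets of the given prefix length from its own address pool.
VLAN_POOLS = {
    "corp": ("10.0.0.0/16", 24),
    "home": ("10.1.0.0/16", 24),
    "pos":  ("10.2.0.0/16", 24),   # hypothetical VLAN for cash registers
}

# Template rules name VLANs instead of subnets. The second element of a
# reference is the optional host part ("host bits"); None = whole subnet.
TEMPLATE_RULES = [
    ("allow", ("pos", 5), ("corp", None), 443),
    ("allow", ("pos", 6), ("corp", None), 443),
    ("allow", ("pos", 7), ("corp", None), 443),
    ("deny",  ("home", None), ("pos", None), "any"),
]


def allocate(site_index, pools=VLAN_POOLS):
    """Return {vlan_name: subnet} for one site; unique per site index."""
    nets = [ipaddress.ip_network(pool) for pool, _ in pools.values()]
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            raise ValueError("VLAN pools overlap; site subnets could collide")
    out = {}
    for name, (pool, prefix) in pools.items():
        subnets = ipaddress.ip_network(pool).subnets(new_prefix=prefix)
        try:
            out[name] = next(islice(subnets, site_index, None))
        except StopIteration:
            raise ValueError(f"pool for {name!r} exhausted at site {site_index}") from None
    return out


def resolve(ref, site_subnets):
    """Turn (vlan_name, host_part) into the concrete CIDR for this site."""
    name, host = ref
    if name not in site_subnets:
        raise KeyError(f"rule references unknown VLAN name {name!r}")
    net = site_subnets[name]
    if host is None:
        return str(net)
    # Reject host parts outside the subnet or on network/broadcast address.
    if not 0 < host < net.num_addresses - 1:
        raise ValueError(f"host part {host} does not fit in {net}")
    return f"{net.network_address + host}/32"


def render(site_index, rules=TEMPLATE_RULES):
    """Expand the template rules into concrete lines for one site."""
    subnets = allocate(site_index)
    return [f"{policy} {resolve(src, subnets)} -> {resolve(dst, subnets)} port {port}"
            for policy, src, dst, port in rules]
```

The host-part check is the piece worth keeping in any similar tooling: a host value that is valid for one mask can silently land outside a smaller subnet at another site.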
Extensible Firewall Templates are a flexible and easy to use feature for configuring your Meraki networks. From corporate branch sites, to retail outlets and large scale teleworking using the Meraki Z1, templates improve the operational efficiency of the network administrator and allow lean IT teams to respond quickly to business needs on tight deadlines.
When you get a call from a wireless user complaining about connectivity problems, what is one of the first questions you might ask? “Where are you exactly?” Knowing precisely where a user is located can be immensely helpful in diagnosing and troubleshooting issues. What AP are they associated to? Are they behind a pillar that could be blocking their wireless signal? Are they in an area of a new building where the network is currently being expanded and might still have some coverage weak spots? This knowledge can often provide an administrator with a good idea of where they should dig in to properly troubleshoot the issue.
Starting today, administrators of Meraki Enterprise networks won’t have to ask where a client is because they’ll know: introducing Meraki Location-Based Services. On each client details page you’ll notice a new map where the current location of the client is clearly indicated on either a Google map or building floorplan (see below screen shot).
In addition to troubleshooting client issues, there are many other situations where being able to pin down a client device’s location can be very useful to administrators, such as tracking down a lost laptop or monitoring a nurse’s progress doing rounds in a hospital with the medicine cart. Typically these capabilities might require additional appliances and third-party software costing $10,000’s, but with Meraki they are provided with all Enterprise networks at no additional cost and without the need to deploy additional gear.
When combined with other Dashboard features like “remote hands” tools and detailed reporting with Traffic Shaper’s application-level visibility, Location-Based Services provides administrators with powerful tools to understand exactly how their network is being used and to quickly troubleshoot client issues remotely. Please let us know what you think of this new feature using the Make a Wish box!
TEDGlobal 2010, themed “And Now the Good News”, wrapped up with some good news for Meraki and TEDGlobal attendees using the conference WiFi. As part of the British Telecom Sponsorship team, fellow Meraki engineer Robert Shanks and I were on site to deploy and support the wireless network for this 4-day conference. To make a long story short, the wireless network performed flawlessly, with just over 1,000 people connecting throughout the conference and transferring over 250 gigabytes of data.
The conference venue, located in Oxford, UK, had its fiber backhaul brought in by BT. The backhaul was then distributed to wireless users in the two main venues of the conference, the Oxford Playhouse and the gala rooms of the Randolph Hotel, through fifteen MR14 dual-radio access points.
We leaned heavily on the Cloud Controller to quickly deploy the network with a small team. Rogue AP detection and automatic channel spreading maintained performance while TEDsters blogged, tweeted, browsed and streamed all at once. While we trusted the Cloud Controller’s real-time alerts to let us know about unexpected changes (there weren’t any), we also kept tabs on the network’s summary report, giving us a good understanding of the overall usage and performance of the network.
Along with performance and usage information, the summary reports confirmed that the device-of-choice for TEDsters was the iPad, with well over 100 using the network. In fact, hand-held devices accounted for over 50% of clients connecting to the network.
We had a great time at TED, and were happy to see the Meraki network being used so heavily. Thanks to the team at British Telecom for including us!
One of the most challenging aspects of managing large distributed networks is troubleshooting issues when the client is across town (or maybe even across the country!). Having on-site IT personnel 24/7 at even small satellite branch offices can require a very large IT staff and is too expensive for most organizations. Meraki networks offer a variety of “remote hands” troubleshooting tools, helping network admins diagnose and resolve many wireless connectivity issues without dispatching IT staff to the site. The ability to run diagnostic checks such as pinging an access point, running a throughput test from Dashboard, or reviewing detailed event logs has been integral to Meraki’s value for distributed networks and organizations with small IT staffs and large footprints.
We are now announcing a set of Live Client Tools that expose even more up-to-the-second information about who is on a wireless network, and further help troubleshoot connectivity issues. Administrators who log into their Enterprise network in Dashboard will notice several new and improved areas. On the Monitor > Overview page, there is now a new addition under the network name showing the number of clients that are associated at that moment:
If you click on the “More” link, you will see an expanded list with more information, including which SSIDs and channels the clients are using. This data is automatically refreshed as long as the “More” link is expanded.
Even cooler, Enterprise customers can change the access points map to show where clients are associated: click the “Options” menu on the map and select “Current clients.”
But the really interesting stuff is on the Access Point and Client detail pages. The Access Point detail page used to look like this:
Now, all of the live tools have been consolidated into a new, cleaner layout. Both Pro and Enterprise networks will benefit from the new layout. Enterprise networks now have two additional features in this area: Current Clients and Ping Client MAC. Clicking on the play icon next to Current Clients will pop up a list of all clients associated to that AP at that instant, including useful information about each client such as MAC, SSID, channel, signal strength, and how long they have been associated. Click on the name of a client to go to its client details page. You’ll even see clients that have associated, but not authenticated (they’re listed in grey). If you click the Ping link next to the client, you can actually ping that client in real time using ARP, as well as get additional information, such as RSSI changes over time and 802.1X identity (if appropriate).
The other new addition, Ping Client MAC, allows you to enter a MAC address and try to ping it. This can be very useful if you are trying to determine if a particular device is on your network at that moment.
There is also a new Live Tools section on the client detail page. From this page you can also ping that individual client, but there are a few additional new tools:
The Locate Client tool allows you to find out whether that client is associated on your network at that moment, and if so, where they’re associated and for how long:
Finally, the Packet Counter tool shows a real-time count of received and sent packets to that client. You can actually see the packet counters roll as you ping the client!
We think these new tools further improve Meraki’s uniquely clear approach to distributed, multi-site network management, a normally challenging task. Network administrators can more quickly resolve their wireless users’ connectivity issues and access accurate real-time data about the exact state of their network.
We’ve got two big announcements today for our enterprise customers – significant new product features, and a lifetime warranty on all indoor enterprise access points!
Lifetime Warranty on Indoor Enterprise APs
We put a lot of care into building solid, high-quality products. We think our APs should last a lifetime, and now we’re putting our money where our mouth is.
Effective immediately, all of our enterprise-class indoor access points – including our most popular model, the MR14 – are covered by a lifetime warranty. This upgraded coverage applies retroactively to existing units as well as to new purchases, and is free of charge.
We’re also offering free advanced shipping – a first in our industry. This means that if your access points need replacement, we’ll ship out new units immediately, rather than waiting to receive your APs before sending out replacements.
Since we’ve seen very few failures, these new policies won’t affect the vast majority of you. But we hope that these policies will make infrastructure budget planning easier for some, and add peace of mind for all.
New Enterprise Features
We’ve been working hard on new features for our enterprise products and we’re excited to announce that they’re available for you to use on your networks today.
We now automatically generate periodic analytics reports of the activity on your wireless network. These reports show the usage and reliability of the wireless network, bandwidth trends, device popularity, mobility, and more. These are great for network operators, as well as their staff and management. We’ve even had beta users post parts of the reports to their blogs. Wondering which operating systems are most popular on the Stanford Computer Science department’s wireless network? See here. (Hint – Apple is taking over the world.)
Check out a complete sample, from Stanford’s Computer Science Department:
Rogue AP Detection
This feature protects against 2 kinds of security risks. In one, a hacker can place an access point near your network that broadcasts the same SSID as your legitimate device. If users inadvertently connect to it, they could enter sensitive information (like their network login) into the malicious device. In the second case, one could plug a wireless access point into the wired LAN, without the appropriate encryption and access control – providing an opening into your network. More often than not, this is done by an employee who does not know that he is putting the network at risk.
These two types of “rogue APs” can be detected with dedicated software tools – provided you physically walk around your coverage area with a laptop. We’ve integrated rogue AP detection into our access points and monitoring software, so the Meraki network can continually monitor the airwaves for you and alert you upon signs of trouble.
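The two rogue AP cases described above can be told apart from scan data with a few lines of logic. This is an added sketch, not Meraki's detection code: the inventory, the scan records and the flag names are constructed, and matching a BSSID to a nearby MAC seen on wired ports is a common heuristic assumed here for the LAN-attached case.

```python
import re

# Constructed inventory and scan data (assumptions, not values from the post).
MANAGED_BSSIDS = {"02:aa:00:00:00:01", "02:aa:00:00:00:02"}
MANAGED_SSIDS = {"corp", "corp-guest"}            # compared case-insensitively
WIRED_MACS = {"02:cc:00:00:00:20", "02:ee:00:00:00:90"}  # learned on LAN ports

SCAN = [
    {"bssid": "02:AA:00:00:00:01", "ssid": "Corp", "rssi": -48},
    {"bssid": "02-bb-00-00-00-10", "ssid": "Corp ", "rssi": -61},
    {"bssid": "02:cc:00:00:00:21", "ssid": "linksys", "rssi": -55},
    {"bssid": "02:dd:00:00:00:05", "ssid": "CoffeeShop", "rssi": -80},
]


def norm(mac):
    """Normalise aa-bb-.., AA:BB:.. or aabb.ccdd.eeff to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def near(mac_a, mac_b, window=8):
    """Heuristic: a radio BSSID usually sits a few addresses away from the
    same device's wired MAC, so a small numeric distance suggests one box."""
    as_int = lambda m: int(m.replace(":", ""), 16)
    return abs(as_int(mac_a) - as_int(mac_b)) <= window


def classify(obs):
    """Return the rogue flags for one observed AP (empty list = no alert)."""
    bssid = norm(obs["bssid"])
    if bssid in MANAGED_BSSIDS:
        return []
    flags = []
    # Case 1: an unknown radio advertising one of our SSIDs.
    if obs["ssid"].strip().casefold() in MANAGED_SSIDS:
        flags.append("ssid-spoof")
    # Case 2: an unknown radio whose device also appears on the wired LAN.
    if any(near(bssid, norm(m)) for m in WIRED_MACS):
        flags.append("on-wired-lan")
    return flags


def alerts(scan):
    """Map each suspicious BSSID to its flags; unrelated neighbours drop out."""
    found = {}
    for obs in scan:
        flags = classify(obs)
        if flags:
            found[norm(obs["bssid"])] = flags
    return found
```

Normalising both MAC formatting and SSID case or whitespace matters in practice, since a lookalike SSID such as "Corp " would otherwise pass an exact string comparison.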
Here at Meraki’s San Francisco office, our engineers plug in test devices left and right, giving a fertile testing ground for this feature:
We now expose fine-grained event logs in the Meraki Cloud Controller, giving precise visibility into where, when, and how devices are connecting to the network, and aiding in troubleshooting and device tracking.
Support for 15 SSIDs
We’ve upped the maximum number of SSIDs from 4 to 15. While most customers have one SSID for their secure corporate network, and another open network for guests, some of our users have dedicated virtual networks for specialized equipment and devices, SSIDs with different bandwidth limits, etc. Westmont College, one of our customers whom we’ve mentioned on the blog before, has an SSID for their WiFi-controlled HVAC system, and Stanford’s Computer Science department has a dedicated SSID for their experimental robots! Now that we support 15 SSIDs, you can have a dedicated SSID for your wireless toaster oven and not run out.
Availability (and the beauty of SaaS)
Since the Meraki Cloud Controller is a cloud-based software service, these features (and many other improvements) are available immediately – with no upgrades to purchase, and no software to download or install.
Within the next few days and weeks, we’ll dive deeper into some of these features here on the blog – exploring use cases, tips, and tricks. In the meantime, give them a spin on your networks!