Are you excited about all the new Apple innovation coming in iOS 13 and macOS 10.15 Catalina? Great, so are we! Both iOS 13 and macOS Catalina are introducing significant changes to Apple’s enterprise management capabilities and we are excited to announce that Cisco Meraki Systems Manager will support new settings and features on both platforms. Here are some of the planned changes coming to Meraki Systems Manager to support iOS 13 and macOS Catalina.
Changes to Device Restrictions
Between iOS 13 and macOS Catalina, Meraki Systems Manager will support a grand total of seventeen device restriction settings changes. The changes include six new restriction settings and eleven settings that are changing supervision requirements.
Allow Find My Device in the Find My app (iOS)
Allow Find My Friends in the Find My app (iOS)
Force Wi-Fi power on (iOS)
Allow Files Network Drive Access (iOS)
Allow Files USB Drive Access (iOS)
Allow continuous path keyboard (iOS)
Allow Handoff (New to macOS)
Supervision Requirement Changes
Now Requires Supervision:
Allow adding Game Center friends
Allow installing apps
Allow use of camera
Allow cloud Keychain sync
Allow document sync
Allow explicit music and podcasts
Allow use of iTunes Store
Allow use of Safari
Allow users to use saved passwords in Safari and AutoFill Passwords feature
No Longer Requires Supervision:
Allow remote screen observation by the Classroom app
Restrictions settings that are changing status in iOS 13 and macOS 10.15 will retain their configured effect if an unsupervised device is upgraded. For example, if camera use is blocked by restrictions settings on an unsupervised device running iOS 12.4 and lower, the restriction setting will continue to block the Camera app when the device is upgraded to iOS 13.
New Settings Updates
Along with the Restrictions payload, Apple has updated a number of different settings with enhanced options to affect behavior on devices. Meraki Systems Manager will also support changes to the following payloads at the time of release:
Wi-Fi – Support for WPA3 authentication
Exchange ActiveSync – Manage syncing of Contacts, Calendars, and Mail independently on iOS
Web Content Filter – macOS support for Filter Data Providers
Privacy Preferences Policy Control – Manage new permissions in macOS
Single App Mode – Manage Voice Control settings on iOS or tvOS
Automated Device Enrollment Changes
Automated Device Enrollment (also known as DEP) will now enforce mandatory enrollment in Meraki Systems Manager. Also, we have introduced a new option to skip “Dark Mode” setup on iOS and macOS.
In the weeks following the launch of iOS 13 and macOS Catalina, Meraki Systems Manager will continue the momentum by rolling out support for more advanced features and functionality. This includes, but is not limited to:
Support for brand new macOS Catalina settings payloads
New Extensible Single Sign On capabilities to allow for native Apple Kerberos SSO and 3rd-party integration
Custom enrollment webpage to more readily personalize and secure the enrollment process on devices
If you would like to learn more about Systems Manager, join us for an upcoming webinar (where you can qualify to earn free Systems Manager licenses), or call the Meraki sales line to start a risk-free evaluation.
Activation Lock is a security feature on Apple iOS devices that prevents unauthorized use of an iOS device after it has been factory reset, rendering the device useless. While this is an amazing feature for personal use, it has presented challenges for IT administrators trying to deploy iOS devices for enterprise use cases. While IT administrators desire the added security Activation Lock provides, they are often frustrated by the lack of enablement control and device status insight.
Cisco Meraki’s mobile device management solution, Systems Manager, fully supports management of Activation Lock on supervised iOS devices. Let’s pull back the curtains and see how Cisco Meraki Systems Manager can help you effectively manage the Activation Lock status of your device fleet.
How is Activation Lock enabled?
There are two different ways to enable Activation Lock:
Device Activation Lock: The device owner enables Find My iPhone/iPad on the device with their personal Apple ID account.
MDM Activation Lock: Meraki Systems Manager enables Activation Lock with an MDM command. This action is only available on supervised iOS devices enrolled using Automated Device Enrollment through Apple Business Manager (ABM) or Apple School Manager (ASM).
How do I check the Activation Lock status of iOS devices?
You can view the Activation Lock status for each device in the “Management” section of the device’s details page in Meraki Systems Manager.
If Activation Lock is “Enabled”, Find My iPhone/iPad is enabled and the device’s activation may be locked by an owner’s personal Apple ID. MDM Activation Lock indicates that Meraki Systems Manager sent a command to enable Activation Lock on the device. The device’s activation may be locked by the Apple ID of an IT administrator with management rights in the ABM or ASM portals.
You can also view the Activation Lock status in the Devices list in Meraki Systems Manager by adding the applicable column to your view.
I wiped an iOS device and Activation Lock is enabled. How do I bypass or disable Activation Lock?
There are several methods to bypass or disable Activation Lock:
Apple ID: Enter the email address and password of the account that enabled Activation Lock on the device. Depending on how Activation Lock is enabled, this may be the user’s personal Apple ID credentials or the Apple ID credentials of an ABM/ASM administrator.
Bypass Code: When Activation Lock is enabled on supervised iOS devices, Meraki Systems Manager stores a bypass code, a randomized 30 character string, which can be used to clear the device’s Activation Lock state. In situations where both device and MDM Activation Lock may have been enabled, Meraki Systems Manager stores the codes generated for each type. The bypass code can then be entered at the Activation Lock screen to clear the Activation Lock status.
Clear Activation Lock Command: Meraki Systems Manager can send a remote command to Apple to clear Activation Lock on supervised iOS devices using the known bypass codes.
How can Meraki Systems Manager help me manage Activation Lock settings?
Meraki Systems Manager can only manage Activation Lock settings on supervised devices. If devices are supervised, Systems Manager prevents end users from being able to enable Device (Find My iPhone/iPad) Activation Lock by default on enrollment.
Via the “Privacy & Lock” payload, Meraki Systems Manager can be configured to automatically allow Device Activation Lock, and/or automatically enable MDM Activation Lock when devices are enrolled.
Check out Meraki Documentation for more information on how to manage Activation Lock settings and behaviors with Meraki Systems Manager. If you would like to learn more about Systems Manager, join us for an upcoming webinar (where you can qualify to earn free Systems Manager licenses), or call the Meraki sales line to start a risk-free evaluation.
The latest ‘dot 3’ release with Apple iOS 10.3 brought quite the buzz again. With Systems Manager, Cisco Meraki’s EMM, we are excited to continue to support iOS releases day one and take another opportunity to talk about what’s new. Below is a breakdown of some of the more interesting 10.3 features now available.
More WiFi control is a popular topic and request from administrators spanning many industries. Whether mobile devices are in a retail shop, an educational institution, a government facility, or somewhere else, it can be crucial to ensure they are joining the right wireless network. Not only can joining the wrong network affect security, especially when open and other compromising networks are in proximity, but this can remove critical access to network resources which devices sometimes need. Systems Manager and iOS 10.3 now bring you the ability to whitelist only the managed SSIDs a device is allowed to join. This ensures the right access for mobile devices wherever that device may be.
Next up is support for additional managed restrictions. With the previous dot 3 release, iOS 9.3, there was a huge emphasis on education and classroom support. Continued technological advancements in the classroom are helpful not just for IT management but to aid teachers in directing and guiding students. Alongside iOS 9.3 we added the ability to share iPads as well as have teachers show student devices on AirPlay enabled screens. Now with iOS 10.3, there is the ability to automatically grant observation permission to teachers using the Classroom app. Other managed restrictions include disallowing or allowing Bluetooth modification, dictation, remote screen observation, and the modification of diagnostic submissions.
On the email security front, Apple is also adding OAuth 2.0 support for the native mail app. When using Microsoft Exchange services with Office 365, this brings token based security that goes well beyond simple username and password. Paired with improvements around S/MIME, which uses certificates for signing and encrypting email, there is now a compelling native solution for secure email which creates a better and familiar experience for mobile users.
Finally we have tvOS, which requires almost no introduction. This brings some of the features found in iOS, which are already loved across millions of mobile devices managed globally, and will expand it to Apple TVs. This includes the ability to restart devices, deploy network configurations, and more. EMM controls on tvOS mean more endpoints simply and effectively managed in the Cisco Meraki cloud. New controls are available in tvOS 10.2 and later.
Systems Manager legacy customers interested in these powerful features can find out how to take advantage of them here. Start an instant 30-day trial here.
During the months prior to launching Meraki MV, our extensive user experience testing for the new product spanned everything from the layout on the dashboard to physical installation of the security cameras. In doing so, we realized just how difficult it is to stand at the top of a tall ladder while holding a laptop (often the unfortunate reality of IP camera setup). That’s why we’re excited to announce that the Meraki mobile app for iOS and Android now supports MV security cameras.
The Meraki app makes it easier and quicker than ever to set up your cameras. View live video feeds and adjust focus, zoom, and aperture, all from a smartphone. Simply download the Meraki dashboard app on your phone, log in with your standard dashboard credentials, and then navigate to your cameras in the left-hand navigation menu. Click on the camera you want to view, and then click “Live” in the lower right-hand corner. The live video feed will automatically start to stream, and, if needed, you can make any necessary camera adjustments. For video walls and enhanced video monitoring functionality, MV also works with mobile browsers in Android.
Kiss the days of climbing onto a ladder with a laptop goodbye, and say hello to security camera configuration and management from your phone! Whether onsite or halfway around the world, the mobile app will help to keep tabs on what’s important to you and your organization.
As always, our engineers are keeping their ears open for requests through our Make a Wish tool. It’s hard to believe MV just launched a couple of months ago, and MV engineers have already added full disk encryption and support for the mobile app since then. Just imagine what could be coming next!
The fine people at Cisco Meraki are always looking for even better ways to help customers as they configure and manage their IT environments. Offering 24/7 phone support and giving guidance is merely one of the many avenues used to help create the best experience possible for users around the globe. Below are two videos the Meraki support team created to show how to most effectively manage one-to-one and Shared iPad deployments with Systems Manager–just in time for the holiday break here in the U.S.
The first video is a breakdown of setting up Shared iPad in six simple steps. This includes all the configuration needed in the Meraki dashboard using Systems Manager as well as configuration for Apple School Manager at school.apple.com. Shared iPad provides a way to manage iPads in the classroom where they can be shared with multiple students. Students can log into an iPad from a cart or classroom for a personalized experience, and the student’s work (data) gets saved back to their account.
For more information about Apple School Manager, check out the Apple help article here.
Up next is a video which similarly shows how to configure an iPad for use in the classroom, but focuses on a one-to-one environment. ‘One-to-one’ is used to describe a program where there is one computer, or in this case iPad, per student.
Meraki customers are encouraged to give real time feedback by submitting a wish at the bottom of any page in the Meraki dashboard. This feedback, called ‘Make a Wish’, is one of the many tools Meraki uses to keep in touch with current customer needs. See below for an example.
Managing cellular data plans can be difficult and expensive. The cost of exceeding data plans and the lack of visibility into managed devices’ cellular usage has made it challenging to have company cellular policies, let alone maintain them. Meraki Systems Manager has provided tools to manage and increase the visibility of mobile devices, as well as the likes of desktops and servers, since 2010. Today, we are happy to announce yet another big step in the evolution of Cisco’s mobility management with the addition of cellular data management.
Systems Manager customers have cellular data management functionality now, and they have it for no extra charge. It was made automatically available–like all updates to Dashboard. At Meraki, there is a lot of pride around offering the best tools possible while maintaining a rapid feature trajectory that redefines the industry’s status quo.
Practically, cellular data management enables the ability to do three important things:
Track data usage on managed devices globally and individually
Automatically take action on devices going over data limits
Firstly, to view tracked data usage over all managed devices, simply navigate to Monitor > Clients and click the ‘+’ button in the top right hand corner, then add ‘Cellular data’ to the table. Next, enter a plan reset date on the Configure > General page–the default is the first of the month. This will specify when the monthly counter should restart and will allow for easier data usage tracking over time and on-the-fly. Current data usage can also be tracked individually on a specific device’s client page as shown below.
The first selector allows for a quick view to show data for the past day, week, month, or 3 months. The second selector toggles between different policies and thresholds.
Secondly, single or multiple data caps can be set using policies in Systems Manager by navigating to the Configure > Policies page. Check the box for ‘Device cellular data usage’ and enter the amount for the maximum data allowance in MBs. Policies can be used to manage, monitor, and create reports for many different actions. Below is an example policy which is configured to track a cellular data usage limit of 10GBs*.
Security policies in Systems Manager become even more powerful when used to automatically take action on devices. Changing the scope of devices with tagging provides the ability to control profiles or add and remove apps based on security posture. If a device exceeds a data limit or violates security compliance, Systems Manager can be configured to automatically lock it into single app mode, disable settings, or even remove company data, access, and apps. To get more information on tagging in Meraki Systems Manager, check out the documentation article here.
Last but certainly not least, all good security policies should be accompanied by a report. Systems Manager makes it easy to enable daily, weekly, or monthly reports for any of the security policies created. Along with this is the option to select which kinds of devices are important to each policy and whether or not only failing devices should be included.
Systems Manager legacy customers interested in these powerful features can find out how to take advantage of them here.
Welcome to the second edition of ‘In the Know’. In the Know posts showcase features or capabilities that already exist in the Cisco Meraki portfolio but may not be as well known. For reference, here is last month’s In the Know about Windows 10.
First things first, Apple’s iOS 10 is here and macOS Sierra is coming soon. There are many things Meraki has already been doing to aid administrators in both preparing for and deploying the latest and greatest.
Meraki added extremely early, general support for iOS 10 and macOS betas after the start of Apple’s Worldwide Developers Conference (WWDC) last June. For those with access to the betas, Meraki was ready–far ahead of the status quo. Early this year, Meraki released a solution for administrators using Apple products and Meraki Systems Manager to issue OS updates over the air. Over-the-air updates provide the ability to push the latest version of iOS and macOS to an entire fleet of devices remotely and with only a few mouse clicks. Keeping devices up to date is essential in order to deploy the latest security patches and features. More information can be found on the documentation article here.
Also announced at WWDC were many improvements with iOS 10 and Cisco specific features, like fast lane profiles or fast-tracking the mobile enterprise, which promised to change the way people work. This is carried out through network optimization around performance, creating an even better experience for Cisco voice communication, and reinventing teamwork and meetings with Cisco collaboration tools on iPhone and iPad. See below for an example of setting up per-app QoS with iOS 10 and Cisco in the Systems Manager Dashboard, and click here for documentation.
Systems Manager legacy customers interested in these powerful features can find out how to take advantage of them here. For those new to Meraki or Systems Manager, start a free trial.
Meraki Systems Manager continues to offer extensive functionality for Apple platforms. Only recently we announced same day support for iOS 9 in conjunction with a new strategic joint development partnership between Cisco and Apple. We continued that story with the launch of extensive new features for Systems Manager on February 9th. In this particular post we are going to explore the Apple specific elements of that launch.
With MDM it has always been important to make sure you keep the users informed. This ensures they attribute changes to their device to administrative control and not to a fault. The iOS Wallpaper functionality of iOS 9 offers a great way of keeping users informed, while also offering branding and user experience options.
The Lock and Home page Wallpapers can be configured independently or together with a simple drag and drop. The reason that changing the Wallpaper with Systems Manager offers a great way of interacting with the user is because it can be tied to tags. This means that the Wallpaper can change dynamically based on various events, for example based on the person using the device or its posture.
FileVault disk encryption
Information is the lifeblood of any organization, with the securing and management of this data under increasing scrutiny. Encryption of information on portable devices such as laptops is frequently being mandated in regulated industries such as health care. The loss of confidential or private information can lead to stiff penalties, brand damage, and dented consumer confidence.
FileVault in OS X provides strong data security with full disk encryption using AES. With full disk encryption, data on a mislaid or stolen device is useless to the unauthorised recipient. Systems Manager now supports FileVault disk encryption management, and in typical Meraki fashion, has been made as simple as possible.
The difficulty associated with disk encryption is not typically with encrypting data but in decrypting it when required. For example, when an employee leaves the organization it may be necessary to access the customer data on their device. If the password or recovery key has not been provided by the departed employee, then the data is lost forever.
Systems Manager supports all three methods of FileVault data recovery: an institutional recovery key, a personal recovery key, or both simultaneously. Institutional recovery keys are transparently managed by the Meraki cloud, ensuring they are never lost. More information on FileVault 2 can be found on our documentation portal.
OS X system preferences
To top off the list of Apple functionality added in this Systems Manager launch there are now 35 new OS X system preferences to play with. This includes things such as control of Security & Privacy settings, Software Updates, and Parental Controls. Further information on these OS X systems preferences is again located on our documentation portal.
The new features for Apple platforms included as part of this launch are available today. If you are a Systems Manager Legacy customer interested in these new capabilities, then you can upgrade to the full version by simply contacting our sales team. The full version includes a wealth of features on top of those mentioned in this post, with further information available on the Systems Manager licensing page.
Excited by the new content in this Systems Manager launch? We are! The team will be highlighting these features and more in upcoming Systems Manager webinars. Alternatively, if you can’t wait to get started, contact us to begin a no-risk trial and we will help get you up and running.
With the release of iOS 9 Apple introduced a number of improvements to the Volume Purchasing Program (VPP). Of these improvements, one of the more significant is app assignment by device. With this new functionality it is now possible to assign VPP apps to an iOS device without the need for an Apple ID, and if that device is supervised, the installation is silent.
Before this change, it was only possible to assign apps to a user by associating them with an Apple ID. This method of app management can be an administrative nightmare when used in environments such as K-12 education, where many users may be working with a particular device. Students may not have an Apple ID, or may be too young to have one without parental consent. Additionally, it meant that an Apple ID needed to be configured on the iPad for apps to be silently pushed to supervised devices.
With VPP device assignment, an Apple ID is no longer required and with supervised devices, apps can be pushed silently with no end user interaction. Silent app push has a huge impact on an administrator’s ability to seamlessly deliver iOS apps to users. Combining this new functionality with Meraki Systems Manager features, such as multiuser authentication, can offer a fantastic classroom experience. Apps and settings are tailored to each student’s needs and dynamically changed as the user changes.
Systems Manager Legacy customers can gain access to this great new functionality by upgrading to the latest version of Systems Manager. Please contact your Meraki representative for further information or alternatively sign up for a specialist Systems Manager Teacher’s Assistant webinar here. Additionally stay tuned to our YouTube channel for additional video guides to this functionality.
On August 31, Cisco and Apple announced a new strategic partnership. To address the ever-increasing demands on corporate infrastructure, Cisco networks and iOS devices will be optimized so that they work together more efficiently, with the goal of providing users even greater performance. Read more reflections on this significant announcement from Cisco CEO Chuck Robbins.
With the release of iOS 9 today, Meraki is announcing same day support for Systems Manager, made possible by the agile cloud architecture for which we’re renowned.
iOS 9 brings new functionality to MDM, with new restrictions such as being able to disallow sharing of managed documents with AirDrop and disabling iCloud Photo Library. There are also a host of new supervised restrictions available, which include the ability to control:
The App Store
Pairing with Apple Watch
Modification of passcode settings
Modification of device name
Modification of wallpaper
Automatic downloading of apps purchased on other devices
Automatically trusting enterprise apps
The News app
Systems Manager customers who are using the legacy, license free version will be able to manage devices running iOS 9, but will not receive the new iOS 9 functionality such as the extra restrictions. If you would like to upgrade to take advantage of the new features and gain access to many others, such as 24/7 support and network policy integration with Systems Manager Sentry, contact the sales team for more information.
We know there are going to be many questions we won’t be able to cover in a single blog post. To help provide more detail on iOS 9 and what’s new in Systems Manager, we are running a “What’s new with iOS 9 and Systems Manager” webinar on Tuesday, September 29th at 9am PDT. Register today to reserve your place, and to find out more about the new functionality such as VPP app provisioning by device rather than by user.