These days, as individuals carry multiple types of devices and expect to be connected at all times, the job of an IT admin becomes more complicated and stressful. Knowing what each end-user and device is trying to do on the network can be a burden. How can you feel confident that your network security will not be jeopardized while company assets remain contained?
Systems Manager, Cisco’s Mobile Device Management (MDM) solution, is evolving to address this need. We are introducing Meraki Trusted Access, which securely connects personal devices to business-critical resources without requiring an MDM profile to be installed.
Meraki Trusted Access enhances both the IT and end-user experience
For IT, Meraki Trusted Access means no longer dealing with tedious and manual onboarding processes. Granting secure network access to end devices becomes seamless and automated. With the Meraki dashboard, IT can sync their Active Directory server to create user profiles. From those user profiles, Trusted Access can then be enabled for specific Wi-Fi networks, specifying how many devices each user can onboard to get access and for how long. A user’s device gets access using a certificate: once that user is authenticated, the device is “trusted” and can securely access resources.
Additionally, Meraki Trusted Access enables more control and manageability over certificate-based onboarding processes. Whether a user is managed or unmanaged, the certificate authentication is done with Meraki. This removes the need to engineer complex third-party integrations. Finally, Systems Manager also offers an open API platform for customized integrations, for more business-critical operations.
For end-users, Meraki Trusted Access means an easier way to access critical applications. By using the newly enhanced Meraki Self-Service Portal, end-users can sign into the portal and start onboarding their devices themselves. From there, they can download certificates directly to those devices, granting them secure access to business-critical applications they might need. On top of this intuitive method of getting their devices access, end-users will also be happy to know that their privacy stays intact. They will no longer need to enroll into an MDM solution in order to get the access they need.
Meraki Trusted Access is the easiest way to securely connect devices without an MDM
Enabling Meraki Trusted Access is simple. Meraki Trusted Access is enabled when you have both Meraki MR access points and Meraki Systems Manager in your network.
You can configure Meraki Trusted Access in 4 simple steps:
1. Enable Trusted Access on an SSID.
2. Create an end-user profile under Systems Manager. You can automatically use Active Directory group tags to enable Trusted Access or configure users manually.
3. Select the end-user’s network access privileges and tie them to the SSID that has Trusted Access enabled.
4. Share the Self-Service Portal link with the end-user so they can onboard their devices and download the trusted certificate.
Cisco’s MDM solution, Meraki Systems Manager, continues to provide end-users and end-devices network security with flexible authentication methods, automated device onboarding, and dynamic security policies.
If you are a current MR and SM customer, you can try Meraki Trusted Access today (just make sure you have enough SM licenses to cover the number of mobile devices). Start by reading our Meraki Trusted Access documentation guide for a smooth set-up. If you’d like to learn more about Systems Manager, you can connect with the Meraki team to start a 30-day free trial, no strings attached.
Are you excited about all the new Apple innovation coming in iOS 13 and macOS 10.15 Catalina? Great, so are we! Both iOS 13 and macOS Catalina are introducing significant changes to Apple’s enterprise management capabilities and we are excited to announce that Cisco Meraki Systems Manager will support new settings and features on both platforms. Here are some of the planned changes coming to Meraki Systems Manager to support iOS 13 and macOS Catalina.
Changes to Device Restrictions
Between iOS 13 and macOS Catalina, Meraki Systems Manager will support a grand total of seventeen device restriction settings changes. The changes include six new restriction settings and eleven settings that are changing supervision requirements.
New Restrictions
Allow Find My Device in the Find My app (iOS)
Allow Find My Friends in the Find My app (iOS)
Force Wi-Fi power on (iOS)
Allow Files Network Drive Access (iOS)
Allow Files USB Drive Access (iOS)
Allow continuous path keyboard (iOS)
Allow Handoff (New to macOS)
Supervision Requirement Changes
Now Requires Supervision:
Allow adding Game Center friends
Allow installing apps
Allow use of camera
Allow cloud Keychain sync
Allow document sync
Allow explicit music and podcasts
Allow use of iTunes Store
Allow use of Safari
Allow users to use saved passwords in Safari and AutoFill Passwords feature
Allow Facetime
No Longer Requires Supervision:
Allow remote screen observation by the Classroom app
Restriction settings that are changing status in iOS 13 and macOS 10.15 will retain their configured effect if an unsupervised device is upgraded. For example, if camera use is blocked by restriction settings on an unsupervised device running iOS 12.4 or lower, the restriction setting will continue to block the Camera app when the device is upgraded to iOS 13.
New Settings Updates
Along with the Restrictions payload, Apple has updated a number of different settings with enhanced options to affect behavior on devices. Meraki Systems Manager will also support changes to the following payloads at the time of release:
Wi-Fi – Support for WPA3 authentication
Exchange ActiveSync – Manage synching of Contacts, Calendars, and Mail independently on iOS
Web Content Filter – macOS support for Filter Data Providers
Privacy Preferences Policy Control – Manage new permissions in macOS
Single App Mode – Manage Voice Control settings on iOS or tvOS
Automated Device Enrollment Changes
Automated Device Enrollment (also known as DEP) will now enforce mandatory enrollment in Meraki Systems Manager. Also, we have introduced a new option to skip “Dark Mode” setup on iOS and macOS.
Coming Soon
In the weeks following the launch of iOS 13 and macOS Catalina, Meraki Systems Manager will continue the momentum by rolling out support for more advanced features and functionality. This includes, but is not limited to:
Support for brand new macOS Catalina settings payloads
New Extensible Single Sign On capabilities to allow for native Apple Kerberos SSO and 3rd-party integration
Custom enrollment webpage to more readily personalize and secure the enrollment process on devices
If you would like to learn more about Systems Manager, join us for an upcoming webinar (where you can qualify to earn free Systems Manager licenses), or call the Meraki sales line to start a risk-free evaluation.
Activation Lock is a security feature on Apple iOS devices that prevents unauthorized use of an iOS device after it has been factory reset, rendering the device useless. While this is an amazing feature for personal use, it has presented challenges for IT administrators trying to deploy iOS devices for enterprise use cases. While IT administrators desire the added security Activation Lock provides, they are often frustrated by the lack of enablement control and device status insight.
Cisco Meraki’s mobile device management solution, Systems Manager, fully supports management of Activation Lock on supervised iOS devices. Let’s pull back the curtains and see how Cisco Meraki Systems Manager can help you effectively manage the Activation Lock status of your device fleet.
How is Activation Lock enabled?
There are two different ways to enable Activation Lock:
Device Activation Lock: The device owner enables Find My iPhone/iPad on the device with their personal Apple ID account.
MDM Activation Lock: Meraki Systems Manager enables Activation Lock with an MDM command. This action is only available on supervised iOS devices enrolled using Automated Device Enrollment through Apple Business Manager (ABM) or Apple School Manager (ASM).
How do I check the Activation Lock status of iOS devices?
You can view the Activation Lock status for each device in the “Management” section of the device’s details page in Meraki Systems Manager.
If Activation Lock is “Enabled”, Find My iPhone/iPad is enabled and the device’s activation may be locked by an owner’s personal Apple ID. MDM Activation Lock indicates that Meraki Systems Manager sent a command to enable Activation Lock on the device. The device’s activation may be locked by the Apple ID of an IT administrator with management rights in the ABM or ASM portals.
You can also view the Activation Lock status in the Devices list in Meraki Systems Manager by adding the applicable column to your view.
I wiped an iOS device and Activation Lock is enabled. How do I bypass or disable Activation Lock?
There are several methods to bypass or disable Activation Lock:
Apple ID: Enter the email address and password of the account that enabled Activation Lock on the device. Depending on how Activation Lock is enabled, this may be the user’s personal Apple ID credentials or the Apple ID credentials of an ABM/ASM administrator.
Bypass Code: When Activation Lock is enabled on supervised iOS devices, Meraki Systems Manager stores a bypass code, a randomized 30-character string, which can be used to clear the device’s Activation Lock state. In situations where both device and MDM Activation Lock may have been enabled, Meraki Systems Manager stores the codes generated for each type. The bypass code can then be entered at the Activation Lock screen to clear the Activation Lock status.
Clear Activation Lock Command: Meraki Systems Manager can send a remote command to Apple to clear Activation Lock on supervised iOS devices using the known bypass codes.
How can Meraki Systems Manager help me manage Activation Lock settings?
Meraki Systems Manager can only manage Activation Lock settings on supervised devices. If devices are supervised, Systems Manager prevents end users from being able to enable Device (Find My iPhone/iPad) Activation Lock by default on enrollment.
Via the “Privacy & Lock” payload, Meraki Systems Manager can be configured to automatically allow Device Activation Lock, and/or automatically enable MDM Activation Lock when devices are enrolled.
Check out Meraki Documentation for more information on how to manage Activation Lock settings and behaviors with Meraki Systems Manager. If you would like to learn more about Systems Manager, join us for an upcoming webinar (where you can qualify to earn free Systems Manager licenses), or call the Meraki sales line to start a risk-free evaluation.
In a variety of different industries, Apple TV is helping provide better guest experiences and increase user engagement.
Educational environments around the globe, including classrooms, hallways, and entire campus structures, are becoming more technologically integrated. Apple TV is a common tool used by instructors to share information. Teachers are able to better engage with students while seamlessly sharing content from their iPads to larger screens, enabling easy collaboration and spontaneous sharing between students.
In the hospitality sector, making the guest experience an “at-home” experience has always been a top priority. Today it is more common to see technologies like Apple TV provide a platform for proactive and efficient communication. Employees can easily share relevant information with guests and other hotel staff, resulting in simpler and more automated hotel operations. Local recommendations, amenities, and seasonal offerings can be featured in guest rooms and around an entire hotel, allowing guests to constantly be in the know, without it interfering with their stay.
Having received a ton of requests for Apple TV support from our customers, Cisco Meraki is happy to announce that Systems Manager now fully supports Apple TV (tvOS). With the addition of tvOS, Systems Manager now supports six operating systems, with tvOS joining iOS, macOS, Android, Chrome OS, and Windows.
The new Systems Manager feature allows customers to manage Apple TV-enabled devices similar to mobile phones, tablets, laptops, desktops and other endpoint devices.
With the way these verticals are using Apple TV and how it contributes to their business, any downtime on these devices can be costly. Not being able to get alerted when an Apple TV is offline, locate and erase a lost device, or enroll hundreds of devices at the same time results in a stressful and inefficient experience for IT admins.
In order to optimize technologies like Apple TV for better student engagement, larger revenue streams, and improved customer experience, managing these devices needs to be intuitive, fast, and to-the-point.
Systems Manager caters to these needs by:
Supporting new out-of-box enrollment (OOBE) capabilities using Apple DEP for easy Apple TV onboarding
Providing remote troubleshooting tools (such as locking devices, selectively wiping, erasing a device, and rebooting)
Allowing device restrictions — now made easier with an updated user experience and more security for AirPlay and Single App mode
Enabling easier addition and synchronization of tvOS apps via VPP
The list doesn’t stop there — if you are familiar with Systems Manager, the experience is built to be on par with the management of other Apple operating systems such as iOS and macOS.
If you would like to learn more about Systems Manager, join us for an upcoming webinar (where you can qualify to earn free Systems Manager licenses), or call the Meraki sales line to start a risk-free evaluation.
Prior to Oreo’s release, Cisco Meraki Systems Manager teams had already tested dozens of possible variations of customer use cases with Android Oreo. This includes updates that can be utilized by customers using G Suite Education and Business–also known as Android for Work. Systems Manager is certified for all the Android EMM protocols and is ready to go with Android Oreo. See below for a few example use cases:
Enable Work Profile on employee-owned BYOD devices to isolate personal and work apps and data
Place education, payment, or healthcare devices into single use mode or Kiosk mode (COSU)
Enjoy all the necessary control with Android Device Owner mode for corporate-owned devices
Android Oreo also brings many device advantages and improvements including better battery life, picture-in-picture, and increased stability for apps. See below for a list of some of the new functionality with Android 8.0:
System optimizations around better app stability
Background limits including battery and memory optimizations
Picture-in-picture for multitasking on Android
Notification dots for streamlined access of activity and notifications
Autofill framework to simplify new device setup and password synchronization
A complementary Android Vitals dashboard containing exciting new visibility for developers
Apple CEO Tim Cook and Cisco CEO Chuck Robbins took the stage at Cisco Live! this week to talk about the next phase of the Apple Cisco partnership. Part of this next phase will be the Cisco Security Connector, which will completely change the story when talking security on iOS. It can be deployed on enterprise supervised iOS devices using Systems Manager, Cisco’s enterprise mobility management (EMM) solution. See below for an excerpt from David Ulevitch’s Cisco Blog.
“Expected to be released in the fall of 2017, the Cisco Security Connector is designed to deliver the deepest visibility, control, and privacy for iOS devices. The Cisco Security Connector offers organizations the most granular view of what is happening on enterprise-owned mobile devices and provides the best protection for users, anywhere they travel. With the Cisco Security Connector, businesses will now have the ability to meet risk and compliance requirements from auditors and ultimately expand iOS adoption in new ways.”
With the Cisco Security Connector, organizations gain the following:
Visibility: Ensure compliance of mobile users and their enterprise-owned iOS devices during incident investigations by rapidly identifying what happened, whom it affected, and the risk exposure.
Control: Protect users of iOS devices from connecting to malicious sites, whether on the corporate network, public Wi-Fi, or cellular networks.
Privacy: Safeguard corporate data and users by encrypting internet (DNS) requests.
With the mammoth growth of mobile device availability and capabilities, virtually all industries have been affected. This includes the creation of new IT processes, new teams, and new categories of solutions like mobile device management (MDM) and enterprise mobility management (EMM). Mobile devices offer leaps in productivity and automation, but there are not many products that truly make it manageable or scalable for an administrator and end user. That is where Systems Manager comes in. Last month, we went over some of the overall benefits of using Systems Manager in EDU. Today, we will talk about some practical examples of mobility with app management.
Mobility – Apps are one of the major ways end users interact with devices. They are also one of the ways businesses provide their products to customers. Imagine everything from mobile websites and Gmail to Salesforce or even a calculator app. There are three main considerations when venturing into mobile application management: how to push apps, how to manage app licensing, and how to implement containerization. The following three sections cover each of these considerations.
Pushing Apps – Nothing makes it as straightforward as Systems Manager in regard to pushing apps. If it is a public app from the Apple App Store or Google Play Store, then search for the desired app and push it to managed devices. If it’s an installer or private application, then upload it to the Meraki cloud or point to where it is hosted. With the steps being 1) pick an app, 2) select a group that needs the app, and 3) push the app, it is literally as easy as 1-2-3. See below for an example of some of the top apps customers are pushing to their devices today.
Manage App Licenses – App licensing and software inventory are critical in managing a successful app deployment, but they can be tedious without the right solution. The right solution is something that greatly increases visibility while streamlining the entire process. To accomplish this, Systems Manager not only removes complexities by combining inventory over many devices and device types (e.g. Windows, iOS, Android, etc.) but it also integrates with Apple’s Volume Purchase Program (VPP) and Google’s G Suite in order to simplify bulk licensing and distribution. In addition, Systems Manager alongside these solutions provides the ability to silently push apps to iOS and Android devices. This means easier management for administrators and less disruption for end users.
Containerization – Finally, there is a great need to decide on a strategy for containerization. This may sound complicated, but it comes down to one simple question: should managed apps and data be allowed to talk to unmanaged apps and data? In the Systems Manager world, if you don’t want private apps like an unmanaged Dropbox application or personal file storage to communicate with managed apps like a managed Box app or even a managed email account, then you want containerization. For an example of how simple something this powerful can be, see the configuration options for containerization in iOS below. It only takes deciding on checking or unchecking two boxes.
Hopefully this provided some insight into the simplicity Systems Manager brings to mobile application management (MAM).
To start an instant 30-day trial and see things first hand, click here.
Most administrators are aware of the challenges that come with managing mobile devices: the sheer number, the lack of visibility and security, and the difficulty provisioning or configuring them, to name a few. As we approach the end of another school year in the US, let’s review some of the reasons tens of thousands of customers in education chose Systems Manager to manage millions of mobile devices and PCs.
Before talking about a specific feature, it may help to know some of the general reasons people choose Systems Manager. For one, it takes something as complicated and cumbersome as navigating a flood of mobile devices and makes it manageable while keeping the advantages of mobility. Simplifying powerful technology to free passionate people to focus on their mission is at the core of the Cisco Meraki vision. This is fundamental to how Systems Manager addresses enterprise mobility management (EMM) and mobile device management (MDM).
People also love SM because it continues to grow. For years, Systems Manager has flexed its cloud-managed and software-only muscles by rapidly iterating on ideas and support. This isn’t just about Systems Manager’s consistent zero-day support for new OS versions. It’s also about its consistency in adding brand new features and functionality. A great example of this is the Systems Manager Teacher’s Assistant.
A real life teacher’s assistant (TA) can make a difference by reducing stress, workload, and disruption in the classroom. Unfortunately, TAs are not always available for all teachers and classes, and they’re not necessarily able to help with everyday tasks for a large number of devices or complex digital technology. When automation, scalability, and simplicity are needed, SM has many solutions. There have been quite a few tools for education added since the May 2015 launch of the Systems Manager Teacher’s Assistant, and for those interested in a free trial check out the link at the bottom.
Stay tuned in the coming weeks to learn more about the specific tools that make Systems Manager so popular in education.
The latest ‘dot 3’ release with Apple iOS 10.3 brought quite the buzz again. With Systems Manager, Cisco Meraki’s EMM, we are excited to continue to support iOS releases day one and take another opportunity to talk about what’s new. Below is a breakdown of some of the more interesting 10.3 features now available.
More WiFi control is a popular topic and request from administrators spanning many industries. Whether mobile devices are in a retail shop, an educational institution, a government facility, or somewhere else, it can be crucial to ensure they are joining the right wireless network. Not only can joining the wrong network affect security, especially when open and other compromising networks are in proximity, but this can remove critical access to network resources which devices sometimes need. Systems Manager and iOS 10.3 now bring you the ability to whitelist only the managed SSIDs a device is allowed to join. This ensures the right access for mobile devices wherever that device may be.
Next up is support for additional managed restrictions. With the previous dot 3 release, iOS 9.3, there was a huge emphasis on education and classroom support. Continued technological advancements in the classroom are helpful not just for IT management but to aid teachers in directing and guiding students. Alongside iOS 9.3 we added the ability to share iPads as well as have teachers show student devices on AirPlay enabled screens. Now with iOS 10.3, there is the ability to automatically grant observation permission to teachers using the Classroom app. Other managed restrictions include disallowing or allowing Bluetooth modification, dictation, remote screen observation, and the modification of diagnostic submissions.
On the email security front, Apple is also adding OAuth 2.0 support for the native mail app. When using Microsoft Exchange services with Office 365, this brings token based security that goes well beyond simple username and password. Paired with improvements around S/MIME, which uses certificates for signing and encrypting email, there is now a compelling native solution for secure email which creates a better and familiar experience for mobile users.
Finally we have tvOS, which requires almost no introduction. This brings some of the features found in iOS, which are already loved across millions of mobile devices managed globally, and will expand it to Apple TVs. This includes the ability to restart devices, deploy network configurations, and more. EMM controls on tvOS mean more endpoints simply and effectively managed in the Cisco Meraki cloud. New controls are available in tvOS 10.2 and later.
Systems Manager legacy customers interested in these powerful features can find out how to take advantage of them here. Start an instant 30-day trial here.
Today is an exciting day for our enterprise mobility management (EMM) customers. We’ve revamped Cisco Meraki Systems Manager, our EMM platform. This represents the single, most significant addition we’ve made to Systems Manager since introducing the solution in 2010. And, for those not familiar with the Cisco Meraki licensing model, when we add new functionality to a product all existing customers automatically get access to the new functionality–for no extra charge.
What’s New
Per-App and Always-on VPN
Android for Work – fully certified
Systems Manager API
Brand new UX tools to simplify onboarding
Managed app configuration
Cellular data tracking
User authentication w/ Google, Azure, or any OAuth
New features. New capabilities. And (maybe most importantly) a fresh, new approach to enterprise mobility management.
Simplifying Management and Access
At Cisco Meraki, we are driven by our mission of simplifying powerful technology. That’s why we’ve added so much to our EMM platform. We continue to learn about the different ways customers around the world want to manage their mobile devices, and the features they need to run their businesses effectively. We’ve rethought the way mobile devices and PCs check-in, when and why they are updated, and how they are configured in the first place.
Cisco Meraki Systems Manager provides a simple and effective way to manage the apps and access for endpoints in any organization. Specify the right apps and access for mobile devices, who should be receiving them, and when they should have them. Cisco Meraki takes care of the rest.
New features, new capabilities
With Systems Manager 2017, customers can enjoy a host of new features, including:
– VPN: Per-App and Always-on VPN bring more flexibility, security, and control. Per-App VPN means only the apps that matter are secured and connected to home base. Always-on VPN automatically and on demand creates a secure, private tunnel to a security appliance from wherever a device may be. This is supported in the certificate-based VPN solutions, including Cisco AnyConnect and IKEv2.
– Android for Work: Android for Work provides a way to enable apps, add containerization, and bring security without needing to manage complicated SDKs or application source code. Meraki enables Android for Work to provide major business benefits and secure work-ready apps with minimal setup required. With this launch, we are certified on all of the currently available Android for Work protocols. Popular use cases include:
Work Profile: maintain BYOD use cases with native containerization and mobile application management
Kiosk Mode: point of sale and kiosk mode at the click of a button
Organization-owned: lock down the entire device for maximum security and control
More settings, restrictions, and support than ever before with Android
– New API: The Systems Manager API extends the power and visibility of the Meraki Dashboard to the platforms and infrastructure you already support. Trigger a device wipe when removing an employee from your internal database. Automatically assign apps to users where you already manage them. For those with a Cisco Meraki Dashboard account, see the API documentation here.
– UX tools to simplify onboarding: This one hits particularly close to home for us. Our mission is to simplify powerful technology. There are a lot of benefits that come with mobile devices and PCs, but there can also be complexity. Whether it’s setting up an Apple push certificate, an Android EMM domain, or what is needed for a Windows laptop, the new onboarding flow makes it just a couple clicks.