Recently, we polled viewers of our Behind the Network series. Out of 81 responses, 51 confirmed that security and compliance is what worries them the most about shifting to a more remote workforce. It’s no surprise that security is always a top priority, even as our work environment changes. While most organizations prioritize protecting employees, devices, business applications, and sensitive data from cyberattacks, the task is no easy feat. Let’s take one aspect of security and break it down into actionable steps: securing mobile devices.
When it comes to securing mobile phones, IT administrators know the importance of using endpoint management software to provision, configure, and monitor those assets. Another critical step is asking key questions like:
What was the state of the device before we installed the management software?
Are we certain that our corporate applications are being deployed to a secure device?
Are we certain the applications themselves are secure?
There are two critical pillars in security: the device level and the application level. When planning your mobile foundation, the combination of Meraki Systems Manager and Duo’s Trusted Endpoint feature helps you address each of these areas. Meraki Systems Manager provides complete control over your mobile phones and Duo provides the best possible Multi-Factor Authentication (MFA), used from those secure devices, to ensure your users access corporate applications securely and with the highest level of authentication. Duo’s Trusted Endpoint feature, integrated with Systems Manager, ensures an extra level of trust based on a Duo-issued certificate unique to each mobile device.
Whether your company buys phones for your employees or whether you manage BYOD phones, you can use Meraki Systems Manager to ensure the security of those devices. Configure password requirements, enforce GeoFencing policies, automatically deploy “Sentry WiFi” profiles for secure wireless, and track inventory to ensure the OS and apps are up-to-date. Additionally, for an even stronger foundation you can deploy company-purchased phones using Apple’s DEP or Zero Touch on Android phones, so that security is turned on at the factory before the shrink wrap is opened.
Given how important Duo’s MFA capability is to a defense-in-depth strategy, and how logically it builds on top of the OS security Meraki Systems Manager provides beneath it, you would be right to ask “what is the most secure process for deploying and configuring Duo on my mobile devices?” Duo’s Trusted Endpoint feature is the exact answer to this question.
Meraki Systems Manager now integrates directly with Duo and supports the Trusted Endpoint feature for securely deploying Duo to iOS and Android devices. Configuration takes just a few minutes. You can easily set up both Meraki and Duo from your couch at home given that both systems are managed using native cloud dashboards. Upon completion, you will have laid down the ultimate secure foundation for mobile OS management and MFA application security. Using the Duo Trusted Endpoint feature, Meraki Systems Manager is able to provision Duo automatically to each device while simultaneously configuring Duo so that it is enrolled in Duo’s PKI before the MFA actions are allowed.
Fast, scalable deployment of mobile devices requires a trusted foundation, otherwise you are building a very shaky structure for your business. Meraki Systems Manager, when combined with Duo’s Trusted Endpoint capability, is a comprehensive security solution for mobile devices. The operating system is configured and secured by Meraki—with security originating at the factory if zero touch provisioning is used. Your multi-factor authentication provided by Duo ensures that access to corporate applications is gated securely. And, critically, the security foundation for the Duo application itself is laid down using Meraki Systems Manager’s integration with the Trusted Endpoint feature.
For more information on this enterprise security feature, please join us on an upcoming live webinar co-presented by Meraki and Duo.
These days, as individuals carry multiple types of devices and expect to be connected at all times, the job of an IT admin becomes more complicated and stressful. Knowing what each end-user and device is trying to do on the network can be a burden. How can you feel confident that your network security will not be jeopardized while company assets remain contained?
Systems Manager, Cisco’s Mobile Device Management (MDM) solution, is evolving to address this need. We are introducing Meraki Trusted Access, which securely connects personal devices to business-critical resources without requiring an MDM profile to be installed.
Meraki Trusted Access enhances both the IT and end-user experience
For IT, Meraki Trusted Access means no longer dealing with tedious and manual onboarding processes. Granting secure network access to end devices becomes seamless and automated. With the Meraki dashboard, IT can sync their Active Directory server to create user profiles. From those user profiles, Trusted Access can then be enabled for specific Wi-Fi networks, specifying how many devices each user can onboard to get access and for how long. A user’s device gets access using a certificate; once that user is authenticated, the device is “trusted”. A “trusted” device can then securely access resources.
Additionally, Meraki Trusted Access enables more control and manageability over certificate-based onboarding processes. Whether a user is managed or unmanaged, the certificate authentication is done with Meraki. This removes the need to engineer complex third-party integrations. Finally, Systems Manager also offers an open API platform for customized integrations, for more business-critical operations.
For end-users, Meraki Trusted Access means an easier way to access critical applications. By using the newly enhanced Meraki Self-Service Portal, end-users can sign into the portal and start onboarding their devices themselves. From there, they can download certificates directly to those devices, granting them secure access to business-critical applications they might need. On top of this intuitive method of getting their devices access, end-users will also be happy to know that their privacy stays intact. They will no longer need to enroll into an MDM solution in order to get the access they need.
Meraki Trusted Access is the easiest way to securely connect devices without an MDM
Enabling Meraki Trusted Access is simple. Meraki Trusted Access is enabled when you have both Meraki MR access points and Meraki Systems Manager in your network.
You can configure Meraki Trusted Access in 4 simple steps:
Enable Trusted Access on an SSID
Create an end-user profile under Systems Manager. You can automatically use Active Directory group tags to enable Trusted Access or configure users manually.
Select the end-user’s network access privileges and tie them to the SSID that has Trusted Access enabled
Share the Self-Service Portal link with the end-user so they can onboard their devices and download the trusted certificate.
Cisco’s MDM solution, Meraki Systems Manager, continues to provide end-users and end-devices network security with flexible authentication methods, automated device onboarding, and dynamic security policies.
If you are a current MR and SM customer, you can try Meraki Trusted Access today (just make sure you have enough SM licenses to cover the number of mobile devices). Start by reading our Meraki Trusted Access documentation guide for a smooth set-up. If you’d like to learn more about Systems Manager, you can connect with the Meraki team to start a 30-day free trial, no strings attached.
Activation Lock is a security feature on Apple iOS devices that prevents unauthorized use of an iOS device after it has been factory reset, rendering the device useless. While this is an amazing feature for personal use, it has presented challenges for IT administrators trying to deploy iOS devices for enterprise use cases. While IT administrators desire the added security Activation Lock provides, they are often frustrated by the lack of enablement control and device status insight.
Cisco Meraki’s mobile device management solution, Systems Manager, fully supports management of Activation Lock on supervised iOS devices. Let’s pull back the curtains and see how Cisco Meraki Systems Manager can help you effectively manage the Activation Lock status of your device fleet.
How is Activation Lock enabled?
There are two different ways to enable Activation Lock:
Device Activation Lock: The device owner enables Find My iPhone/iPad on the device with their personal Apple ID account.
MDM Activation Lock: Meraki Systems Manager enables Activation Lock with an MDM command. This action is only available on supervised iOS devices enrolled using Automated Device Enrollment through Apple Business Manager (ABM) or Apple School Manager (ASM).
How do I check the Activation Lock status of iOS devices?
You can view the Activation Lock status for each device in the “Management” section of the device’s details page in Meraki Systems Manager.
If Activation Lock is “Enabled”, Find My iPhone/iPad is enabled and the device’s activation may be locked by an owner’s personal Apple ID. MDM Activation Lock indicates that Meraki Systems Manager sent a command to enable Activation Lock on the device. The device’s activation may be locked by the Apple ID of an IT administrator with management rights in the ABM or ASM portals.
You can also view the Activation Lock status in the Devices list in Meraki Systems Manager by adding the applicable column to your view.
I wiped an iOS device and Activation Lock is enabled. How do I bypass or disable Activation Lock?
There are several methods to bypass or disable Activation Lock:
Apple ID: Enter the email address and password of the account that enabled Activation Lock on the device. Depending on how Activation Lock is enabled, this may be the user’s personal Apple ID credentials or the Apple ID credentials of an ABM/ASM administrator.
Bypass Code: When Activation Lock is enabled on supervised iOS devices, Meraki Systems Manager stores a bypass code, a randomized 30-character string, which can be used to clear the device’s Activation Lock state. In situations where both device and MDM Activation Lock may have been enabled, Meraki Systems Manager stores the codes generated for each type. The bypass code can then be entered at the Activation Lock screen to clear the Activation Lock status.
Clear Activation Lock Command: Meraki Systems Manager can send a remote command to Apple to clear Activation Lock on supervised iOS devices using the known bypass codes.
How can Meraki Systems Manager help me manage Activation Lock settings?
Meraki Systems Manager can only manage Activation Lock settings on supervised devices. If devices are supervised, Systems Manager prevents end users from being able to enable Device (Find My iPhone/iPad) Activation Lock by default on enrollment.
Via the “Privacy & Lock” payload, Meraki Systems Manager can be configured to automatically allow Device Activation Lock, and/or automatically enable MDM Activation Lock when devices are enrolled.
Check out Meraki Documentation for more information on how to manage Activation Lock settings and behaviors with Meraki Systems Manager. If you would like to learn more about Systems Manager, join us for an upcoming webinar (where you can qualify to earn free Systems Manager licenses), or call the Meraki sales line to start a risk-free evaluation.
If you have experience managing Apple devices in the enterprise, then you’ve probably used Apple’s Device Enrollment Program (DEP), which helps administrators deploy Apple devices seamlessly throughout an organization.
Large organizations such as school districts, managed service providers, and business conglomerates often procure company-owned Apple devices through various entities, which requires multiple DEP accounts. This can create a logistical nightmare when trying to deploy devices at scale.
Previously, admins could only manage one DEP server per organization in Systems Manager. This led to network admins having to create separate organizations in order to support multiple DEP servers.
Taking these user experiences into account, it is with great excitement that we announce that Systems Manager now supports Multi-DEP!
What does this mean for you?
Customers can now add, remove, and edit multiple DEP servers within the same organization in the Meraki dashboard. This gives more flexibility to deploy devices that are being procured under one subset. The experience will be more seamless, efficient, and granular; an admin can specify which DEP server should be visible for management and syncing under each network.
For instance, a school district with 10 schools can manage all of the 10 schools under one organization, with each school network having its own DEP server. Similarly, a managed service provider could manage different customers’ networks simultaneously, with each customer network mapped to its own DEP server.
For customers in education using Apple School Manager (ASM), the ASM sync can now also handle multiple DEP servers at the same time. When an ASM sync is initiated, it will automatically run for all DEP servers assigned to that network. DEP servers will now sync in the Apple server display name, and the Meraki dashboard will display that metadata along with a timestamp of the last update of the DEP server.
If you are already using Systems Manager, give it a try today by going to Organization > MDM in the Meraki dashboard to see the new ‘Apple DEP Servers’ section. Let us know what you think of it; we love getting feedback!
In a variety of different industries, Apple TV is helping provide better guest experiences and increase user engagement.
Educational environments around the globe, including classrooms, hallways, and entire campus structures, are becoming more technologically integrated. Apple TV is a common tool used by instructors to share information. Teachers are able to better engage with students while seamlessly sharing content from their iPads to larger screens, enabling easy collaboration and spontaneous sharing between students.
In the hospitality sector, making the guest experience an “at-home” experience has always been a top priority. Today it is more common to see technologies like Apple TV provide a platform for proactive and efficient communication. Employees can easily share relevant information with guests and other hotel staff, resulting in simpler and more automated hotel operations. Local recommendations, amenities, and seasonal offerings can be featured in guest rooms and around an entire hotel, allowing guests to constantly be in the know, without it interfering with their stay.
Having received a ton of requests for Apple TV support from our customers, Cisco Meraki is happy to announce that Systems Manager now fully supports Apple TV (tvOS). With the addition of tvOS, Systems Manager now supports six operating systems, with tvOS joining iOS, macOS, Android, Chrome OS, and Windows.
The new Systems Manager feature allows customers to manage Apple TV-enabled devices similar to mobile phones, tablets, laptops, desktops and other endpoint devices.
With the way these verticals are using Apple TV and how it contributes to their business, any downtime on these devices can be costly. Not being able to get alerted when an Apple TV is offline, locate and erase a lost device, or enroll hundreds of devices at the same time results in a stressful and inefficient experience for IT admins.
In order to optimize technologies like Apple TV for better student engagement, larger revenue streams, and improved customer experience, managing these devices needs to be intuitive, fast, and to-the-point.
Systems Manager caters to these needs by:
Supporting new out-of-box enrollment (OOBE) capabilities using Apple DEP for easy Apple TV onboarding
Providing remote troubleshooting tools (such as locking devices, selectively wiping, erasing a device, and rebooting)
Allowing device restrictions — now made easier with an updated user experience and more security for AirPlay and Single App mode
Enabling easier addition and synchronization of tvOS apps via VPP
The list doesn’t stop there — if you are familiar with Systems Manager, the experience is built to be on par with the management of other Apple operating systems such as iOS and macOS.
At Cisco Meraki, we’re passionate about helping IT keep sophisticated networks running and secure, without the pain of manual configuration and complex integrations.
Our Systems Manager product is widely known for its endpoint management capabilities, including pushing apps and email settings; configuring device security for point-of-sale systems or in-class student use; and tracking location and device status. Systems Manager is a powerful tool for these classic endpoint management scenarios, but it is also one of the most compelling additions to your network management toolset.
Systems Manager is unique in the endpoint management space for its native integrations with the Meraki wireless, switching, and security portfolios. It’s been engineered to share intelligence and enforce policy in concert with Meraki networking hardware to help admins automate and secure access to the company network based on device posture, location, installed or running software, or users.
And the integrations have only gotten deeper with the recent introduction of automatic profiles to reflect Meraki networking configurations into Systems Manager.
These network-centric features are core to Systems Manager’s ability to deliver value beyond endpoint management and are provided alongside the rest of the Meraki portfolio.
Here are a few of these integrations in action:
Systems Manager provides an easy way to enroll existing devices in the field (including staff and student personal devices) without physically handling each device! Through an integration with Meraki MR access points, network administrators can configure SSIDs to only allow devices with Systems Manager installed onto the network.
Unenrolled devices are sent to a splash page to install Systems Manager before gaining access to the network.
Having Systems Manager talking to Meraki MR access points allows administrators to save time and effort when provisioning SSID access to devices. Wi-Fi access can be automatically deployed to devices based on Systems Manager’s knowledge of device type, user group, location, security compliance, etc. These settings will also automatically update if changes are made to the Meraki MR network.
Additionally, admins have the option to leverage Systems Manager’s built-in certificate infrastructure to provision EAP-TLS WLAN authentication with unique certificates — eliminating the need to manage a certificate authority, RADIUS server, or Public Key Infrastructure (PKI)!
This feature allows admins to provision client VPN automatically with the Meraki MX, while controlling access based on time of day, user group, geolocation, and Systems Manager’s security compliance.
Wi-Fi Security and Network Policy Automation
This feature allows admins to dynamically grant or restrict network access to a device based on its security status, location, installed software and OS version, and more. With this feature, when a device fails to comply with a set security measure (for example, the user disables the antivirus program, jailbreaks a device, removes a passcode, leaves a given territory, etc.), Systems Manager can automatically revoke access to Wi-Fi networks.
Systems Manager allows IT to create dynamic, segmented network policies without the need for dedicated hardware. Meraki access controls such as VLAN assignment, firewall rules, traffic shaping, and content filtering can be dynamically changed based on endpoint posture from Systems Manager. Network access is controlled, updated, and remediated automatically based on granular policies ranging from OS type and time schedule to security posture and user. Requires: Systems Manager (SM) and Meraki security or wireless products (MX or MR products).
For more about using Systems Manager to better inform and automate your network access, join us in an upcoming webinar!
When Denis Guerrero joined Moreland School District as the Director of Technology, he knew it was time to find a better way to manage the school district’s 1,400 iPads. Throughout the district many iPads were locked, unusable, associated with different Apple IDs, and loaded with apps purchased through various gift cards, personal accounts, and vouchers. Managing this fleet of devices was becoming an impossible task and it was time to set some processes and tools in place for district-wide iPad visibility, app distribution, and device management.
After investigating different options, Denis and the team chose Cisco Meraki Systems Manager to accomplish these goals. To take full advantage of Systems Manager, the team worked to unify the district under one Device Enrollment Program (DEP) account with Apple, consolidate app license purchases, and register with Apple School Manager.
Systems Manager allows schools to easily provision Apple devices (out of the box) through DEP, install apps, apply custom configurations, and limit classroom distractions such as games and web surfing. Furthermore, schools and organizations can leverage Meraki’s free trial program for expert assistance throughout the trial process, access the open Community forum for peer insight and advice on the solution, and reference video and instructional content to help them get oriented in the dashboard.
Today students and teachers at Moreland School District can easily log into iPads, find the right apps, and start their digital lessons — without wasting instruction time on iPad lockouts or mitigating student access to distracting websites and apps.
In an upcoming webinar on May 16th, 2018, Denis will share his favorite features and how Systems Manager helped his team streamline student learning throughout the district. Register now to learn more!
We don’t talk enough about Meraki Systems Manager’s role in the larger Cisco story. Being a part of Cisco gives our Systems Manager team access to a broad range of Cisco products and initiatives, from security to networking and collaboration. As Cisco’s endpoint management solution, Systems Manager strengthens Cisco’s position in endpoint security and enables smarter decisions about device access and policies on Cisco networks.
Earlier this year, Systems Manager played an important role in the launch of Cisco’s cloud-based endpoint security portfolio for managed security service providers. This portfolio offers scalable solutions for visibility and control of endpoint devices and highlights key products for service providers to deploy.
In another example of how Cisco and Meraki are leading the industry in endpoint security, Cisco announced that Cisco Security Connector (CSC) is now available for purchase! Cisco Security Connector is a powerful tool to help organizations with supervised iOS devices ensure compliance, block phishing attacks and malicious links, understand application and device behaviors, and investigate security incidents across deployments.
Building CSC was a collaborative effort between Apple, Systems Manager, Cisco Umbrella, and AMP for Endpoints. Only Cisco has been able to achieve this type of cross-product alignment at scale. Having access to and information about upcoming security initiatives gives us at Meraki the opportunity to find compelling ways to collaborate across products at Cisco.
There’s work underway to bring even more cross-product value to customers. Look out for future launches with our larger Cisco family!
Learn more about Cisco Security Connector here or contact us to get started using Systems Manager to deploy and manage this powerful iOS application!
As a leader in both the cloud and the end-device space, Google recognizes the critical role that all endpoints play in cloud security. Endpoint management is essential to an organization’s cloud, network, and data security initiatives, but managing endpoints can be burdensome on IT teams, especially when teams are forced into multiple solutions for managing different types of endpoints (Chrome OS, iOS, macOS, Android, and Windows).
To help customers streamline the management of all devices in a single solution, the Meraki Systems Manager team has worked closely with Google to integrate native Chrome Enterprise management tools into Systems Manager.
The Meraki team is excited to announce a suite of new management features for Chrome Enterprise users. These new Chrome Enterprise management capabilities enable quick and easy provisioning, efficient fleet management, uninterrupted workflow/adjustments, and ongoing updates.
Lock, disable, control devices
Set and manage user and device-based settings
Whitelist users to sign in on approved devices
Enable auto updates
Enable Kiosk mode for Chrome apps
Configure Wi-Fi and VPN settings
Enable safe browsing on any network
Set idle settings
Preload bookmarks and open tabs
Push custom, Chrome, and Android apps
Remote reboot devices
Read disk usage info
Manage policy extensions
With this integration, customers can now leverage Meraki Systems Manager’s intuitive interface, tags management, and differentiated settings to manage Chrome OS devices right alongside other platforms.
The screenshot below shows some of what’s available in SM’s configuration settings, including settings for Wi-Fi, VPN, App Settings, Security, Startup, Content, and User experience.
Register for our upcoming webinar to learn more about these features and cross-device updates on Systems Manager, or take a look at our Chrome OS documentation guides. For a free trial, please reach out to your Meraki rep to get started!
Please note: management features are available for Chrome Enterprise users only at launch. To learn more about Chrome OS endpoint security initiatives, please refer to Google’s Connected Workspaces site.
Managing mobile devices is an increasingly daunting task for many organizations, as needs evolve from basic app and content management to protecting data and networks, setting granular policy configurations, meeting compliance standards, and managing user identity. As demands on IT teams increase, device management products like Cisco Meraki Systems Manager have evolved to include the capabilities needed to support the full cycle of device management.
The term Enterprise Mobility Management (EMM) has been used to describe a new evolution of mobility management products: those that provide policy and configuration management tools for applications and content. In today’s market, there are many EMM products, and organizations may find it difficult to compare functionality and features between competitive offerings.
By providing a platform for peer reviews, Gartner’s Peer Insights Customers’ Choice program allows customers to anonymously review and rate the many EMM products on the market in four categories: Evaluation and Contracting, Integration and Deployment, Service and Support, and Product Capabilities.
Gartner Peer Insights reviews constitute the subjective opinions of individual end-users based on their own experiences, and do not represent the views of Gartner or its affiliates.
Gartner Peer Insights Customers’ Choice distinctions are determined by the subjective opinions of individual end-user customers based on their own experiences, the number of published reviews on Gartner Peer Insights and overall ratings for a given vendor in the market, as further described here and are not intended in any way to represent the views of Gartner or its affiliates.
The Gartner Peer Insights Customers’ Choice Logo is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved.