On August 31, Cisco and Apple announced a new strategic partnership. To address the ever-increasing demands on corporate infrastructure, Cisco networks and iOS devices will be optimized so that they work together more efficiently, with the goal of providing users even greater performance. Read more reflections on this significant announcement from Cisco CEO Chuck Robbins.
With the release of iOS 9 today, Meraki is announcing same-day support for Systems Manager, made possible by the agile cloud architecture for which we’re renowned.
iOS 9 brings new functionality to MDM, with new restrictions such as being able to disallow sharing of managed documents with AirDrop and disabling iCloud Photo Library. There are also a host of new supervised restrictions available, which include the ability to control:
The App Store
Pairing with Apple Watch
Modification of passcode settings
Modification of device name
Modification of wallpaper
Automatic downloading of apps purchased on other devices
Automatically trusting enterprise apps
The News app
Systems Manager customers who are using the legacy, license-free version will be able to manage devices running iOS 9, but will not receive the new iOS 9 functionality such as the extra restrictions. If you would like to upgrade to take advantage of the new features and gain access to many others, such as 24/7 support and network policy integration with Systems Manager Sentry, contact the sales team for more information.
We know there are going to be many questions we won’t be able to cover in a single blog post. To help provide more detail on iOS 9 and what’s new in Systems Manager, we are running a “What’s new with iOS 9 and Systems Manager” webinar on Tuesday, September 29th at 9am PDT. Register today to reserve your place, and to find out more about the new functionality such as VPP app provisioning by device rather than by user.
With so many feature additions to Systems Manager, we have decided to create a recurring series of specialist webinars focusing on how to make the most of them. These specialist webinars will be scheduled regularly and cover two important feature sets available in Systems Manager, Sentry and Teacher’s Assistant. Listen to the podcast below to learn about all the features, functionality, and use cases that will be covered in these sessions.
Systems Manager Sentry provides simple automatic security that is context aware. Sentry dramatically simplifies previously complex security configurations due to the native integration of Meraki networking products with Systems Manager MDM. In the Sentry-specific webinar, we will cover how Sentry works, highlight where it can be used, and go through live demonstrations of the individual features including:
With Systems Manager Teacher’s Assistant, integrating technology such as iPads into your lesson plan becomes a cinch. Teachers remain in control, ensuring that students’ learning benefits from the inclusion of mobile devices, rather than them proving a classroom distraction. The Teacher’s Assistant specialist webinar covers examples of how mobile devices can be successfully used in education by looking at use cases, and providing a live demonstration of how to use features such as:
With so many ways to use Systems Manager, the amount of choice can sometimes seem overwhelming. Shortcut the learning process and attend one of these specialist webinars for further guidance on how to make the most of Systems Manager. These webinars assume attendees have a basic understanding of Meraki Systems Manager by having attended an introductory webinar such as Introduction to Cloud-Based Mobile Device Management, or having used the product with a trial. Sign up today for a Sentry session or a Teacher’s Assistant session.
Systems Manager Sentry offers a range of features that make the life of IT administrators easier. By providing simple, automatic security that is context aware, Sentry dramatically simplifies previously complex configurations. To be able to take advantage of Sentry functionality, devices need to be enrolled in Systems Manager. There are a variety of ways this can be done, but one of the simplest is by using Sentry enrollment.
Sentry enrollment is available with Meraki MR Access Points (AP) and not only automates deployment of Systems Manager, but ensures policy compliance by requiring Systems Manager installation. Sentry enrollment is an option within the wireless access control page of the Meraki dashboard. By choosing the radio button that enables Systems Manager Sentry enrollment, all devices connecting to this SSID will be checked for Systems Manager.
With Sentry enrollment enabled and a Systems Manager network selected, the administrator then has a couple of options to choose from. The strength option allows the level of compliance to be tailored to suit your environment. With the strength set to ‘Focused’, only the system types you have chosen will be forced to enroll in Systems Manager. A good example of why this may be desirable is if you only want mobile Apple devices such as iPhones and iPads under management, not Windows laptops. This can be achieved by choosing ‘Focused’ and selecting iOS as the only system type you wish to force to enroll.
When a user connects to an SSID with Sentry enrollment, they must have Systems Manager to be able to access the network. If a user removes Systems Manager from their device, they will be forced to install it again if they want to access the network. Watch the video below for a full dashboard and end user demonstration of this feature in action.
Users are guided through the enrollment process with the necessary settings pre-configured for them. This eliminates the need to pre-stage devices before they are delivered to users and allows enrollment as and when devices connect. Think of it as your fast lane to pervasive mobile device management.
Sentry features highlight the power and simplicity of the Meraki cloud architecture that provides native integration between different product families. Typically such enrollment or onboarding processes require additional servers, appliances, or licences. Even if this is not needed, integration between the MDM and the network (often from different vendors) can be complex to configure. With Meraki, enrollment becomes a couple of clicks and a matter of moments to enable. Find out more by attending one of our focused webinars covering the Sentry features of Systems Manager in further detail.
In June we announced Systems Manager Sentry, a set of features which provide simple, automatic security that is context aware. It can do this due to the integration between the Meraki networking products and Systems Manager.
Sentry Wi-Fi security is a feature enabled on Meraki MR wireless networks with Systems Manager. It takes the typically complex Wi-Fi access control method, EAP-TLS, and simplifies it to a couple of clicks.
To understand the power of this feature let’s quickly review Extensible Authentication Protocol (EAP) – Transport Layer Security (TLS). EAP is an authentication framework that is used for providing access to a network. As the extensible part of the EAP acronym implies, the framework can support multiple authentication protocols, from basic passwords to more secure certificate-based authentication. Think of it as a cookbook for a cake. Depending on the ingredients in the recipe you end up with a different cake, but still a cake.
EAP with Transport Layer Security (TLS) is considered one of the most secure network authentication mechanisms (the tastiest cake recipe). This is because it uses certificates to authenticate and secure the network connection using asymmetric cryptography. The problem with certificates, as an ingredient of this authentication mechanism, is that they are complex to set up and deploy.
There are two main reasons certificates can be complex to set up and deploy. The first is the infrastructure that is needed, something called a certificate authority. This issues the certificates and allows devices to check if a service is genuine. The second reason is that every client needs its own unique certificate. With a handful of clients this isn’t too much work, but with hundreds of thousands of clients this could be a daunting prospect. The tastiest cake results from a bake time of weeks or months, and looks less attractive as a result.
Sentry Wi-Fi security provides EAP-TLS for a Meraki MR wireless network while eliminating all the complexity. It can do this because of the certificate infrastructure that already exists for every Systems Manager customer. This eliminates the need for the configuration of a certificate authority and distribution of certificates to clients. A gourmet cake from an instant-bake ready-mix pack.
Make deploying EAP-TLS a piece of cake with Systems Manager Sentry. To find out more listen to Paul Wolfe (Product Specialist for Systems Manager) and George Bentinck (Solutions Architect) discuss Sentry Wi-Fi security in the following podcast. Alternatively attend one of our upcoming Systems Manager webinars, or if you already have Meraki MR access points, try Sentry out today by signing up for Systems Manager.
To allow IT to be capable of meeting the varied and often conflicting demands of users and security, we have developed Systems Manager Sentry. Sentry brings together the mass of data available in a Cisco Meraki IT infrastructure, to provide context aware automatic security. Hear more about the headline features in Sentry in the following podcast with June Odongo (Product Manager for Systems Manager) and George Bentinck (Solutions Architect).
Let’s for a minute stop to think about the importance of context. Imagine an iPhone that belongs to the VP of operations for a high street retailer. This VP of operations needs to check inventory levels on a company server to make sure they get their manufacturing orders placed on time.
One evening an iPhone accesses the server over a VPN and looks at the stock levels.
Should anyone be concerned by this? The answer is you don’t know without context. Let’s look at the same situation again.
One evening the VP’s iPhone accesses the server over a VPN and looks at the stock levels. The iPhone is no longer in Paris where the VP lives, it is in Bulgaria and the time there is 3:39AM.
With context can come automation, and with automation comes an agile, simple, and secure IT world. The IT team no longer needs to be alerted by a user that their device needs sensitive information removed due to it being lost or stolen. Dynamic policies can look at device specifics and, using the context available, such as the current owner of the device and the location, act automatically.
In the past it was difficult to collect, store, and then find information, but today it is trivial to access data on almost anything; from the latest weather to the morning news, or your friend’s location to what restaurant to go to. The challenge now is taking this overwhelming wealth of data, and making sense of it all.
Sentry is unique in the EMM market for being a complete solution for enabling the secure dynamic network of the future. This gives the IT team time to work with the organisation on defining policies, not being tied up with configuration. Device on-boarding, settings assignment, application management, and network access, are just some IT responsibilities that can be simplified, automated, and dynamically updated with Sentry.
Cisco Meraki Systems Manager is a best in class Enterprise Mobility Management (EMM) solution founded on Meraki’s pioneering cloud architecture. We understand the IT challenges faced by technology users in enterprises, education, or government based on our extensive experience of next generation cloud deployments.
Contact your Cisco Meraki representative today to find out how Systems Manager Sentry can provide automation to your IT world, and simplify your security. Alternatively sign up to a specialist Sentry webinar here or watch a recorded version of the webinar below.
With the Meraki Systems Manager Enterprise Mobility Management (EMM) solution, very powerful controls are placed into the hands of IT administrators. With great power comes great responsibility; it may not be desirable to have every administrator in your organization capable of wiping the CEO’s iPad!
This is why we have introduced the new limited access roles feature in the Meraki dashboard. It allows organizations to easily choose what devices an administrative user has access to, but most interestingly, this selection of devices can change dynamically based on parameters such as time and identity. For example, teachers can only be given responsibility for devices during the time of their class, or enterprise helpdesk staff can only manage devices in their Active Directory group.
Limited access roles can be found in the Meraki dashboard under Configure > General.
The example above is based on a retail environment where helpdesk staff only have access to the devices they are responsible for, with three roles for each of the helpdesk teams. These are:
A specialist team with knowledge of the Electronic Point of Sale (EPOS) system running on mobile handhelds
A generalist team responsible for the customer facing kiosks’ tablets
An emergency out of hours team able to help with anything
Tags are used to select the devices managed by each role, with both static and dynamic tags being used in our example. The grey tags represent static tags that have been applied to the device based on its role, while the green tags represent dynamic tags which can change. For these roles, time is being used as the dynamic tag corresponding to the store’s operational hours.
With the times and roles defined, the user George has been given the ‘Shop floor EPOS help desk’ role. If George were part of another team and needed a different role, this could be selected from the drop-down.
Limited access roles help ensure privacy, protect against operator error, and simplify management of devices in the Meraki dashboard. This functionality has widespread applicability, while also being a core feature in education, where it is part of our Teacher’s Assistant functionality. Further information on this can be found in our previous blog post here.
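The tag-scoped roles described above, modelled as an added Python example (not Meraki dashboard code or its API). The 09:00 to 18:00 store hours, the tag and device names, and the two role names other than ‘Shop floor EPOS help desk’ are constructed, and times are assumed to be store-local.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class TimeTag:
    """Dynamic tag: considered present only inside a daily time window."""
    name: str
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        t = now.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        # Window wraps past midnight, e.g. 18:00 -> 09:00 the next day.
        return t >= self.start or t < self.end


@dataclass(frozen=True)
class Device:
    name: str
    static_tags: frozenset


@dataclass(frozen=True)
class Role:
    name: str
    time_tag: TimeTag
    static_tags: frozenset = frozenset()
    # Must be set explicitly: a role with no static tags matches nothing.
    any_device: bool = False


def decide(role: Role, device: Device, now: datetime):
    """Return (allowed, reason) so each decision can go to an audit log."""
    if not role.time_tag.active(now):
        return False, f"dynamic tag '{role.time_tag.name}' not active at {now:%H:%M}"
    if role.any_device:
        return True, "role covers all devices while its time tag is active"
    shared = role.static_tags & device.static_tags
    if not shared:
        return False, "device carries none of the role's static tags"
    return True, "matched static tag(s): " + ", ".join(sorted(shared))


def may_manage(role: Role, device: Device, now: datetime) -> bool:
    return decide(role, device, now)[0]


def manageable(role: Role, devices, now: datetime):
    """Names of the devices an administrator holding `role` can act on right now."""
    return [d.name for d in devices if may_manage(role, d, now)]


# Constructed sample data (hours, tags and device names are assumptions).
STORE_HOURS = TimeTag("store-open", time(9, 0), time(18, 0))
OUT_OF_HOURS = TimeTag("store-closed", time(18, 0), time(9, 0))

EPOS_ROLE = Role("Shop floor EPOS help desk", STORE_HOURS, frozenset({"epos"}))
KIOSK_ROLE = Role("Kiosk help desk", STORE_HOURS, frozenset({"kiosk"}))
OUT_OF_HOURS_ROLE = Role("Out of hours help desk", OUT_OF_HOURS, any_device=True)

HANDHELD = Device("handheld-01", frozenset({"epos", "android"}))
KIOSK = Device("kiosk-07", frozenset({"kiosk", "ios"}))
DEVICES = [HANDHELD, KIOSK]

if __name__ == "__main__":
    for when in (datetime(2015, 6, 1, 12, 0), datetime(2015, 6, 1, 3, 39)):
        for role in (EPOS_ROLE, KIOSK_ROLE, OUT_OF_HOURS_ROLE):
            for dev in DEVICES:
                ok, why = decide(role, dev, when)
                verdict = "ALLOW" if ok else "DENY"
                print(f"{when:%H:%M} {role.name!r} -> {dev.name}: {verdict} ({why})")
```

The two windows are half-open and share the 18:00 and 09:00 boundaries, so exactly one of the daytime and out-of-hours scopes applies at any instant.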
At the heart of the Shared User feature is multi-user authentication. This allows for the user of the device to be repeatedly changed without an administrator’s intervention. The device will dynamically change based on the person using it at a given time, with the user logging into, or out of, the device using the Meraki Systems Manager app. This exceptionally simple self-service model allows a single iOS device to be easily used by multiple people with different needs.
A user can be assigned a device, or multiple devices, and this pairing allows for configurations, settings, applications, and other options to be automatically applied based on that specific person’s requirements. The list of users can be managed in the Meraki dashboard, or easily integrated into Active Directory.
Driven again by the requirements of educators, the Shared User feature is a natural extension of Teacher Assistant, enabling even more ways of learning with an iPad. Although of particular interest to those wishing to use iOS devices in a learning environment, the ability to easily support multiple users on one device is useful in a number of situations.
Multi-user authentication can be enabled with a single checkbox in the Meraki dashboard under Systems Manager > Configure > General.
The Meraki Systems Manager app acts as the interface for multi-user authentication. With multi-user authentication enabled in a Systems Manager network, a fourth option will now appear in the bottom navigation pane of the app called ‘User’. When a user goes to this page, it will give the user the option to login to the device if no user is already assigned, or they can log the current user out of the device.
When a new user logs into the app, the Meraki cloud will check to see what needs to be changed on the device and act accordingly. This could be new applications, alternate settings, or fewer restrictions than the device had previously.
Total control, complete customization
With Systems Manager’s dynamic tags, the user of the device can be checked along with other things such as time, location, and security profile, to allow for complete customization of a device, giving total control. For further information on tags refer to this article.
A great example of the practical use of tags and multi-user authentication, is to put devices into a locked state when no one is logged in. By creating a profile that places non-assigned devices into single app mode, they can be locked into the Meraki app preventing any activity other than the ability to log into the device. When a user logs in, their tags are applied and the configuration for the device is updated.
Start sharing your devices today
Start sharing your iOS devices today by signing up for a Systems Manager account here, free for 100 devices or less. Existing Systems Manager Standard customers who would like to take advantage of this, and other new features, can enable a free trial directly within the Meraki dashboard.
Here at Meraki we have been working on Systems Manager to further ease the burden on educators trying to integrate technology into the learning process. With a wealth of powerful features, mobile devices, such as tablets, can significantly enhance the learning process, but this wealth can also come at a cost. Distractions caused by features not relevant to education can hinder student learning. Teachers skilled in running a classroom must play the role of digital cowboy or cowgirl, corralling errant students and devices.
We’re listening to your concerns and are announcing the release of some new Systems Manager features. These will complement existing features, and create a comprehensive suite of controls for your classroom; in essence, a Teacher’s Assistant (TA) for your devices!
Pay attention now
Single App Mode forces Apple iOS devices, such as iPads, to display just a single app. When in this special mode, the specified app is the only thing the user of the device can interact with, even the settings menu of the device is unavailable.
With role-based administration, network admins can provide teachers with access to their classroom’s devices, making Single App Mode easy to integrate into the classroom. A teacher can use the intuitive Meraki dashboard to find a device, view its details, and then lock it to the desired application. Whatever the student is doing at the time will be replaced with the app chosen by the teacher, focusing classroom activity on one task and preventing distractions.
Teachers can easily select an app of their choice from a drop-down menu listing the available apps on that device. A great way to stop the class from using the devices, and command attention to ‘bring eyes up front’, is to lock the devices to the Meraki MDM app, preventing its further use. When free use of the device is allowed, the device can be easily released by clicking the ‘Disable Lock’ button.
All together now
Having this level of control per iOS device is great, but what about a whole classroom? Systems Manager has this covered with the ability to command devices in bulk. A teacher can easily select the iPad, or other iOS devices they want to lock to an app by using the instant search box. For example, it only takes a couple of clicks to select all 3rd Graders’ iPads and lock them on to a single app.
With the power of instant search, any teacher can precisely choose the devices they want to control; however in large deployments, selecting the wrong set of devices is a possibility. This is where the new Limited Access Roles in the Systems Manager dashboard come into play. School IT staff can prevent mistakes and simplify the educator’s experience by defining roles relevant to their needs.
At a high level, a teacher is unlikely to manage Apple MDM certificates in the Meraki Dashboard. They are more likely to want to control the specific classes of iPads, leaving the advanced options to administrators. Using Meraki’s tagging concept, teaching staff can be assigned the groups of devices they will work with.
Tags can be updated dynamically, for example by time. This allows for teachers to be given control of different sets of devices depending on their schedule. Time is only one of the many dynamic tags available in Systems Manager, with others such as location, or the owner also being available. Further information is available here.
Show and tell
AirPlay is great for allowing teachers to easily display their screens to the whole class, but what about students? This ease of use can become a problem without control. How do you prevent students from taking control of unsecured AppleTV devices? Securing them with a password provides access control but has other problems. How do you allow students to use AirPlay when you want, but prevent access when you don’t?
AirPlay settings can be pre-provisioned in Systems Manager so that student iOS devices have all the settings ready to use, including password.
This prevents students being given the password, while making the teacher’s life easier as all the settings are ready to use on the class devices, not just their own. They can select the student’s device they wish to display, choose their classroom from the drop-down, and click AirPlay.
Combining this functionality with app lock allows a teacher to have the whole class focused on their fellow student’s screen, not distracted by their own.
You will need this
Some of us here in the Meraki office remember carrying heavy bags laden with books. Worse, we remember getting in trouble for having left one behind! Fortunately students today are looked after by Systems Manager with the Backpack feature.
Backpack can automatically download files and content to devices, storing it for use. Not only does digital content delivery take the strain off young shoulders, but it ensures that nothing gets left behind and only the most up-to-date material is available for learning.
Along with documents, lesson plans, and test results delivered via Backpack, the Meraki MDM app provides students access to a library of managed apps. Students can have core apps automatically pushed to their device, but collections of extracurricular content can be offered. Again, managed through powerful tags, individual students, classes, or sets of devices, can be given the exact content they need.
A TA for every classroom
Putting educators first, while not limiting the powerful creative potential of technology, is an essential goal of making our schools ready for the future. With Systems Manager’s new features, you have a new Teacher’s Assistant helping you manage the digital classroom.
In March we saw a tweet that caught our attention from the team at Inveneo. Inveneo is a non-profit social enterprise that delivers sustainable computing and broadband to those who need it most in the developing world. They believe that improved access to technology can transform lives and opportunities, even in some of the poorest and most technology-challenged communities.
The tweet had a picture of a Cisco Meraki MR62 outdoor access point (AP) that was being used as part of the Ebola Response Connectivity Initiative (ERCI) project. With the Inveneo office just a 10 minute drive from the Meraki office in San Francisco, we went over to find out more about how they are using Meraki technology.
The ERCI project uses a combination of technologies to offer connectivity to relief agencies fighting Ebola in local communities. Rugged Meraki APs are used at the edge of the deployment to provide end device connectivity, with backhaul provided by long range wireless backhaul to cellular towers. Although not yet live at the time of our visit, it was fascinating to hear what features were most important to them, in comparison to our typical expectations of customers’ needs. A typical enterprise may be interested in performance and security as primary features, but when your APs have to be powered by the sun using solar panels, energy consumption is of highest importance.
Although not the instigator of the meeting, the conversation switched to Meraki Systems Manager, Meraki’s MDM platform. Inveneo exclusively uses Android tablets due to the ability to find low cost, locally sourced, or locally manufactured devices where Apple products are not available. Again it was interesting to hear the differences in the importance of pieces of functionality when compared to the typical uses we see for Systems Manager.
The use of MDM is focused on enabling and supporting the user of the device rather than securing and restricting. One of the important features provided by Systems Manager for Inveneo is a report on the battery level of the device. With disaster relief workers and community health workers often in locations with poor to no infrastructure, knowing if a user was able to charge the device is important in understanding if they are able to use it.
Another useful reporting feature is to find out what apps users download. This led to the team finding out that one of the most heavily used types of apps was for a flashlight. Now knowing this, they can pre-load a flashlight app, and other apps they know are likely to be useful, to save on scarce local bandwidth.
We hope to catch up with the Inveneo team in the future to find out how the ERCI project progresses, and we would love to hear from anyone else who has innovative community uses for Meraki technology. Tweet us @meraki.
Some information in this post has changed.
More about Systems Manager licensing is available here.
Today we are excited to announce a new product structure for Systems Manager (SM). We are streamlining Systems Manager from two products to a single product that will now include all advanced features. SM Standard (free) and SM Enterprise (paid) will become just Systems Manager.
Importantly, nothing will change for existing SM Standard users unless they want it to.
What does this mean?
On March 24th, every new Systems Manager customer will be able to access features that were previously available only with SM Enterprise. Systems Manager, complete with all Enterprise features, is free for up to 100 devices, and as was previously the case with SM Standard, support is available through the Systems Manager Support Community.
For existing SM Standard (free) customers, nothing will change, and users can continue to operate Systems Manager exactly as they have before. They will even be able to continue to enroll an unlimited number of devices free of charge.
Customers wishing to expand their new Systems Manager deployment beyond the 100 free devices, or to obtain 24/7 enterprise class phone support, can purchase the required number of device licenses.
As an existing SM Standard customer, what if I want to upgrade?
As of March 24th, if a customer has fewer than 100 devices, they can convert their SM Standard to the new fully featured Systems Manager at no cost. However, we know that many of these customers could have more than 100 devices, would like access to advanced features, and have enterprise support.
To enable these existing loyal users to take advantage of these benefits, we will offer a steep discount for those upgrading from SM Standard. This one-time promotional offer is running until June 2015, and brings an unheard of discount to Systems Manager, which is already one of the most competitively priced and feature rich MDM offerings on the market.
What if I have questions?
Further information will be released on our blog in the coming days and weeks. Make sure to subscribe to get instant notifications when updates are released.