The Organization > Configure > MDM Settings page is used to configure the necessary accounts and certificates that may be required for any MDM networks within the Organization. This includes:
- Android for Work domains
- Apple MDM Push Certificate
- Apple VPP Managed Distribution accounts
- Apple DEP and School Manager tokens
- Chrome OS Device Management accounts
- SCEP CA Certificate
- File Vault recovery key
- ISE settings
Note: If Organization > Configure > MDM is not present, please create a new network, and set the network type to EMM (Systems Manager).
Android For Work
The Android For Work (AFW) section allows for the configuration of an AFW domain. This can either be an existing Google domain or a Meraki managed domain. Once enrolled in a domain you will see the information for the current AFW domain listed here with an option to unenroll the Organization from the domain. For more information about configuring an AFW domain and general AFW deployment information, please refer to our Android Enterprise Deployment guide.
Apple MDM Push Certificate
In order to use iOS devices with Systems Manager, you must upload an Apple MDM push certificate. This certificate is used to link and allow for communication between the Meraki Dashboard and Apple's MDM servers. Without a valid push certificate the Dashboard will be unable to communicate with any Apple devices enrolled in MDM. This certificate must be renewed prior to its expiration date, otherwise all Apple devices enrolled in MDM networks under that Organization will need to be re-enrolled in their respective MDM networks once the new certificate has been uploaded. For more information about the Apple MDM push certificate, please refer to our Creating an Apple MDM push certificate and Renewing an Apple MDM push certificate articles.
Apple VPP Managed Distribution
The Apple Volume Purchase Program (VPP) allows for the purchasing of application licensing in bulk and easy distribution and management of those licenses through Meraki Systems Manager. From this section of the MDM Settings page you can add additional Apple VPP accounts to link to the Organization in addition to configuring restrictions such as specific Allowed Administrators and licensing assignment to only specific MDM networks on a per-VPP account basis. For more information about configuring Apple VPP and using it to deploy and manage licenses, please see our guide on Using Apple’s Volume Purchase Program (VPP) with Systems Manager.
Apple DEP and School Manager
Apple's Device Enrollment Program (DEP) allows administrators to pre-provision iOS and macOS devices to automatically self-enroll into Systems Manager before even touching them, and provides an additional level of management control through bulk device supervision. Apple School Manager (ASM) simplifies the management of student and teacher iPads in education, and enables a new optional feature called Shared iPad. Shared iPad allows students to sign in and out of an iPad and automatically saves their app data to iCloud. To utilize either of these deployment solutions you will need to exchange server tokens between the Dashboard and Apple's Deployment Program portal, which can be done from the Organization > Configure > MDM page. For more information about configuring either DEP or ASM, please visit our Device Enrollment Program with Systems Manager article or our Configuring ASM for Shared or 1:1 iPad article.
Chrome OS Management
Chromebook and Chrome OS devices can also be managed through Systems Manager provided Google API access has been enabled from the Google Admin console, the device has been enrolled with Google, and Chrome OS Management has been enabled under Organization > Configure > MDM. Once all of the above has been configured properly Chrome OS devices will now automatically appear in Systems Manager with device information and management options available. For more detailed information about enrolling and managing Chrome OS devices please refer to our Chrome OS Management in Systems Manager article.
SCEP CA Certificate Configuration
The SCEP CA certificate is a certificate issued by Meraki to all devices that are enrolled in Systems Manager. If you require the SCEP CA certificate to be signed by your own infrastructure for any purposes you can download the current SCEP CA certificate from the Organization > Configure > MDM page. Once downloaded, you can sign the certificate with your Certificate Authority and re-upload it to the Dashboard to be deployed to enrolled devices.
The SCEP CA Issuer and CN are determined by the name of the Organization at the time of generation. If this needs to be changed, please contact Meraki Support.
Your organization's SCEP CA certificate must include the following extension value pairs:
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,digitalSignature
In order to properly sign the certificate you must first create a .ext file with the above value pairs. You can then sign the certificate with the following OpenSSL command where configuration_file.ext is the created file containing the required extension value pairs:
openssl x509 -req -days 3650 -in Meraki_SCEP_CA_CSR.csr -CA your_ca.crt -CAkey your_key.key -CAcreateserial -extfile configuration_file.ext -out Signed_Meraki_SCEP.crt
File Vault is a method of encrypting macOS devices through Systems Manager. Devices encrypted by File Vault can be decrypted with either the Personal Recovery Key (PRK), the Institutional Recovery Key (IRK), or both depending how File Vault was configured on the device. The Institutional Recovery Key can be used to decrypt a device if the Personal Recovery Key has been lost or was never created. The Institutional Recovery Key is stored on the Dashboard and can be downloaded at any time by going to Organization > Configure > MDM and following the instructions to download the key. For more information about configuring File Vault and decrypting devices with either the IRK or PRK, please refer to our Using File Vault 2 article.
When using a Google domain for Android for Work, newly enrolled Android devices are automatically enrolled into the default ISE enrollment network. If there is no default ISE network selected the device will be enrolled in a random existing MDM network.