Cisco Security Connector (CSC) is the latest round of innovation to come out of the Cisco-Apple partnership, delivering Clarity (AMP for Endpoints) and Umbrella exclusively through Cisco Meraki Systems Manager to bring a new level of visibility and security to supervised iOS 11 (and above) devices. This article details how to configure your Cisco Meraki Dashboard console for CSC.
For general information on CSC, see here, or visit the respective pages for Clarity and Umbrella.
Enroll your devices in supervision, usually through DEP
Register for VPP to distribute application licenses to each device
Set up your Cisco Meraki Dashboard account with licensing for Meraki Systems Manager
Provision licenses in the VPP portal for each of your devices to eventually use
Enroll your devices and ensure they are supervised
Enable API access in the Meraki Dashboard and generate a key
Enter the key into the Cisco AMP and Cisco Umbrella consoles
Register for DEP and VPP
To deploy the Cisco Security Connector to your devices, you will need to supervise your devices, typically through DEP, and distribute the application through VPP. For more information on these Apple Programs, see Apple’s official deployment guide here: https://help.apple.com/deployment/business
We recommend following the above link and registering your organization for these accounts with Apple in advance, as Apple DEP and VPP processing can take several days and is required prior to deploying CSC.
Device Enrollment Program
CSC can only be configured on supervised iOS 11 devices. The easiest way to supervise devices is with Apple’s Device Enrollment Program, or DEP, which allows you to automate supervision and enrollment during the initial device setup steps by pairing a device with Systems Manager even before it’s delivered and powered on. This means that iOS devices out of the box will check into Apple’s servers, enroll into Systems Manager, and pull down pre-configured apps and profiles, including Cisco Security Connector, automatically.
Volume Purchase Program
VPP is an Apple program that allows you to centrally manage your organization’s application licensing, for both free and paid apps. Distributing apps through VPP allows you to grant and revoke licenses to devices while retaining central ownership, and also install apps ‘silently’ on iOS devices without requiring the end user to confirm or sign in with an Apple ID.
Set up the Meraki Dashboard
Note that these steps need to be completed by an organization admin.
You’ll first need to create a Meraki Dashboard account or sign into an existing one. If your organization is not yet licensed for Systems Manager, claim your purchased license key under Organization > License info before you continue setting up the Dashboard or enrolling devices. After claiming your license, you will see “Systems Manager - Enabled (paid)”.
If you do not have a Systems Manager network yet, navigate to Organization > Create network to create an EMM network for your devices to enroll into. If you have Meraki hardware, this can be combined with your hardware networks through Organization > Overview.
In order to push CSC configurations to your devices, you will need to create a new profile under Systems manager > Manage > Settings. By default, this profile will install on all iOS devices that are enrolled into your network. To narrow the selection of devices CSC is deployed to, you can change the tag scope on the profile. Your devices can be tagged to receive this profile in a later step. For more information on creating profiles, see this article.
Set Up VPP
After setting up your organization’s VPP account with Apple, sign into the VPP portal and provision licenses for Cisco Security Connector. Although it is a free application, licenses still need to be ‘purchased’ (at no cost) in your VPP account in order to install applications seamlessly on your enrolled iOS devices. Ensure you have at least one license for each of the devices you plan to deploy CSC to.
To automate enrollment into Systems Manager, we also recommend provisioning Meraki Systems Manager licenses for each of your devices as well.
Once licenses have been provisioned, follow these steps to link your VPP account to the Meraki Dashboard. Once linked, you should see your CSC licenses available in Systems manager > Manage > VPP.
For more information on using VPP, refer to this article.
Set Up DEP
After registering your DEP account (see above), you will need to complete the following steps to automatically enroll and supervise your devices in Systems Manager. The following steps are all detailed in our DEP setup guide.
Link your DEP account to the Meraki Dashboard
Add your devices into DEP by order or serial number
Assign settings to supervise your devices. If you changed the tag scope of your profile, you can edit the tags of the device in the DEP page to match the profile at this step.
Boot up your device for the first time, or factory reset it if already deployed. After connecting to wireless during the setup assistant, your device should automatically enroll into Systems Manager.
To confirm a device was successfully enrolled and supervised, navigate to Systems manager > Monitor > Clients and select the device. You should see under the management section: “Supervised: Yes”.
For more information on using DEP, refer to this article.
Deploying the Connector
The last steps involve linking your AMP and Umbrella consoles to the Meraki Dashboard and deploying CSC to your devices.
First, enable API access on your Dashboard and generate an API key as described in this article. Copy the API key, and follow the steps below to enter it into the AMP and Umbrella consoles respectively.
Note that this key is tied to your Dashboard administrator account, meaning that the AMP and Umbrella consoles will have visibility into all Meraki networks that your account is an organization admin for.
For additional documentation on AMP, see here.
Sign into your AMP console and navigate to Accounts > Business. Select Cisco Meraki EMM Integration under the ‘Features’ section and paste your Dashboard API key.
Follow AMP’s documentation to configure policies to push down to your devices. Once configured, navigate to Management > Deploy Connector. Select the Group you wish to install onto your devices, then select the Meraki Dashboard organization, network, and profile that you created previously, and click ‘Update’.
If you return to the Meraki Dashboard, you should now see a ‘Cisco Clarity’ payload added to your profile in Systems Manager > Manage > Settings. In the AMP console, you can monitor your devices under Dashboard > iOS Clarity.
Sign into your Umbrella console and follow Umbrella’s documentation to configure your desired policies. To link the account to Systems Manager, navigate on the side menu to Identities > Mobile Devices.
At the top of the screen, click on link MDM and paste in your Meraki API key. Select your Meraki organization, network, and then profile. Ensure that ‘Provision Umbrella root certificate’ is checked, then save changes. If the profile has been scoped for devices, they will now appear in the Mobile Devices list.
If you return to the Meraki Dashboard, you should now see an ‘Umbrella DNS Proxy’ payload added to your profile in Systems Manager > Manage > Settings.
After pushing Clarity or Umbrella settings, you can confirm if your profile was successfully pushed to your devices by navigating to Systems manager > Manage > Settings, and checking the installation status at the bottom. To troubleshoot install status, see the following section.
The CSC application should also be automatically configured under Systems manager > Manage > Apps with the same scope ‘Automatic’ as the profile. You may need to click ‘Try new version’ at the top of the page to see the configuration.
On the iOS device, the CSC app should install and indicate ‘Protected’ for Clarity or Umbrella when launched.
The few issues you may encounter when deploying the connector through Systems Manager can typically be categorized as:
Failure to install the profile settings
Failure to install the CSC app
If questions arise with integrating DEP/VPP, or with installing the app and profile after reading through documentation, contact Meraki Support. For all other questions related to the Umbrella and Clarity products, contact Umbrella support or TAC for AMP.
CSC App Indicates ‘Not Protected’ or Profile Fails to Install
If the app indicates ‘Not Protected’ after pushing the profile, confirm that the profile was correctly scoped for the device. You can also check the client details page and confirm the management profile is correctly installed.
If you see ‘updates pending’ under the management setting, this means that the profile update has not yet installed. The most common cause for this is if the device is not supervised, which will result in the profile never installing. You can confirm supervision status in the same section, which should show ‘Supervised: Yes’. If the device is not supervised, review the DEP documentation and be sure to assign settings to supervise.
Otherwise, ensure the device has network connectivity and hit ‘Check-in now’, or wait a few minutes for the profile to install.
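The checks above (iOS 11 or later, supervision, profile tag scope) and the one-license-per-device VPP requirement can be run as a pre-flight over a device inventory before pushing the profile. The following is an added example, not Meraki or Cisco code; the record field names, the sample devices, and the "any shared tag" scope rule are assumptions made for illustration.

```python
import re

# Constructed sample inventory; the field names are hypothetical and do not
# come from a Meraki export or API response.
SAMPLE_DEVICES = [
    {"name": "ipad-01", "os": "iOS 11.2.1", "supervised": True, "tags": ["csc"]},
    {"name": "ipad-02", "os": "iOS 10.3.3", "supervised": True, "tags": ["csc"]},
    {"name": "iphone-03", "os": "iOS 12.0", "supervised": False, "tags": ["csc"]},
    {"name": "iphone-04", "os": "iOS 11.4", "supervised": True, "tags": ["sales"]},
    {"name": "mac-05", "os": "macOS 10.13", "supervised": True, "tags": ["csc"]},
]

def ios_major(os_string):
    """Return the iOS major version, or None if the device is not iOS."""
    m = re.fullmatch(r"iOS (\d+)(?:\.\d+)*", os_string.strip())
    return int(m.group(1)) if m else None

def csc_blockers(device, profile_tags):
    """List the reasons this device would not receive the CSC profile."""
    reasons = []
    major = ios_major(device.get("os", ""))
    if major is None:
        reasons.append("not an iOS device")
    elif major < 11:
        reasons.append("iOS %d is below iOS 11" % major)
    if not device.get("supervised", False):
        reasons.append("not supervised")
    # Assumed scope rule: empty scope means all devices, else any shared tag.
    if profile_tags and not set(profile_tags) & set(device.get("tags", [])):
        reasons.append("outside profile tag scope")
    return reasons

def preflight(devices, profile_tags, vpp_licenses):
    """Split devices into ready/blocked and report any VPP license shortfall."""
    ready, blocked = [], {}
    for d in devices:
        reasons = csc_blockers(d, profile_tags)
        if reasons:
            blocked[d["name"]] = reasons
        else:
            ready.append(d["name"])
    shortfall = max(0, len(ready) - vpp_licenses)
    return ready, blocked, shortfall

if __name__ == "__main__":
    ready, blocked, shortfall = preflight(SAMPLE_DEVICES, ["csc"], vpp_licenses=0)
    print("ready:", ready, "license shortfall:", shortfall)
    for name, reasons in blocked.items():
        print(name, "->", "; ".join(reasons))
```

A device can be blocked for more than one reason at once, so each entry lists every failed check rather than only the first.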
CSC App Fails to Install
The most common cause of app install failures is the lack of VPP licenses or an incorrect VPP link. For symptoms and troubleshooting tips, see this article.