Home > Enterprise Mobility Management > Device Enrollment > Enabling Auto-quarantine for newly enrolled devices

Enabling Auto-quarantine for newly enrolled devices

Table of contents
No headers



Auto-quarantine restricts newly enrolled devices from receiving any subsequent configuration profiles or apps without authorization from a Systems Manager (SM) network administrator. Auto-quarantine is disabled by default, but can be enabled on a per-SM network basis. Until authorized by a SM network administrator, Quarantined devices will not gain access to any sensitive network resources, including WiFi credentials, VPN settings, and paid iOS apps. Enabling this feature is an especially good idea if configuration profiles or apps are set to automatically deploy to all enrolled devices. This article describes how to enable Auto-quarantine and how to authorize a quarantined client. 

To enable Auto-quarantine:


  1. Select the appropriate Systems Manager network from the 'Network' pull-down menu at the top of your Dashboard account.
  2. Navigate to Configure > Network-wide Settings.
  3. Scroll down to Enrollment settings
  4. Select Auto-quarantine pull-down, and choose Enabled: automatically quarantine devices at enrollment.
  5. Save the page.

Note: Auto-quarantine only applies to newly enrolled devices. If a device is already listed on the Monitor > Clients page, and it re-enrolls, the device will not be quarantined upon re-enrollment. In this situation, the device would need to be removed from the Clients list before a new enrollment will auto-quarantine the device.

Authorizing a Quarantined Client:

An administrator can authorize a quarantined client to receive targeted configuration profiles and managed apps from either the Monitor > Clients page or the Client's details page.

Option 1: Authorize from the Monitor > Clients page



  1. Navigate to Monitor > Clients.
  2. Add the 'Quarantined?' column to the Clients list from the '+' symbol at the top-right of the list.
  3. Sort by the 'Quarantined?' column to more easily find quarantined clients.
  4. Select the client(s) to authorize.
  5. Select the Quarantine pull-down menu above the list.
  6. Choose Authorize.
  7. Confirm authorization by clicking OK when prompted.

Option 2: Authorize from client's details page


  1. Navigate to Monitor > Clients.
  2. Click on the desired client's name to view the client's details page.
  3. Scroll down to the MDM Commands section.
  4. Select Authorize.
  5. Confirm authorization by clicking OK when prompted.

Enabling Auto-quarantine allows a device to enroll in a SM network, but still be restricted from receiving any subsequent configuration profiles or apps until the device is authorized by an admin. Auto-quarantine further strengthens network security by preventing unauthorized devices from accessing any sensitive network information.

You must to post a comment.
Last modified
20:41, 2 Feb 2015


This page has no custom tags.


This page has no classifications.

Article ID

ID: 1262

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case