Supervised Devices in Meraki Systems Manager
Overview
Cisco Meraki allows iOS and Android devices enrolled in Systems Manager MDM to be supervised and managed. Supervision unlocks additional features, such as bulk-pushing firmware updates or delaying iOS updates remotely from the dashboard, and preventing users from removing the management profile from their devices. This document showcases some of the features that come with device supervision and the commands that can be sent to supervised devices.
Device supervision in Systems Manager requires a Systems Manager license for each device. Unfortunately, legacy Systems Manager users do not have the ability to have a supervised device in their network.
How to Supervise Devices
There are two ways to supervise an Apple device: the Device Enrollment Program (DEP) or Apple Configurator. Apple's DEP is the only way to make iOS and macOS profiles mandatory and non-removable, both new from the box and after a factory reset. It is highly advised that any organization-owned devices that qualify be enrolled. There are other ways to discourage removal of a Meraki management profile on devices that cannot be enrolled in Apple's DEP.
Android devices are supervised using Device Owner mode, and this is done during initial setup of the device. This prevents end users from removing the management profile from the device. Device Owner mode can also be used to limit the end users' ability to factory reset the device and use Android Debug Bridge (ADB).
How to Enroll Supervised Devices
The process to enroll a supervised device is the same as for an unsupervised device. The instructions can be found in the dashboard under Systems Manager > Manage > Add Devices, or by following our guide on how to enroll every operating system.
Some Supervised Feature Restrictions for iOS
Meraki is committed to providing an inclusive experience for our customers. The following section contains language that does not adhere to our standards for inclusivity. We are working with our partners to replace it.
Feature | Description | Supervision Required |
---|---|---|
Allow use of Camera | Show or hide the native camera app. Allow or prevent use of the camera in all applications | |
Allow screen capture | Allow or prevent screenshots of the device's display | |
Allow device assistant (Siri) | Allow or prevent use of Siri | |
Allow Siri while locked | Allow or prevent Siri when device is locked | |
Allow Voice dialing | Show or hide the native phone app. Allow or prevent the use of the phone dialer | |
Allow FaceTime calls | Allow or prevent FaceTime video calls | |
Allow automatic sync when roaming | Allow or prevent device sync of managed data when device is roaming | |
Allow Passbook notifications while locked | Show or hide Passbook notifications on the lock screen | |
Allow in-app purchases | Allow or prevent buying extra content or subscriptions within an app | |
Force user to enter iTunes Store password for all purchases | Require user to enter their iTunes store password to make purchases | |
Allow multiplayer gaming | Allow or prevent gaming with multiple external users | |
Allow adding Game Center Friends | Allow or prevent Game Center and integration in apps | |
Show Control Center in lock screen | Show or hide Control Center while device is locked | |
Show Notification center in lock screen | Show or hide Notification Center while device is locked | |
Show Today view in lock screen | Show or hide Today View within Notification Center while device is locked | |
Do not containerize work data and contacts from unmanaged apps | Allow or prevent data stored in corporate (managed) apps from being shared with personal (unmanaged) apps | |
Do not containerize personal data and contacts from managed apps | Allow or prevent data stored in personal (unmanaged) apps to be shared with corporate (managed) apps | |
Allow Handoff | Allow or prevent apps from using Handoff capabilities | |
Require passcode on outgoing AirPlay pairing requests | Require a passcode to broker an outbound AirPlay request | |
Require passcode on incoming AirPlay pairing requests | Require a passcode when an AirPlay request is received | |
Force paired Apple Watch to use Wrist Detection | Require paired Apple Watches to use wrist detection to automatically unlock or lock | |
Disallow sharing of managed documents with AirDrop | Allow or prevent data stored in corporate (managed) apps from being shared to AirDrop destinations | |
Delay OS software updates | Delay updates to iOS for up to 90 days | |
Allow UI configuration profile installation | Allow or prevent a UI prompt to install configuration profiles or certificates | |
Allow modifying account settings | Allow or prevent the ability to add or remove accounts, e.g. mail account, iCloud settings, iMessage settings, etc. | |
Allow AirDrop | Allow or prevent AirDrop from being available | |
Allow changes to cellular data usage for apps | Show or hide the toggle to allow apps to use cellular data | |
Allow user-generated content in Siri | Allow or prevent Siri from showing content from sources that allow user-generated content, e.g. Wikipedia | |
Allow modifying Find My Friends settings | Allow or prevent changes to settings for the Find My Friends app | |
Allow host pairing | Allow or prevent a device from pairing with Macs that do not have the Supervision certificate installed | |
Enable Siri profanity filter | Allow or prevent profanity in Siri | |
Allow configuring restrictions | Allow or prevent the end user from creating their own restrictions | |
Allow Erase All Content and Settings | Allow or prevent the end user from being able to wipe a device | |
Allow Internet results in Spotlight | Allow or prevent Spotlight search from showing internet search results | |
Allow keyboard auto-correction | Allow or prevent word correction suggestions | |
Allow keyboard spell-check | Show or hide warnings (red underline) underneath potentially mistyped words | |
Allow definition lookup | Allow or prevent the ability to search for a word's definition by double-clicking a word | |
Allow predictive keyboard | Allow or prevent the use of a predictive keyboard | |
Allow keyboard shortcuts | Allow or prevent users to create and use keyboard shortcuts | |
Allow pairing with Apple Watch | Allow or prevent an iPhone to pair with Apple Watch | |
Allow modification of passcode settings | Allow or prevent users to change passcode on the device | |
Allow modification of device name | Allow or prevent users to change the device's name | |
Keep device name up-to-date with Dashboard | Sync the device's name to dashboard | |
Allow modification of wallpaper | Allow or prevent changes to the device's wallpaper by the user | |
Set Lock & Home screen wallpaper | Configure the lock screen and home screen wallpaper images | |
Set lock screen payload | Set asset tag information and footnote to be displayed on the login window and lock screen | |
Allow changes to Notifications settings | Allow or prevent end users to change notification preferences | |
Allow remote screen observation by the Classroom app | Allow or prevent a Teacher iPad to view Student iPad screen in the Classroom App | |
Allow modification of diagnostic submission and app analytics settings | Allow or prevent users from changing diagnostic log submission and app analytics settings | |
Allow modification of Bluetooth settings | Allow or prevent users from changing Bluetooth settings | |
Allow dictation input | Allow or prevent users from using voice to text | |
Enforce SSID Whitelisting | Restrict the device to only connect to WiFi networks specified by MDM policy | |
Allow creation of VPN configurations | Allow or prevent users to create new VPN configuration | |
Enable USB Restricted Mode | Allow or prevent a device to connect to USB accessories without entering a passcode | |
Enable Web Content Filter | Configure access to HTTP or HTTPS websites via a permitted list and a block list | |
Enable Global HTTP Proxy | Configure proxy settings for all HTTP/S network traffic | |
Set managed email domains | The device will warn the user by coloring the email address text red if a user sends an email to an email domain not listed in a managed domains profile | |
Set managed safari web domains | Documents viewed on or downloaded from managed web domains can only be opened by a managed app. | |
Set home screen layout | Specific placement of app icons on the home screens | |
Set Per App VPN | Create a VPN connector and create policies for when, how, and which applications or web pages would use this VPN connection | |
Allow managed apps to write contacts to unmanaged contacts accounts | Allow or prevent contacts generated in managed apps to be created in unmanaged contacts accounts | |
Allow unmanaged apps to read from managed contacts accounts | Allow or prevent contacts stored in managed contacts to be read by unmanaged apps | |
Allow server-side Siri logging | Allow or prevent Siri from logging to its server | |
Turn the Date & Time 'Set Automatically' feature to ON and disallow user disabling | Allow or prevent the user from changing the date and time settings. Set the date and time on the device automatically | |
Allow users to use saved passwords in Safari and AutoFill Passwords feature | Allow or prevent users from using saved passwords or the AutoFill password feature in Safari | |
Allow user's device to request passwords from nearby devices | Allow or prevent a device from requesting passwords from other devices | |
Allow users to share their passwords with the Airdrop Passwords feature | Allow or prevent a device from sharing passwords through AirDrop | |
Allow users to add or remove a cellular plan to the eSIM of a device | Allow or prevent changes to the eSIM cellular plan | |
Allow users to modify the personal hotspot setting | Allow or prevent the user from making changes to the hotspot settings |
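
A restrictions profile that relies on supervised-only settings does not enforce them on an unsupervised device, so it is worth checking a profile against the device's supervision state before relying on it. The following is an added example, not Meraki code: it parses an unsigned configuration profile and lists the supervised-only restriction keys it sets. The key names are Apple Restrictions payload keys (`com.apple.applicationaccess`); the chosen subset, the mapping to the dashboard labels above, and the sample profile are assumptions made for illustration.

```python
import plistlib

# Assumption: a subset of Apple Restrictions payload keys that Apple documents
# as supervised-only, mapped by us to the dashboard labels in the table above.
SUPERVISED_ONLY = {
    "allowAirDrop": "Allow AirDrop",
    "allowHostPairing": "Allow host pairing",
    "allowEraseContentAndSettings": "Allow Erase All Content and Settings",
    "allowAccountModification": "Allow modifying account settings",
    "allowUIConfigurationProfileInstallation": "Allow UI configuration profile installation",
    "allowVPNCreation": "Allow creation of VPN configurations",
    "forceDelayedSoftwareUpdates": "Delay OS software updates",
}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"

def supervised_only_settings(profile_bytes):
    """Return {key: (dashboard label, value)} for supervised-only keys in the profile."""
    profile = plistlib.loads(profile_bytes)
    found = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue  # only the Restrictions payload is audited here
        for key, value in payload.items():
            if key in SUPERVISED_ONLY:
                found[key] = (SUPERVISED_ONLY[key], value)
    return found

def audit(profile_bytes, device_supervised):
    """Return the keys that will not be enforced on this device, sorted."""
    if device_supervised:
        return []
    return sorted(supervised_only_settings(profile_bytes))

# Constructed sample profile (not exported from a real dashboard).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.constructed.restrictions",
    "PayloadContent": [
        {"PayloadType": RESTRICTIONS_TYPE,
         "allowAirDrop": False, "allowHostPairing": False,
         "allowScreenShot": False,  # not in the supervised-only subset
         "forceDelayedSoftwareUpdates": True},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "constructed-ssid"},
    ],
})

if __name__ == "__main__":
    for key in audit(SAMPLE_PROFILE, device_supervised=False):
        print("not enforced on unsupervised device:", key)
```

Profiles exported as signed `.mobileconfig` files must have the signature wrapper removed before `plistlib` can parse them.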
Commands Requiring Device Supervision
Here is a breakdown of commands that require supervision before pushing to the device from the dashboard.
Command | Description | Supervision required |
---|---|---|
Restart | Send a command to reboot the device | |
Shutdown | Send a command to turn off the device | |
Unenroll device | Remove the management profile from a device | |
Clear Passcode | Remove the current passcode from the device. If a passcode restriction profile is applied, the user will be prompted to create a new passcode | |
Lock device | Locks the device with a passcode or locks the screen if there is no passcode set | |
Selective wipe | Remove all of the profiles, restrictions, configuration options, and apps from the device | |
Erase device | Send the command to initiate a full device wipe and factory reset | |
Force OS Update | Send the command to download and update to the latest version of iOS immediately | |
Preserve Data Plan (Erase Device) | The device will maintain the current utilization of its data plan after being wiped | |
Skip Proximity Setup (Erase Device) | Instruct the device to skip using proximity auto-configuration after being wiped | |
Enable Activation Lock | Turn on the Find My iPhone activation lock tied to a user's signed in Apple ID | |
Clear Activation Lock | Disable activation lock on the device | |
Clear Restrictions Passcode | Remove passcode protecting device restrictions in settings | |
Enable Bluetooth | Turn on the Bluetooth radio | |
Enable Lost Mode | Turn on Lost Mode |