Skip to main content
Cisco Meraki Documentation

Systems Manager Agent and MDM Profile Enrollment

Because Systems Manager supports so many different operating systems, there are a few primary enrollment methods to add management capability to your devices. This guide will cover the two primary aspects of management, agent installs, and enrollment profiles, and the features associated with each of them.

 

For detailed instructions on how to enroll a particular device type, see this article.

What are the Meraki Agent and MDM Profiles?

The MDM enrollment profile provides most of the management functionality on devices, such as restrictions or live tools like sending notifications and remote reboot commands. These profiles exist as configurations on the device's operating system, using the vendor's native APIs, and are provisioned during the enrollment process. You can see examples of where the profile can be found on each device type in this article.

Although MDM profiles are used for most platforms, desktop versions of Windows and macOS support installing an agent as well. The Meraki agent installs like an application and runs as a service in the background of your enrolled Windows/Mac machine. The agent provides additional functionality, such as custom software deployment and remote desktop. The agent and profile are not mutually exclusive, you can enroll a device using either method or with both.
 

We typically recommend enrolling with both methods for full Systems Manager functionality.

Operating System Compatibility 

 

Agent

MDM Profile

macOS

Checkbox.png

Checkbox.png

iOS/iPadOS/tvOS

Not a checkbox.png

Checkbox.png

Android

Not a checkbox.png

Checkbox.png

Windows 10

Checkbox.png

Checkbox.png

Windows 11

Checkbox.png

Checkbox.png

Chrome OS*

Not a checkbox.png

Checkbox.png

* Chrome OS technically does not run an agent or install a profile and connects via Google's APIs for management. See here.

For a list of supported operating systems and versions see the Supported Operating Systems KB article.

How to Enroll

Enrollment instructions can be found in the Meraki Dashboard under Systems Manager > Manage > Add Devices. You can also find guides on how to enroll every operating system for a detailed breakdown. 

Agent Version Control

Systems Manager admins have the ability to manage the preferred version of the agent used for all devices in their networks, or upgrade or downgrade the agent on specific devices.

To manage the preferred version in a network, navigate to Systems Manager > Configure > General and select the preferred agent version under Agent Version.  The Agent version can be set to a specific version number or "Latest" which will automatically update the agent on currently managed and newly enrolled devices with each new Agent release.

preferred-agent-version.png

To manage the preferred version for a specific device, navigate to the "Device Details" page for a target device and select the expected version under Agent Version. Click on "Set" to automatically upgrade or downgrade the agent on the next device check-in. 

choose-version.png

Please use agent versions greater than 3.7.2. 

For a list of feature updates and bug fixes across all agent versions, see the Systems Manager Agent Release Notes.

 

Auto-installing the macOS Agent

The macOS agent can be pushed down as an application to Mac devices that have gone through profile enrollment. This can help streamline the enrollment process of macOS devices, ensuring that both profile and agent are installed without needing to manually run the .pkg on devices. The agent can be added Systems Manager > Manage > Apps > + Add new and scoped to all devices, or via tags. Once configured, enrolled devices can automatically install the agent if within the specified scope. 

Screen Shot 2018-03-20 at 1.33.18 PM.png

Agent vs Profile Features

The agent and profile each enable different sets of features on your devices. For full functionality on Windows 10 desktops and macOS devices, we recommend enrolling through both methods whenever possible. Most notably, Microsoft did NOT build MDM profile support for Windows 7 and 8, which means it is not possible to distribute settings like wireless configs to those devices.

The key differences: software installer (macOS/Windows Custom Apps) and remote desktop require the agent to be installed, and installing MDM profiles (wireless, VPN settings, etc.) or Store Apps (macOS) require the management profile. See a full comparison of features, including various MDM commands below.

  Windows Profile Windows Agent

Apple

Unsupervised  Profile

Apple

Supervised Profile

macOS Agent

Push MDM profiles

Checkbox.png

 

Checkbox.png

Checkbox.png

 

Lock Device

   

Checkbox.png

Checkbox.png

 

Selective Wipe

   

Checkbox.png

Checkbox.png

 

Erase Device

Checkbox.png

 

Checkbox.png

Checkbox.png

 

Fetch process list

 

Checkbox.png

   

Checkbox.png

Command line

                  Checkbox.png    

Checkbox.png

Network stats

 

Checkbox.png

   

Checkbox.png

Screenshot

 

Checkbox.png

   

Checkbox.png

Remote Desktop

 

Checkbox.png

   

Checkbox.png

Power Control

 

Checkbox.png

   

Checkbox.png

Install Software Binaries     Checkbox.png**       Checkbox.png**

Send Notification

 

Checkbox.png

Checkbox.png

Checkbox.png

 

Install OS updates

     

 Checkbox.png*

 

Activation Lock/Bypass

     

Checkbox.png

 

* Installing OS updates on iOS requires ADE supervision specifically, and will not work with Apple Configurator supervision.

** Filetypes are OS Specific: Windows may install .exe or .msi files, macOS may install .pkg or .app encapsulated inside a .dmg image.

Checking Enrollment Status on Dashboard

For Windows desktop and macOS devices, there are a few ways to check whether a device has the management profile installed, agent installed, or both.

Client Details

After selecting a client, scroll down to the 'Online status' section. A device with the agent installed with show 'Last online' here. A device with the management profile installed will show "Last check-in'. Devices enrolled through both methods will show both lines, as in the below image.

2017-07-14 15_54_02-Clients - Meraki Dashboard.png

 

You can also tell how a device was enrolled based on the MDM commands available. With just the management profile installed, you'll see:

clipboard_e37e5c377c03e26bad8bb57ea42db7940.png

With both the profile and agent installed, you'll see:

clipboard_e2b234fecff3379fec1ce71ad2996e844.png

Clients List

On the Systems manager > Clients page, click the '+' sign at the top right, and add the 'Managed?' column to the table. Devices that are enrolled with 'Managed? No' are enrolled through the agent, and do not have a management profile installed.

2017-07-14 16_00_06-Clients - Meraki Dashboard.png

Checking for Management Profile on Devices 

iOS/iPadOS

For iOS/iPadOS, the enrollment profile is stored in Settings > General > Profiles & Device Management > Meraki Management/Meraki Systems Manager.

iOS_enrollment_profile1.PNG

In addition to the Meraki Management enrollment profile, you can also add the Meraki Systems Manager app to iOS, which allows some additional features to be enabled, including Backpack, GPS tracking, Push Notifications, and much more. 

macOS

For macOS, the enrollment profile is stored in System Preferences > Profiles > Meraki Management/Meraki Systems Manager.

osx_enrollment_profile.png

Android

For Android, the enrollment profile can be viewed in the Meraki Systems Manager app on the Configuration page.

sm_android.png

Windows 10/11

For Windows 10/11, the enrollment profile is stored in Settings > Accounts > Work Access.

windows_profile_location.png

Checking for the Agent on Devices

The agent is a process that will be running in the background on macOS and Windows 7, Windows 8, and Windows 10.

To confirm that the agent is running on macOS and view the Meraki agent's log file, run the following command in Terminal:

tail -f /var/log/m_agent.log

osx_logs.png

If you see logging information being generated for today's date, your Meraki agent is currently running!

To confirm that the agent is running on Windows 10, or Windows 11, view the Meraki agent's log file by opening m_agent_service.log located in one of the directories below (depending on what agent version is installed).

Agents ≤ 3.6.0: C:\Windows\temp\m_agent_service.log 
Agents ≥ 3.7.0: C:\ProgramData\Meraki\Systems Manager Agent\Logs\m_agent_service.log

If you see logging information generated for today's date, your Meraki agent is currently running! 

windows_logs1.png

 

For extra Windows agent running confirmation, you can also find the m_agent_service running with the Task Manager:

windows_process.png

What about Chrome OS?  

Chromebooks are enrolled through the Google Admin Console with API access enabled. If you are interested in managing your Chrome OS devices, please view our documentation on enrolling Chrome OS into Meraki Systems Manager