Systems Manager Agent and MDM Profile Enrollment
Because Systems Manager supports so many different operating systems, there are a few primary enrollment methods to add management capability to your devices. This guide will cover the two primary aspects of management, agent installs, and enrollment profiles, and the features associated with each of them.
For detailed instructions on how to enroll a particular device type, see this article.
What are the Meraki Agent and MDM Profiles?
The MDM enrollment profile provides most of the management functionality on devices, such as restrictions or live tools like sending notifications and remote reboot commands. These profiles exist as configurations on the device's operating system, using the vendor's native APIs, and are provisioned during the enrollment process. You can see examples of where the profile can be found on each device type in this article.
Although MDM profiles are used for most platforms, desktop versions of Windows and macOS support installing an agent as well. The Meraki agent installs like an application and runs as a service in the background of your enrolled Windows/Mac machine. The agent provides additional functionality, such as custom software deployment and remote desktop. The agent and profile are not mutually exclusive, you can enroll a device using either method or with both.
We typically recommend enrolling with both methods for full Systems Manager functionality.
Operating System Compatibility
|
Agent |
MDM Profile |
macOS |
||
iOS/iPadOS/tvOS |
||
Android |
||
Windows 10 |
||
Windows 11 |
||
Chrome OS* |
* Chrome OS technically does not run an agent or install a profile and connects via Google's APIs for management. See here.
For a list of supported operating systems and versions see the Supported Operating Systems KB article.
How to Enroll
Enrollment instructions can be found in the Meraki Dashboard under Systems Manager > Manage > Add Devices. You can also find guides on how to enroll every operating system for a detailed breakdown.
Agent Version Control
Systems Manager admins have the ability to manage the preferred version of the agent used for all devices in their networks, or upgrade or downgrade the agent on specific devices.
To manage the preferred version in a network, navigate to Systems Manager > Configure > General and select the preferred agent version under Agent Version. The Agent version can be set to a specific version number or "Latest" which will automatically update the agent on currently managed and newly enrolled devices with each new Agent release.
To manage the preferred version for a specific device, navigate to the "Device Details" page for a target device and select the expected version under Agent Version. Click on "Set" to automatically upgrade or downgrade the agent on the next device check-in.
Please use agent versions greater than 3.7.2.
For a list of feature updates and bug fixes across all agent versions, see the Systems Manager Agent Release Notes.
Auto-installing the macOS Agent
The macOS agent can be pushed down as an application to Mac devices that have gone through profile enrollment. This can help streamline the enrollment process of macOS devices, ensuring that both profile and agent are installed without needing to manually run the .pkg on devices. The agent can be added Systems Manager > Manage > Apps > + Add new and scoped to all devices, or via tags. Once configured, enrolled devices can automatically install the agent if within the specified scope.
Agent vs Profile Features
The agent and profile each enable different sets of features on your devices. For full functionality on Windows 10 desktops and macOS devices, we recommend enrolling through both methods whenever possible. Most notably, Microsoft did NOT build MDM profile support for Windows 7 and 8, which means it is not possible to distribute settings like wireless configs to those devices.
The key differences: software installer (macOS/Windows Custom Apps) and remote desktop require the agent to be installed, and installing MDM profiles (wireless, VPN settings, etc.) or Store Apps (macOS) require the management profile. See a full comparison of features, including various MDM commands below.
Windows Profile | Windows Agent |
Apple Unsupervised Profile |
Apple Supervised Profile |
macOS Agent | |
Push MDM profiles |
|||||
Lock Device |
|||||
Selective Wipe |
|||||
Erase Device |
|
|
|||
Fetch process list |
|||||
Command line |
|||||
Network stats |
|||||
Screenshot |
|||||
Remote Desktop |
|||||
Power Control |
|||||
Install Software Binaries | ** | ** | |||
Send Notification |
|||||
Install OS updates |
* |
||||
Activation Lock/Bypass |
* Installing OS updates on iOS requires ADE supervision specifically, and will not work with Apple Configurator supervision.
** Filetypes are OS Specific: Windows may install .exe or .msi files, macOS may install .pkg or .app encapsulated inside a .dmg image.
Checking Enrollment Status on Dashboard
For Windows desktop and macOS devices, there are a few ways to check whether a device has the management profile installed, agent installed, or both.
Client Details
After selecting a client, scroll down to the 'Online status' section. A device with the agent installed with show 'Last online' here. A device with the management profile installed will show "Last check-in'. Devices enrolled through both methods will show both lines, as in the below image.
You can also tell how a device was enrolled based on the MDM commands available. With just the management profile installed, you'll see:
With both the profile and agent installed, you'll see:
Clients List
On the Systems manager > Clients page, click the '+' sign at the top right, and add the 'Managed?' column to the table. Devices that are enrolled with 'Managed? No' are enrolled through the agent, and do not have a management profile installed.
Checking for Management Profile on Devices
iOS/iPadOS
For iOS/iPadOS, the enrollment profile is stored in Settings > General > Profiles & Device Management > Meraki Management/Meraki Systems Manager.
In addition to the Meraki Management enrollment profile, you can also add the Meraki Systems Manager app to iOS, which allows some additional features to be enabled, including Backpack, GPS tracking, Push Notifications, and much more.
macOS
For macOS, the enrollment profile is stored in System Preferences > Profiles > Meraki Management/Meraki Systems Manager.
Android
For Android, the enrollment profile can be viewed in the Meraki Systems Manager app on the Configuration page.
Windows 10/11
For Windows 10/11, the enrollment profile is stored in Settings > Accounts > Work Access.
Checking for the Agent on Devices
The agent is a process that will be running in the background on macOS and Windows 7, Windows 8, and Windows 10.
To confirm that the agent is running on macOS and view the Meraki agent's log file, run the following command in Terminal:
tail -f /var/log/m_agent.log
If you see logging information being generated for today's date, your Meraki agent is currently running!
To confirm that the agent is running on Windows 10, or Windows 11, view the Meraki agent's log file by opening m_agent_service.log located in one of the directories below (depending on what agent version is installed).
Agents ≤ 3.6.0: C:\Windows\temp\m_agent_service.log Agents ≥ 3.7.0: C:\ProgramData\Meraki\Systems Manager Agent\Logs\m_agent_service.log
If you see logging information generated for today's date, your Meraki agent is currently running!
For extra Windows agent running confirmation, you can also find the m_agent_service running with the Task Manager:
What about Chrome OS?
Chromebooks are enrolled through the Google Admin Console with API access enabled. If you are interested in managing your Chrome OS devices, please view our documentation on enrolling Chrome OS into Meraki Systems Manager.