Before you enroll iOS devices, make sure you have an Apple Push Certificate set up in your Dashboard organization.
By default, Systems Manager grants administrators the maximum amount of control available over your Apple devices upon enrollment. However, in certain bring-your-own-device (BYOD) environments where the device is personally owned, device owners may not want administrators to have this level of control over their personal devices.
Systems Manager can be customized to meet the needs of different deployment models by changing the permissions of what can be retrieved from or sent to the device. It is important to note that Access Rights must be set before devices are enrolled; changes made after enrollment will only take effect if a device is re-enrolled.
Access rights limitations can be found in Configure > General. See the article here for more info.
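In Apple's MDM protocol, the enrollment profile's `com.apple.mdm` payload carries an `AccessRights` bitmask that is fixed when the profile is installed, which is consistent with the re-enrollment requirement above. The following added example (not Meraki's code; the sample profile is constructed, and the mapping from Dashboard's Access Rights setting onto this bitmask is an assumption) decodes the bitmask so an enrollment profile can be reviewed before it is installed:

```python
import plistlib

# AccessRights bit flags as defined for Apple's com.apple.mdm payload.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}

def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig; for a signed profile, carve out the embedded XML plist."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def granted_rights(profile: dict) -> list[str]:
    """Return the rights granted by the profile's com.apple.mdm payload."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mdm":
            mask = payload.get("AccessRights", 0)
            return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]
    raise ValueError("profile has no readable com.apple.mdm payload")

# Constructed sample: a limited, BYOD-style profile (1 + 16 + 256 + 1024 = 1297).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mdm</string>
    <key>AccessRights</key><integer>1297</integer>
  </dict></array>
</dict></plist>"""

if __name__ == "__main__":
    for right in granted_rights(load_profile(SAMPLE)):
        print("granted:", right)
```

A value of 8191 means every right is granted. The carving step assumes the signed profile embeds the plist as one contiguous, unencrypted block.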
Supervised vs. non-Supervised
Device supervision is an important concept to understand when enrolling iOS devices in an EMM solution like Systems Manager. Supervising your iOS devices allows Systems Manager to manage many additional device settings, like locking a device into a single app, specifying a homescreen layout, or restricting access to additional apps like iMessage.
Enrolling your devices in supervised mode is typically recommended if your devices are organization-owned, or if you want to have deeper levels of control over your devices. Note that supervising a device requires either setting up devices as new, or factory resetting existing devices.
There are two options for supervision: ADE and Apple Configurator.
Automated Device Enrollment (ADE)
ADE allows you to permanently manage your organization's macOS, iOS, and tvOS devices. Your devices need to qualify for Apple's program to use this method, but it grants you the most control over your devices. For example, ADE allows you to make MDM enrollment mandatory and unremovable, and it enrolls devices into Systems Manager automatically during the initial device setup.
Please reference our ADE deployment guide for information on how to link your account and supervise devices with ADE.
Apple Configurator can be used to bulk configure and deploy iOS devices that do not qualify for ADE. This method requires connecting your iOS devices to a Mac to supervise.
Note: Although iOS can be managed without the Systems Manager app, additional features (e.g. GPS location, jailbreak detection) require the app. The app can also be used for manual enrollments. See the article here for more information.
To manually enroll a device without supervising it, navigate to Systems Manager > Manage > Add devices in Dashboard and follow the steps below.
- From the device's Safari browser, open: enroll.meraki.com
- Enter your ten-digit Network ID found in Dashboard: XXX-XXX-XXX
- Press register
- If using SM Enrollment Authentication, follow the prompts accordingly.
- Open the iOS "Settings" app and tap on the downloaded profile.
- Follow the prompts to install the profile.
- You are now done!
SM Sentry Enrollment SSID
You can also use SM Sentry to force iOS, Android, Windows, and Mac devices to enroll in Systems Manager for an efficient mass deployment or BYOD. When enabled on a given SSID for a Cisco Meraki wireless AP, Sentry facilitates the secure and rapid onboarding and deployment of SM to mobile devices. For more information on Systems Manager Sentry enrollment, please visit the following page.
You can also send device enrollment information to your users via email or SMS, by navigating to Systems Manager > Add devices > iOS. This method allows you to pre-configure a tag to be applied upon registration.