MDM Commands in Systems Manager
Systems Manager has built-in commands that allow for device-level troubleshooting as well as live management of devices from the Cisco Meraki Dashboard. These can be found by selecting a client from Systems Manager > Monitor > Devices and selecting the desired device. Certain commands can be issued in bulk from the client's list as well by selecting multiple clients and the 'Command' button or sent via the API. Devices need to be online in order to receive the commands, but in some cases, commands can be enqueued and processed the next time an offline device connects.
The available commands depend on the device’s operating system, vendor, and the level of access given to any mobile device management (MDM) solution. Since Windows and macOS devices have two methods of enrollment, Agent Enrollment and Profile Enrollment, it is important to note which commands are available with either method. Please be aware that certain iOS commands require device supervision.
Windows Commands
- The following features are disabled by default to protect user privacy and can be enabled by removing them from the Systems Manager > General > Feature Restrictions list. Please note that enabling or disabling these features creates an entry in the network change log.
- Remote Desktop
- Silent Remote Desktop
- Screenshot
- Command Line
Agent Live Tools
- Process List: The Process List tool provides an active list of all running processes on the device at the time of execution
- Command Line: The Command Line tool allows administrators to run shell commands on Windows and Mac devices.
- More information can be found in the Command Line Live Tools Knowledge based article
- Network Stats: Network Stats gives remote visibility into current network-specific information such as TCP connections, TCP statistics, and the device’s routing table.
- Screenshot: The Screenshot feature enables access to a real-time screenshot of the desktop device.
- Remote Desktop: The Remote Desktop feature enables full remote access to the MDM-managed desktop devices.
- More information can be found in the Remote Desktop Knowledge Base article.
- Power Control: Power Control allows remote rebooting or shutting down of a device.
- Send Notification: The Send Notification tool sends a pop-up notification to the device to alert the user.
- Agent Logs: This tool can be used to remotely fetch Meraki Systems Manager Agent logs.
Profile Commands
- Mobile Security: This tool can be used to Erase devices (Caution: this resets the device to factory defaults)
- Power Control: Power Control allows remote rebooting or shutting down of a device.
If your Windows device is both Agent enrolled and Profile Enrolled, you should have access to both sets of commands.
MacOS Commands
- The following features are disabled by default to protect user privacy and can be enabled by removing them from the Systems Manager > General > Feature Restrictions list. Please note that enabling or disabling these features creates an entry in the network change log.
- Remote Desktop
- Silent Remote Desktop
- Screenshot
- Command Line
Agent Live Tools
- Mobile security: Mobile security gives you the ability to change the password on the managed macOS device.
- Process List: The Process List tool provides an active list of all running process on the device at the time of execution
- Command Line: The Command Line tool allows administrators to run shell commands on Windows and Mac devices.
- More information can be found in the Command Line Live Tools Knowledge based article
- Network Stats: Network Stats gives remote visibility into current network-specific information such as TCP connections, TCP statistics, and the device’s routing table.
- Screenshot: The Screenshot feature enables access to a real-time screenshot of the desktop device.
- Remote Desktop: The Remote Desktop feature enables full remote access to the MDM-managed desktop device.
- More information can be found in the Remote Desktop Knowledge Base article.
- Power Control: Power Control allows remote rebooting or shutting down of a device.
- Send Notification: The Send Notification tool sends a pop-up notification to the device to alert the user. The user must accept the notification permission on the first message sent, or must manually enable permissions in System Settings (System Settings > Privacy & Security > Automation > m_agent > System Events)
- OS Update: OS Upgrade supports remote upgrading of an iOS device. Requires the device to be ADE enrolled for full functionality
- Bluetooth: Allows for the ability to enable or disable Bluetooth functionality.
- FileVault: Allows for the ability to display the device's personal recovery key if it is needed for any reason. Additional information can be found here.
- Agent Logs: This tool can be used to remotely fetch Meraki Systems Manager Agent logs.
Profile Commands
- Mobile security: Mobile security gives remote control over devices, including:
- Locking devices
- Selectively wiping devices (removing MDM-delivered applications and profiles)
- Erasing devices (resetting devices to factory defaults)
- Unenroll Device (removing the Management profile from the device)
- Activation Lock Commands - Additional information can be found in the Activation Lock for Apple Devices Knowledge Base article.
- Power Control: Power Control allows remote rebooting or shutting down of a device.
- OS Update: OS Upgrade supports remote upgrading of a macOS device.
- Bluetooth: Allows for the ability to enable or disable Bluetooth functionality.
- FileVault: Allows for the ability to display the device's personal recovery key if it is needed for any reason. Additional information can be found here.
If your macOS device is both Agent enrolled and Profile Enrolled, you should have access to both sets of commands.
iOS Commands
- Mobile security: Mobile security gives remote control over devices, including:
- Clear Passcode
- Clear Screentime
- Lock Device
- Selectively wiping devices (removing MDM-delivered applications and profiles)
- Erase Device (resetting devices to factory defaults)
- Unenroll Device (removing the Management profile from the device)
- Activation Lock Commands - Additional information can be found in the Activation Lock for Apple Devices Knowledge Base article.
- AirPlay: The AirPlay tool can be used to initiate streaming to known AirPlay-supported devices using MAC or device name.
- Data Settings: Allows for the ability to enable roaming or hotspot
- Power Control (iOS supervised): Power Control allows remote rebooting or shutdown of a device.
- Send Notification: The Send Notification feature sends a pop-up notification to the device to alert an end user - requires the SM iOS App be installed
- GPS Location: GPS Location enables a request of the current location of an iOS device and delivers it back to the interface - requires the SM iOS App be installed
- Single App Mode (iOS supervised): Single App Mode locks an iOS device into a specific mode in which only the app you select will be available for use on the device. This is also referred to as Kiosk mode.
- OS Update (iOS supervised): OS Upgrade supports remote upgrading of an iOS device.
- Lost Mode (iOS supervised): When enabled, Lost Mode can push specific messages and contact information to the device on the lock screen.
- Bluetooth: Allows for the ability to enable or disable Bluetooth functionality.
Android Commands
- Mobile security: Mobile security gives remote control over devices, including:
- Clear Passcode - If the device is BYOD enrolled, will only clear the passcode for the work profile
- Lock Device - requires Device Owner enrollment
- Selectively wiping devices (removing MDM-delivered applications and profiles)
- Erase Device (resetting devices to factory defaults) - requires Device Owner enrollment
- Send Notification: The Send Notification feature sends a pop-up notification to the device to alert an end user.
- Beacon: The Beacon feature enables an alarm to sound on an Android device to locate it - requires Device Owner enrollment
- AFW Account: Provides the ability to reset the AFW account associated with the device.