Skip to main content
Cisco Meraki Documentation

Selective Wipe and Device Quarantine in Systems Manager

  1. Last updated
  2. Save as PDF

A 'Quarantined' device in Systems Manager will not receive any applications or configuration profile settings until authorized by a SM network administrator. Devices can be placed in quarantine through the selective wipe MDM command, or automatically during enrollment into Systems Manager by enabling enrollment auto-quarantine

Selective Wipe

A selective wipe on managed clients will remove all managed apps and managed profiles installed via SM, without fully factory resetting the device, and prevent additional apps or profiles from being pushed down. This can secure network resources (WiFi access, Exchange emails) without relying on the device user to remove the SM agent from their device.

This feature is most typically utilized when a BYOD device user is no longer affiliated with the Organization, or as an intermediary step before fully wiping a lost or stolen device.  For more information about this feature, please see our Cisco Meraki Blog post on the topic.

How to Selective Wipe

An administrator can selectively wipe multiple clients from the Monitor > Clients page, or individual clients from the Client details page

Option 1: Device List 

  1. Select the appropriate Systems Manager network from the 'Network' pull-down menu at the top of the Dashboard account. 
  2. Navigate to Systems manager > Monitor > Devices.
  3. Place a check-mark next to the device(s) to selective wipe.
  4. Select the Quarantine pull-down menu above the Clients list.
  5. Choose Selective wipe.
  6. Confirm the selective wipe by clicking OK when prompted.

152.png

Option 2: Client Details page

Windows and macOS clients need to be enrolled through the profile method for the "MDM commands" section to appear.

  1. Navigate to Systems manager > Monitor > Clients.
  2. Click on the desired client's name to view the client's details page.
  3. Scroll down to the MDM Commands section.
  4. Select Selective wipe.
  5. Confirm selective wipe by clicking OK when prompted.

2017-07-27 09_17_52-Clients - Meraki Dashboard.png

Enrollment Auto-Quarantine

Auto-quarantine restricts newly enrolled devices from receiving any subsequent configuration profiles or apps without authorization from a Systems Manager network administrator. The setting is disabled by default, but can be enabled on a per-SM network basis. Enabling this feature is an especially good idea if configuration profiles or apps are set to automatically deploy to all enrolled devices, so that quarantined devices will not gain access to any sensitive network resources, like WiFi credentials, VPN settings, and paid iOS apps

  1. Select the appropriate Systems Manager network from the 'Network' pull-down menu at the top of your Dashboard account.
  2. Navigate to Systems manager > Configure > General.
  3. Scroll down to Enrollment settings
  4. Select Auto-quarantine pull-down, and choose Enabled: automatically quarantine devices at enrollment.
  5. Save the page.

2017-07-27 09_19_13-General - Meraki Dashboard.png

Note: Auto-quarantine only applies to newly enrolled devices. If a device is already listed on the Monitor > Clients page, and it re-enrolls, the device will not be quarantined upon re-enrollment. In this situation, the device would need to be removed from the Clients list before a new enrollment will auto-quarantine the device.

Authorizing a Quarantined Client

An administrator can authorize a quarantined client to receive targeted configuration profiles and managed apps from either the Monitor > Clients page or the Client's details page.

Option 1: Client List

  1. Navigate to Monitor > Clients.
  2. Add the 'Quarantined?' column to the Clients list from the '+' symbol at the top-right of the list.
  3. Sort by the 'Quarantined?' column to more easily find quarantined clients.
  4. Select the client(s) to authorize.
  5. Select the Quarantine pull-down menu above the list.
  6. Choose Authorize.
  7. Confirm authorization by clicking OK when prompted.

Option 2: Client Details page

  1. Navigate to Monitor > Clients.
  2. Click on the desired client's name to view the client's details page.
  3. Scroll down to the MDM Commands section.
  4. Select Authorize.
  5. Confirm authorization by clicking OK when prompted.

Enabling Auto-quarantine allows a device to enroll in a SM network, but still be restricted from receiving any subsequent configuration profiles or apps until the device is authorized by an admin. Auto-quarantine further strengthens network security by preventing unauthorized devices from accessing any sensitive network information.

 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Reference
    Stage
    Final
  2. Tags
    1. selective wipe
    2. SM
    3. systems manager