
Selective Wipe and Device Quarantine in Systems Manager

A 'Quarantined' device in Systems Manager will not receive any applications or configuration profile settings until authorized by an SM network administrator. Devices can be placed in quarantine through the selective wipe MDM command, or automatically during enrollment into Systems Manager by enabling enrollment auto-quarantine.

Selective Wipe

A selective wipe on managed clients will remove all managed apps and managed profiles installed via SM, without fully factory resetting the device, and prevent additional apps or profiles from being pushed down. This can secure network resources (WiFi access, Exchange emails) without relying on the device user to remove the SM agent from their device.

This feature is most typically utilized when a BYOD device user is no longer affiliated with the Organization, or as an intermediary step before fully wiping a lost or stolen device. For more information about this feature, please see our Cisco Meraki Blog post on the topic.

How to Selective Wipe

An administrator can selectively wipe multiple clients from the Monitor > Clients page, or individual clients from the Client details page.

Option 1: Client List 

  1. Select the appropriate Systems Manager network from the 'Network' pull-down menu at the top of the Dashboard account. 
  2. Navigate to Systems manager > Monitor > Clients.
  3. Place a check-mark next to the device(s) to selective wipe.
  4. Select the Quarantine pull-down menu above the Clients list.
  5. Choose Selective wipe.
  6. Confirm the selective wipe by clicking OK when prompted.

Option 2: Client Details page

Windows laptops and desktops and macOS clients need to be enrolled through the profile method for selective wipe to appear in the MDM commands.

  1. Navigate to Systems manager > Monitor > Clients.
  2. Click on the desired client's name to view the client's details page.
  3. Scroll down to the MDM Commands section.
  4. Select Selective wipe.
  5. Confirm selective wipe by clicking OK when prompted.

Enrollment Auto-Quarantine

Auto-quarantine restricts newly enrolled devices from receiving any subsequent configuration profiles or apps without authorization from a Systems Manager network administrator. The setting is disabled by default, but can be enabled on a per-SM network basis. Enabling this feature is an especially good idea if configuration profiles or apps are set to automatically deploy to all enrolled devices, so that quarantined devices will not gain access to any sensitive network resources, like WiFi credentials, VPN settings, and paid iOS apps.

  1. Select the appropriate Systems Manager network from the 'Network' pull-down menu at the top of your Dashboard account.
  2. Navigate to Systems manager > Configure > General.
  3. Scroll down to Enrollment settings.
  4. Select Auto-quarantine pull-down, and choose Enabled: automatically quarantine devices at enrollment.
  5. Save the page.

Note: Auto-quarantine only applies to newly enrolled devices. If a device is already listed on the Monitor > Clients page, and it re-enrolls, the device will not be quarantined upon re-enrollment. In this situation, the device would need to be removed from the Clients list before a new enrollment will auto-quarantine the device.
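
The auto-quarantine rule and the re-enrollment exception in the note above, as an added example: a toy Python model, not Meraki code and not the Dashboard API. The class, method and device names are hypothetical, and leaving an existing quarantine flag unchanged on re-enrollment is an assumption the page does not state.

```python
from dataclasses import dataclass, field

@dataclass
class Client:
    quarantined: bool
    managed: set = field(default_factory=set)  # apps/profiles installed via SM

@dataclass
class SmNetwork:
    """Toy model of one SM network; not Meraki code and not the Dashboard API."""
    auto_quarantine: bool = False                 # disabled by default, set per network
    clients: dict = field(default_factory=dict)   # Clients list: device id -> Client

    def enroll(self, dev: str) -> bool:
        """Enroll dev and return True if it is quarantined afterwards."""
        if dev in self.clients:
            # Already on the Clients list: auto-quarantine does not apply.
            # Assumption: an existing quarantine flag is left unchanged.
            return self.clients[dev].quarantined
        self.clients[dev] = Client(quarantined=self.auto_quarantine)
        return self.auto_quarantine

    def push(self, item: str) -> list:
        """Deploy item to all enrolled devices; return the ids that received it."""
        got = sorted(d for d, c in self.clients.items() if not c.quarantined)
        for d in got:
            self.clients[d].managed.add(item)
        return got

    def selective_wipe(self, dev: str) -> None:
        self.clients[dev].managed.clear()     # managed apps and profiles removed
        self.clients[dev].quarantined = True  # and no further pushes

    def authorize(self, dev: str) -> None:
        self.clients[dev].quarantined = False

    def remove_from_clients(self, dev: str) -> None:
        self.clients.pop(dev, None)

def reenrollment_gap() -> tuple:
    """Constructed scenario: the same device enrolls three times."""
    net = SmNetwork(auto_quarantine=True)
    first = net.enroll("byod-phone")       # new device: quarantined
    net.authorize("byod-phone")            # admin reviews and authorizes it
    second = net.enroll("byod-phone")      # re-enrolls while still listed
    reached = net.push("corp-wifi")        # auto-deployed profile reaches it
    net.remove_from_clients("byod-phone")  # remedy from the note above
    third = net.enroll("byod-phone")       # treated as new: quarantined again
    return first, second, reached, third
```

Calling reenrollment_gap() shows the second enrollment skipping quarantine and the third one, after removal from the Clients list, being quarantined again.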

Authorizing a Quarantined Client

An administrator can authorize a quarantined client to receive targeted configuration profiles and managed apps from either the Monitor > Clients page or the Client's details page.

Option 1: Client List

  1. Navigate to Monitor > Clients.
  2. Add the 'Quarantined?' column to the Clients list from the '+' symbol at the top-right of the list.
  3. Sort by the 'Quarantined?' column to more easily find quarantined clients.
  4. Select the client(s) to authorize.
  5. Select the Quarantine pull-down menu above the list.
  6. Choose Authorize.
  7. Confirm authorization by clicking OK when prompted.

Option 2: Client Details page

  1. Navigate to Monitor > Clients.
  2. Click on the desired client's name to view the client's details page.
  3. Scroll down to the MDM Commands section.
  4. Select Authorize.
  5. Confirm authorization by clicking OK when prompted.

Enabling Auto-quarantine allows a device to enroll in an SM network, but still be restricted from receiving any subsequent configuration profiles or apps until the device is authorized by an admin. Auto-quarantine further strengthens network security by preventing unauthorized devices from accessing any sensitive network information.

 

Last modified
09:19, 27 Jul 2017


Article ID

ID: 1250
