Owners
Overview
Under Systems Manager > Configure > Owners, you can associate device owners with their managed devices. An owner entry contains the full name, email address, and username of the end user. On the page, you will also see how many devices are associated with each owner. Owners are organization-wide and will be seen on all Systems Manager networks within an organization.
Most users created or imported into the Owners table can be used in conjunction with enrollment authentication to create another layer of security during enrollment, preventing unauthorized users from adding devices into your Systems Manager network.
Certain profile payloads like email configurations will use device owner information to populate device settings. This allows you to create a single payload for all your users instead of creating a unique profile only scoped to a single device. Owners can also be tagged so that profiles and apps can be deployed on a per-user basis, to all devices that person owns.
Adding and Importing Owners
Owners can come from multiple sources, and each owner will have a different 'Type' icon depending on how it was generated. Duplicate entries of different types in your table will automatically merge by matching the email address of the owner.
Meraki Managed
Meraki Managed owners are managed solely through Dashboard and can be leveraged for user tag scoping and enrollment authentication without integrating with a third-party directory service. To create a new Meraki hosted owner, navigate to Systems Manager > Configure > Owners and then select the “+ Add New” button at the top left-hand corner of the page.
You should then see a popup with various fields that can be filled out.
- Full Name
- Email
- Username
- Password
- Tags
Enter the user’s information into whichever fields you need populated, then press “Create owner”.
CSV Import
You may also import Meraki Managed Owners with a CSV file by clicking “CSV Import” on the Systems Manager > Owners page. You will also be able to download a CSV of your current users to see the format. The CSV file can contain the following information:
- Full name
- Username
- Tags
Optionally, the CSV file may also contain the columns Serial or WiFi MAC to identify devices. If a row contains both user information and device information, the device specified in the row will be assigned to the user. Rows with blank values for Email will be ignored. Any other columns are ignored. An example CSV with all modifiable fields can be seen below:
Wifi MAC,Serial,Email,Full name,Username,Tags
00:2c:7a:00:00:00,9S716H8794309FA67000018,,,,
00:1b:00:00:00:00,To be filled by O.E.M.,,,,
00:0c:00:00:00:00,VMware-56 4d 00 00 bd bf 00 6c-76 00 07 6c 00 00 00 15,,,,VMWare
00:5c:00:00:00:00,C02AB95WG8W1N,example@meraki.com,Example Account,example,sample-tag
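This added Python example, which is not part of the original article or of Meraki's tooling, applies the import rules described above to the sample CSV and reports which rows would be ignored and which devices would be assigned to which owner before anything is uploaded. The function name `preview_import`, the case-insensitive header matching, and the grouping of rows by email are assumptions.

```python
import csv
import io

# Column names taken from the page; case-insensitive matching is an assumption.
OWNER_COLS = {"email", "full name", "username", "tags"}
DEVICE_COLS = {"serial", "wifi mac"}

# The page's example CSV, one record per line.
SAMPLE = """\
Wifi MAC,Serial,Email,Full name,Username,Tags
00:2c:7a:00:00:00,9S716H8794309FA67000018,,,,
00:1b:00:00:00:00,To be filled by O.E.M.,,,,
00:0c:00:00:00:00,VMware-56 4d 00 00 bd bf 00 6c-76 00 07 6c 00 00 00 15,,,,VMWare
00:5c:00:00:00:00,C02AB95WG8W1N,example@meraki.com,Example Account,example,sample-tag
"""

def preview_import(text):
    """Predict, per the rules on the page, what an owners CSV import will do."""
    reader = csv.DictReader(io.StringIO(text))
    known = OWNER_COLS | DEVICE_COLS
    report = {
        "ignored_columns": [h for h in reader.fieldnames or []
                            if h.strip().lower() not in known],
        "ignored_rows": [],  # file line numbers skipped because Email is blank
        "owners": {},        # email -> owner fields and assigned devices
    }
    for row in reader:
        rec = {k.strip().lower(): (v or "").strip()
               for k, v in row.items() if k is not None}
        email = rec.get("email", "")
        if not email:
            report["ignored_rows"].append(reader.line_num)
            continue
        # Assumption: rows sharing an email describe one owner.
        owner = report["owners"].setdefault(
            email.lower(), {"full name": "", "username": "", "tags": "", "devices": []})
        for col in ("full name", "username", "tags"):
            owner[col] = rec.get(col) or owner[col]
        device = {c: rec[c] for c in sorted(DEVICE_COLS) if rec.get(c)}
        if device:  # user and device on one row: the device goes to that user
            owner["devices"].append(device)
    return report

if __name__ == "__main__":
    result = preview_import(SAMPLE)
    print("ignored rows:", result["ignored_rows"])
    for email, owner in result["owners"].items():
        print(email, owner)
```

Only the last row of the sample creates an owner; the first three rows carry device identifiers but no Email, so they are skipped, including the row that has a tag.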
Apple School Manager
To import ASM owners, first navigate to https://school.apple.com and ensure the users are populated in ASM. Next, ensure you have your ADE Server Token added to Dashboard under Organization > MDM. Then, go to Systems Manager > Configure > Owners, select Sync > Sync ASM.
To merge ASM imported owners with entries of a different owner type, make sure to check the 'Strip prefix domain' button in Organization > MDM if you follow Apple's recommended email domain naming schema. To add user photos into the Apple Classroom, create a folder of images matching the users' email addresses, and select 'Import > Import profile photos'.
Active Directory
To populate Active Directory users into the Owners table, you need to have Active Directory enrollment authentication set up.
During enrollment, users will be prompted to sign in with their username and password. If successfully authenticated, Dashboard will automatically create an owner entry and assign it the newly enrolled device, pulling in all of the user’s AD groups as tags. You can use the ‘Sync AD groups’ command to update these group tags should they ever change.
Note that 'Sync AD groups' does not automatically import all your AD owners into the Meraki Dashboard; it only syncs tags for existing owner entries. AD Owner entries are only generated when an AD account is used to enroll a device into Systems Manager.
If you need your OUs available in Systems Manager as tags for scoping profiles and apps prior to your full device rollout, you can use a 'keystone' user to authenticate first. This user should be associated with all OUs you plan to scope so that those tags are immediately loaded into the Owners page for configuration.
For more information regarding setup and configuration for enrollment authentication, please see the following article.
Azure AD
To populate Azure AD users into the Systems Manager > Owners table, you need to have Azure AD enrollment authentication set up.
During enrollment, users will be prompted to sign in with their Azure AD username and password. If successfully authenticated, Dashboard will automatically create an owner entry and assign it the newly enrolled device, pulling in all of the user’s Azure AD groups as tags. You can use the ‘Sync Azure AD groups’ command to update these group tags should they ever change.
Note: 'Sync Azure AD groups' does not automatically import all your Azure AD owners into the Meraki Dashboard; it only syncs tags for existing owner entries. AD Owner entries are only generated when an AD account is used to enroll a device into Systems Manager.
Note: Systems Manager only uses the Azure Application Secret for transitive memberOf calls.
For more information regarding setup and configuration for enrollment authentication, please see the following article.
Google Domain
Google owners will populate once you have enrolled in Android for Work using your Google domain. When a device is enrolled for the first time, the user will be prompted for their Google Credentials, which will be added to the Owners table after signing in.
Managing Owners
Clicking on an owner entry in the table will bring up options to edit certain fields, depending on the owner type. The below example is a Meraki Managed Owner, which allows Dashboard admins to manually edit the email and username and to reset the password associated with the entry. Owner entries automatically generated through enrollment authentication will only allow you to modify tags and owned devices in most cases.
Identity Certificates
When editing an owner entry, admins also have the option to add an identity certificate, for use with email certificate-based authentication. These can be uploaded individually per owner by selecting an owner entry, or in bulk by selecting Import > Import certs at the top right of the Owners page.