Skip to main content

 

Cisco Meraki Documentation

Systems Manager FAQ

This article answers some frequently asked questions regarding Meraki Systems Manager.

Frequently Asked Questions

What platforms does Meraki Systems Manager support?

Systems Manager supports a variety of Android, Apple iOS, macOS, and Windows platforms. Some features are OS-dependent. For a list of OS version support, please see here

  • Android phones, tablets & more
  • Chrome OS including Chromebook & more (G Suite or G Suite for Education account)
  • iOS and iPadOS including iPad, iPod Touch, & iPhone (SM app requires iOS 7 or higher)
  • tvOS including Apple TV 4 and Apple TV 3 
  • macOS including Macbook, iMac, Mac mini, Mac Pro, & more
  • Microsoft Server
  • Windows including Surface, tablets, desktops, laptops, & more

Is there a limit to the number of devices I can manage with Systems Manager?

No, there is no known limit to the number of devices you can manage with Systems Manager!

What ports do I need open on my firewall to manage my devices with Systems Manager?

Clients using Meraki Systems Manager initiate outbound management connections to the Meraki cloud.

The list of IP addresses, ports, and protocols for which you need to allow outbound access for Meraki cloud communication varies by customer and can be viewed here:

https://dashboard.meraki.com/manage/support/firewall_configuration

Why can I remove the 'Meraki Management' profile even when I set a password policy?

The 'Meraki Management' profile contains mobile device management settings for devices. Vendors (like Apple, Google, and Microsoft) do not allow profiles that contain these settings to be non removable by default. All other profiles pushed through Systems Manager can be password protected. However, if the user removes the 'Meraki Management' profile, all profiles (and, potentially, apps) pushed through Systems Manager will be deleted as well.

Note: by using a program like the Device Enrollment Program, you can ensure an iOS or macOS devices remains enrolled. For more information about the device enrollment program, click here.

Why is my device's location sometimes inaccurate?

Systems Manager makes a best effort to estimate a device's location. Occasionally this estimate is inaccurate. We use these four methods to locate a device, in order of decreasing accuracy:

  • GPS location (via GPS) - this is the most accurate, but is only available for Android, and iOS (using the SM app) devices.
  • Location of Meraki products (via AP) - if your organization has other Meraki products, such as WiFi access points, we can use their location as part of the calculation.
  • BSSID geolocation (via WiFi) - location based on the BSSID (the address of the WiFi network).
  • IP geolocation (via IP) - location based on the device's most recent IP address. This is our fallback mechanism, and the one that's most likely to be inaccurate.
For more information, please reference our documentation.

Can you locate iOS devices using GPS?

Yes. However, you must install the SM app.

Can I disable location tracking for privacy reasons?

Yes. You can enable privacy settings for mobile devices under the Systems Manager > Manage > Settings page. Under the privacy tab you can disable both location tracking or SSID tracking for enrolled devices.

Can I be notified when a client goes offline or comes online?

Yes, you can set a 'connectivity alert' from the Configure > Alerts page. When a device with the specified tag goes offline for the specified amount of time, you will receive an email alert. When the device comes back online, you will also receive an email alert.

Does the user have to enter the Apple ID password for every app installed?

If you are using VPP Device Assignment, then no Apple ID is required. Otherwise, an Apple ID and password are required for the app to be installed by and MDM/EMM vendor. 

With iOS 6+, the device caches a users password for 15 minutes. If you install FREE apps in batches via Systems Manager with iOS 6+, you will have to enter the password once instead of doing it for every single App.

Devices running pre-iOS 6 will be required to enter a password for every app regardless of whether it is free or paid.

Do you support Apple's Volume Purchase Program (VPP)?

Yes, we support both Redemption Codes, Managed Distribution, and the Device Assignment method! If you add a non-free App, you'll see a field for you to enter VPP codes. Note, there's no way for us to verify if a code is valid or not -- make sure all codes are unused before adding to Systems Manager

I deployed a paid App via a VPP code; can I reclaim the App back?

Paid apps can only be reclaimed and reassigned only if it is deployed on a supervised iOS device. More details on how to do this are here: http://support.apple.com/kb/HT5188

For unsupervised devices, there is no way to remove the app in a way that allows you to reuse or reassign the redemption code. When a code is used to install an app on an unsupervised device, it is permanently consumed.

Can you push iTunes credentials so that users aren't prompted for an Apple ID?

No. This is a limitation of Apple's MDM framework. However, if you're using VPP Device Assignment, you don't need to know or use Apple IDs. Check out the VPP page for more information.

I want to upgrade to the latest iOS software - can I do that with Systems Manager?

Yes! This can be done with Systems Manager. Note: this is not included in Legacy Systems Manager

What are 'iOS supervised restrictions,' and how do I enable them on my iOS device?

Devices can be supervised in the Device Enrollment Program (DEP) or by using Apple Configurator, a macOS application. Once supervised, Apple's iOS permits additional restrictions to toggle over-the-air via Systems Manager. These 'iOS supervised restrictions' are listed under the 'iOS supervised restrictions' section on the 'Restrictions' tab of the Systems Manager > Manage > Settings page.

On non-supervised devices, profiles will fail to deploy if, for example, Global HTTP Proxy is enabled. When the other iOS supervised restrictions are enabled (e.g., iMessage, Game Center), these restrictions will simply be ignored on a non-supervised device.

Why do I have to click to install apps I push to an Android device?

Android for Work allows for silent installation of Android apps (.apk). For more information about Android for Work, check out the article here.

Without Android for Work, when you push an app Systems Manager pushes a link of the app onto the device. The native Android framework does not allow installing the app silently.

How do I install custom Android Apps without the Playstore?

You can install custom Android Apps that are not available in either Google Play or the Kindle Store using Systems Manager's Backpack feature or by using Android for Work with EMM integration.

For backpack, point the Backpack URL to your Android application package file (APK) and install the app on the device which will be available in the Backpack folder in the Systems Manager Android App.

How do I use profiles and tags in my deployment for different groups of devices?

Profiles and tags are very handy to configure different groups of devices and push apps to different subsets of devices.

Please reference our documentation for more info regarding profiles and tags.

How do I uninstall Systems Manager from a client?

See this article for full instructions. First, locally uninstall the agent from the desired client.

  • Windows - use the Add/Remove Programs control panel to uninstall the Meraki Systems Manager Agent.
  • Mac - download, unzip, and run our uninstaller or for the profile method open Systems Preferences > Profiles, then remove (-) the Cisco Meraki Settings.
  • iOS - open Settings, navigate to General->Profiles->Meraki Management, then tap remove.
  • Android - uninstalling is a two-step process:
    1. Open Settings > Security > Device Administrators, and select 'Meraki Systems Manager'. Touch 'Deactivate'.
    2. Open System Settings > Applications > Manage Applications. From here, navigate down and select 'Systems Manager', and touch 'Uninstall'.

Once the agent is removed, the client can be removed from Dashboard by checking it on the client list, and then selecting "Remove from network" from the 'Move' pull-down menu.

How do I prevent remote desktop or screenshot from being invoked on certain clients?

Remote desktop and screenshot can be disabled per network by navigating to Configure > General > Feature restrictions and disabling remote desktop, screenshot, or silent remote desktop.

Remote desktop and screenshot can also be disabled on a per client basis as follows:

  • Windows: download meraki_sm_privacy.reg and merge into the registry
  • Mac: download ci.conf and place in '/etc/meraki/' (create a folder called "meraki" in /etc)

How do I mass-deploy the Windows agent using an AD GPO?

You may find this KB article useful. Systems Manager Deployment - GPO

Is there any more documentation on how to get started?

Yes, please watch our getting started videos. Best practice deployment guides can also be found here!
 

  • Was this article helpful?