
Configuration Settings

The Systems Manager > Manage > Settings page allows you to configure the specific settings associated with a particular configuration profile. These settings and profiles can be used to ensure that your devices meet business requirements and receive the configurations your users need to work.


After creating a new profile, click the 'Add settings' option on the left to begin adding settings payloads to your profile. Profiles can contain multiple payloads at once, and multiple profiles can be installed on a device. Your settings and profiles should be tailored to how your device deployment and tag structure are organized. 


The rest of this article introduces each of the primary settings payload options.  



The Restrictions payload is used to set various restrictions on managed devices, which allow you to control what access and functionality your end users have. Some examples include blocking iMessage or the App Store, setting a Safari web content filter, enabling single app mode, and blacklisting/whitelisting iOS apps. Note that some of the iOS restrictions can only be applied to supervised devices.

Privacy and Lock

Unchecking the privacy options will prevent Systems Manager from displaying SSID or location information for clients in scope of the profile.


The Allow Activation Lock option will, when unchecked, disable Cloud Activation Locking of DEP devices on their next enrollments.  


This option is used to enforce passcode requirements when unlocking iOS, Mac, and Android devices. Note that each operating system may enforce each requirement differently, or only support a subset of the configurations displayed. This payload does not allow you to specify a particular password to be pushed down to devices.

If using this in conjunction with the 'Restrictions' payload for iOS, ensure that the 'Allow modification of passcode settings (iOS 9+)' option is not selected in restrictions.


With AirPlay configuration in Systems Manager, devices can be pre-provisioned with the connection details for AirPlay devices. This can be a great way to secure Apple TV and other AirPlay resources from unauthorized users while ensuring that presenters' devices have all the information required to connect. 

Systems Manager can also be customized to only list specific AirPlay devices, allowing for restricted general access to these resources.


This payload allows you to push Exchange email configurations down to devices. For more information, see the full article here.


This tool is used to push X.509 (.cer, .p12) certificates to devices. These certificates can be generated by a third-party certificate authority or by a locally hosted certificate authority. A good use case for this feature is to push a verified certificate to an iOS device so that it can authenticate wirelessly via 802.1X.

Uploaded certificates will automatically populate under the "Trust" feature in a WPA2-Enterprise WiFi profile under the "WiFi" tab.

Web Clips

Web clips are shortcuts to web URLs (similar to browser bookmarks) that you can push out to your iOS devices for an easy way to access commonly-visited websites. Please be sure that the icon you upload is less than 144 x 144 pixels and in .png format. See the full article on web clips here.


Backpack allows administrators to securely deliver content like student lesson plans or employee resources to managed devices. See the full article here for more info.


WiFi settings can be used to push out a wireless profile to your managed devices. Some example use cases for this feature are:

  • Providing an Internet connection for your devices without explicitly providing the SSID name or credentials to the end user
  • Pushing out WPA2-Enterprise WiFi profiles with 802.1X authentication (EAP-MSCHAPv2, EAP-TLS, etc.). This can be further configured with "Trusted Certificates" that you upload using the "Credentials" feature described in this article
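
An 802.1X supplicant with no trusted certificate or server name configured cannot verify the RADIUS server it authenticates to. The following is an added example, not Cisco Meraki code: a check that reads an Apple configuration profile (the plist format iOS and macOS devices install) and flags enterprise WiFi payloads without server trust. It assumes an unsigned profile; a signed profile must be unwrapped first. The sample profile, SSIDs and UUIDs are constructed.

```python
import plistlib

# Payload type identifiers from Apple's configuration profile format.
WIFI = "com.apple.wifi.managed"
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem", "com.apple.security.pkcs12"}

def lint_wifi_trust(profile_bytes):
    """Return findings for 802.1X WiFi payloads that lack usable server trust."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if p.get("PayloadType") != WIFI or eap is None:
            continue  # not WiFi, or a network without 802.1X
        ssid = p.get("SSID_STR", "<unknown>")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        names = eap.get("TLSTrustedServerNames", [])
        if not anchors and not names:
            findings.append(f"{ssid}: no trusted certificate or server name set")
        for uuid in anchors:
            if uuid not in cert_uuids:
                findings.append(f"{ssid}: trust anchor {uuid} not in this profile")
    return findings

def sample_profile():
    """Constructed profile: one CA payload and three enterprise WiFi payloads."""
    def wifi(ssid, **eap):
        return {"PayloadType": WIFI, "SSID_STR": ssid, "EncryptionType": "WPA2",
                "EAPClientConfiguration": {"AcceptEAPTypes": [13], **eap}}
    ca = {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-0001",
          "PayloadContent": b"constructed placeholder, not a real certificate"}
    content = [
        ca,
        wifi("corp-good", PayloadCertificateAnchorUUID=["CA-0001"],
             TLSTrustedServerNames=["radius.example.com"]),
        wifi("corp-untrusted"),
        wifi("corp-dangling", PayloadCertificateAnchorUUID=["CA-9999"]),
    ]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": content})

if __name__ == "__main__":
    for finding in lint_wifi_trust(sample_profile()):
        print(finding)
```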


This payload allows you to pre-configure client-to-gateway VPN connectivity for your iOS, Android (Knox), and Mac devices with support for multiple connection types. Non-Knox Android devices should use solutions like AnyConnect, or apps that support AppConfig app settings like Pulse VPN. If you are hosting client VPN through a Cisco Meraki MX in the same organization, you can use the ‘Sentry’ configuration to automatically configure VPN.

Samsung Knox

Knox-specific settings for Android devices enrolled through Knox and not Android Enterprise. For information on these features, see the Knox article. For more info on different types of Android enrollments, see the Android Enrollment article.


Requires iOS supervision. This payload allows you to specify the background wallpaper and lock screen image for your supervised iOS devices. Choose images with dimensions that exactly match your devices' dimensions.

App Settings

Managed app settings allow you to preconfigure specific applications installed on your managed devices via key/value pairs. See the full article here for more info.

More Android

The Device Owner, Kiosk Mode, and System Apps payloads only affect Android devices enrolled in device owner mode.

  • App Permissions: This setting allows for custom application permissions. Examples include denying an application access to the device's contacts, saved payment methods, and even network access. Application permissions vary from app to app, and a list of relevant permissions can be found using the "Fetch permissions" button that appears once an app has been selected.
  • Device Owner: Contains additional restrictions like preventing factory reset or adding additional accounts on corporate-owned assets.
  • Kiosk Mode: Locks DO-mode devices into one or more specific applications. This can be configured with an unlock code to temporarily exit kiosk mode, or specify application upgrade windows.
  • System Apps: Allows you to block specific pre-installed apps from appearing in device owner mode. Enter the app identifier, such as 'com.google.android.dialer' for the default Google phone app. Note that different device vendors may have proprietary app IDs. For more information, see here.

More iOS

The Education, Home screen Layout, and Notifications payloads all require iOS device supervision.

  • Education: used to configure Apple School Manager Classroom settings
  • Home screen Layout: allows you to specify how application icons will be arranged across devices. This prevents users from rearranging icons or uninstalling apps from the home screen. Apps can still be removed from Settings > General > Storage & iCloud Usage > Manage Storage. Note that installed apps that are not explicitly placed in this payload will appear in random order behind the icons that are set. The full article on configuring HSL can be found here.
  • Notifications: configure notification settings on a per app basis
  • Per App VPN: configure a VPN connection with AnyConnect or IKEv2. The device will only tunnel traffic when the specified applications are launched
  • Network usage rules: allows you to disable cellular and roaming data for particular managed apps. See more info here.

More macOS

  • FileVault: see this article for configuration details
  • System Preferences: specify which options to lock out on your devices. Note that third-party preferences could be limited by pushing a script to install a custom .plist with the software installer. For an example of how scripts can be deployed, see this article.

More Chrome

  • Enrollment: Force device to re-enroll into this domain after wiping
  • Sign-in: Sign-in options & user account whitelist
  • Device updates: Auto update settings including auto checking for updates and auto installing updates
  • Kiosk mode: Lock device into one app
  • Miscellaneous: System time zone settings and other various settings

Article ID

ID: 4279
