The Systems Manager > Manage > Settings page allows you to configure the specific settings associated with a particular configuration profile. These settings and profiles can be used to ensure that your devices meet business requirements and receive the configurations your users need to work.
After creating a new profile, click the 'Add settings' option on the left to begin adding settings payloads to your profile. Profiles can contain multiple payloads at once, and multiple profiles can be installed on a device. Your settings and profiles should be tailored to how your device deployment and tag structure are organized.
The rest of this article introduces each of the primary settings payload options.
Set various restrictions on managed devices, which allow you to control what access and functionality your end users have. Some examples include blocking iMessage, the App Store, setting a Safari web content filter, enabling single app mode, or blacklisting/whitelisting iOS apps. Note that some of the iOS restrictions require devices to be supervised to be applied.
Enforce passcode requirements when unlocking iOS, Mac, and Android devices. Note that each operating system may enforce each requirement differently, or only support a subset of the configurations displayed. This payload does not allow you to specify a particular password to be pushed down to devices.
If using this in conjunction with the 'Restrictions' payload for iOS, ensure that the 'Allow modification of passcode settings (iOS 9+)' option is selected in restrictions.
Push SCEP certificates to a device using Meraki's Certificate Authority.
Push X.509 (.cer, .p12) certificates to devices. These certificates can be generated by a 3rd party certificate authority or by a locally hosted certificate authority. A good use case for this feature is to push a verified certificate to an iOS device to wirelessly authenticate via 802.1X.
These will automatically populate under the "Trust" feature in a WPA2-Enterprise WiFi profile under the "WiFi" tab.
Push out a wireless profile to your managed devices. Some example use cases for this feature are:
Providing an Internet connection for your devices, but do not want to explicitly provide the SSID name or credentials to the end user
Pushing out WPA2-Enterprise WiFi profiles with 802.1X authentication (EAP-MSCHAPv2, EAP-TLS, etc.) This can be further configured with "Trusted Certificates" that you upload, utilizing the "Certificate" feature described above.
Privacy and Lock
Privacy options will allow/prevent Systems Manager from displaying SSID or location information for devices in scope of the profile.
The Lock options control the behavior of the Activation Lock feature on supervised Apple devices. Enabling 'Allow Activation Lock' will allow end users to use Activation Lock in the 'Find My' app with their personal Apple IDs. Enabling 'Allow MDM Activation Lock' will automatically send a command to Apple to enable Activation Lock on a DEP-enrolled device. The command will enable Activation Lock on target devices using the Apple ID of an Apple Business Manager or Apple School Manager administrator.
This option allows you to pre-configure client-to-gateway VPN connectivity for your iOS, Android (Knox), Mac and Windows devices with support for multiple connection types. Non-Knox Android devices should use solutions like AnyConnect, or apps that support AppConfig app settings like Pulse VPN.
If you are hosting client VPN through a Cisco Meraki MX in the same organization, you can use the ‘Sentry’ configuration to automatically configure VPN.
With AirPlay configuration in Systems Manager, devices can be pre-provisioned with the connection details for AirPlay devices. This can be a great way to secure Apple TV and other AirPlay resources from unauthorized users while ensuring that presenters' devices have all the information required to connect.
Systems Manager can also be customized to only list specific AirPlay devices, allowing for restricted general access to these resources.
Systems Manager can remotely deploy AirPrint network printer settings to Apple devices. This allows for seamless printer configuration without the need for a physical connection to the printing device.
Managed App Config
Preconfigure specific applications installed on your managed devices via key/value pairs. See the article Managed App Settings for more info.
Exchange ActiveSync Email
Deploy Microsoft Exchange email configurations to the native Mail app. For more information, see the article Configuring an Exchange ActiveSync Profile for more details.
Backpack allows administrators to securely deliver content like student lesson plans or employee resources to managed devices. See the full article here for more info.
Single App Mode (Kiosk)
Supervised iOS and tvOS devices can be locked down to display a single application using the Single App Mode payload
Web Content Filter
On iOS devices, configure content filters for all web requests based on pre-determined categories or admin-defined domains. On MacOS devices, define the settings for a third-party web content filtering app. See the full article Web Content filtering for more info.
Single Sign On Extension
Deploy settings for third-party Single-Sign On apps, including the Apple Enterprise Connect extension.
Knox-specific settings for Android devices enrolled through Knox and not Android Enterprise. For information on these features, see the Knox article. For more info on different types of Android enrollments, see the Android Enrollment article.
This setting allows for custom application permissions. Examples include denying an application access to the device's contacts, saved payments methods and even network access. Application permissions vary app to app and a list of relevant permissions can be found using the "Fetch permissions" button that appears once an app has been selected.
Contains additional restrictions like preventing factory reset or adding additional accounts on corporate-owned assets.
Locks Device Owner mode devices into one or more specific applications. This can be configured with an unlock code to temporarily exit kiosk mode, or specify application upgrade windows.
This payload includes several System and screen lock restrictions that can be applied to the Android devices. Allow/restricts users to access various features like notifications, camera, bluetooth, account modification and many others.
Wallpaper & Lock Screen Message
Configure a custom message to be displayed on an Android device’s lock screen, and provide links to images that can be used as the system or lock screen wallpaper.
Allows you to block specific pre-installed apps from appearing in device owner mode. Enter in the app identifier, such as 'com.google.android.dialer' for the default Google phone app. Note that different device vendors may have proprietary app IDs. For more information, see this article on Controlling Android System Apps.
The Device Owner, Kiosk Mode, and System Apps payloads only affect Android devices enrolled in Device Owner mode.
Web clips are shortcuts to web URLs (similar to browser bookmarks) that appear on the homescreen of iOS devices for an easy way to access commonly-visited websites. Please be sure that the icon you upload is less than 144 x 144 pixels and in .png format. See the full article on web clips.
Allow devices to sync corporate calendars (CalDAV) directly to the native Calendar app on iOS.
Global HTTP Proxy
Specify a web proxy address to filter all HTTP traffic to and from iOS devices. Devices can only receive one of this type of payload
Establish a list of email domains and Safari web domains that will be treated as managed on an iOS device. Emails sent from a managed domain to an external address will be flagged in the Mail app. Downloaded attachments from a managed domain are considered follow the “Managed Open In” rules defined in the Restrictions payload.
On iOS 9.3+, admins may also provide an option to save users’ passwords in Safari from matching URL domains. Multiple password domains can be added.
Provide complete network visibility and control on supervised iOS devices by leveraging the power of Cisco Umbrella to filter DNS requests against malicious sites. Requires the Cisco Security Connector app. For more information on configuration, see the Cisco Security Connector article.
Audit and gain insight into app-level network traffic flows on supervised iOS devices using Cisco AMP. Requires the Cisco Security Connector app. For more information on configuration, see the Cisco Security Connector article.
Requires iOS supervision. This payload allows you to specify the background wallpaper and lock screen image for your supervised iOS devices. Choose images with dimensions that exactly match your devices' dimensions.
Configure Apple School Manager Classroom settings. Requires device supervision.
Allows you to push a Google account to Apple devices. Users will be prompted to enter credentials after the payload is pushed.
Per App VPN
Configure a VPN connection with AnyConnect or IKEv2. The device will only tunnel traffic when the specified applications are launched.
Network Usage Rules
Allows you to disable cellular and roaming data for specific managed apps. See this article Cellular Data Management with Systems Manager for more infomation.
Home Screen Layout
Allows you to specify how application icons will be arranged across devices. This prevents users from rearranging icons, or uninstalling apps from the homescreen. Apps can still be removed from Settings > General > Storage & iCloud Usage > Manage Storage . Note that apps that are installed that are not explicitly placed in this payload will appear in random order behind the icons that are set. Requires iOS device supervision. See the full article on configuring HSL.
Configure notification settings on a per app basis. Requires device supervision.
Lock Screen Payload
Configure a custom message or asset tag information to be displayed in the login window and lock screen for a supervised iOS device.
Specify which options to lock out on your devices. Note that third-party preferences could be limited by pushing a script to install a custom .plist with the software installer. For an example of how scripts can be deployed, see this article Deploying scripts in Systems Manager.
Allows you to enforce FileVault encryption on Mac devices. See this article FileVault, for configuration details
FileVault Recovery Key Escrow
Define a specific certificate that can be used to encrypt and decrypt the FileVault recovery key. For configuration steps, refer to the FileVault article
Configure restrictions for accessing the Mac App store. It is supported only on User channel (Apple User profiles).
Specify the login window behavior on a Mac device including disabling or hiding components on the login screen.
Specify the dock settings such as dock size, position, or apps that can be added to the dock.
Choose which settings will be skipped when users launch the Setup Assistant on Mac devices.
Enforce Firewall settings including preventing unauthorized applications, programs, and services from accepting incoming connections.
Kernel Extension Policy
Kernel Extension (KEXT) is a macOS feature which allows dynamic loading of code into the Kernel without needing to re-compile them. They are usually implemented as Bundles and this payload lets you to configure the KEXT’s on behalf of an end user.
Accept or deny permissions for various apps under the ‘Privacy’ tab of the ‘Security & Privacy’ preference pane.
Allows you to define domains where an app can be linked to an extensible app SSO, universal links, or password autofill service on a Mac.
Force device to re-enroll into this domain after wiping.
Sign-in options & user account whitelist.
Auto update settings including auto checking for updates and auto installing updates.
Lock device into one app.
Reports the device state and tracking the recent device users.
System time zone settings and other various settings.
Define the password prompt behavior and network connection type for AirPlay connections on an Apple TV.
Conference Room Display
This payload forces the Apple TV into Conference Room display mode with an optional message displayed on the screen.
Note : When Conference Room Display mode and Single App mode are both enabled, Conference Room Display mode is active and the user canʼt access the Single App mode App.