Home > Enterprise Mobility Management > Profiles and Settings > Dynamic Settings and Profiles using Tags

Dynamic Settings and Profiles using Tags

A major benefit of using Systems Manager is the ability to dynamically apply and remove settings on devices using profiles. This allows administrators to automatically control which devices should have certain settings and when. This is all done using tags in systems manager. This article will cover the steps needed to use profiles, with links the appropriate documentation for more information. 

While this article concentrates on dynamic profiles, tags can also be used to control which devices should receive particular apps. Refer to the article on Using Tags with Systems Manager for more information.

 

This article contains outdated UI instructions. For updated information, see the section on dynamic tags in the tags article and on profiles.

Creating a Profile

Start by creating a profile. Profiles contain the settings that should be applied to a device. Devices can have multiple profiles applied to them, and profiles can be applied to many devices. Thus, it often makes sense to group settings into profiles based on which groups of devices they will be applied to.

 

From a Systems Manager network, profiles can be created on the MDM > Profiles page. For more information, review the SM product manual.

 

Once a profile has been created, navigate to MDM > Settings, and select the Profile created earlier. A number of tabs exist for different types of settings that can be used. For an overview, please review the SM product manual. For information about specific settings, search the knowledge base.

Scoping a Profile

Which devices should receive a profile is controlled by the Scope of the profile, and tags associated with a device. From the MDM > Profiles page, select the desired profile. Use the Scope section to indicate what the criteria are for receiving a profile. For more information on configuring the scope of a profile, refer to the article on using tags. Once configured, devices that are within scope will automatically receive the profile. If they are removed from the scope, the profile will automatically be removed.

Tagging Devices

In order to have profiles applied to devices, they need to be tagged. There are various types of tags, which can be manually applied to devices or dynamically assigned using options like security policies, geofencing, or time-based tags.

Manual Example

To illustrate, this example will quickly cover applying a basic profile to a device with a manual tag. This is how an administrator would manually designate devices that should receive settings.

 

Start by creating a profile and scoping it.

 

  1. Navigate to Systems Manager > Settings.
  2. Click + Add new > New mobile profile.
  3. Give the profile a Name and configure the Scope. In this case, the tag "example_tag" is used.
  4. Click Save Changes.

Configure settings for the profile.

 

  1. Navigate to Systems Manager > Settings.
  2. Select the Profile configured earlier.
  3. Open a tab and configure the desired settings. The example below enabled various restrictions regarding passcodes on devices.
  4. Click Save Changes.

 

Tag the desired devices. In this case, manual tags are being used, but various options are available to dynamically tag devices based on different criteria.

  1. Navigate to Systems Manager > Clients.
  2. Click the checkbox next to the desired client(s).
  3. Click Tag, and Add the desired tag. Detailed steps can be found here. In this case, the tag "example_tag" created earlier is used.

Once a device is in scope, the device must check-in before the settings can be applied. This may take a few minutes to occur, and requires that iOS devices be unlocked. To confirm if the profile was pushed to the device:

 

  1. From Systems Manager > Clients click on the desired client.
  2. Scroll down to the Profiles section.
  3. The profile created earlier should now be listed.

Dynamic Example

This example will illustrate how settings can be dynamically applied to a device based on more complex criteria. In this case, devices should only receive VPN access if they are considered secure.

 

Start by configuring a security policy. In this case, the policy is designed to confirm that devices have various security measures enabled.

 

Next, create a profile that is dynamically pushed to only devices which are compliant with the security policy.

  1. Navigate to Systems Manager > Settings.
  2. Click + Add new > New mobile profile.
  3. Give the profile a Name and configure the Scope. In this example, the security policy tag for "Device_Secure" is used.
    Note: Multiple tags can be combined in various combinations, as discussed in the tags article. This can allow different sets of criteria to all be required in order for profiles to be applied to clients.
  4. Click Save changes.

Then configure the policy with the desired settings. In this case, it contains VPN settings for connecting to the corporate network.

 

  1. Navigate to Systems Manager > Settings.
  2. Select the Profile configured earlier.
  3. Open a tab and configure the desired settings. The example below provides devices with a VPN connection.
  4. Click Save Changes.

 

 

Once a device is in scope, the device must check-in before the settings can be applied. This may take a few minutes to occur, and requires that iOS devices be unlocked. To confirm if the profile was pushed to the device:

  1. From Systems Manager > Clients click on the desired client.
  2. Scroll down to the Profiles section.
  3. The profile created earlier should now be listed.

Since a security policy was configured, compliance for individual devices can be seen under the Security section of the client details page. If a device isn't compliant, the profile will be removed automatically when the device next checks in. For more information, read the section on checking device compliance in the security policies article.

Or using the appropriate columns in the clients list.

You must to post a comment.
Last modified

Tags

Classifications

This page has no classifications.

Explore the Product

Click to Learn More

Article ID

ID: 1243

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community