Skip to main content
Cisco Meraki Documentation

Security Policies in Systems Manager

Security policies in Systems Manager (SM) networks can be used to monitor a number of security-related data points on enrolled client devices. Compliance information can then be used to generate scheduled reports or control deployment of apps and profiles to clients through the use the automatically generated security dynamic tags. This article will walk through the configuration and use of security policies.

Note that creating policies alone does not enforce or block behavior on devices. A tag labeling a device as 'compliant' or 'violating' is automatically applied to all devices, and needs to be used to scope profiles or apps to grant conditional access, or conditionally apply more restrictions. See the article on dynamic tags for more info.

For info on related topics, refer to the articles on App allowing/denying list in security policies and the application of tags and scoping with security policy tags.

Note: Some security policy features are not available for Legacy SM users. Differences will be indicated where relevant.

Creating Security Policies

  1. Navigate to Systems manager > Configure > Policies.
  2. Click Add new along the right side of the page.
    Note: Customers with Legacy SM can only create one security policy, and thus skip this step.
    4ea0e9bd-ad83-41de-9853-993618899110

     
  3. Enter a Security policy name that describes its intended use or purpose.
    Note: The name can only contain letters, numbers, dashes, underscores, and periods, and must not be blank.
    2017-07-20 08_32_30-Security policies - Meraki Dashboard.png
     
  4. Select any of the traits that should be used to determine device compliance. See below for an example.
    Security_policies.png
     
  5. Click Save Changes.

 

If additional policies need to be configured, click Back to list and repeat from Step 2.
2017-07-27 08_47_33-Security policies - Meraki Dashboard.png

Deleting Security Policies

Note: Legacy SM users can only have one policy, which is only used for security reports. Thus it cannot be deleted. Instead, delete any undesired reports.

  1. Navigate to Systems manager > Configure > Policies.
  2. Check the box next to the policy or policies that should be deleted.
    2017-07-20 08_35_25-Security policies - Meraki Dashboard.png
     
  3. Click Delete.
    2017-07-20 08_36_10-Security policies - Meraki Dashboard.png
     
  4. Check the box confirming deletion.
    2017-07-20 08_36_54-Security policies - Meraki Dashboard.png
     
  5. Click Delete # check security policy/policies.
    2017-07-20 08_37_37-Security policies - Meraki Dashboard.png
     
  6. The security policy/policies will then disappear from the list and be removed from any policies or security reports.

Generating Security Reports

Once a security policy has been created, security reports can be used to automatically send compliance reports to configured administrators or e-mail addresses. 

  1. Navigate to Systems manager > Configure > Alerts.
  2. Under the Security report section, click Add a new report.
    2017-07-20 08_38_31-Alerts - Meraki Dashboard.png
     
  3. Select a Security policy to report on.
  4. Choose a Schedule that indicates the frequency the report should be sent at.
  5. Check the box for Only failing? if only devices out of compliance should be included in the report.
  6. Check the box for Filter tags? if only devices with certain tags should be included in the report.
  7. If Filter tags? is checked:
    1. Select the Tag scope. "Any" requires at least one of the tags be present on a client to match. "All" requires all of the tags be present on a client to match.
    2. Select the Tags to match on.
      2017-07-20 08_44_40-Alerts - Meraki Dashboard.png
       
  8. Click Save Changes.

 

To delete a report, simply click the X in the Delete column next to the report. Then click Save Changes.
2017-07-20 08_45_17-Alerts - Meraki Dashboard.png

 

To control who should receive the scheduled reports, use the Delivery settings section of the Configure > Alerts page.
2017-07-20 08_53_10-Alerts - Meraki Dashboard.png

Checking Device Compliance

There are few different ways to determine if a client is compliant with a security policy.

To check an individual client:

  1. Navigate to Systems Manager > Monitor > Devices.
  2. Select the client that is to be checked.
    2017-07-20 09_03_27-Clients - Meraki Dashboard.png
     
  3. Under the Security section, the Security policy field will indicate compliant with any existing policies. Green indicates compliance
    2017-07-20 09_02_58-Clients - Meraki Dashboard.png

    Red indicates non-compliance
    2ad3a81c-5f7d-4bf7-b618-1c79b9b78130

 

To check multiple clients:

  1. Navigate to Network-wide > Monitor > Clients.
  2. Using the dropdown in the upper right corner above the client list, select Security.

    2017-07-20 09_04_12-Clients - Meraki Dashboard.png
  3. This will present a set of security policy fields within the client list.
  4. To add or remove fields, use the + sign on the right end of the header row.
    2017-07-20 09_05_08-Clients - Meraki Dashboard.png
     
  5. Within the list that appears, check the boxes in the Security section for any desired columns.
    2017-07-20 09_04_44-Clients - Meraki Dashboard.png
     
  6. The list will now indicate the compliance of policies or specific security traits, as selected.
    2017-07-20 09_19_04-Clients - Meraki Dashboard.png

Using Security Policies to Control Profiles

Similar to other types of tags, security policy compliance can be used to dynamically control which client devices will receive a particular profile. Both "Compliant" and "Violating" tags will be available for each configured security policy in the Scope for a given profile.
c06a3969-2889-4c79-947c-4e51a588a75a

 

The example image below shows the Scope for a profile containing VPN settings, which should only be pushed to devices with the "vpn" tag and are compliant with the security policy indicated.

2017-07-20 09_22_06-Apps - Meraki Dashboard.png

 

Note: This feature is not available for Legacy SM users.

Additional Resources

Please review our documentation for more information on the application of tags and scoping.

  • Was this article helpful?