
Security Policies in Systems Manager

Security policies in Systems Manager (SM) networks can be used to monitor a number of security related items on enrolled clients. Compliance information can then be used to generate scheduled reports, or control deployment of apps and profiles to clients through the use of security policy generated dynamic tags. This article will walk through the configuration and use of security policies.

Note: Some security policy features are not available for Legacy SM users. Differences will be indicated where relevant.

For more details on related topics, refer to the articles on App blacklist/whitelist and the application of tags and scoping with security policy tags.

Creating Security Policies

  1. Navigate to Systems manager > Configure > Policies.
  2. Click Add new along the right side of the page.
    Note: Customers with Legacy SM can only create one security policy, and thus skip this step.
  3. Enter a Security policy name that describes its intended use or purpose.
    Note: The name can only contain letters, numbers, dashes, underscores, and periods, and must not be blank.

     
  4. Select any of the traits that should be used to determine device compliance. See below for an example.

     
  5. Click Save Changes.

 

If additional policies need to be configured, click Back to list and repeat from Step 2.

Deleting Security Policies

Note: Legacy SM users can only have one policy, which is only used for security reports. Thus it cannot be deleted. Instead, delete any undesired reports.

  1. Navigate to Systems manager > Configure > Policies.
  2. Check the box next to the policy or policies that should be deleted.

     
  3. Click Delete.

     
  4. Check the box confirming deletion.

     
  5. Click the Delete button (its label shows the number of security policies selected) to confirm.

     
  6. The security policy or policies will then disappear from the list and be removed from any profile scopes or security reports that referenced them.

Generating Security Reports

Once a security policy has been created, security reports can be used to automatically send compliance reports to configured administrators or e-mail addresses. 

  1. Navigate to Systems manager > Configure > Alerts.
  2. Under the Security report section, click Add a new report.

     
  3. Select a Security policy to report on.
  4. Choose a Schedule that indicates the frequency the report should be sent at.
  5. Check the box for Only failing? if only devices out of compliance should be included in the report.
  6. Check the box for Filter tags? if only devices with certain tags should be included in the report.
  7. If Filter tags? is checked:
    1. Select the Tag scope. "Any" requires at least one of the tags be present on a client to match. "All" requires all of the tags be present on a client to match.
    2. Select the Tags to match on.

       
  8. Click Save Changes.

 

To delete a report, simply click the X in the Delete column next to the report. Then click Save Changes.

 

To control who should receive the scheduled reports, use the Delivery settings section of the Configure > Alerts page.

Checking Device Compliance

There are a few different ways to determine whether a client is compliant with a security policy.

To check an individual client:

  1. Navigate to Network-wide > Monitor > Clients.
  2. Select the client that is to be checked.

     
  3. Under the Security section, the Security policy field shows the client's compliance with each existing policy. Green indicates compliance; red indicates non-compliance.

 

To check multiple clients:

  1. Navigate to Network-wide > Monitor > Clients.
  2. Using the dropdown in the upper right corner above the client list, select Security.

  3. This will present a set of security policy fields within the client list.
  4. To add or remove fields, use the + sign on the right end of the header row.

     
  5. Within the list that appears, check the boxes in the Security section for any desired columns.

     
  6. The list will now indicate the compliance of policies or specific security traits, as selected.

Using Security Policies to Control Profiles

Similar to other types of tags, security policy compliance can be used to dynamically control which client devices will receive a particular profile. Both "Compliant" and "Violating" tags will be available for each configured security policy in the Scope for a given profile.

 

The example image below shows the Scope for a profile containing VPN settings, which should only be pushed to devices that have the "vpn" tag and are compliant with the indicated security policy.
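The two evaluation rules this article relies on, the Tag scope ("Any"/"All") filter used by security reports and the "tag plus Compliant" scope used by profiles, are easy to get backwards when planning a deployment. The following added example is not Meraki code and does not call the Dashboard; it is a small offline model of those rules, written for this article, with constructed sample devices. The trait names, device names and tags are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed model: a security policy is a set of traits that must ALL hold
# for a device to be compliant (mirrors the trait checkboxes in the dashboard;
# trait names here are assumptions, not Meraki's own keys).
@dataclass
class SecurityPolicy:
    name: str
    traits: set[str]

@dataclass
class Device:
    name: str
    tags: set[str]
    trait_status: dict[str, bool]   # trait name -> True if the device passes it

def is_compliant(device: Device, policy: SecurityPolicy) -> bool:
    """A device is compliant only if every trait the policy checks passes."""
    return all(device.trait_status.get(t, False) for t in policy.traits)

def dynamic_tags(device: Device, policies: list[SecurityPolicy]) -> set[str]:
    """The per-policy 'Compliant' / 'Violating' dynamic tags the article describes."""
    return {
        f"{p.name}: Compliant" if is_compliant(device, p) else f"{p.name}: Violating"
        for p in policies
    }

def tags_match(device: Device, tags: set[str], scope: str) -> bool:
    """Tag scope semantics from the report settings: 'any' = at least one, 'all' = every tag."""
    if not tags:
        return True
    if scope == "any":
        return bool(device.tags & tags)
    if scope == "all":
        return tags <= device.tags
    raise ValueError(f"unknown tag scope: {scope}")

def security_report(devices, policy, only_failing=False, filter_tags=None, tag_scope="any"):
    """Rows a scheduled security report would contain, as (device name, compliant)."""
    rows = []
    for d in devices:
        if filter_tags and not tags_match(d, filter_tags, tag_scope):
            continue
        compliant = is_compliant(d, policy)
        if only_failing and compliant:
            continue
        rows.append((d.name, compliant))
    return rows

def profile_targets(devices, required_tags: set[str], policy: SecurityPolicy) -> list[str]:
    """Profile scope from the VPN example: required tag(s) AND compliant with the policy."""
    return [d.name for d in devices if required_tags <= d.tags and is_compliant(d, policy)]

# Constructed sample inventory (assumed names and traits).
POLICY = SecurityPolicy("baseline", {"passcode_set", "disk_encrypted"})
DEVICES = [
    Device("laptop-01", {"vpn", "finance"}, {"passcode_set": True, "disk_encrypted": True}),
    Device("laptop-02", {"vpn"}, {"passcode_set": True, "disk_encrypted": False}),
    Device("tablet-03", {"finance"}, {"passcode_set": True, "disk_encrypted": True}),
]

if __name__ == "__main__":
    print("full report:", security_report(DEVICES, POLICY))
    print("only failing:", security_report(DEVICES, POLICY, only_failing=True))
    print("vpn+finance (all):", security_report(DEVICES, POLICY, filter_tags={"vpn", "finance"}, tag_scope="all"))
    print("VPN profile targets:", profile_targets(DEVICES, {"vpn"}, POLICY))
```

Note that laptop-02 carries the "vpn" tag but fails disk encryption, so it drops out of the VPN profile's scope until it becomes compliant; this is the behaviour the screenshot above illustrates.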

 

Note: This feature is not available for Legacy SM users.

Additional Resources

Please review our documentation for more information on the application of tags and scoping.

Last modified
08:48, 27 Jul 2017
