Cisco Meraki Documentation

Troubleshooting Security Policies in Systems Manager

Security policies in Systems Manager (SM) networks can be used to monitor a number of security-related data points on enrolled client devices. Compliance information can then be used to generate scheduled reports or control deployment of apps and profiles to clients through the use of automatically generated security dynamic tags. For more information on the purpose of a Security Policy and how to set one up, please review our document on 'Security Policies in Systems Manager'. This document will cover how Systems Manager collects this information from devices, and therefore how you can troubleshoot issues in the event a device is reporting an unexpected security policy compliance status. 


As of 1/28/2020 this is the list of Security Policies.

[Screenshot: list of Security Policies in Dashboard]

On macOS and Windows, Security Policies refresh about once every 6 hours. On Android and iOS the refresh is much faster and should happen within 1 hour. All devices need to be online to communicate this information to the Meraki Dashboard, of course.

Desktop

The "Desktop" security policies are supported on macOS and Windows. The Meraki SM agent is required to detect device compliance, so always ensure that the device is checking in correctly via the agent (not just via the MDM profile); otherwise these policies cannot be reported. A list of Security Policies and their functions is detailed below:

Screen lock after '__' minutes or less 

macOS: 

As of macOS Mojave 10.14+, detecting screen lock delay is no longer supported. 


Windows


If the screensaver timeout "wait" time is less than the SM security policy time value, the security policy is compliant.

Login required 

macOS

System Preferences > Users & Groups > Login Options > Automatic Login.


If Automatic Login is set to "Off", the security policy is compliant.

This is checked with the following command: 

sysadminctl -autologin status 2


Windows


If "Users must enter a user name and password" is checked, the security policy is compliant.

Firewall enabled 

macOS:
System Preferences > Security & Privacy > Firewall.


If Firewall is enabled, the security policy is compliant.  

This is checked with the following command:

defaults read /Library/Preferences/com.apple.alf globalstate

0 = Firewall OFF
1 = Firewall ON
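The mapping above, written out as a small shell check. This is an added example, not the SM agent's own code: firewall_compliance_from_state turns the globalstate value into a compliance result (both non-zero states, 1 and 2, mean the firewall is on), and check_macos_firewall reads the live value with the same defaults command when run on macOS. The --run flag is an assumption of this example only.

```shell
#!/bin/sh
# Added example (not the SM agent's code): turn the com.apple.alf globalstate
# value into the compliance result the "Firewall enabled" policy reports.
# globalstate 0 = firewall off; 1 = on; 2 = on with all incoming connections
# blocked (both non-zero states count as enabled).

firewall_compliance_from_state() {
    case "$1" in
        0)   echo "non-compliant" ;;
        1|2) echo "compliant" ;;
        *)   echo "unknown" ;;   # empty or unexpected output: check the agent, not the policy
    esac
}

# Reads the live value on macOS; elsewhere (or if the read fails) reports "unknown".
check_macos_firewall() {
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "unknown"
        return 0
    fi
    state=$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null) || state=""
    firewall_compliance_from_state "$state"
}

# Assumed invocation for this example: sh firewall_check.sh --run
if [ "${1-}" = "--run" ]; then
    check_macos_firewall
fi
```

An "unknown" result points at a collection problem (the agent could not read the preference) rather than a policy failure, which is the first thing to separate when a device shows an unexpected status.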


Windows

netsh advfirewall show allprofiles state

Running apps blocked 

macOS: To see running applications, run the command top -o cpu -s 2 -i 5 from Terminal, or open Activity Monitor.app and look in the CPU tab.

Windows: Open Task Manager (control+alt+delete) and then open the Processes tab.

Mandatory running apps 

macOS: To see running applications, run the command top -o cpu -s 2 -i 5 from Terminal, or open Activity Monitor.app and look in the CPU tab.

Windows: Open Task Manager (control+alt+delete) and then open the Processes tab.

macOS

Disk encryption

Detects if disk encryption (FileVault) is enabled on macOS. FileVault can be enabled locally in System Preferences > Security & Privacy > FileVault. It can also be forced to be enabled with a MDM profile in Systems Manager.


If FileVault is enabled, the security policy is compliant.

Windows

Antivirus running

The following commands are run on Windows to check for antivirus products:

Get-WmiObject -query "Select * from AntiVirusProduct" -Namespace "root\SecurityCenter"

Get-WmiObject -query "Select * from AntiVirusProduct" -Namespace "root\SecurityCenter2"

Antispyware installed

The following commands are run on Windows to check for antispyware products:

Get-WmiObject -query "Select * from AntiSpywareProduct" -Namespace "root\SecurityCenter"

Get-WmiObject -query "Select * from AntiSpywareProduct" -Namespace "root\SecurityCenter2"

Mobile Devices (iOS and Android)

Having the SM app installed is recommended. While troubleshooting iOS and Android security policies, it is always good practice to launch the SM app and have the device perform a check-in from the app.

Passcode lock

With this policy enforced, the device must have a passcode set to be compliant. You can confirm there is a passcode set by locking and then trying to unlock the device manually -- if you are forced to type a passcode (or use Touch ID, Face ID, etc.) then the device has a passcode. You can also confirm the passcode is enabled by checking the device's local Settings.

iOS: Settings > TouchID/FaceID & Passcode  

Android: Settings > Security > Passcode (this will change depending on Android OS and device)

Device is not compromised 

With this policy enforced, the device must not be jailbroken (iOS) or rooted (Android). If the device is not jailbroken/rooted, the device will be compliant with this policy.

Device cellular data does not exceed __ mb

Cellular data usage allowances are reset on the 1st day of the month. This data allowance reset day can be customized in Systems Manager > Configure > General. The SM app must be installed on devices to report this correctly. If a device goes over the megabyte allocation defined in the security policy, the device will be failing this policy.

iOS 

Required kiosk mode application bundle ID

Require user to authorize location tracking 

This policy requires the SM app to be installed and running. On iOS, launch the SM app. If Location does not have a green check (location tracking set to Always), the device will be failing this policy.


All Devices

Application block/allow list

The device is checked for the presence or absence of the listed applications. To see a device's currently reported installed application list, go to Systems Manager > Devices and click on a single device to view the Apps section. If the device does not have an application installed from the security policy allow list, it will fail the security policy. If the device has an application installed that is on the block list, it will fail the security policy.


Note: Hover over an application in the device's installed App list to reveal its unique app identifier. 

Note: Wildcard matches can be made with a '*'. (e.g. com.mer*, *meraki*, and *.sm would all match com.meraki.sm)

Mandatory installed applications

The device must have a certain list of applications installed. To see a device's currently reported installed application list go to Systems Manager > Devices and click on a single device to view the Apps section. This device must have all of the applications from the security policy to be compliant with the security policy.


Note: Hover over an application in the device's installed App list to reveal its unique app identifier. 

Note: Wildcard matches can be made with a '*'. (e.g. com.mer*, *meraki*, and *.sm would all match com.meraki.sm)
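The wildcard rule from the two notes above, applied to both the block/allow list and the mandatory installed applications policy. This is an added example and not Meraki's matching code: the '*' rule is implemented with the shell's own case glob, the installed-app list and the block and mandatory lists are constructed sample data, and the --demo flag is an assumption of this example only.

```shell
#!/bin/sh
# Added example (not Meraki's own code): the wildcard app matching described
# above, run against a constructed installed-app list. A '*' matches any run
# of characters, which is exactly the shell's own "case" glob rule.

set -f   # never let '*' in a pattern expand against files in the current directory

# Constructed sample of the app identifiers a device might report as installed.
INSTALLED_APPS="com.meraki.sm
com.apple.Safari
org.example.games.puzzle"

# Returns 0 when app identifier $1 matches wildcard pattern $2.
app_matches() {
    case "$1" in
        $2) return 0 ;;
        *)  return 1 ;;
    esac
}

# Prints every installed app (one per line) that matches any block-list pattern.
# $1 = newline-separated installed apps, $2 = newline-separated block patterns.
blocklist_violations() {
    old_ifs=$IFS; IFS='
'
    for app in $1; do
        for pat in $2; do
            if app_matches "$app" "$pat"; then
                printf '%s\n' "$app"
                break
            fi
        done
    done
    IFS=$old_ifs
}

# Prints every required pattern (allow list or mandatory list) that no
# installed app satisfies; an empty result means the device is compliant.
# $1 = newline-separated installed apps, $2 = newline-separated required patterns.
missing_required_apps() {
    old_ifs=$IFS; IFS='
'
    for pat in $2; do
        found=0
        for app in $1; do
            if app_matches "$app" "$pat"; then found=1; break; fi
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$pat"
    done
    IFS=$old_ifs
}

# Demo with constructed block and mandatory lists (assumed flag: --demo).
if [ "${1-}" = "--demo" ]; then
    echo "Blocked apps present:"
    blocklist_violations "$INSTALLED_APPS" "com.mer*
*.games.*"
    echo "Mandatory apps missing:"
    missing_required_apps "$INSTALLED_APPS" "*.sm
com.example.vpn"
fi
```

When a device fails one of these policies unexpectedly, compare the identifier revealed by hovering in the Apps section with the pattern in the policy using app_matches: a pattern such as com.meraki.sm* does not match com.meraki.sm on its own, because '*' does not need to be present but the preceding characters must be.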

Minimum OS version

The device must have a certain OS version to be compliant with this security policy. To see a device's currently reported OS version go to Systems Manager > Devices and click on a single device to view the OS section. There should be a field called "Version". This reported "Version" needs to match the security policy requirements to be compliant with the security policy. 
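A version comparison of the kind this policy needs, added here as an example rather than taken from the page or from Meraki's code. It assumes the policy is satisfied when the reported "Version" is greater than or equal to the configured minimum, that versions are plain dotted numbers, and it compares them component by component so that 13.10 is treated as newer than 13.2 (a plain string comparison would get that wrong).

```shell
#!/bin/sh
# Added example (not Meraki's code): compare a device's reported OS "Version"
# against a policy minimum, component by component. Assumes the policy passes
# when reported >= minimum and that versions are dotted decimal numbers.

# Returns 0 for a plain dotted version such as 10.14.6, 1 for anything else.
is_dotted_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 when version $1 >= version $2, 1 when $1 < $2, 2 when malformed.
# Missing trailing components count as 0, so 13 equals 13.0.0.
version_ge() {
    is_dotted_version "$1" && is_dotted_version "$2" || return 2
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}                      # leading component of each
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac  # drop it from the remainder
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        if [ "${a:-0}" -gt "${b:-0}" ]; then return 0; fi
        if [ "${a:-0}" -lt "${b:-0}" ]; then return 1; fi
    done
    return 0
}

# Prints compliant / non-compliant / unknown for reported version $1 and minimum $2.
os_version_compliance() {
    version_ge "$1" "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "compliant" ;;
        1) echo "non-compliant" ;;
        *) echo "unknown" ;;   # a version string the agent could not parse
    esac
}

# Constructed sample pairs (reported version, policy minimum); assumed flag: --demo
if [ "${1-}" = "--demo" ]; then
    for pair in "10.14.6 10.15" "13.10 13.2" "14.2 14.2" "16.1 beta:16"; do
        reported=${pair%% *}; minimum=${pair##* }
        printf '%s vs minimum %s: %s\n' "$reported" "$minimum" "$(os_version_compliance "$reported" "$minimum")"
    done
fi
```

An "unknown" result means the reported Version field is not a plain dotted number, which is worth checking against what the Devices page shows before concluding the policy itself is misconfigured.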


Device must check-in every __ minutes

To see a device's last MDM check-in timestamp, go to Systems Manager > Devices and click on a single device to view the "Last MDM check-in" field. The device must have performed an MDM check-in within the set time frame to be compliant with this security policy.
