
Using Tags in Systems Manager

Tags are powerful tools used to apply profiles, deploy apps, and organize groups of client devices together. This article covers the types of tags available and how to add and remove them in Systems Manager.

Types of Tags

Before creating and applying tags, it's important to understand the different types of tags available.

Device Tags

Manual - Simple admin generated tags that are applied statically to devices. These are labeled when scoping simply as "Tags". Must be manually added/removed, and are always active.

Device type - These are automatically generated and assigned to devices by Dashboard based on operating system. Listed under "Auto tags" on client pages.

Policy Tags

Most tags are considered static, meaning the tag remains unchanged unless it is modified or removed by a Dashboard Admin. Policy tags are considered dynamic, as they can automatically change themselves into one of two binary states (i.e. compliant or violating, within hours or after hours). This allows you to gate settings or applications on devices meeting certain criteria, for example pushing work materials only during work hours, or only to devices that are within school location bounds. Continue reading below, or check the profile example.

Security policy - For each policy configured in Dashboard, devices are either compliant or violating, and will automatically be labeled with the corresponding tag. These are set under Configure > Policies. For more information, refer to the article on security policies.

 

Geofencing - These dynamic tags are automatically assigned to devices depending on whether they are within a designated physical boundary, such as a campus or office location. These are set under Configure > Geofencing. For more information, refer to the article on Geofencing.

 

Schedule - Only active during scheduled periods. Also known as time based tags. Configured under Configure > General.

User Tags

Active Directory - Another example of dynamic tags. If you configure enrollment authentication with AD or Meraki-hosted accounts, Systems Manager can use your existing AD organization units as tags. During enrollment, users will authenticate their device and automatically have owner or AD groups applied as tags to that device. This allows you to scope by user role, like 'Administrators', instead of manually marking each device or owner as an administrator.

Owner Tags - Similar to manual device tags, except these are applied directly to owners under Configure > Owners. These can be used to scope by individual, or by role. For example, if 'Patrick' owns multiple devices, or multiple devices belong to people labeled 'sales', it may be easier to scope by owner tag instead of device tag.

Applying Tags

Tags manually created in Dashboard can be structured or named however your organization sees fit for your deployment model. Recall that these tags are used to map devices to applications and profiles, so create tags that make sense for how devices will be differentiated.

As an example, a business with multiple offices may want to tag devices 'HQ' or 'san_francisco' if different office locations receive different settings. A school may want to tag devices by grade level, or by subject topic if 'first_grade' devices receive a different set of apps from 'second_grade'. For more considerations, see our deployment guides.

 

The interface for adding or removing manual tags is the same for clients, owners, and geofences. Begin by navigating to the correct configuration pane from the left-hand 'Systems manager' menu.

  • Client devices are tagged from Monitor > Clients
  • Owners are tagged from Configure > Owners
  • Geofences are tagged from Configure > Geofencing 

Note: Admin generated tags cannot contain spaces. E.g. "example tag" is not acceptable and would be treated as two separate tags, while "example_tag" would be treated as a single tag.

 

In all of the above pages, tags can be edited on multiple items at once.

  1. Click the checkbox next to the items to add/remove tags on.
  2. Click Tag or Edit Scope.

In the box that appears, options will be available to add or remove tags. 

Creating a New Tag

To create and add a new tag:

  1. Click in the Add box.
  2. Enter the name of the tag desired.
    Remember that this must not contain spaces.
  3. Click Add option. The tag will appear in the Add box with a bubble around it.
  4. Repeat steps 1-3 as needed. Then click Add.

Adding an Existing Tag

To add an existing tag:

  1. Click in the Add box.
  2. Select the tag from the list suggested. Begin typing to locate a tag within the list.
  3. Once selected, the tag will appear in the Add box with a bubble around it.
  4. Repeat steps 1-3 as needed. Then click Add.

Removing a Tag

To remove an existing tag:

  1. Click in the Remove box.
  2. Select the tag from the list. 
  3. Repeat steps 1-2 as needed. Then click Remove.

Note: Tags will continue to be listed as an option for addition until they are no longer in use anywhere.

Modifying a Specific Client's Tag

Tags can also be removed on an individual basis by selecting a particular client, geofence, or owner.

 

As an example, instructions on modifying tags for a specific client are listed below:

  1. From Monitor > Clients, click on the name of the client to update.
  2. Click Edit details.
  3. Click in Tags.
  4. To remove a tag, click the X in the bubble with it.
    To add an existing tag, select it from the list.
    To add a new tag, type the name of the tag (must not have spaces) and click Add option.
  5. Repeat steps 3-4 as needed to add/remove all desired tags.
  6. Click Save.

Scoping Profiles and Apps

Once your tags are created, you'll use them to specify which devices will receive your configuration profiles and applications. This is done by scoping the app or profile to specific devices, which you can do as broadly or specifically as necessary.

For info on unscoping or removing profiles and apps, see this article.

 

After you specify a scope to apply your profile or app, the bottom of the page will update to reflect which devices are in scope and will have the profile/app installed (or removed, if you are unscoping). In the below example, all 10 enrolled devices in Systems Manager will install the profile because the scope was set to 'All devices'.

Note: Apps/profiles will only be pushed to supported devices, even if an unsupported device is within scope. For example, an iOS app will only install on iOS devices, even if the scope is set to 'All devices'.

 

Scope Operators

Scoping combines a logic operator with your organization's tags to help you narrow down the set of devices that will receive apps/profiles.

 

All devices - The setting/feature will be applied to all supported devices.

 

with ANY of the following tags - Requires at least one tag. Supported devices matching 1 or more of the tags listed will receive the feature/setting. If 3 tags are defined, clients with 1 or more of those tags will receive the feature/setting.

 

with ALL of the following tags - Requires at least one tag. Supported devices matching all of the tags listed will receive the feature/setting. If 3 tags are defined, clients with all 3 tags will receive the feature/setting.

 

WITHOUT ANY of the following tags - Requires at least one tag. Supported devices that are missing at least one of the tags listed will receive the feature/setting. If 3 tags are defined, clients that have 2 or fewer of them will receive the feature/setting.

 

WITHOUT ALL of the following tags - Requires at least one tag. Supported devices that do not have any of the tags listed will receive the feature/setting. If 3 tags are defined, clients that have 0 of them will receive the feature/setting.

 

Dynamic Scoping Example

The below profile configuration will only be pushed down to devices that have been manually labeled as 'employee', that are also both compliant with the geofence and 'MerakiSecure' security policy that we've created. Because we're using dynamic policy tags, if the device were to ever violate the geofence (e.g. stolen from the office), or violate our security policy (e.g. become rooted or jailbroken), the profile and all associated settings would be automatically removed from the device.
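The scope operators and the dynamic scoping example above, worked through in Python as an added illustration (not Meraki code or a Dashboard API). The operator identifiers, device names, and the geofence/security-policy tag strings are constructed placeholders.

```python
# Added illustration: the article's scope operators over constructed devices.
# Policy/geofence tag strings below are placeholders, not Dashboard's own.

def parse_tags(text):
    """Admin tags cannot contain spaces, so a space splits input into tags."""
    return text.split()

def in_scope(device_tags, operator, scope_tags=()):
    """True if a supported device with device_tags matches the scope."""
    if operator == "ALL_DEVICES":
        return True
    want = set(scope_tags)
    if not want:
        raise ValueError("this operator requires at least one tag")
    matched = len(set(device_tags) & want)
    if operator == "WITH_ANY":      # 1 or more of the listed tags
        return matched >= 1
    if operator == "WITH_ALL":      # every listed tag
        return matched == len(want)
    if operator == "WITHOUT_ANY":   # missing at least one listed tag
        return matched < len(want)
    if operator == "WITHOUT_ALL":   # none of the listed tags
        return matched == 0
    raise ValueError(f"unknown operator: {operator}")

def scoped_devices(devices, operator, scope_tags=()):
    """Sorted names of devices that would receive the profile/app."""
    return sorted(n for n, t in devices.items()
                  if in_scope(t, operator, scope_tags))

# Dynamic scoping example: manual tag plus two policy tags (constructed names).
SCOPE = ["employee", "office-geofence-compliant", "MerakiSecure-compliant"]

DEVICES = {  # constructed sample fleet
    "laptop-01": ["employee", "office-geofence-compliant", "MerakiSecure-compliant"],
    "phone-02": ["employee", "office-geofence-compliant", "MerakiSecure-violating"],
    "tablet-03": ["employee", "office-geofence-violating", "MerakiSecure-compliant"],
    "kiosk-04": ["lobby"],
}

if __name__ == "__main__":
    for op in ("WITH_ANY", "WITH_ALL", "WITHOUT_ANY", "WITHOUT_ALL"):
        print(op, scoped_devices(DEVICES, op, SCOPE))
    # A policy tag flipping to "violating" takes the device out of scope.
    after = {**DEVICES, "laptop-01": ["employee",
             "office-geofence-compliant", "MerakiSecure-violating"]}
    print("after violation:", scoped_devices(after, "WITH_ALL", SCOPE))
```

With the 'with ALL' scope, only the device holding all three tags stays in scope; once its security-policy tag flips to violating, no device matches and the profile would be removed.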

 

Checking Client Tags

At any time, the tags currently active on a device can be seen by navigating to the Monitor > Clients page and clicking on the client in question.

 

Manual tags will appear under the Client details section as Tags. Click any of these tags to get a list of clients with that tag. 

Schedule and device tags will appear under the Client details section as Auto tags.

 

Geofencing and security policy tags will appear under Security as their own respective fields. 

Last modified
09:39, 6 Jun 2017


Article ID

ID: 1271
