I’ve spent a lot of time trying to find the most efficient way to manage iOS devices. Apple Configurator and Profile Manager go some way to providing bulk management of iPads but nothing meets all of our requirements at a low cost. Then I came across Meraki.
Recently purchased by Cisco, Meraki Systems Manager is a cloud-based Mobile Device Management (MDM) system designed to wirelessly manage not only iOS devices, but also Android, Windows 7, and Mac OS X. Because Meraki is entirely cloud based and pushes settings and apps wirelessly to iPads, iPhones, and even iPod Touch, you don’t have to gather all your iOS devices together to update them as you would with Apple Configurator, and you don’t have the additional hardware cost involved with Apple’s Profile Manager. As long as your devices have an Internet connection you can push out configuration changes wherever they are in the world.
Did I mention it’s also free?
Which of These MDMs Looks Like The Other?
The iOS MDM enigma. I’ve reviewed several iOS management solutions, both paid and free, and the one thing you quickly become aware of is that they are all essentially exactly the same product. The reason for this is that Apple’s API for iOS management is so specific and controlled that there is very little an MDM provider can do that is above and beyond their competitors. What you’ll notice when viewing options in most MDM solutions (Meraki, Airwatch, and Casper come immediately to mind) is that not only do they have almost identical functions but they also look visually similar, even down to the order and categorisation of the options.
While some solutions have added minor additional features (such as Airwatch’s geo and time fencing, or Meraki’s device tagging), the takeaway from this should be that all iOS MDM solutions essentially do the same job. The features you should be looking at are those that are not a result of Apple’s API: service level and security of data.
If you’ve used Apple Configurator or another MDM solution you’ll be familiar with many of the iOS management options available in Meraki:
- Allow or disallow use of the camera
- Allow or disallow installing apps
- Allow or disallow Facetime
- Allow or disallow in-app purchases
- Allow or disallow access to specific built-in apps such as Safari
- Allow or disallow specific age related content
- Force storage encryption
- Force lockscreen passcode
- Configure Wifi settings
- Add web clips — shortcuts in my day — to the homescreen
- Remote wipe the device
- Push applications to devices
Log in to Meraki and the first thing you see is a neat dashboard pinpointing the location of your devices on a Google Map. Select the Overview option and you have access to live status updates from your devices including disk usage, connectivity, battery status and user. It’s a nice touch, giving you an immediate overview of your organisation’s devices.
Device management is similarly well thought out. You are able to use tags to group devices simplifying management when pushing out settings and apps.
The ability to create multiple administrator user accounts and have all changes logged centrally makes this a powerful platform and the ability to create multiple networks within the same account allows for multi-site management of devices.
Two of my primary concerns when testing mobile devices have been how to force a user to require a lock screen passcode and, when devices are inevitably lost or stolen, how to remote wipe them. As long as the device is locked, Meraki does both of these things well.
Such A Tasty Free Lunch!
Meraki is free, so the obvious question is why, and is this a concern? Is there any upsell?
Well, Meraki is now owned by Cisco, so some concerns about data protection etc. may be swayed by a company heavily into network security being behind this. The official line from Meraki is:
Why is Systems Manager free?
We want everyone to have an opportunity to interact with the Meraki dashboard. Once you interact with the dashboard via Systems Manager, we believe you’ll love the ease of management, and you’ll consider Meraki’s other products when you’re ready to upgrade your WiFi, switching, or security appliance infrastructure.
It would be naive to think there is not some element of data collection involved here. Meraki is certainly a great way for Cisco to get to know the internals of potential customers’ networks, but there’s no sign of this in practice.
You should be aware that Meraki will detect and store the location of your devices, a useful feature, no doubt, but it’s important to recognise the context in which specific devices are being used. You may want to use Meraki to push out
Why Can’t Everything Be So Simple?
Unfortunately there are two main drawbacks here. I should make clear, these are not problems with Meraki specifically; instead they are issues caused by Apple which prevent any MDM system (including Apple’s own) being what I would consider enterprise ready. Both issues are excellently highlighted on Meraki’s own website:
Can you push iTunes credentials so that users aren’t prompted for an Apple ID?
No. This is a limitation of Apple’s MDM framework.
When you push an app to an iOS device Apple requires you to manually log in with an Apple ID on the device. This is fine if it is a staff iPad, where the user is likely to already have an iTunes account set up, but pushing an app to a pool of iPads in a classroom makes this process unwieldy. In the latter case Apple Configurator is going to be the preferred option.
Meraki does allow you to distribute a pool of App Store voucher codes when pushing out applications, which is great, but the system assigns the purchased application to the Apple ID of the user that authenticates the install on the device which may not be desirable.
Likewise, when pushing an app to an Android device the end user is only prompted with a notification which, when selected, takes you to the relevant page on the Google Play store. It doesn’t actually force the app to install.
The second issue is more concerning and in my opinion makes all iOS MDMs of questionable value:
Why can I remove the ‘Meraki Management’ profile even when I set a password policy?
The ‘Meraki Management’ profile contains mobile device management settings for iOS devices. Apple does not allow profiles that contain these settings to be password protected. All other profiles pushed through Systems Manager can be password protected. However, if the user removes the ‘Meraki Management’ profile, all profiles (and, potentially, apps) pushed through Systems Manager will be deleted as well.
Due to the way iOS is designed, no matter how tightly you lock down the operating system, the end user can always simply enter the settings menu and remove all security policies and applications even if the policy has been password protected. This is simply a limitation of the operating system and something Apple needs to seriously address.
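The restriction options listed earlier and the removal limitation described above can both be checked offline against an exported, unsigned configuration profile. The following Python script is an added example, not Meraki’s or the author’s code; the two sample profiles and the baseline are constructed for illustration, while the payload types and keys are Apple’s documented configuration-profile names.

```python
import plistlib

# Constructed sample (not exported from Meraki): an unsigned profile with a
# restrictions payload, a passcode payload and a removal-password payload.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Classroom restrictions (constructed)",
    "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess",
         "allowCamera": False, "allowAppInstallation": False,
         "allowInAppPurchases": False, "allowSafari": True},
        {"PayloadType": "com.apple.mobiledevice.passwordpolicy",
         "forcePIN": True},
        {"PayloadType": "com.apple.profileRemovalPassword",
         "RemovalPassword": "constructed-example"},
    ],
}

# Constructed stand-in for a management profile: it carries an MDM payload.
MDM_PROFILE = {"PayloadType": "Configuration",
               "PayloadContent": [{"PayloadType": "com.apple.mdm"}]}

# Hypothetical baseline: (payload type, key) -> value we require.
BASELINE = {
    ("com.apple.applicationaccess", "allowCamera"): False,
    ("com.apple.applicationaccess", "allowInAppPurchases"): False,
    ("com.apple.applicationaccess", "allowVideoConferencing"): False,  # FaceTime
    ("com.apple.mobiledevice.passwordpolicy", "forcePIN"): True,
}

def audit_profile(raw, baseline=BASELINE):
    """Audit an unsigned .mobileconfig (plist bytes) against the baseline."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    types = {p.get("PayloadType") for p in payloads}
    settings = {(p.get("PayloadType"), k): v
                for p in payloads for k, v in p.items()}
    # A key that is absent falls back to the device default, so it is a gap.
    gaps = sorted(f"{t}:{k}" for (t, k), want in baseline.items()
                  if settings.get((t, k)) != want)
    has_mdm = "com.apple.mdm" in types
    has_removal_pw = "com.apple.profileRemovalPassword" in types
    # Per the FAQ quoted above, a profile holding MDM settings cannot be
    # removal-password protected, so it is always user-removable.
    return {"gaps": gaps, "contains_mdm_payload": has_mdm,
            "user_removable_without_password": has_mdm or not has_removal_pw}

if __name__ == "__main__":
    for name, prof in (("restrictions", SAMPLE_PROFILE), ("management", MDM_PROFILE)):
        print(name, audit_profile(plistlib.dumps(prof)))
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can read it.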
The limitations imposed by Apple make all iOS MDM solutions impossible to recommend as a secure management platform — this isn’t Windows Server with Group Policy — but what it does do is make an already difficult-to-manage operating system that bit more palatable and scalable for the educational environment. It’s not the perfect solution, but to the extent that it works it removes a significant administrative overhead, and so far Meraki is the best MDM offering I have tested at the lowest cost possible — free.
Over the next few weeks I’ll be putting together some simple guides demonstrating the basics of Meraki as I roll it out to a group of test devices. Check back for more soon.
Find out more about Meraki Systems Manager here.