I’ve spent a lot of time trying to find the most efficient way to manage iOS devices. Apple Configurator and Profile Manager go some way to providing bulk management of iPads but nothing meets all of our requirements at a low cost. Then I came across Meraki.

Recently purchased by Cisco, Meraki System Manager is a cloud based Mobile Device Management (MDM) system designed to wirelessly manage not only iOS devices, but also Android, Windows 7, and Mac OSX . Because Meraki is entirely cloud based and works wirelessly pushing out settings and apps to iPads, iPhones, and even iPod Touch you don’t have to gather all your iOS devices together to update them as you would Apple Configurator and you don’t have the additional hardware cost involved with Apple’s Profile Manager. As long as your devices have an Internet connection you can push out configuration changes wherever they are in the world.

Did I mention it’s also free?

Which of These MDMs Looks Like The Other?

The iOS MDM enigma. I’ve reviewed serveral iOS management solutions, both paid and free, and the one thing you quickly become aware of is that they are all essentially exactly the same product. The reason for this is that Apple’s API for iOS management is so specific and controlled that there is very little an MDM provider can do that is above and beyond their competitors. You’ll notice when viewing options in most MDM solutions (Meraki, Airwatch, and Casper come immediately to mind) is that not only do they have almost identical functions but they also look visually similar even down to the order and categorisation of the options.

While some solutions have added minor additional features (such as Airwatch’s geo and time fencing, or Meraki’s device tagging) the take away from this should be that all iOS MDM solutions essentially do the same job. The features you should be looking at are those that are not as a result of Apples API service level and security of data.

If you’ve used Apple Configurator or another MDM solution you’ll be familiar with many of the iOS management options available in Meraki:

  • Allow or disallow use of the camera
  • Allow or disallow installing apps
  • Allow or disallow Facetime
  • Allow or disallow in-app purchases
  • Allow or disallow access to specific built-in apps such as Safari
  • Allow or disallow specific age related content
  • Force storage encryption
  • Force lockscreen passcode
  • Configure Wifi settings
  • Add web clips — shortcuts in my day — to the homescreen
  • Remote wipe the device
  • Push applications to devices

Meraki OptionsLog in to Meraki and the first thing you see is a neat dashoard pinpointing the location of your devices on a Google Map. Select the Overview option and you have access to live status updates from your devices including disk usage, connectivity, battery status and user.  It’s a nice touch giving to an immediate overview of your organisation’s devices.

Device management is similarly well thought out. You are able to use tags to group devices simplifying management when pushing out settings and apps.

The ability to create multiple administrator user accounts and have all changes logged centrally makes this a powerful platform and the ability to create multiple networks within the same account allows for multi-site management of devices.

Two of my primary concerns when testing mobile devices have been how to force a user to require a lock screen passcode and, when devices are inevitably lost or stolen, and how to remote wipe them. As long as the device is locked, Meraki does both of these things well.

Such A Tasty Free Lunch!

Meraki is free, so the obvious question is why, and is this a concern? Is there any upsell?

Well, Meraki is now owned by Cisco, so some concerns about data protection etc. may be swayed by a company heavily into network security being behind this. The official line from Meraki is:

Why is Systems Manager free?
We want everyone to have an opportunity to interact with the Meraki dashboard. Once you interact with the dashboard via Systems Manager, we believe you’ll love the ease of management, and you’ll consider Meraki’s other products when you’re ready to upgrade your WiFi, switching, or security appliance infrastructure.

It would be naive to think there is not some element of data collection involved here. Meraki is certainly a great way for Cisco to get to know the internals of potential customer’s networks, but there’s no sign of this in practice.

You should be aware that Meraki will detect and store the location of your devices, a useful feature, no doubt, but it’s important to recognise the context in which specific devices are being used. You may want to use Meraki to push out

Why Can’t Everything Be So Simple?

Unfortunately there are two main draw backs here. I should make clear, these are not problems with Meraki specifically, instead they are issues caused by Apple which prevent any MDM system (including Apple’s own) being what I would consider enterprise ready. Both issues are excellently hightlighted on Meraki’s own website:

Can you push iTunes credentials so that users aren’t prompted for an Apple ID?
No. This is a limitation of Apple’s MDM framework.

When you push an app to an iOS device Apple requires you to manually login with an Apple ID on the device. This is fine if it is a staff iPad, where the user is likely to already have an iTunes account set up, but pushing an app to a pool of iPads in a classroom makes this process unwieldy. In the latter case Apple Configurator is going to be the preferred option.

Meraki does allow you to distribute a pool of App Store voucher codes when pushing out applications, which is great, but the system assigns the purchased application to the Apple ID of the user that authenticates the install on the device which may not be desirable.

Likewise, when pushing an app to an Android device the end user is only prompted with a notification which when selected takes you to the relevent page on the Google Play store. It doesn’t actually force the app to install.

The second issue is more concerning and in my opinion makes all iOS MDMs of questionable value:

Why can I remove the ‘Meraki Management’ profile even when I set a password policy?
The ‘Meraki Management’ profile contains mobile device management settings for iOS devices. Apple does not allow profiles that contain these settings to be password protected. All other profiles pushed through Systems Manager can be password protected. However, if the user removes the ‘Meraki Management’ profile, all profiles (and, potentially, apps) pushed through Systems Manager will be deleted as well.

Due to the way iOS is designed, no matter how tightly you lock down the operating system, the end user can always simply enter the settings menu and remove all security policies and applications even if the policy has been password protected. This is simply a limitation of the operating system and something Apple needs to seriously address.

The limitations imposed by Apple make all  iOS MDM solutions impossible to recommend as a secure management platform — this isn’t Windows Server with Group Policy — but what it does do is make an already difficult to manage operating system that bit more palatable and scaleable for the educational environment. It’s not the perfect solution, but to the extent that it works it removes a significant administrative overhead, and so far Meraki is the best MDM offering I have tested at the lowest cost possible — free.

Over the next few weeks I’ll be putting together some simple guides demonstrating the basics of Meraki as I roll it out to a group of test devices. Check back for more soon.

Find out more about Meraki Systems Manager here.


About Author

Profile photo of Karl Rivers

Karl is an award winning Director of IT for the Royal Grammar School Guildford, based near London, England. He has been working in education for more than ten years and founded ClassThink in 2013 to share technology best practice with other schools. In 2014 he won the NAACE Impact Award for support services in schools, and writes edtech articles for Education Executive Magazine.


    • Meraki Networking frameworks convey easiness to wander class frameworks. With remote, trading, security, and system organization oversaw from the cloud, Meraki Networking, a lump of Cisco, gives framework executives detectable quality and control, without using an excessive amount.

  1. “This is simply a limitation of the operating system and something Apple needs to seriously address.” “The limitations imposed by Apple make all iOS MDM solutions impossible to recommend as a secure management platform”

    I think these are incorrect statements to make. In a properly configured environment there is no way onto the wireless network without the config profile associated with the MDM profile. Users remove it and they’re off network. There are others ways to ensure restricted data can’t remain on the device or get onto it in the first place.

    • Profile photo of Karl Rivers

      Hi Andrew,

      Thanks for your comment!

      I may have been a bit harsh with my turn of phrase, but I think the point I was trying to get across was that many schools look at MDM as a way to manage security of iPads and, as you state, that really isn’t the purpose of MDM.

      I still stand by the argument, however, that the way Apple has implemented MDM in iOS ignores several common use cases that exist in education. Schools should at least have the option to prevent a user removing an MDM profile from school owned device if they choose.


  2. So, if the device is supervised and very much LOCKED down, students still have the ability to go in and essentially remove Meraki? And once Meraki is gone…probably so is the iPad??!!


      • I thought that you could put a password on certificate. I seem to be able to do it ( I am only testing one iPad right now). when I put a password on through the Meraki Dashboard, it will not permit me to delete the Meraki profile without the password….I am I missing something?


        • Profile photo of Karl Rivers

          Hi Jim,

          Please share the process you are going through! I’ve tried similar things, as have many others, and I haven’t found a way to stop the profile being removed. Even Meraki say it isn’t possible.

          Let us know what you are doing!


  3. I am using Meraki to manage our schools iPads, the way I am dealing with the users ability to remove the Meraki profile, the Meraki manager offers the ability to be notified when the profile is removed. To enable this navigate to the Configure tab, under Mobile device management enable “Send an email alert if Meraki Management profile is removed”.

  4. Colette lambie on

    I’m using meraki on ios7 iPads. I need to enter the password for every app downloaded. I can’t
    change the setting to “every 15 min”. This is really inconvenient in a school setting and undermines the simplicity of Meraki. Can I resolve this any way?

  5. Thanks for your article. We’ve just started using meraki to manage a relatively small number of iPads in a primary school. Does anyone else find it very slow to push out apps? It’s taken a couple of hours to roll out 14 small apps to trial set of 10 iPads this afternoon. Several of the apps also don’t seem to get going again and remain “pending” unless restarted on the device.
    Is this common or something we can work around?

    • Profile photo of Karl Rivers

      Hi Al,

      I’ve had mixed success installing apps through Meraki. In my experience there can be a delay and also some simply never pick up the apps.


  6. Darrell Milam on

    If you use the apple DEP and VPP programs with meraki can any of the issues be over come. Including installing without account password and removing meraki profile?

    • Profile photo of Karl Rivers

      Hi Darrell,

      Yes, DEP will resolve some of the issues with iPad management and Meraki, but you still won’t be able to do silent app installs.

      Hope this helps.


      • Hi all,

        We manage a small number of iPhone/ipads with meraki systems manager mdm, which works well for us.
        Now we will be rolling out 250-300 iPhone 5c’s our staff located in various cities across the UK.

        I’ll be using the Apple Configurator based upon meraki kb 1809 to prepare these iPhones. The kb mentions we can supervise the iPhones if we wish. However are there any ‘dangers’ that I should be aware of if we choose to supervise these devices? Yesterday an Apple Solutions Engineer at the Covent Garden Apple Store warned me to steer clear of supervising the iPhones as it means that each iPhone will be ‘tied/locked’ to the machine that the Apple Configurator is installed on.

        Grateful for any of your thoughts on this,



  7. This article was just what I was looking for. I am managing around 125 iPads for our school system and am finally starting with Meraki to make it easier. My biggest problem is having an individual Apple ID on each one. We have, in the past, allowed teachers to use their id’s on multiple devices for their classroom. Now I find myself needing to create individual emails and then Apple IDs? Is there an easy way to do this?

    Also, I tried to connect to our VPP by inviting users. The two that I attempted are still listed as “Invited” although they (I) have accepted the invitation. Is there a lag in time between accepting the invitation and when it shows up in System Manager?

    Any help would be awesome!

    • Profile photo of Karl Rivers

      Hi Melanie,

      Glad to help!

      Are you using your iPads 1:1 or are they shared? How you set up Apple IDs will depend on this.

      I haven’t had a time lag issue with VPP users. It’s pretty much instant. Do you have anymore details?


    • Hi Melanie. Did you sort your time lag issue? We are having the same problem here – the invitation has been accepted but still shows on the Meraki Dashboard as ‘invited’.

      • Never. I managed to do what I needed although it took much longer than anticipated. I spoke with a representative from Cisco/Meraki and he said “It shouldn’t do that” We are looking into another MDM solution.

  8. I’m struggling with Meraki. I had everything up and running on both Apple DEP and Meraki and finally starting to set up a group of iPads yesterday. Today I was ready to jump in and get the big group of iPads rolling and pushing out apps with VPP. But the Meraki DEP page says “Server token has been rejected by Apple.” Apple assures me that everything looks fine on their end. I can submit a new token, except Meraki doesn’t allow us the ability to upload a new token and Customer Service refuses to speak to me unless I have an Enterprise account. Of course this would happen during a time crunch, right? 😉 Any suggestions are welcome!

  9. Bill Marsden on

    I have supervised an iPad on Apple Configurator and it has been returned to me activation-locked. I was assured that if the device could not be activation locked if supervised. Meraki gives a bypass code but no instructions as to how to use it. Any ideas please?

    • William Hagan on

      To use Meraki’s bypass code you must have setup DEP between Apple and Meraki. Apple Configurator devices CAN be activation locked. There are many deployment strategies to defend against rouge users activate-locking their devices. Slightly too big of a topic to add in a reply.

  10. We looked at Meraki but in the end we found the Casper Suite from JAMF software to be far superior and well worth the price.

  11. William Hagan on

    I’ve used Meraki since it’s beta release. Fortunately for us most of the weaknesses of ALL MDM’s have been mitigated. For example:
    1) you can now silently push Apps to devices without end user intervention ( I actually just pushed about 800 apps to over 100 devices in 10 minutes, including paying for the app purchase )
    2) Supervisor profile can be locked to the device ( end user cannot remove it, no matter what they may try )

  12. I am facing an issue were Meraki and the Apple Config. are not playing nice. I have 30+ apps I need to install but the config dies every time it gets to the MDM enrollment. I hate to manually do all the ipads to get this to work but it is starting to look like that may be the case as every ipad has Meraki pushing to it on log on.


      • The only error I receive is it is, unable to connect to Meraki. I am planning on starting my next class of ipads today. I will ook deeper and get imformation out. Thank you for the reply.

        • Unable to contact Apple servers. Please try again later. Is the first error I am getting from Meraki. This is when I am trying to set up profiles so I can try and by-pass the error from the Apple Config that stats “Unable to activate. This device is configured by the Apple automated MDM enrollment service.”

          Do you know if there are any specific web or port address I should make sure are added to our Firewall for Apple Config / Meraki? I am starting to bevel the error may be firewall driven.

          Thank you for any assistance.

  13. Activation lock is proving to be a problem. We have iPads supervised with Configurator. We tell students to turn on Find my iPad so that they can find them when misplaced. A student leaves and the iPad is locked. We attempt to resupervise but the device is activation locked. In Meraki, we can obtain an Activation lock bypass code. It has been suggested that this can be entered in the password field for the Apple ID,leaving the username blank but I can’t get this to work. I’ve also tried clicking the Disable Activation Lock button in Meraki. This gives the message “Error – Activation lock bypass code not found with Apple. Is activation lock already disabled?”. Meraki say there is a bug in iOS7 with this, so I’ve tried iOS8, but get the same error. My question is where do you enter the long bypass code?

    • Hi Russell, we have the same issue here in our schools. Seems that the supervised mode does not prevent the activation lock. We use the DEP and push a supervised profile with Meraki. So far, the only way we can unlock the devices is by going through the lengthy process of contacting Apple and providing proof of purchase for EACH locked iPads..

        • You can contact your Apple Rep and ask to be part of the DEP, even though they say it’s only available in the USA. I’m in Canada and they accepted to have us use the program. It makes things much simpler to prepare the iPads.

          • I am running in to the same issues as described above. Any luck on getting the meraki activation lock features to actually work, either the bypass code or the disable button?

          • Russell Healey on

            Disable activation lock is still not working for me with Meraki. I had to log a case with Apple to get two of our iPads unlocked a couple of months ago. However, apart from this Meraki works well for us – we have about 450 pupil devices enrolled. We do not use it for App deployment (the pupils do their own), but merely to set restrictions and a global proxy. It’s also useful as an inventory of devices. We have not yet found a paid-for platform that offers us functionality that we would benefit from. The problem is with Apple’s model of age ratings – this is too simplistic – we’d like to be able to say “allow this app” “disallow this app” in a uncomplicated way. Some platforms off “quarantine” if so and so app is installed, but this is no good for us.

  14. We have several iPads in Meraki, we are trying to figure out a way to change a setting on the ipad through Meraki. We need to change the Auto-Lock to Never. We took the passcode off, but that did not prevent the ipad from going to a black screen. Is there a way to make this change through Meraki with out going out and physically making the change?

  15. It may be free, but it seems like a lot of problems looking through these comments! Platforms that you pay for, even just a little per month, seem to come with a lot less to worry about in my opinion. Does anyone else think its worth the cost? I guess I haven’t tried out Meraki, though, so a little bias.

    • Profile photo of Karl Rivers

      Hi Kevin,

      I would agree that Meraki isn’t perfect, especially if you’re managing a lot of iPads, but for many schools it’s a cost effective solution. I’d be interested in finding out more about Bushel. Do you have any details? Maybe we can do a feature on it.


      • That is very true, school budgets don’t always have that certain leeway necessary. And that’s no problem at all. I would suggest contacting the product manager for Bushel, Charles Edge (charles.edge@bushel.com), directly for the best information. I’m glad you took an interest!

          • Hi everyone, we launched an MDM solution built for schools early this year, called Cellabus. We are absolutely FREE for school owned iPads with an optional paid 24/7 support and $10 per device per year for BYOD with parents access. We started Cellabus after searching exhaustively for an MDM solution that was simple enough but powerful for K12 schools for our own classrooms. We already have 100s of schools using us across the world, a lot of whom have moved from Meraki among others, more so since Meraki limited its free plan to 100 devices in April. Please feel free to reach out to me at sam at cellabus dot com, if you would want to talk about our approach and give Cellabus a try.

  16. DEP is available in the UK from March 2015. DEP stops users from removing a profile and if the device is wiped again as soon as it hits apps activations servers the profile is installed again.

    If you go for DEP remember that you must have an MDM solution in place. (EDIT) hmm not so sure now see https://support.apple.com/en-gb/HT201092

    Quote “When a device is enrolled in the Device Enrollment Program (DEP), you can still use the device with Apple Configurator.

    You can still use enrolled devices with Apple Configurator as long as the devices are not assigned to an active MDM Server:

    You can elect to leave the devices eligible, but unassigned.
    You can assign these devices to a temporary MDM server to continue using Apple Configurator.
    You can unassign a device from the current MDM server by searching for the device, then selecting the Unassigned option.”

    Not clear whether you can use Apple Configurator *permanently* after enrolling devices into DEP?

  17. Hi There

    We are also currently using meraki but have a slight problem , in order for us to do updates on our app i need the device to always be on , we have used the single app mode to keep our app always on but I cant find away to keep the screen to never switch off if i havent done those settings manually on the ipad , Any ideas


  18. Urgent Please!
    Hi there. I’ve iPad which want to connect it to meraki using MDM. I have already created the license and everything. When I go to iPads to Install the certificate I get the message saying: Profile connection fail. Please help

  19. I work at a public library and am trying to figure out how Meraki can be used to wipe out patron information after each iPad circulation. It was mentioned to us that you have to use a Macbook pro to do this. Is that true, or can you use Meraki on any computer?

Tell us what you think!