Managing iPads with Meraki


I’ve spent a lot of time trying to find the most efficient way to manage iOS devices. Apple Configurator and Profile Manager go some way to providing bulk management of iPads but nothing meets all of our requirements at a low cost. Then I came across Meraki.

Recently purchased by Cisco, Meraki Systems Manager is a cloud-based Mobile Device Management (MDM) system designed to wirelessly manage not only iOS devices, but also Android, Windows 7, and Mac OS X. Because Meraki is entirely cloud based and pushes settings and apps wirelessly to iPads, iPhones, and even iPod Touch, you don’t have to gather all your iOS devices together to update them as you would with Apple Configurator, and you don’t have the additional hardware cost involved with Apple’s Profile Manager. As long as your devices have an Internet connection you can push out configuration changes wherever they are in the world.

Did I mention it’s also free?

Which of These MDMs Looks Like The Other?

The iOS MDM enigma. I’ve reviewed several iOS management solutions, both paid and free, and the one thing you quickly become aware of is that they are all essentially exactly the same product. The reason for this is that Apple’s API for iOS management is so specific and controlled that there is very little an MDM provider can do that is above and beyond their competitors. What you’ll notice when viewing options in most MDM solutions (Meraki, Airwatch, and Casper come immediately to mind) is that not only do they have almost identical functions but they also look visually similar, even down to the order and categorisation of the options.

While some solutions have added minor additional features (such as Airwatch’s geo and time fencing, or Meraki’s device tagging), the takeaway from this should be that all iOS MDM solutions essentially do the same job. The features you should be looking at are those that are not a result of Apple’s API: service level and security of data.

If you’ve used Apple Configurator or another MDM solution you’ll be familiar with many of the iOS management options available in Meraki:

  • Allow or disallow use of the camera
  • Allow or disallow installing apps
  • Allow or disallow Facetime
  • Allow or disallow in-app purchases
  • Allow or disallow access to specific built-in apps such as Safari
  • Allow or disallow specific age related content
  • Force storage encryption
  • Force lockscreen passcode
  • Configure Wifi settings
  • Add web clips — shortcuts in my day — to the homescreen
  • Remote wipe the device
  • Push applications to devices

Log in to Meraki and the first thing you see is a neat dashboard pinpointing the location of your devices on a Google Map. Select the Overview option and you have access to live status updates from your devices including disk usage, connectivity, battery status and user. It’s a nice touch, giving you an immediate overview of your organisation’s devices.

Device management is similarly well thought out. You are able to use tags to group devices, simplifying management when pushing out settings and apps.

The ability to create multiple administrator user accounts and have all changes logged centrally makes this a powerful platform, and the ability to create multiple networks within the same account allows for multi-site management of devices.

Two of my primary concerns when testing mobile devices have been how to force a user to require a lock screen passcode and, when devices are inevitably lost or stolen, how to remote wipe them. As long as the device is locked, Meraki does both of these things well.

Such A Tasty Free Lunch!

Meraki is free, so the obvious question is why, and is this a concern? Is there any upsell?

Well, Meraki is now owned by Cisco, so some concerns about data protection etc. may be eased by having a company heavily into network security behind it. The official line from Meraki is:

Why is Systems Manager free?
We want everyone to have an opportunity to interact with the Meraki dashboard. Once you interact with the dashboard via Systems Manager, we believe you’ll love the ease of management, and you’ll consider Meraki’s other products when you’re ready to upgrade your WiFi, switching, or security appliance infrastructure.

It would be naive to think there is not some element of data collection involved here. Meraki is certainly a great way for Cisco to get to know the internals of potential customers’ networks, but there’s no sign of this in practice.

You should be aware that Meraki will detect and store the location of your devices, a useful feature, no doubt, but it’s important to recognise the context in which specific devices are being used. You may want to use Meraki to push out

Why Can’t Everything Be So Simple?

Unfortunately there are two main drawbacks here. I should make clear that these are not problems with Meraki specifically; instead they are issues caused by Apple which prevent any MDM system (including Apple’s own) being what I would consider enterprise ready. Both issues are excellently highlighted on Meraki’s own website:

Can you push iTunes credentials so that users aren’t prompted for an Apple ID?
No. This is a limitation of Apple’s MDM framework.

When you push an app to an iOS device Apple requires you to manually log in with an Apple ID on the device. This is fine if it is a staff iPad, where the user is likely to already have an iTunes account set up, but pushing an app to a pool of iPads in a classroom makes this process unwieldy. In the latter case Apple Configurator is going to be the preferred option.

Meraki does allow you to distribute a pool of App Store voucher codes when pushing out applications, which is great, but the system assigns the purchased application to the Apple ID of the user that authenticates the install on the device which may not be desirable.

Likewise, when pushing an app to an Android device the end user is only prompted with a notification which, when selected, takes them to the relevant page on the Google Play store. It doesn’t actually force the app to install.

The second issue is more concerning and in my opinion makes all iOS MDMs of questionable value:

Why can I remove the ‘Meraki Management’ profile even when I set a password policy?
The ‘Meraki Management’ profile contains mobile device management settings for iOS devices. Apple does not allow profiles that contain these settings to be password protected. All other profiles pushed through Systems Manager can be password protected. However, if the user removes the ‘Meraki Management’ profile, all profiles (and, potentially, apps) pushed through Systems Manager will be deleted as well.

Due to the way iOS is designed, no matter how tightly you lock down the operating system, the end user can always simply enter the settings menu and remove all security policies and applications even if the policy has been password protected. This is simply a limitation of the operating system and something Apple needs to seriously address.
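As an added example (not from the original article or from Meraki), this Python script audits an exported, unsigned configuration profile against the restrictions listed earlier and reports whether a user could remove it without a password. The payload types and keys are Apple's configuration-profile names; the baseline values, finding messages and the sample profile are constructed assumptions.

```python
import plistlib

# Classroom baseline for Apple's restrictions payload (values are an assumption).
BASELINE = {
    "allowCamera": False,
    "allowAppInstallation": False,
    "allowVideoConferencing": False,  # FaceTime
    "allowInAppPurchases": False,
    "allowSafari": False,
}

def audit_profile(raw):
    """Return a list of findings for one unsigned .mobileconfig (plist bytes)."""
    profile = plistlib.loads(raw)
    payloads = profile.get("PayloadContent", [])
    types = {p.get("PayloadType") for p in payloads}
    findings = []

    restrictions = [p for p in payloads
                    if p.get("PayloadType") == "com.apple.applicationaccess"]
    for key, wanted in BASELINE.items():
        # A key that is absent keeps the permissive iOS default (allowed).
        actual = next((p[key] for p in restrictions if key in p), True)
        if actual != wanted:
            findings.append(f"{key} is {actual}, baseline wants {wanted}")

    passcode = [p for p in payloads
                if p.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy"]
    if not any(p.get("forcePIN") for p in passcode):
        findings.append("lock screen passcode is not forced")

    if "com.apple.mdm" in types:
        # The management profile itself cannot carry a removal password.
        findings.append("MDM payload present: rely on removal alerts")
    elif ("com.apple.profileRemovalPassword" not in types
          and not profile.get("PayloadRemovalDisallowed")):
        findings.append("profile is removable without a password")
    return findings

# Constructed sample: in-app purchases left on, no removal password.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.constructed.classroom",
    "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess",
         "allowCamera": False, "allowAppInstallation": False,
         "allowVideoConferencing": False, "allowInAppPurchases": True,
         "allowSafari": False},
        {"PayloadType": "com.apple.mobiledevice.passwordpolicy", "forcePIN": True},
    ],
})

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```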

The limitations imposed by Apple make all iOS MDM solutions impossible to recommend as a secure management platform — this isn’t Windows Server with Group Policy — but what it does do is make an already difficult to manage operating system that bit more palatable and scalable for the educational environment. It’s not the perfect solution, but to the extent that it works it removes a significant administrative overhead, and so far Meraki is the best MDM offering I have tested at the lowest cost possible — free.

Over the next few weeks I’ll be putting together some simple guides demonstrating the basics of Meraki as I roll it out to a group of test devices. Check back for more soon.

Find out more about Meraki Systems Manager here.


About Author

Karl is an award winning school Network Manager, IT Lead Professional for Bedfordshire Borough Council, and is an ICT Across the Curriculum Co-ordinator based near London, England. He has been working in education for more than ten years and founded ClassThink in 2013 to share technology best practice with other schools. In 2014 he won the NAACE Impact Award for support services in schools, and writes edtech articles for Education Executive Magazine.

34 Comments

    • Meraki Networking frameworks convey easiness to wander class frameworks. With remote, trading, security, and system organization oversaw from the cloud, Meraki Networking, a lump of Cisco, gives framework executives detectable quality and control, without using an excessive amount.

  1. “This is simply a limitation of the operating system and something Apple needs to seriously address.” “The limitations imposed by Apple make all iOS MDM solutions impossible to recommend as a secure management platform”

    I think these are incorrect statements to make. In a properly configured environment there is no way onto the wireless network without the config profile associated with the MDM profile. Users remove it and they’re off network. There are other ways to ensure restricted data can’t remain on the device or get onto it in the first place.

    • Hi Andrew,

      Thanks for your comment!

      I may have been a bit harsh with my turn of phrase, but I think the point I was trying to get across was that many schools look at MDM as a way to manage security of iPads and, as you state, that really isn’t the purpose of MDM.

      I still stand by the argument, however, that the way Apple has implemented MDM in iOS ignores several common use cases that exist in education. Schools should at least have the option to prevent a user removing an MDM profile from a school-owned device if they choose.

      Karl

  2. So, if the device is supervised and very much LOCKED down, students still have the ability to go in and essentially remove Meraki? And once Meraki is gone…probably so is the iPad??!!

    Jim

      • I thought that you could put a password on the certificate. I seem to be able to do it (I am only testing one iPad right now). When I put a password on through the Meraki Dashboard, it will not permit me to delete the Meraki profile without the password… Am I missing something?

        jim

        • Hi Jim,

          Please share the process you are going through! I’ve tried similar things, as have many others, and I haven’t found a way to stop the profile being removed. Even Meraki say it isn’t possible.

          Let us know what you are doing!

          Karl

  3. I am using Meraki to manage our school’s iPads. The way I am dealing with the user’s ability to remove the Meraki profile is that the Meraki manager offers the ability to be notified when the profile is removed. To enable this, navigate to the Configure tab and, under Mobile device management, enable “Send an email alert if Meraki Management profile is removed”.

  4. Colette lambie on

    I’m using Meraki on iOS 7 iPads. I need to enter the password for every app downloaded. I can’t change the setting to “every 15 min”. This is really inconvenient in a school setting and undermines the simplicity of Meraki. Can I resolve this any way?

  5. Thanks for your article. We’ve just started using Meraki to manage a relatively small number of iPads in a primary school. Does anyone else find it very slow to push out apps? It’s taken a couple of hours to roll out 14 small apps to a trial set of 10 iPads this afternoon. Several of the apps also don’t seem to get going again and remain “pending” unless restarted on the device.
    Is this common or something we can work around?

    • Hi Al,

      I’ve had mixed success installing apps through Meraki. In my experience there can be a delay and also some simply never pick up the apps.

      Karl

  6. Darrell Milam on

    If you use the Apple DEP and VPP programs with Meraki, can any of the issues be overcome? Including installing without account password and removing the Meraki profile?

    • Hi Darrell,

      Yes, DEP will resolve some of the issues with iPad management and Meraki, but you still won’t be able to do silent app installs.

      Hope this helps.

      Karl

      • Hi all,

        We manage a small number of iPhones/iPads with Meraki Systems Manager MDM, which works well for us.
        Now we will be rolling out 250-300 iPhone 5c’s to our staff located in various cities across the UK.

        I’ll be using the Apple Configurator based upon Meraki KB 1809 to prepare these iPhones. The KB mentions we can supervise the iPhones if we wish. However, are there any ‘dangers’ that I should be aware of if we choose to supervise these devices? Yesterday an Apple Solutions Engineer at the Covent Garden Apple Store warned me to steer clear of supervising the iPhones as it means that each iPhone will be ‘tied/locked’ to the machine that the Apple Configurator is installed on.

        Grateful for any of your thoughts on this,

        Thanks

        Kyza

  7. This article was just what I was looking for. I am managing around 125 iPads for our school system and am finally starting with Meraki to make it easier. My biggest problem is having an individual Apple ID on each one. We have, in the past, allowed teachers to use their IDs on multiple devices for their classroom. Now I find myself needing to create individual emails and then Apple IDs? Is there an easy way to do this?

    Also, I tried to connect to our VPP by inviting users. The two that I attempted are still listed as “Invited” although they (I) have accepted the invitation. Is there a lag in time between accepting the invitation and when it shows up in System Manager?

    Any help would be awesome!

    • Hi Melanie,

      Glad to help!

      Are you using your iPads 1:1 or are they shared? How you set up Apple IDs will depend on this.

      I haven’t had a time lag issue with VPP users. It’s pretty much instant. Do you have any more details?

      Karl

    • Hi Melanie. Did you sort your time lag issue? We are having the same problem here – the invitation has been accepted but still shows on the Meraki Dashboard as ‘invited’.

      • Never. I managed to do what I needed although it took much longer than anticipated. I spoke with a representative from Cisco/Meraki and he said “It shouldn’t do that”. We are looking into another MDM solution.

  8. I’m struggling with Meraki. I had everything up and running on both Apple DEP and Meraki and finally started to set up a group of iPads yesterday. Today I was ready to jump in and get the big group of iPads rolling and pushing out apps with VPP. But the Meraki DEP page says “Server token has been rejected by Apple.” Apple assures me that everything looks fine on their end. I can submit a new token, except Meraki doesn’t allow us the ability to upload a new token and Customer Service refuses to speak to me unless I have an Enterprise account. Of course this would happen during a time crunch, right? ;) Any suggestions are welcome!

  9. Bill Marsden on

    I have supervised an iPad on Apple Configurator and it has been returned to me activation-locked. I was assured that the device could not be activation locked if supervised. Meraki gives a bypass code but no instructions as to how to use it. Any ideas please?

    • William Hagan on

      To use Meraki’s bypass code you must have set up DEP between Apple and Meraki. Apple Configurator devices CAN be activation locked. There are many deployment strategies to defend against rogue users activation-locking their devices. Slightly too big of a topic to add in a reply.

  10. We looked at Meraki but in the end we found the Casper Suite from JAMF software to be far superior and well worth the price.

  11. William Hagan on

    I’ve used Meraki since its beta release. Fortunately for us most of the weaknesses of ALL MDMs have been mitigated. For example:
    1) you can now silently push apps to devices without end user intervention (I actually just pushed about 800 apps to over 100 devices in 10 minutes, including paying for the app purchase)
    2) Supervisor profile can be locked to the device (end user cannot remove it, no matter what they may try)

  12. I am facing an issue where Meraki and the Apple Config. are not playing nice. I have 30+ apps I need to install but the config dies every time it gets to the MDM enrollment. I hate to manually do all the iPads to get this to work but it is starting to look like that may be the case as every iPad has Meraki pushing to it on log on.

    Thoughts?

      • The only error I receive is that it is unable to connect to Meraki. I am planning on starting my next class of iPads today. I will look deeper and get information out. Thank you for the reply.

        • “Unable to contact Apple servers. Please try again later.” is the first error I am getting from Meraki. This is when I am trying to set up profiles so I can try and bypass the error from the Apple Config that states “Unable to activate. This device is configured by the Apple automated MDM enrollment service.”

          Do you know if there are any specific web or port addresses I should make sure are added to our firewall for Apple Config / Meraki? I am starting to believe the error may be firewall driven.

          Thank you for any assistance.
