We are a School. If our users utilise their own devices to access School emails is there any way that we can force them to enroll onto Meraki SM? We use G Suite for email and documents and normally users just add in the details of the School G Suite domain and they can sync their emails. I would like to stop them doing this unless they have installed Meraki Systems Manager first.
Thanks for the reply. The URL you linked to does not work for me.
I didn't want to use Device Owner deployment as I understood that to be aimed at devices owned by the School rather than personal devices owned by Staff members.
Sorry Fiza, but I can't think of any way to achieve what you want.
G-Suite does not offer any way (that I know of) that prevents any person from simply trying to add the account to their device.
As @PhilipDAth mentioned, it is not possible to have a personal device enroll if the user logs into your domain email.
I would be cautious opening up enrollment to personal devices as Meraki does collect logs and inventory on any enrolled device and often users don't understand that. Also, this would chew up a lot of your licensing. What is your reason for wanting to have users enroll their personal devices?
Because our Staff tend to use their personal devices to access emails and documents on Google Drive we want to enforce device password/pin protection and enforce device encryption. If Staff don't want to install SM then we would like to prevent them from accessing work related emails and documents on their personal devices. I have found that you can do a forced install using Google's own MDM so as soon as users try to access work emails they are asked to download the Google Device Policy App which then enforces the policies we set. The same doesn't seem to be true of Meraki MDM.
Google offers OAuth that their devices use as part of Google at Work. It works like an LDAP. While you can set this up for Android devices in SM, iOS devices are not compatible with Google OAuth at this point from what I understand.
Hi @Fiza!
To prevent users from logging in to email accounts on anything other than "known", SM-enrolled devices, I've seen organizations do the following:
1 - Set up both username/password and certificate authentication on their email server
2 - Encourage users to install SM to get access to school/company email (and wifi networks, VPN, etc.)
3 - Push Email Configuration Settings (Managed App Settings for Gmail, on Android devices) AND Credentials to SM-enrolled devices
The above would ensure that only devices with the SM-pushed certificates would be able to log in to email accounts.
Here are some additional resources on this!
https://documentation.meraki.com/SM/Profiles_and_Settings/Configuration_Settings
https://documentation.meraki.com/SM/Deployment_Guides/Android_Enterprise_Deployment_Guide
1. Set up 3rd Party management for Device management in Google Workspace
2. Create a token and copy it.
3. In the Dashboard under Organization / MDM, choose Google authentication and paste in the token.
Once that is done, when someone adds their work email to their phone, SM will download and install automatically. The end user will need to enroll the device so they will need the enrolment code.
There is currently a bug somewhere between Android / Meraki / Google Workspace that breaks this functionality in Android 11.
-Dave