Force SM install on Personal devices?

Fiza
Conversationalist

Force SM install on Personal devices?

We are a School. If our users utilise their own devices to access School emails is there any way that we can force them to enroll onto Meraki SM? We use G Suite for email and documents and normally users just add in the details of the School G Suite domain and they can sync their emails. I would like to stop them doing this unless they have installed Meraki Systems Manager first.

9 Replies 9
nextgenconcepts
Here to help

If you go to add devices under SM, there are a few different ways that you can have them add their own devices. You can then set them with device owners and schedule the apps if you want.

https://documentation.meraki.com/SM/Deployment_Guides/Android_Enterprise_Deployment_Guide_(Android_f...)

I hope that this helps 🙂
Fiza
Conversationalist

Thanks for the reply. The URL you linked to does not work for me. 

I didnt want to use Device Owner deployment as I understood that to be aimed at devices owned by the School rather than personal devices owned by Staff members.

 

PhilipDAth
Kind of a big deal
Kind of a big deal

Sorry Fiza, but I can't think of anyway to achieve what you want.

 

G-Suite does not offer any way (that I know of) that prevents any person from simply trying to add the account to their device.

jared_f
Kind of a big deal

As @PhilipDAth mentioned, it is not possible to have a personal device enroll if the user logs into your domain email. 

 

I would be cautious opening up enrollment to personal devices as Meraki does collect logs and inventory on any enrolled device and often users don't understand that. Also, this would chew up a lot of your licensing. What is your cause wanting to have users enroll their personal devices? 

Find this helpful? Click the kudos button. Thanks!
Fiza
Conversationalist

Because our Staff tend to use their personal devices to access emails and documents on Google Drive we want to enforce device password/pin protection and enforce device encryption. If Staff don't want to install SM then we would like to prevent them from accessing work related emails and documents on their personal devices. I have found that you can do a forced install using Googles own MDM so as soon as users try to access work emails they are asked to download the Google Device Policy App which then enforces the policies we set. The same doesnt seem to be true of Meraki MDM.

nextgenconcepts
Here to help

Google offers Oauth that their devices use as part of Google at Work. It works like an LDAP. While you can set this up for android devices in SM, iOS devices are not compatible with Google Oauth at this point from what I understand.

Melissa
Meraki Alumni (Retired)
Meraki Alumni (Retired)

Hi @Fiza

 

To prevent users from logging in to email accounts on anything other than "known", SM-enrolled devices, I've seen organizations do the following:

 

1 - Set up both username/password and certificate authentication on their email server

2 - Encourage users to install SM to get access to school/company email (and wifi networks, VPN, etc.)

3 - Pushing Email Configuration Settings (Managed App Settings for Gmail, on Android devices) AND Credentials to SM-enrolled devices

 

The above would ensure that only devices with the SM-pushed certificates would be able to log in to email accounts. 

 

Here are some additional resources on this!

 

https://documentation.meraki.com/SM/Profiles_and_Settings/Configuration_Settings

https://documentation.meraki.com/SM/Deployment_Guides/Android_Enterprise_Deployment_Guide

 

DHAnderson
Head in the Cloud

1. Set up 3rd Party management for Device management in Google Workspace

2. Create a token and copy it.

3. In the Dashboard under Organization / MDM, choose Google authentication and paste in the token.

 

Once that is done, when someone adds their work email to their phone, SM will download and install automatically.  The end user will need to enroll the device so they will need the enrolment code.

 

There is currently a bug somewhere between Android / Meraki / Google Workspace that breaks this functionality in Android 11.

 

-Dave

 

Dave Anderson
Android
Conversationalist

Android apps
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels