cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MDM: Management profile 'rights'

SOLVED
Go to solution
Miyo360
Getting noticed
‎05-22-2018 03:19 AM
‎05-22-2018 03:19 AM

MDM: Management profile 'rights'

Hi,


I have been using Meraki MDM for a while at our workplace. All is good. We are expanding the use of it to personal devices (BYOD). It has been noticed that the MDM Management Profile requests the following rights on iOS...

 

  1. Erase all data and settings
  2. Lock device and remove passcode
  3. List configuration profiles
  4. Add/remove configuration profiles
  5. List provisioning profiles
  6. Add/remove provisioning profiles
  7. List device information
  8. List network information
  9. List installed applications
  10. List restriction information
  11. List security information
  12. Apply settings
  13. Install and remove applications and data

Some of these rights seem excessive, particularly 1, 2, 9 & 13.  Understandably, users with personal devices are hesitant to allow the profile. 

 

Is it possible to edit this list? Or change what rights the management profile requires? Is there a bare minimum list of rights required for the management to operate correctly?

 

The profile is only installing iOS mail settings. We are not using the agent app.

 

Thanks in advance.

 

Labels:
0 Kudos
Subscribe
1 ACCEPTED SOLUTION
jared_f
Kind of a big deal
‎05-22-2018 06:07 AM
‎05-22-2018 06:07 AM

Under Systems Manager > General (under the “Configure” heading) > Access Rights (you have to scroll down a bit to see it) you can restrict some of the SM capabilities. I believe these are per network rules, maybe create another SM network (aka “site”) for BYOD devices and apply these restrictions?

 

 

@Miyo360 wrote:

Hi,


I have been using Meraki MDM for a while at our workplace. All is good. We are expanding the use of it to personal devices (BYOD). It has been noticed that the MDM Management Profile requests the following rights on iOS...

 

  1. Erase all data and settings
  2. Lock device and remove passcode
  3. List configuration profiles
  4. Add/remove configuration profiles
  5. List provisioning profiles
  6. Add/remove provisioning profiles
  7. List device information
  8. List network information
  9. List installed applications
  10. List restriction information
  11. List security information
  12. Apply settings
  13. Install and remove applications and data

Some of these rights seem excessive, particularly 1, 2, 9 & 13.  Understandably, users with personal devices are hesitant to allow the profile. 

 

Is it possible to edit this list? Or change what rights the management profile requires? Is there a bare minimum list of rights required for the management to operate correctly?

 

The profile is only installing iOS mail settings. We are not using the agent app.

 

Thanks in advance.

 

 

Find this helpful? Click the kudos button. Thanks!

View solution in original post

Subscribe
2 REPLIES 2
jared_f
Kind of a big deal
‎05-22-2018 06:07 AM
‎05-22-2018 06:07 AM

Under Systems Manager > General (under the “Configure” heading) > Access Rights (you have to scroll down a bit to see it) you can restrict some of the SM capabilities. I believe these are per network rules, maybe create another SM network (aka “site”) for BYOD devices and apply these restrictions?

 

 

@Miyo360 wrote:

Hi,


I have been using Meraki MDM for a while at our workplace. All is good. We are expanding the use of it to personal devices (BYOD). It has been noticed that the MDM Management Profile requests the following rights on iOS...

 

  1. Erase all data and settings
  2. Lock device and remove passcode
  3. List configuration profiles
  4. Add/remove configuration profiles
  5. List provisioning profiles
  6. Add/remove provisioning profiles
  7. List device information
  8. List network information
  9. List installed applications
  10. List restriction information
  11. List security information
  12. Apply settings
  13. Install and remove applications and data

Some of these rights seem excessive, particularly 1, 2, 9 & 13.  Understandably, users with personal devices are hesitant to allow the profile. 

 

Is it possible to edit this list? Or change what rights the management profile requires? Is there a bare minimum list of rights required for the management to operate correctly?

 

The profile is only installing iOS mail settings. We are not using the agent app.

 

Thanks in advance.

 

 

Find this helpful? Click the kudos button. Thanks!
Subscribe
In response to jared_f
Miyo360
Getting noticed
‎05-24-2018 03:26 AM
‎05-24-2018 03:26 AM

Thanks very much. This was helpful. I created a new network and looked at the options you suggested. I set the following...

 

 

 

MerakiDashboard.png

 

 

 

 

 

 

 

 

I then added a device and checked the permission list and the differences are 

 

  1. Erase all data and settings
  2. Lock device and remove passcode
  3. List configuration profiles
  4. Add/remove configuration profiles
  5. List provisioning profiles
  6. Add/remove provisioning profiles
  7. List device information
  8. List network information
  9. List installed applications
  10. List restriction information
  11. List security information
  12. Apply settings
  13. Install and remove applications and data

Thanks again for your help.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2023 Meraki