Meraki

Community

SM: Resctict the scope of a security policy using tags

Solved
Johnny55
Here to help
‎Nov 13 2023 8:45 AM
‎Nov 13 2023 8:45 AM

SM: Resctict the scope of a security policy using tags

Greetings

 

Wondering If I am missing something obvious here so excuse me if that's the case.

 

Is is possible to resctict the scope of a security policy to a device group using tags?

In my dashboard, when I create a security policy, it is applied to all devices...

 

Shoud I use the Security policy mappings setting under System Manager -> ISE settings?

If so, excuse me for my ignorance but I don't understand why this setting falls under the ISE settings, so I haven't tried it yet in fear of messing up something... (we don't use the ISE SCEP Wi-Fi profile feature).

 

Thanks for your help!

Labels:
0 Kudos
1 Accepted Solution
kYutobi
Kind of a big deal
‎Nov 13 2023 9:59 AM
‎Nov 13 2023 9:59 AM

https://documentation.meraki.com/SM/Tags_and_Policies/Security_Policies_in_Systems_Manager

 

Hope this helps. 😀

 

Using Security Policies to Control Profiles

Similar to other types of tags, security policy compliance can be used to dynamically control which client devices will receive a particular profile. Both "Compliant" and "Violating" tags will be available for each configured security policy in the Scope for a given profile.

 

The example image below shows the Scope for a profile containing VPN settings, which should only be pushed to devices with the "vpn" tag and are compliant with the security policy indicated.

 

 

2017-07-20 09_22_06-Apps - Meraki Dashboard.png

Enthusiast

View solution in original post

3 Replies 3
kYutobi
Kind of a big deal
‎Nov 13 2023 9:59 AM
‎Nov 13 2023 9:59 AM

https://documentation.meraki.com/SM/Tags_and_Policies/Security_Policies_in_Systems_Manager

 

Hope this helps. 😀

 

Using Security Policies to Control Profiles

Similar to other types of tags, security policy compliance can be used to dynamically control which client devices will receive a particular profile. Both "Compliant" and "Violating" tags will be available for each configured security policy in the Scope for a given profile.

 

The example image below shows the Scope for a profile containing VPN settings, which should only be pushed to devices with the "vpn" tag and are compliant with the security policy indicated.

 

 

2017-07-20 09_22_06-Apps - Meraki Dashboard.png

Enthusiast
In response to kYutobi
PaulF
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Nov 14 2023 2:47 AM
‎Nov 14 2023 2:47 AM

@kYutobi 's solution is correct. I'll feed back to Product Management that it would be advantageous to scope a security policy to a group of devices. 

 

But, you can, as @kYutobi mentioned, achieve this in a different way, such as:

 

Screenshot 2023-11-14 at 10.45.47.png

 

What is it that you're using the Security Policy for?

0 Kudos
In response to PaulF
Johnny55
Here to help
‎Nov 14 2023 10:30 AM
‎Nov 14 2023 10:30 AM

Profiles and target groups are great, but..
We use security policies to audit device compliance, we don't use them to apply profiles or tags.
So as of right now, we can't restrict the scope of security policies to specific devices.

Thanks for your anwers folks.

0 Kudos
li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.