Overview

Deploying point of sale (POS) software such as Upserve Breadcrumb POS, Revel Systems POS, Toast POS, or Cloudifi Kounta across geographically dispersed organizations can be challenging. With the increasing focus on app-based POS systems, businesses are able to support multiple platforms such as Windows, iOS, Android, and Chrome. Securing these devices is extremely important in order to protect company assets. Using Meraki Systems Manager is key to a seamless deployment of an enterprise mobility solution. Systems Manager allows for remote provisioning, monitoring, and securing of devices.

Getting Started

Creating an EMM Network

Before you can begin, be sure to login to your existing dashboard account. Once you’re signed in, navigate on the lefthand bar to Organization > Configure > Create network to create an EMM network. You can enroll all devices into a single network, or use multiple networks to organize your devices more granularly. If you have multiple EMM networks within your organization, you can easily move devices between them without needing to re-enroll them.

Device Enrollment

Systems Manager provides device enrollment through an agent installation and/or management profile for all major OS platforms. Most devices simply enroll with a management profile, but Windows and Macs can unlock additional management functionality with an agent install as well. 

Windows 

There are two methods for Windows installation: Agent or Profile. Either one can be used for enrollment, but since each enables a different subset of features, both should be utilized when possible to access all available MDM features.

Profile installation is only supported on Windows 10 and Windows 10 Mobile, and only on non-Legacy Systems Manager accounts. Other Windows desktop versions and Legacy customers will need to use the agent installation.

Agent Installation

It is important to note that an agent installer package is network specific, meaning you must use an install package downloaded directly from the Systems Manager network from which you wish to manage your clients. In addition, Systems Manager software must be installed with local administrator privileges as applicable by the device type.

  • Navigate to Systems Manager > Add devices > Windows.
  • Click the Download button. MerakiPCCAgent.msi should begin downloading. Note that this installer will enroll devices into the Systems Manager network it was downloaded from.
  • After the installer finishes downloading, double-click MerakiPCCAgent.msi and click Run when prompted.
  • Accept the Licensing Agreement and click Install.
  • Once the Systems Manager Agent has finished installing, your Windows device will show up under Systems Manager > Monitor > Clients in Dashboard as soon as it has an Internet connection.
You can also use methods like Systems Manager Sentry or Active Directory Group Policy Objects to install the agent en masse.

Profile Installation
  • Navigate to Systems Manager > Add devices > Windows.
  • From the device, open: m.meraki.com
    • For MDM, click the link to open the Work access settings page.
    • Otherwise, enter your network ID, where XXX-XXX-XXXX is the network-specific ID.
    • For the agent, click the link to download the Systems Manager Agent and install the downloaded executable.
  • Click Connect on mobile, or on native Windows 10 click ‘Enroll into device management’ or ‘Enroll only in device management’.
  • Enter your email address, click Connect or Continue.
  • In the Server box, enter your server URL (check your browser URL while signed into Dashboard, e.g. n7.meraki.com), and click Connect or Continue.
  • Enter your network ID, where XXX-XXX-XXXX is the network-specific ID.
  • Click Register.
  • The device will automatically synchronize with the Meraki Cloud and appear in the client list.

macOS

There are two methods for Mac enrollment: Agent or Profile. Either one can be used for enrollment, but since each enables a different subset of features, both should be utilized when possible to access all available MDM features.

Agent Installation
  • Navigate to Systems Manager > Add devices > macOS
  • Click the Download button. An agent, “MerakiPCCAgent.pkg” will download. Note that this installer will enroll devices into the Systems Manager network it was downloaded from.
  • After the download is complete, double-click MerakiPCCAgent.pkg.
  • When the installer begins, click Continue.
  • Read the Software License and click Continue.
  • Click Agree to accept if prompted.
  • Click Install to perform a standard installation.
  • Once the installation has finished, your Mac device will show up under Systems Manager > Clients in Dashboard as soon as it has an Internet connection.

Profile Installation
  • Navigate to Systems Manager > Add devices > macOS
  • From the device, open m.meraki.com
  • Enter your network ID, where XXX-XXX-XXXX is the network-specific ID.
  • Press Register.
    • If using SM Enrollment Authentication then follow the prompts accordingly. For more information view the Enrollment Authentication article here.
  • In the profile that appears, press Install, then Install again to confirm.

iOS

When enrolling iOS devices, it is important to distinguish between supervised and unsupervised MDM enrollment. The below steps cover basic manual unsupervised enrollment, but please see the full iOS Enrollment article for info on bulk enrollment via the Device Enrollment Program (DEP), Apple Configurator, email, or SMS.

To manually enroll a device without supervising it, navigate to Systems Manager > Add devices > iOS in Dashboard and follow the below steps.

  • From the device’s browser, open: m.meraki.com
  • Enter your ten-digit Network ID found in Dashboard: XXX-XXX-XXX
  • Press register
  • In the profile that appears, press ‘install’, then ‘install’ again to confirm.
  • Click install, yet again, then confirm that you trust the enrollment.

Android

There are a few ways of enrolling Android devices – the below instructions cover normal BYOD enrollments, but for more info on device owner mode or KNOX enrollment and the differences between them, see the Android Enrollment article.

  • Navigate to Systems Manager > Add devices > Android and select the Android version for the devices you’ll be enrolling.
  • Follow the instructions based on your enrollment method: KNOX, work profile, or device owner mode.
  • For a QR code-based deployment, please scan the code listed on the current page
  • For a web-based deployment, follow these instructions:
    • From the device’s browser, open: m.meraki.com
    • Enter your ten-digit Network ID found in Dashboard: XXX-XXX-XXX
    • Press register
    • The Android Systems Manager app will install and enroll. If using a work profile, the app will prompt to set up an encrypted work container, install Systems Manager into the container, and uninstall the original app.

Chrome OS

See full instructions for enrolling Chromebooks in this documentation article.

  • Navigate to Organization > MDM > Chrome OS Device Management.
  • All Chrome OS devices that you want to manage must be enrolled with Google. More information here.
  • In the Google Admin console, enable API access to allow Cisco Meraki to retrieve information about your managed Chrome OS devices.
  • You can find the setting to enable API access in ‘Admin console’ > ‘Security’ > ‘API reference’ > ‘API access’. More details here.

SM Sentry Enrollment SSID

You can also use SM Sentry to force iOS, Android, Windows, and Mac devices to enroll in Systems Manager for an efficient mass deployment or BYOD. When enabled on a given SSID for a Cisco Meraki wireless AP, Sentry facilitates the secure and rapid onboarding and deployment of SM to mobile devices. For more information on Systems Manager Sentry enrollment, please visit the following page.

Automatic Network Discovery Enrollment

If your client devices are associated with a Meraki wireless network, you have the option to immediately enroll to a Systems Manager network within the same Organization when enrolling through the Android or iOS app. To disable this feature, please see Systems Manager > Configure > General.

App Deployment

Organizations have two options for app deployment:

  1. Store app deployment: deploying apps from Google Play or Apple App store
  2. Custom app deployment: proprietary apps deployed internally within an organization

Store App Deployment

Navigate to MDM > Apps, select ‘Add new’ at the top right of the page, and choose iOS or Android app.

Search for your application, and click the app entry found to enter the app configuration page.

Configuring Apps 

After adding an app, you’ll see an interface similar to the below. Note that Android apps may show slightly different options until changes are saved.

Scope  

By default, this app will be pushed down to all devices of the matching operating system, but this can be narrowed down by tag. See tag scoping for more info.

Installing Applications on Devices

Using Systems Manager, suites of applications can very easily be deployed to end user devices.

The following instructions outline how to deploy a new application, as well as overview additional installation options:

  1. Navigate to Systems Manager > MDM > Apps
  2. Click on the “Add new” dropdown and select either Windows or macOS Custom app:
  3. Once an OS Custom app is selected, fill in the following information about the application:
    • Application name: The name of the application as it will appear on the end device (e.g. Firefox, FileZilla, etc). If the application is already installed on managed clients, it will be listed in the drop-down menu. This name can be changed at any time.
    • Vendor: The vendor of the specified application.
    • Version: The version number of the application to be installed.
    • Description: A brief description of the application.
    • Install file host: This option denotes whether the application’s installer will be hosted in Dashboard, or on an external server (e.g. Dropbox).
      • Upload to the Meraki Cloud: Select this option and click Browse to upload the installer file directly to Dashboard. Please note that Dashboard can only host up to 3GB of installer files.
      • Specify a URL: Select this option if the installer file is hosted on an external server or file share site, and specify the URL for the hosted file. The URL field must point to the direct download link to a publicly hosted file such as the following, or an internally hosted server accessible by the end user’s device.

The installer must be silent (require no user interaction) in order for the application to install correctly in the background. Windows applications can be installed in the foreground in order to prompt user interaction.

Note: The following installer file types are supported:
-Windows: .exe or .msi
-macOS: .dmg, .pkg*, or .app*.

*A .pkg or .app file can be used, but it must be wrapped in a .dmg. Please refer to Apple’s documentation for their recommended steps.

  • Scope: Specifies a scope of devices that will have this application installed. Please refer to our documentation for more information on scoping by device tag.
  • Disable install on save: By default, the application will be auto-installed the moment the Save button is clicked. If auto-install is disabled, the application won’t be installed until it’s manually pushed by navigating to Systems manager > MDM > Apps, and selecting Push > Push to all. Dashboard users can manually queue install requests via the device page, or by pressing the Repush buttons on this page.
  • Install in foreground (Windows-only): Allow the installer to show user prompts, instead of silently installing in the background.
  • Installation arguments (optional): If the installer must be run with specific command line arguments, they can be listed here.
    The following list shows the actual install command run on the end device, where [arguments] refers to the contents of the Installation arguments field in Dashboard:

    • EXE: application_installer.exe [arguments]
    • MSI: msiexec /quiet /i application_installer.msi [arguments]
    • PKG: /usr/sbin/installer [arguments] -pkg application_installer.pkg -target /
  • Command line (optional): Specifies a command to run after installation has completed. This is commonly used to reboot the machine after installation, using the following commands:
    • Windows: shutdown /r
    • OS X: shutdown -r now

  4. Click Save Changes. Unless auto-install is disabled, this will push out the application to all devices within the specified scope.

Creating Security Policies for Corporate Owned Assets

  1. Navigate to Systems manager > Configure > Policies.
  2. Click Add new along the right side of the page.
  3. Enter a Security policy name that describes its intended use or purpose.
    Note: The name can only contain letters, numbers, dashes, underscores, and periods, and must not be blank.
  4. Select any of the traits that should be used to determine device compliance. See below for an example.
  5. Click Save Changes.


If additional policies need to be configured, click Back to list and repeat from Step 2.

Geofencing

Based on the use of the device, administrators have the option to enable geofencing limiting the device to a storefront.  Multiple geofencing rules can exist, with each potentially covering multiple physical areas. This allows administrators to limit the scope of different sets of devices to different physical locations.

  1. Navigate to Configure > Geofencing.
  2. Click Add new in the upper right corner.
  3. Enter a Name for this geofence.
  4. Select a Scope for which devices this geofence should apply to, based on tags.
  5. Select a Grace period which determines how long a device can be outside of the defined area before an alert is generated.
  6. Click Add a new area.
  7. Click the Geocode button under Find by address.
  8. In the box that appears, search for the address or location the geofence should cover, then click Submit.
  9. A geofence boundary indicator, shown as a semi-transparent blue circle, will appear centered at the location provided. Click and drag the center indicator to move the boundary, and use the scale indicator to control the size of the boundary, until it covers the desired area.
  10. Update the Description field for the row with a friendly name of the boundary, such as a building or campus name.
  11. If additional geofence boundaries are desired for this scope of devices, repeat steps 6-10 as needed.
  12. When done, click Save Changes.
  13. If additional geofences need to be configured with different scopes, click Back to list and repeat steps 2-12 as needed.
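The rule model described in steps 3 to 11 (one geofence with a tag scope and a grace period, covering several circular areas) can be evaluated offline against a device's location reports. The following is an added example written for this article, not code from Meraki or from Systems Manager; the coordinates, tags and timestamps are constructed sample data, and the alert fires only once a device has been continuously outside every area of an in-scope rule for at least the grace period.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
EARTH_RADIUS_M = 6_371_000.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

@dataclass
class Area:            # one circle from step 9: centre point plus radius
    description: str
    lat: float
    lon: float
    radius_m: float

@dataclass
class Geofence:        # one rule from steps 3-5: name, tag scope, grace period, areas
    name: str
    scope_tags: set
    grace: timedelta
    areas: list

def inside(fence, lat, lon):
    # A device is inside a geofence when it is within any one of its areas.
    return any(haversine_m(lat, lon, a.lat, a.lon) <= a.radius_m for a in fence.areas)

def evaluate(fences, device_tags, fixes):
    """fixes: (timestamp, lat, lon) location reports, oldest first. Returns the names of
    in-scope geofences the device has been outside for at least the grace period."""
    alerts = []
    for f in fences:
        if not (f.scope_tags & device_tags):
            continue                      # tag scoping: this rule does not apply
        outside_since = None
        for ts, lat, lon in fixes:
            if inside(f, lat, lon):
                outside_since = None      # back inside: the grace clock resets
            elif outside_since is None:
                outside_since = ts
        if outside_since is not None and fixes[-1][0] - outside_since >= f.grace:
            alerts.append(f.name)
    return alerts

# Constructed sample: one rule with two areas, scoped to the POS tag, 30 minute grace.
T0 = datetime(2024, 1, 1, 9, 0)
STORE_FENCE = Geofence("Store POS devices", {"POS"}, timedelta(minutes=30), [
    Area("Main St store", 37.4220, -122.0841, 150.0),
    Area("Warehouse", 37.4300, -122.0900, 200.0)])
SAMPLE_FIXES = [
    (T0, 37.4221, -122.0840),                            # inside the store
    (T0 + timedelta(minutes=20), 37.4500, -122.1500),    # left every area
    (T0 + timedelta(minutes=60), 37.4500, -122.1500)]    # still out after 40 min
```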

Device Profile and Configuration Settings

Device Profiles are a container of settings for devices enrolled in Systems Manager. An administrator can choose to create profiles based on the device use case. For example, the administrator for a major retailer created three profiles for device usage in store.

  1. Point of sale device profile: This will be a device used strictly for accepting payment from patrons. No additional apps are allowed to be installed on this device.
  2. Customer kiosk device profile: This device will be customer facing. The company website is the only allowed site and will be deployed on the device. There is no access to the App Store or to competitor sites, and content will need to stay family friendly.
  3. Employee device profile: This device will be used by employees in-store. It is used primarily to support day-to-day store operations, but will have the ability to complete POS transactions and assist customers during peak hours.

The following profile examples will be created on iOS; however, they can apply to most major mobile platforms.

Creating Profiles

On the left-hand menu in Dashboard, navigate to Systems manager > MDM > Settings. Click the ‘+’ icon to create a new profile, or on the drop-down bar to see your existing profiles.

There are a few different options for creating a new profile:

  • New Meraki managed profile: The most common type of profile – these profiles allow you to configure and push down all configuration settings available through Systems Manager.
  • Apple User Scoped: User-scoped profiles are used only for shared iPad configurations for Apple School Manager. These profiles contain fewer settings, specifically for iOS, but allow you to associate those settings to a particular managed Apple ID when scoped with user tags.
  • Custom Apple profile: Custom .mobileconfig profiles generated from Apple Configurator or Profile Manager can also be distributed and installed through Systems Manager, though the settings cannot be edited from the Meraki Dashboard. See this article for more information.
  • Copy another profile: Allows you to clone settings from an existing Meraki configuration profile in any of your organization’s Systems Manager networks into a new profile.

Point of Sale

Based on the administrators’ technical requirements, a device profile named “POS Devices” is created for new devices.

Based on the profile created above, all devices with the device tag “POS” receive the following configuration settings:

The device will now only allow access to the single app deployed.

Customer Kiosk

Based on the administrators’ technical requirements, a device profile named “Customer Kiosk” is created for new devices.

Based on the profile created above, all devices with the device tag “Kiosk” receive the following configuration settings:

Note that web content filters are enabled in the configuration settings, restricting access to the competitor websites.

Employee Devices (Corporate owned assets)

Based on the administrators’ technical requirements, a device profile named “Employee” is created for new devices.

Based on the profile created above, all devices with the device tag “employee” receive the following configuration settings:

The configuration settings restrict this device to two permitted apps.
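The three profiles above (a single-app POS profile, a kiosk profile with a web content filter, and an employee profile limited to two apps) are each scoped by a device tag. The following added example, written for this article and not code from Meraki or Systems Manager, models that tag scoping and audits a device's reported app list and browsing history against every profile scoped to it; the bundle ids and host names are constructed placeholders, since the article's actual profile settings are only shown in its screenshots.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    name: str
    scope_tags: frozenset          # pushed to devices carrying any of these tags
    allowed_apps: frozenset        # app bundle ids the device may run
    single_app_mode: bool = False  # lock the device to its one allowed app (POS case)
    blocked_hosts: tuple = ()      # web content filter: host names to block (kiosk case)

# Constructed stand-ins for the three profiles; bundle ids and host names are
# placeholders, not settings taken from the original article.
PROFILES = (
    Profile("POS Devices", frozenset({"POS"}), frozenset({"com.example.pos"}),
            single_app_mode=True),
    Profile("Customer Kiosk", frozenset({"Kiosk"}), frozenset({"com.example.kioskbrowser"}),
            blocked_hosts=("competitor-a.example", "competitor-b.example")),
    Profile("Employee", frozenset({"employee"}),
            frozenset({"com.example.pos", "com.example.inventory"})),
)

def profiles_for(device_tags):
    """Tag scoping: a profile lands on every device carrying any tag in its scope."""
    return [p for p in PROFILES if p.scope_tags & frozenset(device_tags)]

def host_blocked(host, blocked_hosts):
    """Match the host itself or any subdomain of a blocked host name."""
    return any(host == b or host.endswith("." + b) for b in blocked_hosts)

def audit_device(device_tags, installed_apps, visited_hosts=()):
    """Report where a device's reported state deviates from each profile scoped
    to it: apps outside the allow-list and browsing to filtered hosts."""
    findings = []
    for p in profiles_for(device_tags):
        if p.single_app_mode and len(p.allowed_apps) != 1:
            findings.append(f"{p.name}: single app mode needs exactly one allowed app")
        for app in sorted(frozenset(installed_apps) - p.allowed_apps):
            findings.append(f"{p.name}: app outside allow-list: {app}")
        for host in visited_hosts:
            if host_blocked(host, p.blocked_hosts):
                findings.append(f"{p.name}: filtered host reached: {host}")
    return findings
```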

Conclusion

Incorporating Systems Manager into your Meraki organization can add security for mobile devices in the field. Remote management and deployment give administrators the ability to further comply with PCI DSS as well as to protect company-owned assets.