Using Tags in Systems Manager

App white/blacklisting in security policies

Security Policies in Systems Manager

Tags Management Page for Systems Manager

HomeEndpoint ManagementTags and PoliciesUsing Tags in Systems Manager

Applying Tags with the Tags Management Page

Applying Tags without the Tags Management Page

Tags are powerful tools used to apply profiles, deploy apps, and organizegroupsof client devices together. This article will cover the types of tags available, and to how to add and remove them in Systems Manager.

Before creating and applying tags, its important to understand the different types of tags available.

For more information on the different types of tags in systems manager, refer tothis article.

Tags can now be applied simply from the Tags Management page.The Tags Management page allows Dashboard admins to holistically create, manage, and delete all their Systems Manager tags on one page. For more information on the Tags Management page, refer tothis article.

Tags manually created in Dashboard can be structured or named however your organization sees fit for your deployment model. Recall, these tags are used to map devices to applications andprofiles, so create tags that makes sense for how devices will be differentiated.

As an example, a business with multiple offices may want to tag devices HQ or san_francisco if different office locations receive different settings. A school may want to tag devices by grade level, or by subject topic if first_grade devices receivea different set of apps from second_grade. For more considerations, see ourdeployment guides.

The interface for adding or removing manual tags is the same forclients, owners, and geofences. Begin by navigating to the correct configuration pane from the lefhand Systems manager menu.

Note: Admin generated tags cannot contain spaces. E.g. example tag is not acceptable and would be treated as two separate tags, while example_tag would be treated as a single tag.

In all of the above pages, tags can be edited on multiple items at once.

In the box that appears, options will be available to add or remove tags.

Select the tag from the list suggested. Begin typing to locate a tag within the list.

Once selected, the tag will appear in the

Repeat steps 1-3 as needed. Then click

Note: Tags will continue to be listed as an option for addition until they are no longer in use anywhere.

Tags can also be removed on an individual basis by selecting a particular client, geofence, or owner.

As an example, instructions on modifying tags for a specific client are listed below:

To add an existing tag, select it from the list.

Which devices should receive a profile is controlled by theScopeof the profile, andtagsassociated with a device. From theSystems Manager Manage Profilespage, select the desired profile. Use theScopesection to indicate what the criteria are for receiving a profile. For more information on configuring the scope of a profile, refer to thearticle on using tags. Once configured, devices that are within scope will automatically receive the profile. If they are removed from the scope, the profile will automatically be removed.

For info on unscoping or removing profiles and apps, seethis article.

This example will quickly cover applying a basic profile to a device with a manual tag. This is how an administrator would manually designate devices that should receive settings.

Start by creating a profile and scoping it.

Tag the desired devices. In this case, manual tags are being used, butvarious optionsare available to dynamically tag devices based on different criteria.

Click the checkbox next to the desired client(s).

the desired tag. Detailed steps can be this case, the tag example_tag created earlier is used.

Once a device is in scope, the device must check-in before the settings can be applied. This may take a few minutes to occur, and requires that iOS devices be unlocked. To confirm if the profile was pushed to the device:

After you specify a scope to apply your profile or app, the bottom of the page will update to reflect which devices are in scopehave the profile/app either installed (or removed, if you are unscoping). In the below example, all 10 enrolled devices in Systems Manager will install the profile because the scope was set to All devices.

Note: Apps/profiles only be pushed to supported devices, even if an unsupported devices is within scope. For example, an iOS app will only install on iOS devices, even if the scope is set to All devices.

This example will illustrate how settings can be dynamically applied to a device based on more complex criteria. In this case, devices should only receive VPN access if they are considered secure.

Start byconfiguring a security policy. In this case, the policy is designed to confirm that devices have various security measures enabled.

Next, create a profile that is dynamically pushed to only devices which are compliant with the security policy.

Note: Multiple tags can be combined in various combinations, as discussed in thetags article. This can allow different sets of criteria to all be required in order for profiles to be applied to clients.

Then configure the policy with the desired settings. In this case, it contains VPN settings for connecting to the corporate network.

Once a device is in scope, the device must check-in before the settings can be applied. This may take a few minutes to occur, and requires that iOS devices be unlocked. To confirm if the profile was pushed to the device:

Since a security policy was configured, compliance for individual devices can be seen under theSecuritysection of the client details page. If a device isnt compliant, the profile will be removed automatically when the device next checks in. For more information, read the section onchecking device compliance in the security policies article.

Or using the appropriate columns in the clients list.

Scopingcombines a logic operator with your organizations tags to help you narrow down the set of devices that will receive apps/profiles.

All devices- The setting/feature will be applied to all supported devices.

with ANY of the following tags- Requires at least one tag. Supported devices matching 1 or more of the tags listed will receive the feature/setting. If 3 tags are defined, clients with 1 or more of those tags will receive the feature/setting.

with ALL of the following tags- Requires at least one tag. Supported devices matching all of the tags listed will receive the feature/setting. If 3 tags are defined, clients with all 3 tags will receive the feature/setting.

WITHOUT ANY of the following tags- Requires at least one tag. Supported devices that do not have any one or more of the tags listed will receive the feature/setting. If 3 tags are defined, clients that have 2 or less of them will receive the feature/setting.

WITHOUT ALL of the following tags- Requires at least one tag. Supported devices that do not have any of the tags listed will receive the feature/setting. If 3 tags are defined, clients that have 0 of them will receive the feature/setting.

At any time, the tags currently active on a device can be seen by navigating to theMonitor Clientspage and clicking on the client in question.

Manual tags will appear under theClient detailssection asTags. Click any of these tags to get a list of clients with that tag.

Schedule and device tags will appear under theClient detailssection asAuto tags.

Geofencing and security policy tags will appear underSecurityas their own respective fields.

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.