
Trusted Endpoints - Cisco Meraki Systems Manager Device Deployment

Last Updated: October 15th, 2021

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.

Trusted Endpoints is part of the Duo Beyond plan.

Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate or REST API access for Duo to your managed mobile devices. This guide walks you through Cisco Meraki Systems Manager configuration for iOS and Android mobile devices.

Prerequisites

  • Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
  • Access to the Cisco Meraki Systems Manager Dashboard as an administrator with the rights to create managed apps, app profiles, API keys, and device profiles.

Android Configuration

Duo determines trusted device status on Android devices by leveraging the installed and activated Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your Meraki's API access.

Create the Cisco Meraki Systems Manager Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Add Management Tools Integration" page, locate Cisco Meraki Systems Manager in the listed integrations and click the Add this integration selector.
  4. Choose Android from the "Recommended" options, and then click the Add button.

The new Cisco Meraki Systems Manager integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Meraki management integration page to complete the Android configuration steps.

Configure Android Enterprise Managed Domain

  1. Log on to the Meraki Dashboard as an administrator and navigate to Organization > Configure > MDM.

  2. Scroll down to the "Android Enterprise" section of the "MDM settings" page.

  3. Next to "Start a new enrollment", select Meraki managed deployment as the enroll type and then click the step 1 Get Signup URL button.

  4. The Meraki UI updates step 2 with a link to the Google Play store. Click the Continue to Google to set up Android Enterprise link. If you're prompted to sign in to Google, ensure the email address used is associated with your organization, and not associated with a G Suite domain.

  5. Complete the Google Play for Work registration to return to the Meraki Dashboard. You should see your Google registration account's domain. Click Save.

Add Duo as a Managed App

  1. In the Meraki Dashboard, navigate to Systems Manager > Manage > Apps.

  2. Click the + Add app button on the right.

  3. Click Android to filter to that platform, select the "Play Store app" app type, and click Next.

  4. Search for the Duo Mobile app using the search bar on the "Add new Android app" page. Click the search result for Duo Mobile to select it.

  5. In the options for Duo Mobile, scroll down to the "Approval Status" section and click Approve.

  6. In the "Targets" section of the Duo Mobile app page, change the Scope selection to All devices to apply to all Android devices, or with ANY of the following tags. If you choose the latter, select the Device tags you created to identify Android pilot or test devices.

  7. Scroll down to the bottom of the page and click the Save button.

Add a Duo App Profile for Android Devices

  1. In the Meraki Dashboard, navigate to Systems Manager > Manage > Settings.

  2. Click the + Add Profile button on the right.

  3. On the "Add new profile" dialog, leave Device profile (Default) selected and then click Continue.

  4. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel and copy the Name value shown in the "Add App Profile to Duo" section. Paste this in the Meraki Dashboard as the new profile's Name on the "New profile" page.

  5. In the "Targets" section of the "New profile" page, change the Scope selection to with ANY of the following tags.

  6. Use the Device tags drop-down menu to select Android devices, or you may select a tag you created to identify Android pilot or test devices.

  7. Scroll down to the bottom of the New profile page and click the Save button.

  8. Scroll back to the top of your new Duo Android app profile, and click + Add Settings on the left.

  9. Use the search box to locate the Managed App Config settings payload. Click the Managed App Config tile to begin configuration.

  10. Set the Platform to Android and the App to Duo Mobile.

  11. Once you select the Duo Mobile app, Meraki fetches the app settings.

  12. Click the Add button (+) to add keys to the application.

  13. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel and copy the Trusted Endpoints Configuration Key value. Paste this value in Meraki as the trustedEndpointConfigurationKey for Duo Mobile, with the "Type" as Text.

  14. Set the trustedEndpointIdentifier "Type" as Device: ID.

  15. Click the Save button.

Create the Duo REST API Key

  1. Navigate to Organization > Configure > Settings in the Meraki Dashboard.

  2. Scroll down to the "Dashboard API access" section and, if API access isn't already enabled, check the box next to Enable access to the Cisco Meraki Dashboard API to enable API access.

  3. After enabling Dashboard API access, click the profile link shown right underneath the API access option to go to the "My profile" page.

  4. Scroll down to the "API access" section and click the Generate API key button.

  5. Copy the new API key from the Meraki Dashboard. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel and paste the Meraki API key in the Enter the api details box in the "Create a REST API key" section.

  6. Click the Test Configuration button to verify Duo's API access to your Meraki instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Meraki configuration steps and entered the right information in the Duo Admin Panel.

  7. After you successfully test your configuration, click the Save & Configure button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

iOS Configuration

This integration relies on having the Duo Mobile app present and activated on your Meraki-managed iOS endpoints. When users authenticate to applications protected with Duo's browser-based prompt, Duo matches the device identifiers reported by the Duo Mobile app with managed device information obtained from Meraki in a nightly sync via read-only API access (note this sync can't be manually initiated or rescheduled at this time).

Create the Cisco Meraki with App Config Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Add Management Tools Integration" page, locate Cisco Meraki Systems Manager in the listed integrations and click the Add this integration selector.
  4. Choose iOS from the "Recommended" options, and then click the Add button.

The new Cisco Meraki with App Config integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Cisco Meraki with App Config management integration page to complete the configuration steps.

Configure iOS Enterprise Managed Domain

  1. Log on to the Meraki Dashboard as an administrator and navigate to Organization > Configure > MDM.

  2. Scroll down to the "Apple MDM" section of the "MDM settings" page. If the Apple Certificate is already activated, proceed to the Add Duo as a Managed App section. Otherwise, continue to step 3.

  3. Select Update/renew certificate and download the certificate signing request (CSR) file from Meraki, named Meraki_Apple_CSR.csr.

  4. Visit the Apple Push Certificate Portal and sign in with your Apple ID. Once logged in, select Create a certificate, and upload the Meraki CSR file you downloaded in step 2.

  5. Click Download and ensure the downloaded certificate file's name is MDM_Meraki_Inc._Certificate.pem.

  6. Return to the Apple MDM settings in your Meraki Dashboard. Enter the Apple ID you used to generate the certificate in the field provided, and upload the Meraki .pem certificate file that you downloaded from Apple.

  7. Click Save after uploading the Apple push certificate.

  8. Click Test Certificate to verify the new Apple push certificate.

For more information on Meraki Apple MDM Push Certificates, please refer to the Meraki Documentation for Apple MDM Push Certificates.

Add Duo as a Managed App

  1. In the Meraki Dashboard, navigate to Systems Manager > Manage > Apps.

  2. Click the + Add app button on the right.

  3. Click iOS to filter to that platform, select the "App Store app" app type, and click Next.

  4. Search for the Duo Mobile app using the search bar on the "Add new Android app" page. Click the search result for Duo Mobile to select it.

  5. In the options for Duo Mobile, enable the Keep app up to date and Attempt to manage unmanaged additional options.

    Meraki must manage Duo Mobile for Meraki to push information to the Duo Mobile app. Enabling Attempt to manage unmanaged informs users with Duo Mobile already installed that Meraki will now manage that application.

  6. In the "Targets" section of the Duo Mobile app page, change the Scope selection to All devices to apply to all iOS devices, or with ANY of the following tags. If you choose the latter, select the Device tags you created to identify iOS pilot or test devices.

  7. Scroll down to the bottom of the page and click the Save button.

Add a Duo App Profile for iOS Devices

  1. In the Meraki Dashboard, navigate to Systems Manager > Manage > Settings.

  2. Click the + Add Profile button on the right.

  3. On the "Add new profile" dialog, leave Device profile (Default) selected and then click Continue.

  4. Return to your Cisco Meraki with App Config management integration page in the Duo Admin Panel and copy the Name value shown in the "Add App Profile to Duo" section. Paste this in the Meraki Dashboard as the new profile's Name on the "New profile" page.

  5. In the "Targets" section of the "New profile" page, change the Scope selection to with ANY of the following tags.

  6. Use the Device tags drop-down menu to select iOS devices, or you may select a tag you created to identify iOS pilot or test devices.

  7. Scroll down to the bottom of the New profile page and click the Save button.

  8. Scroll back to the top of your new Duo iOS app profile, and click + Add Settings on the left.

  9. Use the search box to locate the Managed App Config settings payload. Click the Managed App Config tile to begin configuration.

  10. Set the Platform to iOS and the App to Duo Mobile.

  11. Once you select the Duo Mobile app, Meraki fetches the app settings.

  12. Click the Add button (+) to add keys to the application.

  13. Return to your Cisco Meraki with App Config management integration page in the Duo Admin Panel and copy the Trusted Endpoints Configuration Key value. Paste this value in Meraki as the trustedEndpointConfigurationKey for Duo Mobile, with the "Type" as Text.

  14. Set the trustedEndpointIdentifier "Type" as Device: ID.

  15. Click the Save button.

Create the Duo REST API Key

  1. Navigate to Organization > Configure > Settings in the Meraki Dashboard.

  2. Scroll down to the "Dashboard API access" section and, if API access isn't already enabled, check the box next to Enable access to the Cisco Meraki Dashboard API to enable API access.

  3. After enabling Dashboard API access, click the profile link shown right underneath the API access option to go to the "My profile" page.

  4. Scroll down to the "API access" section and click the Generate API key button.

  5. Copy the new API key from the Meraki Dashboard. Return to your Cisco Meraki with App Config management integration page in the Duo Admin Panel and paste the Meraki API key in the Enter the api details box in the "Create a REST API key" section.

  6. Click the Test Configuration button to verify Duo's API access to your Meraki instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Meraki configuration steps and entered the right information in the Duo Admin Panel.

  7. After you successfully test your configuration, click the Save & Configure button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

iOS Certificate Configuration

New Meraki certificate deployment management integrations may no longer be created as of October 2021. Consider migrating your certificate-based iOS Cisco Meraki integration to Cisco Meraki with App Config.

These instructions remain available for customers who created these integrations before October 2021 and may need to reconfigure them. Duo continues to support existing Cisco Meraki iOS certificate deployments and will do so until the integration reaches end-of-life status, planned for the second half of 2022.

Duo verifies the trusted status of iOS devices by checking for the presence of a Duo device certificate. You'll use Meraki Systems Manager to push the Duo CA information to your mobile devices so they can obtain a Duo certificate.

Create the Cisco Meraki Systems Manager Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Add Management Tools Integration" page, locate Cisco Meraki Systems Manager in the listed integrations and click the Add this integration selector.
  4. Choose Certs for iOS from the "Legacy" options, and then click the Add button.

The new Cisco Meraki Systems Manager integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Meraki management integration page to complete the iOS configuration steps.

Configure the Duo Trusted Endpoints SCEP Credentials

  1. Log on to the Meraki Dashboard as an administrator and navigate to Systems Manager > Configure > General.

  2. Scroll down through the "Network administration" options to find the Duo Trusted Endpoints setting.

  3. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel.

  4. Copy the "Username" value from the "Add SCEP Credentials to Meraki" section on the iOS tab of your Meraki management integration (it will be similar to DUOPKI\p7oo8ld1a9d9ma8n). Paste this into the Meraki Dashboard as the Duo SCEP username value.

  5. Next, copy the "Password" value from the Duo Meraki management integration and paste this into the Meraki Dashboard as the Duo SCEP password value.

  6. Click Verify and then scroll down to the bottom of the page and click Save Changes.

Add a Duo SCEP Profile for iOS Devices

  1. In the Meraki Dashboard, navigate to Systems Manager > Manage > Settings.

  2. Click the + Add Profile button on the right.

  3. On the "Add new profile" dialog, leave Device profile (Default) selected and then click Continue.

  4. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel and copy the Name value shown in the "Add a SCEP Profile to iOS Devices" section. Paste this in the Meraki Dashboard as the new profile's Name on the "New profile" page.

  5. Copy the text SCEP profile for issuing Duo trusted endpoint certificates to iOS devices from the Duo Admin Panel and paste on the "New profile" page as the Description.

  6. In the "Targets" section of the "New profile" page, change the Scope selection to with ANY of the following tags.

  7. Use the Device tags drop-down menu to select iOS devices, or you may select a tag you created to identify iOS pilot or test devices.

  8. Scroll down to the bottom of the New profile page and click the Save button.

  9. Scroll back to the top of your new Duo iOS profile, and click + Add Settings on the left.

  10. Use the search box to locate the SCEP Certificate settings payload. Click the SCEP Certificates tile to begin configuration.

  11. Enter the SCEP Certificate information as follows (copy the values from the Duo Admin Panel as needed):

    Name: Enter Duo Scep Cert.

    Subject Name: Enter CN = $SM Device ID.

    Key size: Select 2048.

    Key usage: Leave both Signing and Encryption selected.

    CA Provider: Select Duo PKI from the drop-down menu.

  12. Click the Save button at the bottom of the page.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Finish Trusted Endpoints Deployment

Once your Meraki managed devices receive the Duo config you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the Meraki trusted endpoint management integration in the Admin Panel. The "Change Integration Status" section of the page shows the current integration status (disabled by default after creation). You can choose to either activate this management integration only for members of a specified test group or groups, or activate for all users. If you created more than one Cisco Meraki management integration, you must activate each one individually.

Enable Trusted Endpoints Management Integration

The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed.

Verify Your Setup

Users see a device trust dialog on their iOS and Android devices when authenticating to a protected resource via the Duo Prompt.

iOS Trusted Endpoint Inline Verification - Step 1

Duo uses the API access you granted in Meraki to perform a permissions check to verify device information.

iOS Trusted Endpoint Verification - Step 2

If Duo successfully verifies the device information using the Meraki API access, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone.

iOS Trusted Endpoint Verification - Step 3

On Android devices, approving the request grants access and returns the user to the protected application. On iOS devices, after approving the Duo authentication request users tap the top-left of the Duo Mobile app to return to the application and complete login. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.

iOS Trusted Endpoint Verification - Step 4

If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA.
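The following is an added illustrative model, not Duo's or Meraki's code, of the trust decision the sections above describe: the identifier Duo Mobile reports (the trustedEndpointIdentifier pushed via Managed App Config) is matched against the managed-device list Duo pulls from Meraki in its nightly read-only sync, the integration only applies when it is activated for all users or for a member of a test group, and a trusted device with Duo Push activated gets the inline "Duo Mobile Inline Auth" request while everything else falls back to the Duo Prompt. The device identifiers, group names and sync timestamp are constructed sample data; the `monitor`/`require` policy names, the `Integration` and `Authentication` types and the `evaluate` function are this example's own assumptions, not Duo identifiers.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional

# Constructed sample of what Duo's nightly read-only sync from the Meraki
# Dashboard API could hold: when it ran and which managed devices it listed.
# All identifiers here are made up for the example.
LAST_SYNC = {
    "synced_at": datetime(2021, 10, 14, 2, 0, tzinfo=timezone.utc),
    "managed_device_ids": frozenset({"SM-IOS-0001", "SM-ANDROID-0002"}),
}


@dataclass(frozen=True)
class Integration:
    """State of the 'Change Integration Status' section for one integration."""
    enabled: bool = False
    test_groups: FrozenSet[str] = frozenset()  # empty = activated for all users


@dataclass(frozen=True)
class Authentication:
    """One authentication in the Duo Prompt from a mobile device."""
    username: str
    groups: FrozenSet[str]
    push_activated: bool               # Duo Mobile activated for Duo Push
    reported_device_id: Optional[str]  # trustedEndpointIdentifier from Duo Mobile
    approves_push: bool = True         # user approves before the request times out


def integration_applies(integration: Integration, auth: Authentication) -> bool:
    """A disabled integration applies to nobody; an enabled one applies to
    everyone, or only to members of the configured test group(s)."""
    if not integration.enabled:
        return False
    if not integration.test_groups:
        return True
    return bool(integration.test_groups & auth.groups)


def device_is_managed(auth: Authentication, sync=LAST_SYNC) -> bool:
    """Managed only if Duo Mobile reports an ID present in the last sync.
    A device enrolled in Meraki after that sync stays unmanaged in Duo's
    view until the next nightly sync, since the sync cannot be forced."""
    return auth.reported_device_id in sync["managed_device_ids"]


def evaluate(policy: str, integration: Integration, auth: Authentication,
             sync=LAST_SYNC) -> dict:
    """policy is 'monitor' (record status, allow everything) or 'require'
    (block access from devices that are not managed)."""
    if policy not in ("monitor", "require"):
        raise ValueError("policy must be 'monitor' or 'require'")
    trusted = integration_applies(integration, auth) and device_is_managed(auth, sync)
    if policy == "require" and not trusted:
        # This is also what happens if the integration is deleted or left
        # disabled while a 'require' policy stays assigned to applications.
        return {"trusted": False, "access": "blocked", "second_factor": None}
    if trusted and auth.push_activated and auth.approves_push:
        factor = "Duo Mobile Inline Auth"   # inline push to the same phone
    else:
        factor = "Duo Prompt"               # user picks a factor in the prompt
    return {"trusted": trusted, "access": "allowed", "second_factor": factor}


if __name__ == "__main__":
    live = Integration(enabled=True)
    pilot_only = Integration(enabled=True, test_groups=frozenset({"pilot"}))
    alice = Authentication("alice", frozenset({"staff"}), True, "SM-IOS-0001")
    newly_enrolled = Authentication("bob", frozenset(), True, "SM-IOS-0003")
    for label, policy, integ, auth in [
        ("managed, push on", "require", live, alice),
        ("enrolled after last sync", "require", live, newly_enrolled),
        ("not in pilot group", "require", pilot_only, alice),
        ("monitor only", "monitor", Integration(), alice),
    ]:
        print(f"{label:28} -> {evaluate(policy, integ, auth)}")
```

The second case is the one that generates support tickets after rollout: a phone enrolled this afternoon is blocked by a `require` policy until the next nightly sync lists it, which is why the page recommends activating the integration for a test group first.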

With the legacy iOS certificate configuration, iOS users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.

Removing the Meraki Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Meraki integration from "Trusted Endpoints Configuration".

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.