Skip navigation
Documentation

Trusted Endpoints - Cisco Meraki Systems Manager Device Deployment

Last Updated: July 7th, 2020

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.

Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate or REST API access for Duo to your managed mobile devices. This guide walks you through Cisco Meraki Systems Manager configuration for iOS and Android mobile devices.

Prerequisites

  • Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
  • Access to the Cisco Meraki Systems Manager Dashboard as an administrator with the rights to create managed apps, app profiles, API keys, and device profiles.

Create the Cisco Meraki Systems Manager Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints Configuration.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Select Management Tools Integration" page, locate Cisco Meraki Systems Manager in the listed integrations and click the Select this integration link to the right.

The new Cisco Meraki Systems Manager integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Meraki management integration page to complete the Android and/or iOS configuration steps.

iOS Configuration

Duo verifies the trusted status of iOS devices by checking for the presence of a Duo device certificate. You'll use Meraki Systems Manager to push the Duo CA information to your mobile devices so they can obtain a Duo certificate.

Configure the Duo Trusted Endpoints SCEP Credentials

  1. Log on to the Meraki Dashboard as an administrator and navigate to Systems ManagerConfigureGeneral.

  2. Scroll down through the "Network administration" options to find the Duo Trusted Endpoints setting.

  3. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel.

  4. Copy the "Username" value from the "Add SCEP Credentials to Meraki" section on the iOS tab of your Meraki management integration (it will be similar to DUOPKI\p7oo8ld1a9d9ma8n). Paste this into the Meraki Dashboard as the Duo SCEP username value.

  5. Next, copy the "Password" value from the Duo Meraki management integration and paste this into the Meraki Dashboard as the Duo SCEP password value.

  6. Click Verify and then scroll down to the bottom of the page and click Save Changes.

Add a Duo SCEP Profile for iOS Devices

  1. In the Meraki Dashboard, navigate to Systems ManagerManageSettings.

  2. Click the + Add Profile button on the right.

  3. On the "Add new profile" dialog, leave Device profile (Default) selected and then click Continue.

  4. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel and copy the Name value shown in the "Add a SCEP Profile to iOS Devices" section. Paste this in the Meraki Dashboard as the new profile's Name on the "New profile" page.

  5. Copy the text SCEP profile for issuing Duo trusted endpoint certificates to iOS devices from the Duo Admin Panel and paste on the "New profile" page as the Description.

  6. In the "Targets" section of the "New profile" page, change the Scope selection to with ANY of the following tags.

  7. Use the Device tags drop-down menu to select iOS devices, or you may select a tag you created to identify iOS pilot or test devices.

  8. Scroll down to the bottom of the New profile page and click the Save button.

  9. Scroll back to the top of your new Duo iOS profile, and click + Add Settings on the left.

  10. Use the search box to locate the SCEP Certificate settings payload. Click the SCEP Certificates tile to begin configuration.

  11. Enter the SCEP Certificate information as follows (copy the values from the Duo Admin Panel as needed):

    Name

    Enter Duo Scep Cert.

    Subject Name

    Enter CN = $SM Device ID.

    Key size

    Select 2048.

    Key usage

    Leave both Signing and Encryption selected.

    CA Provider

    Select Duo PKI from the drop-down menu.

  12. Click the Save button at the bottom of the page.

Android Configuration

Duo determines trusted device status on Android devices by leveraging the installed and activated Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your Meraki's API access.

Configure Android Enterprise Managed Domain

  1. Log on to the Meraki Dashboard as an administrator and navigate to OrganizationConfigureMDM.

  2. Scroll down to the "Android Enterprise" section of the "MDM settings" page.

  3. Next to "Start a new enrollment", select Meraki managed deployment as the enroll type and then click the step 1 Get Signup URL button.

  4. The Meraki UI updates step 2 with a link to the Google Play store. Click the Continue to Google to set up Android Enterprise link. If you're prompted to sign-in to Google, ensure the email address used is associated with your organization, and not associated with a G Suite domain.

  5. Complete the Google Play for Work registration to return to the Meraki Dashboard. You should see your Google registration account's domain. Click Save.

Add Duo as a Managed App

  1. In the Meraki Dashboard, navigate to Systems ManagerManageApps.

  2. Click the + Add app button on the right.

  3. Click the Android to filter to that platform, select the Play Store app app type, and click Next.

  4. Search for the Duo Mobile app using the search bar on the "Add new Android app" page. Click the search result for Duo Mobile to select it.

  5. In the options for the Duo Mobile, scroll down to the "Approval Status" section and click Approve

  6. In the "Targets" section of the Duo Mobile app page, change the Scope selection to All devices to apply to all Anroid devices, or with ANY of the following tags. If you choose the latter, select the Device tags you created to identify Android pilot or test devices.

  7. Scroll down to the bottom of the page and click the Save button.

Add a Duo App Profile for Android Devices

  1. In the Meraki Dashboard, navigate to Systems ManagerManageSettings.

  2. Click the + Add Profile button on the right.

  3. On the "Add new profile" dialog, leave Device profile (Default) selected and then click Continue.

  4. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel and copy the Name value shown in the "Add App Profile to Duo" section. Paste this in the Meraki Dashboard as the new profile's Name on the "New profile" page.

  5. In the "Targets" section of the "New profile" page, change the Scope selection to with ANY of the following tags.

  6. Use the Device tags drop-down menu to select Android devices, or you may select a tag you created to identify Android pilot or test devices.

  7. Scroll down to the bottom of the New profile page and click the Save button.

  8. Scroll back to the top of your new Duo Android app profile, and click + Add Settings on the left.

  9. Use the search box to locate the Managed App Config settings payload. Click the Managed App Config tile to begin configuration.

  10. Set the Platform to Android and the App to Duo Mobile.

  11. Once you select the Duo Mobile app, Meraki fetches the app settings.

  12. Click the Add button (+) to add keys to the application.

  13. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel and copy the Trusted Endpoint Identifier value shown in the "Add App Profile to Duo" section. Paste this in the Meraki Dashboard as the Trusted Endpoint Identifier for Duo Mobile, leaving the "Type" as Text.

  14. Copy the Trusted Endpoints Configuration Key value from the Duo Admin Panel and paste this in Meraki as the Trusted Endpoints Configuration Key for Duo Mobile, again with the "Type" as Text.

  15. Click the Save button.

Create the Duo REST API Key

  1. Navigate to OrganizationConfigureSettings in the Meraki Dashboard.

  2. Scroll down to the "Dashboard API access" section, and if API access isn't already enabled check the box next to Enable access to the Cisco Meraki Dashboard API to enable API access.

  3. After enabling Dashboard API access, click the profile link shown right underneath the API access option to go to the "My profile" page.

  4. Scroll down to the "API access" section and click the Generate API key button.

  5. Copy the new API key from the Meraki Dashboard. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel and paste the Meraki API key in the Enter the api details box in the "Create a REST API key" section.

  6. Click the Test Configuration button to verify Duo's API access to your Meraki instance. You'll receive a "Configuration Succesful!" message if everything's correct. If the test fails, verify that you completed the Meraki configuration steps and entered the right information in the Duo Admin Panel.

  7. After you successfully test your configuration, click the Save & Configure button.

Finish Trusted Endpoints Deployment

Once your Meraki managed devices receive the Duo config you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the Meraki trusted endpoint management integration in the Admin Panel and enable it by clicking the Change link at the top of the page next to "Integration is disabled". You can choose to either activate this management integration for just members of a specified test group or groups, or activate for all users.

Enable Trusted Endpoints Management Integration

The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed.

Verify Your Setup

Users on Android devices see a prompt to "check your permissions" when authenticating to a protected resource via the Duo Prompt.

Android Trusted Endpoint Verification - Step 1

Duo uses the API access you granted in Meraki to verify device information. Duo Mobile must be installed and activated for Duo Push.

Android Trusted Endpoint Verification - Step 2

If Duo successfully verifies the device information using the Meraki API access, then the user receives access to the protected application.

Android Trusted Endpoint Verification Failed

iOS users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.

Removing the Meraki Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Meraki integration from "Trusted Endpoints Configuration".

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.