Duo Trusted Endpoints - Cisco Meraki Systems Manager Device Deployment

Overview

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from trusted and untrusted devices, and optionally block access from devices not trusted by your organization.

Trusted Endpoints is part of the Duo Essentials, Duo Advantage, and Duo Premier plans.

Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate or REST API access for Duo to your managed mobile devices, or deploy Duo Desktop to Windows and macOS managed systems.

This guide walks you through Cisco Meraki Systems Manager configuration for Windows and macOS endpoint clients and Android and iOS mobile devices..

Prerequisites

• Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
• Access to the Cisco Meraki Systems Manager Dashboard as an administrator with the rights to create managed apps, app profiles, API keys, and device profiles.

If you plan to verify trust status for Windows and macOS systems:

• Add your Windows and macOS devices to the Meraki device list and enroll your devices in Meraki Systems Manager.

• Deploy Duo Desktop for Windows 10 and later or macOS to your Meraki-managed endpoints. Refer to the Duo Desktop documentation to learn about different options for deploying the application.

  Note that you do not need to configure a Duo Desktop policy in order to use Meraki with Duo Desktop.

Android Configuration

Duo determines trusted device status on Android devices by leveraging the installed and activated Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your Meraki's API access.

Create the Cisco Meraki Systems Manager Integration

1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
3. On the "Add Management Tools Integration" page, locate Cisco Meraki Systems Manager in the list of "Device Management Tools" and click the Add this integration selector.
4. Choose Android from the "Recommended" options, and then click the Add button.

The new Cisco Meraki Systems Manager integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Meraki management integration page to complete the Android configuration steps.

Configure Android Enterprise Managed Domain

1. Log on to the Meraki Dashboard as an administrator and navigate to Organization → Configure → MDM.

2. Scroll down to the "Android Enterprise" section of the "MDM settings" page.

3. Next to "Start a new enrollment", select Meraki managed deployment as the enroll type and then click the step 1 Get Signup URL button.

4. The Meraki UI updates step 2 with a link to the Google Play store. Click the Continue to Google to set up Android Enterprise link. If you're prompted to sign-in to Google, ensure the email address used is associated with your organization, and not associated with a G Suite domain.

5. Complete the Google Play for Work registration to return to the Meraki Dashboard. You should see your Google registration account's domain. Click Save.

Add Duo as a Managed App

1. In the Meraki Dashboard, navigate to Systems Manager → Manage → Apps.

2. Click the + Add app button on the right.

3. Click Android to filter to that platform, select the Play Store app app type, and click Next.

4. Search for the Duo Mobile app using the search bar on the "Add new Android app" page. Click the search result for Duo Mobile to select it.

5. Click “Select“ at the top of the app page.

6. In the "Targets" section of the Duo Mobile app page, change the Scope selection to All devices to apply to all Android devices, or with ANY of the following tags. If you choose the latter, select the Device tags you created to identify Android pilot or test devices.

7. Scroll down to the bottom of the page and click the Save button.

Add a Duo App Profile for Android Devices

1. In the Meraki Dashboard, navigate to Systems Manager → Manage → Settings.

2. Click the + Add Profile button on the right.

3. On the "Add new profile" dialog, leave Device profile (Default) selected and then click Continue.

4. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel and copy the Name value shown in the "Add App Profile to Duo" section. Paste this in the Meraki Dashboard as the new profile's Name on the "New profile" page.

5. In the "Targets" section of the "New profile" page, change the Scope selection to with ANY of the following tags.

6. Use the Device tags drop-down menu to select Android devices, or you may select a tag you created to identify Android pilot or test devices.

7. Scroll down to the bottom of the New profile page and click the Save button.

8. Scroll back to the top of your new Duo Android app profile, and click + Add Settings on the left.

9. Use the search box to locate the Managed App Config settings payload. Click the Managed App Config tile to begin configuration.

10. Set the Platform to Android and the App to Duo Mobile.

11. Once you select the Duo Mobile app, Meraki fetches the app settings.

12. Click the Add button (+) to add keys to the application.

13. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel and copy the Trusted Endpoints Configuration Key value. Paste this value in Meraki as the trustedEndpointConfigurationKey for Duo Mobile, with the "Type" as Text.

14. Set the trustedEndpointIdentifier "Type" as Device: ID.

15. Click the Save button.

Create the Duo REST API Key

1. Navigate to Organization → Configure → Settings in the Meraki Dashboard.

2. Scroll down to the "Dashboard API access" section, and if API access isn't already enabled check the box next to Enable access to the Cisco Meraki Dashboard API to enable API access.

3. After enabling Dashboard API access, click the profile link shown right underneath the API access option to go to the "My profile" page.

4. Scroll down to the "API access" section and click the Generate API key button.

5. Copy the new API key from the Meraki Dashboard. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel and paste the Meraki API key in the Enter the api details box in the "Create a REST API key" section.

6. Click the Test Configuration button to verify Duo's API access to your Meraki instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Meraki configuration steps and entered the right information in the Duo Admin Panel.

7. After you successfully test your configuration, click the Save & Configure button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Verify Android Device Information with Search

After you configure the connection between Meraki and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.

Windows Configuration

This integration relies on having Duo Desktop present on your Meraki-managed Windows endpoints. When users authenticate to applications protected with Duo's browser-based prompt, Duo matches the device identifiers reported by Duo Desktop with managed device information obtained from Meraki in a nightly sync via read-only API access (note this sync can't be manually initiated or rescheduled at this time).

Create the Cisco Meraki with Duo Desktop Integration

1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
3. On the "Add Management Tools Integration" page, locate Cisco Meraki Systems Manager in the list of "Device Management Tools" and click the Add this integration selector.
4. Choose Windows from the "Recommended" options, and then click the Add button.

The new Cisco Meraki with Duo Desktop integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration requires Duo Desktop to be installed on the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Cisco Meraki with Duo Desktop management integration page to complete the configuration steps.

1. Log on to the Meraki Dashboard as an administrator and navigate to Organization → Configure → Settings.

2. Scroll down to the "Dashboard API access" section, and if API access isn't already enabled check the box next to Enable access to the Cisco Meraki Dashboard API.

3. After enabling Dashboard API access, click the profile link shown underneath the API access option to go to the "My profile" page.

4. Scroll down to the "API access" section of the "My profile" page and click Generate API key.

5. Copy the new API key shown in the Meraki Dashboard. Return to your Cisco Meraki with Duo Desktop management integration page in the Duo Admin Panel and paste the API key into the Meraki API Key field.

6. Click the Test Configuration button to verify Duo's API access to your Meraki instance. You'll receive a "Configuration Successful!" message if everything is correct. If the test fails, verify that you completed the Meraki configuration steps and entered the right information in the Duo Admin Panel.

7. After you successfully test your configuration, click the Save & Configure button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Verify Windows Device Information with Search

After you configure the connection between Cisco Meraki Systems Manager and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.

macOS Configuration

This integration relies on having Duo Desktop present on your Meraki-managed macOS endpoints. When users authenticate to applications protected with Duo's browser-based prompt, Duo matches the device identifiers reported by Duo Desktop with managed device information obtained from Meraki in a nightly sync via read-only API access (note this sync can't be manually initiated or rescheduled at this time).

Create the Cisco Meraki with Duo Desktop Integration

1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
3. On the "Add Management Tools Integration" page, locate Cisco Meraki Systems Manager in the list of "Device Management Tools" and click the Add this integration selector.
4. Choose macOS from the "Recommended" options, and then click the Add button.

The new Cisco Meraki with Duo Desktop integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration requires Duo Desktop to be installed on the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Cisco Meraki with Duo Desktop management integration page to complete the configuration steps.

1. Log on to the Meraki Dashboard as an administrator and navigate to Organization → Configure → Settings.

2. Scroll down to the "Dashboard API access" section, and if API access isn't already enabled check the box next to Enable access to the Cisco Meraki Dashboard API.

3. After enabling Dashboard API access, click the profile link shown underneath the API access option to go to the "My profile" page.

4. Scroll down to the "API access" section of the "My profile" page and click Generate API key.

5. Copy the new API key shown in the Meraki Dashboard. Return to your Cisco Meraki with Duo Desktop management integration page in the Duo Admin Panel and paste the API key into the Meraki API Key field.

6. Click the Test Configuration button to verify Duo's API access to your Meraki instance. You'll receive a "Configuration Successful!" message if everything is correct. If the test fails, verify that you completed the Meraki configuration steps and entered the right information in the Duo Admin Panel.

7. After you successfully test your configuration, click the Save & Configure button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Verify macOS Device Information with Search

After you configure the connection between Cisco Meraki Systems Manager and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.

iOS Configuration

This integration relies on having the Duo Mobile app present and activated on your Meraki-managed iOS endpoints. When users authenticate to applications protected with Duo's browser-based prompt, Duo matches the device identifiers reported by the Duo Mobile app with managed device information obtained from Meraki in a nightly sync via read-only API access (note this sync can't be manually initiated or rescheduled at this time).

Create the Cisco Meraki with App Config Integration

1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
3. On the "Add Management Tools Integration" page, locate Cisco Meraki Systems Manager in the list of "Device Management Tools" and click the Add this integration selector.
4. Choose iOS from the "Recommended" options, and then click the Add button.

The new Cisco Meraki with App Config integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Cisco Meraki with App Config management integration page to complete the configuration steps.

Configure iOS Enterprise Managed Domain

1. Log on to the Meraki Dashboard as an administrator and navigate to Organization → Configure → MDM.

2. Scroll down to the "Apple MDM" section of the "MDM settings" page. If the Apple Certificate is already activated, proceed to the Add Duo as a Managed App section. Otherwise, continue to step 3.

3. Select Update/renew certificate and download the certificate signing request (CSR) file from Meraki, named Meraki_Apple_CSR.csr.

4. Visit the Apple Push Certificate Portal and sign in with your Apple ID. Once logged in, select Create a certificate, and upload the Meraki CSR file you downloaded in step 2.

5. Click Download and ensure the downloaded certificate file's name is MDM_Meraki_Inc._Certificate.pem.

6. Return to the Apple MDM settings in your Meraki Dashboard. Enter the Apple ID you used to generate the certificate in the field provided, and upload the Meraki .pem certificate file that you downloaded from Apple.

7. Click Save after uploading the Apple push certificate.

8. Click Test Certificate to verify the new Apple push certificate.

For more information on Meraki Apple MDM Push Certificates, please refer to the Meraki Documentation for Apple MDM Push Certificates.

Add Duo as a Managed App

1. In the Meraki Dashboard, navigate to Systems Manager → Manage → Apps.

2. Click the + Add app button on the right.

3. Click iOS to filter to that platform, select the App Store app app type, and click Next.

4. Search for the Duo Mobile app using the search bar on the "Add new Android app" page. Click the search result for Duo Mobile to select it.

5. In the options for Duo Mobile, enable the Keep app up to date and Attempt to manage unmanaged additional options.

   Meraki must manage Duo Mobile for Meraki to push information to the Duo Mobile app. Enabling Attempt to manage unmanaged informs users with Duo Mobile already installed that Meraki will now manage that application.

6. In the "Targets" section of the Duo Mobile app page, change the Scope selection to All devices to apply to all iOS devices, or with ANY of the following tags. If you choose the latter, select the Device tags you created to identify iOS pilot or test devices.

7. Scroll down to the bottom of the page and click the Save button.

Add a Duo App Profile for iOS Devices

1. In the Meraki Dashboard, navigate to Systems Manager → Manage → Settings.

2. Click the + Add Profile button on the right.

3. On the "Add new profile" dialog, leave Device profile (Default) selected and then click Continue.

4. Return to your Cisco Meraki with App Config management integration page in the Duo Admin Panel and copy the Name value shown in the "Add App Profile to Duo" section. Paste this in the Meraki Dashboard as the new profile's Name on the "New profile" page.

5. In the "Targets" section of the "New profile" page, change the Scope selection to with ANY of the following tags.

6. Use the Device tags drop-down menu to select iOS devices, or you may select a tag you created to identify iOS pilot or test devices.

7. Scroll down to the bottom of the New profile page and click the Save button.

8. Scroll back to the top of your new Duo iOS app profile, and click + Add Settings on the left.

9. Use the search box to locate the Managed App Config settings payload. Click the Managed App Config tile to begin configuration.

10. Set the Platform to iOS and the App to Duo Mobile.

11. Once you select the Duo Mobile app, Meraki fetches the app settings.

12. Click the Add button (+) to add keys to the application.

13. Return to your Cisco Meraki with App Config management integration page in the Duo Admin Panel and copy the Trusted Endpoints Configuration Key value. Paste this value in Meraki as the trustedEndpointConfigurationKey for Duo Mobile, with the "Type" as Text.

14. Set the trustedEndpointIdentifier "Type" as Device: ID.

15. Click the Save button.

Create the Duo REST API Key

1. Navigate to Organization → Configure → Settings in the Meraki Dashboard.

2. Scroll down to the "Dashboard API access" section, and if API access isn't already enabled check the box next to Enable access to the Cisco Meraki Dashboard API to enable API access.

3. After enabling Dashboard API access, click the profile link shown right underneath the API access option to go to the "My profile" page.

4. Scroll down to the "API access" section and click the Generate API key button.

5. Copy the new API key from the Meraki Dashboard. Return to your Cisco Meraki with App Config management integration page in the Duo Admin Panel and paste the Meraki API key in the Enter the api details box in the "Create a REST API key" section.

6. Click the Test Configuration button to verify Duo's API access to your Meraki instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Meraki configuration steps and entered the right information in the Duo Admin Panel.

7. After you successfully test your configuration, click the Save & Configure button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Verify iOS Device Information with Search

After you configure the connection between Meraki and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.

iOS Certificate Configuration

End of Life Information

New Meraki certificate deployment management integrations may no longer be created as of October 2021. Consider migrating your certificate-based iOS Cisco Meraki integration to Cisco Meraki with App Config. See the Duo Knowledge Base article Guide to updating Trusted Endpoints iOS integrations from certificates to AppConfig for more information about migrating your iOS certificate-based management integrations to App Config.

These instructions remain available for customers who created these integrations before October 2021 and may need to reconfigure them. Duo continues to support existing Cisco Meraki iOS certificate deployments and will do so until the integration reaches end-of-life status in a future update.

Duo verifies the trusted status of iOS devices by checking for the presence of a Duo device certificate. You'll use Meraki Systems Manager to push the Duo CA information to your mobile devices so they can obtain a Duo certificate.

Create the Cisco Meraki Systems Manager Integration

1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
3. On the "Add Management Tools Integration" page, locate Cisco Meraki Systems Manager in the list of "Device Management Tools" and click the Add this integration selector.
4. Choose Certs for iOS from the "Legacy" options, and then click the Add button.

The new Cisco Meraki Systems Manager integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Meraki management integration page to complete the iOS configuration steps.

Configure the Duo Trusted Endpoints SCEP Credentials

1. Log on to the Meraki Dashboard as an administrator and navigate to Systems Manager → Configure → General.

2. Scroll down through the "Network administration" options to find the Duo Trusted Endpoints setting.

3. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel.

4. Copy the "Username" value from the "Add SCEP Credentials to Meraki" section on the iOS tab of your Meraki management integration (it will be similar to DUOPKI\p7oo8ld1a9d9ma8n). Paste this into the Meraki Dashboard as the Duo SCEP username value.

5. Next, copy the "Password" value from the Duo Meraki management integration and paste this into the Meraki Dashboard as the Duo SCEP password value.

6. Click Verify and then scroll down to the bottom of the page and click Save Changes.

Add a Duo SCEP Profile for iOS Devices

1. In the Meraki Dashboard, navigate to Systems Manager → Manage → Settings.

2. Click the + Add Profile button on the right.

3. On the "Add new profile" dialog, leave Device profile (Default) selected and then click Continue.

4. Return to your Cisco Meraki Systems Manager management integration page in the Duo Admin Panel and copy the Name value shown in the "Add a SCEP Profile to iOS Devices" section. Paste this in the Meraki Dashboard as the new profile's Name on the "New profile" page.

5. Copy the text SCEP profile for issuing Duo trusted endpoint certificates to iOS devices from the Duo Admin Panel and paste on the "New profile" page as the Description.

6. In the "Targets" section of the "New profile" page, change the Scope selection to with ANY of the following tags.

7. Use the Device tags drop-down menu to select iOS devices, or you may select a tag you created to identify iOS pilot or test devices.

8. Scroll down to the bottom of the New profile page and click the Save button.

9. Scroll back to the top of your new Duo iOS profile, and click + Add Settings on the left.

10. Use the search box to locate the SCEP Certificate settings payload. Click the SCEP Certificates tile to begin configuration.

11. Enter the SCEP Certificate information as follows (copy the values from the Duo Admin Panel as needed):

    Name	Enter Duo Scep Cert.
    Subject Name	Enter CN = $SM Device ID.
    Key size	Select 2048.
    Key usage	Leave both Signing and Encryption selected.
    CA Provider	Select Duo PKI from the drop-down menu.

12. Click the Save button at the bottom of the page.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Finish Trusted Endpoints Deployment

Once your Meraki managed devices receive the Duo config you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the Meraki trusted endpoint management integration in the Admin Panel. The "Change Integration Status" section of the page shows the current integration status (disabled by default after creation). You can choose to either activate this management integration only for members of a specified test group, or activate for all users. If you created more than one Cisco Meraki management integration, you must activate each one individually.

Duo Premier and Duo Advantage plans: The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed.

Verify Your Setup

Users see a device trust dialog on their iOS and Android devices when authenticating to a protected resource via the Duo Prompt.

Duo uses the API access you granted in Meraki to perform a permissions check to verify device information.

If Duo successfully verifies the device information using the Meraki API access, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone.

On Android devices, approving the request grants access and returns the user to the protected application. On iOS devices, after approving the Duo authentication request users tap the top-left of the Duo Mobile app to return to the application and complete login. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.

If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA.

With the legacy iOS certificate configuration, iOS users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.

Windows and macOS with Duo Desktop

When Windows or macOS users access Duo-protected resources, Duo Desktop provides device information to Duo. If the information from the device matches the information in Cisco Meraki Systems Manager, Duo grants access to the trusted device.

Search for Device Identifiers

If you configured Duo Mobile for iOS with App Config or Android to determine device trust, you may want to search for specific device identifiers to verify that the identifier information for a given trusted device exists in Duo. This can be useful to verify a device you expect to be trusted was imported from Meraki into Duo.

To search for a device identifier in Duo:

1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.

2. Locate the Meraki or Meraki with App Config device management integration you want to search for a device identifier in the list and click on it to view its details.

3. In the Check if devices have synced section, enter the identifier for the device you want to check and click Search.

4. A message appears indicating if the device identifier was either found or not found. If the device identifier is not found, check your Meraki API configuration and wait 24 hours.

Use these instructions to find the device identifier to search in Meraki.

1. Log in to the Meraki Systems Manager, navigate to Device list and select a device to view.

2. In the URL for the device view, there will be a URL parameter called "pn".

   Example: /manage/pcc/list#pn=123456789123456789

3. The "pn" is the device identifier. Copy this value and use it to perform the search in Duo.

Removing the Meraki Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Meraki integration from "Trusted Endpoints Configuration".

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.