By NHI Mgmt Group Editorial Team
Published 2026-05-02
Domain: Best Practices
Source: JumpCloud

TL;DR: Cisco’s Meraki Systems Manager end-of-sale and 2029 support sunset are pushing teams toward identity-centric UEM models that bind device control, directory identity, and network authentication into one architecture, according to JumpCloud. The governance issue is not simply replacing one console with another, but collapsing disconnected identity and device-management silos before they create control gaps.


At a glance

What this is: An analysis of Cisco Meraki Systems Manager’s end-of-sale and of the shift from profile-based MDM to identity-centric UEM, treated as a governance problem.

Why it matters: Endpoint management, directory identity, and network access now have to be governed together across human users, devices, and machine-adjacent access paths.



Context

Identity-centric UEM is a model where endpoint configuration, local login, and network authentication are bound back to the directory rather than managed as separate systems. Meraki SM’s sunset matters because many enterprises still separate device policy, identity, and network validation, which creates operational drift when access decisions are made in one plane and enforced in another.

That split is no longer just an endpoint admin problem. When local accounts, Cloud RADIUS, certificate-based access, and agent-based Linux control sit under different operational owners, lifecycle events such as joiner, mover, and leaver handling become harder to execute consistently across human, device, and workload-like identities. This is a governance issue, not simply a tooling swap.


Key questions

Q: How should teams migrate from profile-based MDM to identity-centric UEM?

A: Treat the move as a control-plane redesign, not a device rollout. Map every dependency between directory identity, local login, wireless authentication, and endpoint policy first, then migrate in stages so you can prove that revocation, certificate expiry, and role changes all still behave as intended.

Q: Why does identity-centric UEM matter for least privilege?

A: Because endpoint authority is no longer isolated from directory authority. When the same identity object governs login, posture, and network access, least privilege depends on how cleanly the directory is segmented and lifecycle-managed, not just on endpoint policy settings.

Q: What breaks when Cloud RADIUS and endpoint identity are poorly aligned?

A: Network access becomes inconsistent, especially when certificates, directory objects, and device state do not agree. Users may be denied access incorrectly, or stale trust material may continue to work longer than intended, which turns authentication drift into a governance problem.

Q: Who should own identity-centric endpoint governance?

A: Ownership should sit across identity, endpoint, and network teams with one accountable control owner. If those functions stay siloed, no one can reliably manage the lifecycle of directory objects, certificates, agents, and local access together.


Technical breakdown

Directory object binding in identity-centric UEM

Identity-centric UEM binds device state and resource authorization to a directory object rather than treating endpoints as isolated assets. That means login, configuration, and access policy all reference the same identity record, which reduces duplication but also raises the stakes of directory hygiene. If the directory object is stale, privileged, or poorly segmented, endpoint control inherits those weaknesses immediately. The architectural change is less about new features and more about making the identity layer the control plane for device behavior.

Practical implication: review which endpoint policies now inherit directory risk and tighten identity lifecycle controls before migrating.

Agent-based management versus profile-based MDM

Profile-based MDM pushes configuration through operating system management channels and is strongest when the goal is to distribute policy at scale with limited local execution. Agent-based management adds a persistent local process that can perform deeper actions such as script execution, privilege mapping, and patch orchestration. That makes it more powerful for Linux and mixed estates, but it also expands the local trust boundary. If the agent is isolated, blocked, or over-permissioned, enforcement and visibility diverge quickly.

Practical implication: validate agent permissions and containment controls before enabling deeper endpoint automation.

Cloud RADIUS and certificate-based network authentication

Cloud RADIUS replaces on-premises authentication dependencies with cloud-mediated network validation, often using EAP-TLS and client certificates. This shifts the trust decision from a local server to a directory-backed cloud control plane while preserving mutual authentication between device and network. The benefit is simpler central governance, but the failure mode is certificate mismatch, stale trust chains, or enrollment drift. In practice, network access now depends on identity and certificate lifecycle discipline, not just wireless configuration.

Practical implication: test certificate issuance, renewal, and revocation paths before moving access points to cloud authentication.




NHI Mgmt Group analysis

Identity-centric UEM works because it collapses endpoint control into the same governance plane as identity, but that consolidation also exposes the quality of the directory itself. Once device access, local login, and network authentication share a control surface, stale identities and excessive privileges stop being separate problems. The field should treat UEM migration as a directory governance event, not a device project. Practitioners need to measure whether the directory can safely absorb endpoint authority.

Profile-based MDM and agent-based management solve different trust problems, and conflating them leads to governance blind spots. Profiles are good at standardized policy distribution, while agents create deeper execution capability on the endpoint. That extra reach is useful for Linux lifecycle control and scripting, but it also means the endpoint becomes a more active enforcement point. The implication is that control depth and control assurance must be evaluated together, not traded off blindly.

Cloud RADIUS turns network access into an identity lifecycle problem. Certificate-based authentication is only as reliable as issuance, renewal, and revocation discipline across the estate. If the organisation cannot track which identities and devices still hold valid trust material, it has not simplified access control, it has redistributed the failure mode. Practitioners should read cloud network authentication as part of the same access governance chain as endpoint and directory controls.

Endpoint modernisation is creating a broader identity blast radius. When one control plane governs directory objects, device posture, and network access, a single governance mistake can affect more of the environment than a standalone MDM silo ever could. That is why migration planning has to ask which identity assumptions are being centralised and which are being exposed to a wider failure domain. Teams should treat blast-radius reduction as the core success criterion.

Endpoint lifecycle management is no longer separable from identity lifecycle management. The move from standalone device administration to identity-centric UEM means joiner, mover, and leaver events influence device authority, certificate validity, and local access in one chain. That does not just streamline operations. It makes lifecycle discipline the primary security boundary for both people and machines. Practitioners need to govern the chain end to end, not by domain silo.

From our research:

  • 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
  • That same survey found that only 13% of security leaders feel extremely prepared for the reality of agentic AI, which shows how fast governance is lagging behind operational adoption.
  • For a broader governance baseline, the Ultimate Guide to NHIs maps the lifecycle controls teams need when identity spans devices, secrets, and machine access paths.

What this signals

Identity-centric endpoint programmes are moving toward a single governance plane, but the real test is whether organisations can manage lifecycle risk at the same speed. If directory objects, certificates, and local access are all governed together, then offboarding, renewal, and privilege review must also be unified. Teams that still separate endpoint administration from identity governance will find the operational gaps first, not the architectural benefits.

Device control is becoming an identity-control problem with a larger blast radius. Once network access, login, and endpoint posture converge, a single entitlement mistake can propagate across more of the estate than it would in a standalone MDM environment. Practitioners should watch for hidden dependency chains between user identity, device trust, and certificate validity, especially where shared control ownership is unclear.


For practitioners

  • Map identity dependencies before migration: Inventory which device policies, login flows, and network checks depend on the same directory objects so you can spot hidden coupling before you replace legacy MDM. Identify where Cloud RADIUS, local accounts, and endpoint agents share trust decisions.
  • Validate agent trust boundaries: Test whether the new endpoint agent can be isolated by endpoint security tools, blocked by allowlisting errors, or over-granted local privileges. Focus on the execution directories, digital signatures, and administrative rights needed for stable control.
  • Rebuild certificate lifecycle controls: Treat EAP-TLS certificates as governed identities, not static configuration. Define issuance, renewal, and revocation ownership, and verify that expired or revoked certificates actually fail network authentication during staged tests.
  • Run a joiner-mover-leaver check on endpoints: Simulate user onboarding, role change, and offboarding across directory accounts, local login, and wireless access so you can confirm that permissions follow the lifecycle rather than lingering on endpoints.
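The staged tests asked for in the Cloud RADIUS section above and in the "Rebuild certificate lifecycle controls" and "Run a joiner-mover-leaver check" items reduce, in code, to one policy function that refuses access unless every link in the chain agrees: the client certificate chains to the CA inside its validity window, it is absent from a revocation list that is itself still current, and its subject resolves to an active directory object. The Go program below is an added example written for this page; it is not JumpCloud's or Cisco's code and not a real Cloud RADIUS service. It builds a throwaway CA, issues EAP-TLS client certificates, publishes a CRL, binds each certificate's CommonName to a constructed directory record, and then runs the checklist's cases: a healthy device, an offboarded user whose certificate is still valid, a revoked certificate, an expired certificate, a certificate the CA signed for a device never enrolled in the directory, and a CRL that has gone stale. The DirectoryDevice and Decision types, the device ids, serials, network roles and the 24-hour CRL lifetime are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DirectoryDevice is a constructed stand-in for the directory object a device certificate is bound to;
// Active becomes false once the leaver or decommission event has been processed.
type DirectoryDevice struct{ Active bool; Network string }

// Decision is the outcome the RADIUS server acts on; Reason is what you would log on a deny.
type Decision struct{ Allow bool; Network, Reason string }

// AuthorizeEAPTLS decides access: the client certificate must chain to the CA within its validity
// window, must not be on a CRL that is still current, and must resolve to an active directory object.
func AuthorizeEAPTLS(ca *x509.Certificate, crl *x509.RevocationList, dir map[string]DirectoryDevice,
	client *x509.Certificate, now time.Time) Decision {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return Decision{Reason: "chain or validity check failed: " + err.Error()}
	}
	if crl == nil || now.After(crl.NextUpdate) { // stale revocation data: fail closed rather than guess
		return Decision{Reason: "no current CRL; refusing to decide"}
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return Decision{Reason: "certificate serial " + client.SerialNumber.String() + " is revoked"}
		}
	}
	dev, ok := dir[client.Subject.CommonName]
	switch {
	case !ok:
		return Decision{Reason: "no directory object bound to " + client.Subject.CommonName}
	case !dev.Active: // the certificate is still valid, but the identity behind it is gone
		return Decision{Reason: "directory object " + client.Subject.CommonName + " is disabled"}
	}
	return Decision{Allow: true, Network: dev.Network}
}

func must[T any](v T, err error) T { // panics on error so the constructed PKI setup stays short
	if err != nil { panic(err) }
	return v
}

// sign issues tmpl under parent (parent == tmpl for the self-signed CA) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))))
}

// RunScenario builds a constructed CA, client certificates, CRL and directory, then returns the
// decision for each staged test case from the checklist.
func RunScenario() map[string]Decision {
	now := time.Date(2026, 5, 2, 12, 0, 0, 0, time.UTC)
	day, year := 24*time.Hour, 365*24*time.Hour
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Device CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * year), BasicConstraintsValid: true, IsCA: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	issue := func(id string, serial int64, from, to time.Time) *x509.Certificate { // EAP-TLS client certificate
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		return sign(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: id},
			NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, &key.PublicKey, caKey)
	}
	active := issue("laptop-0001", 1001, now.Add(-30*day), now.Add(year))
	leaver := issue("laptop-0002", 1002, now.Add(-30*day), now.Add(year))
	lost := issue("phone-0003", 1003, now.Add(-30*day), now.Add(year))
	expired := issue("kiosk-0004", 1004, now.Add(-2*year), now.Add(-day))
	orphan := issue("laptop-9999", 1005, now.Add(-30*day), now.Add(year)) // CA-signed, never enrolled
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(day), // lists the lost phone, good for one day
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: lost.SerialNumber, RevocationTime: now}}}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	dir := map[string]DirectoryDevice{ // constructed directory state
		"laptop-0001": {Active: true, Network: "corp-wifi"},
		"laptop-0002": {Active: false, Network: "corp-wifi"}, // offboarded, certificate not yet revoked
		"phone-0003":  {Active: true, Network: "byod"},       // reported lost, certificate revoked
		"kiosk-0004":  {Active: true, Network: "iot"},        // renewal was missed
	}
	out := map[string]Decision{"stale-crl": AuthorizeEAPTLS(ca, crl, dir, active, now.Add(3*day))} // CRL NextUpdate has passed
	for name, c := range map[string]*x509.Certificate{"active-device": active, "leaver-valid-cert": leaver,
		"revoked-cert": lost, "expired-cert": expired, "unenrolled-device": orphan} {
		out[name] = AuthorizeEAPTLS(ca, crl, dir, c, now)
	}
	return out
}

func main() {
	for name, d := range RunScenario() {
		fmt.Printf("%-18s allow=%-5t %s%s\n", name, d.Allow, d.Network, d.Reason)
	}
}
```

The leaver case is the one to dwell on: TLS alone would accept that certificate for another eleven months, so the directory lookup is the control that turns the offboarding event into a network decision, and the order of checks matters (chain, then revocation, then directory state) because a stale CRL or a missing object each has to fail closed on its own. Running the block prints one line per case; only active-device is allowed.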

Key takeaways

  • Meraki SM’s sunset is forcing a governance rethink because endpoint management, directory identity, and network authentication are converging.
  • The operational risk is not just migration complexity but control-plane coupling, where directory mistakes now affect login, device policy, and access together.
  • Teams should treat identity lifecycle discipline, certificate governance, and agent trust boundaries as the deciding controls in any UEM transition.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                         Control / Reference   Relevance
OWASP Non-Human Identity Top 10   NHI-03                Endpoint-linked trust material must be rotated and revoked on lifecycle events.
NIST CSF 2.0                      PR.AC-4               Identity-bound device access is central to the article’s governance model.
NIST Zero Trust (SP 800-207)      AC-4                  Cloud RADIUS and certificate-based access are zero-trust policy enforcement points.

Use continuous policy checks for device and network access rather than static trust.


Key terms

  • Identity-Centric Unified Endpoint Management: An endpoint management model that binds device control, local login, and network access back to a directory identity. The security value is centralised governance, but the trade-off is that directory hygiene, lifecycle discipline, and trust boundaries become part of the endpoint control plane itself.
  • Profile-Based MDM: A device management model that relies on operating system profiles to push configuration and application settings to endpoints. It is efficient for standardisation, but it has limited reach into local execution and deeper lifecycle control, which can leave Linux and advanced admin use cases under-governed.
  • Cloud RADIUS: A cloud-hosted RADIUS implementation that validates network access without depending on an on-premises authentication server. In identity-centric environments, it connects wireless and wired access to directory-backed trust decisions and certificate lifecycles, so certificate issuance and revocation become governance tasks, not just network tasks.
  • Agent-Based Endpoint Control: A management approach that uses a persistent local agent to perform deeper endpoint actions such as scripts, privilege mapping, and patch orchestration. It extends control beyond profile distribution, which increases operational reach but also expands the trust boundary on each managed device.

Deepen your knowledge

Identity-centric UEM and endpoint lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are redesigning device access around directory identity, it is worth exploring.

This post draws on content published by JumpCloud: updated analysis of Cisco Meraki Systems Manager end-of-sale and identity-centric UEM. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org