Creating a Compliance Rule

Learn how to create a compliance rule that monitors specific configuration changes across your Meraki infrastructure.

Written by Boundless

Updated 1 week ago

Pre-release Notice
Safeguard is currently in pre-release status. As we continue to refine and enhance this product, you may notice occasional unexpected behavior or variations in performance. Your feedback during this pre-release phase is invaluable — please share any issues or suggestions with our support team to help us deliver the best possible experience for general availability.

Overview

A compliance rule tells Safeguard exactly what to watch for in your Meraki configurations. When a change matches your rule’s criteria, Safeguard triggers an alert so you can investigate.

Every compliance rule is built from three components:

Settings: The configuration parameters that, if modified, should trigger an alert
Target: The entities (organizations, devices, templates, networks) where changes should be monitored
Source: The administrators whose changes should trigger alerts

The rule creation wizard guides you through each of these components step by step, plus a final review before saving. This guide walks you through the complete process.

Before You Begin

Before creating a compliance rule, make sure you have:

An active Boundless workspace with a valid subscription
At least one organization connected to your workspace
Automatic Change Detection enabled for the organization
Owner or User role in your workspace

Step-by-Step Guide

Step 1: Start the Rule Creation Wizard

Navigate to Compliance Alerts from the Safeguard main menu
Click the Create New Rule button

What you’ll see:

The rule creation wizard opens on the first step (Settings). A progress indicator at the top shows all four steps: Settings → Target → Source

Step 2: Select Settings

Settings define which configuration parameters Safeguard should monitor. Settings are organized by Product category.

Review the available Product categories:
- Organization
- Network-Wide
- Cameras
- Cellular Gateway
- Security & SD-WAN
- Sensor
- Wireless
- Switch
- Systems Manager
- Device-Level Settings
Select a Product category by clicking on it — this automatically selects all settings within that category
Expand the Setting category to manually select or deselect individual settings
Use the Select All checkbox at the top to select every setting across all categories
Review the settings count displayed (e.g., “45/45”)
Click Add new to add new Product categories to the rule
Click Select and continue to proceed

What you’ll see:

When you select a Product category, all settings underneath it are automatically checked. You can expand the Setting selector to fine-tune your selection.Helpful tip: Safeguard displays all Product categories and settings regardless of whether they are currently relevant to your organization’s infrastructure. This ensures your rule continues to work if you add new device types or features in the future.

Important: You must select at least one setting to proceed to the next step.

Step 3: Select Target Entities

Targets define where Safeguard should monitor for changes. You can select one or more entity types, according to the Products you selected on the previous step.

Important: Target selections are only relevant when combined with matching settings. For example, selecting device-level targets only triggers alerts if the selected settings apply to devices.

Organization

The Organization is automatically selected when monitoring changes to organization-level settings.

Templates

Select one or more Templates to enable template-level monitoring
Optionally, enable the Include bound networks toggle

What you’ll see:

When you enable the bound networks toggle, any network bound to a selected template is automatically included in monitoring.

Helpful tip: Enabling bound network selection is useful when you want comprehensive coverage — if a template is monitored, all networks inheriting that template’s configuration are monitored too.

Networks

Select one or more Networks to enable network-level monitoring
Choose a selection method:
1. All Networks — Monitor every network in the organization.
2. By Selection — Click individual Networks to pick specific networks.
3. By Tag — Click Select Tags to choose networks by their Meraki tags.

Devices

Select the Devices checkbox to enable device-level monitoring
Choose a selection method:
1. All Devices — Monitor every device in the organization.
2. By Selection — Click individual Devices to manually pick specific devices from a list.
3. By Tag — Click Bulk Device > Tags to choose devices by their Meraki tags.
4. By Device Type — Select Bulk Device > Device Type to choose one or more device types: MX, MS, MR, MV, MT, MG.

Click Select and Continue to proceed.

Step 4: Configure the Source

The Source defines which administrators’ changes should trigger alerts.

You have three options:

Option 1: Any Meraki admin

Select this option to trigger alerts when any administrator makes a matching change
This is the broadest setting and is recommended if you want full visibility

Option 2: Specific admin(s)

Select this option, then choose one or more administrators from the list
Alerts only trigger when a selected administrator is identified as a co-author of the change

Option 3: Any admin except

Select this option, then choose one or more administrators to exclude
Alerts trigger when any administrator not on the exclusion list makes a matching change

Click Select and Continue to proceed.

Important: Safeguard identifies change authors by checking the Meraki changelog during each snapshot interval. If multiple administrators made changes to the same entity during that interval, all of them are listed as co-authors. An alert triggers if any co-author matches your Source filter.

Step 5: Name, Describe, and Review

Enter a Rule Name (required, maximum 40 characters)
Enter a Description (optional, maximum 60 characters)
Review the summary of your rule configuration:
- Settings: Number of settings selected, organized by Product category
- Target: Entity types
- Source: Filter type and selected administrators (if applicable)
Click Create Rule to save

What you’ll see:

A character counter appears as you type in both the Name and Description fields, showing your current count against the maximum (e.g., “15/40”).

Helpful tip: Use the Name and Description to make your rule easy to identify later. A name like “HQ Wireless Security” is more helpful than “Rule 3” when you have multiple rules.What you’ll see: After saving, a success notification appears and you are returned to the Rules tab. Your new rule is listed in the table with a status of Active.

Using Preview Alert

At every step of the wizard, you can click the Preview Alert button on the right side to see what alerts this rule would have triggered over the past 30 days.

Click Preview Alert at any step
Review the results

What you’ll see:

A list of alerts that would have been triggered based on the current configuration. If you are still early in the wizard (e.g., Step 1), the preview assumes the broadest possible values for steps you haven’t configured yet (all entities, all admins).The preview modal clearly indicates which assumptions are being made. As you progress through the wizard and refine your selections, the preview results become more precise.

Helpful tip: Use Preview Alert after configuring your Target (Step 3) to see a realistic projection. If the preview returns a very high number of alerts, consider narrowing your settings or targets to reduce noise.

Best Practices

For selecting settings:

Start broad and narrow down — select an entire Product category, then deselect settings that aren’t critical to your compliance needs
Focus on settings that have direct security or operational impact
Remember that selecting all settings across all categories is valid if you want comprehensive monitoring

For defining targets:

Use tag-based selection when your network infrastructure is well-organized with consistent tagging
Enable bound network selection for templates when you want to ensure full coverage of inherited configurations

For configuring sources:

Use “Any Meraki admin” for full visibility, especially during initial setup
Switch to “Specific admin(s)” when you want to monitor changes from external contractors or new team members
Use “Any admin except” to exclude your own changes or those from automated systems

Common Questions

Q: Can I edit a rule after creating it?
A: No. Once created, compliance rules are locked to preserve audit integrity. If you need to make changes, duplicate the rule and save a new version with your updates. See Duplicating a Compliance Rule.

Q: Why are Product categories shown that don’t match my current infrastructure?
A: Safeguard displays all categories and settings by default to accommodate future changes in your network. If you add new device types later, your existing rules can already cover them.

Q: What happens if I don’t select any targets?
A: You must select at least one target entity to proceed. The wizard will not allow you to advance past the Target step without a selection.

Q: Does the Preview Alert create alerts?
A: No. Preview Alert analyzes historical snapshot data and does not create actual alerts or affect your rule in any way.

Q: Are rules active immediately after creation?
A: Yes. New rules are created with a status of Active by default and begin monitoring on the next snapshot cycle.

Next Steps

Now that you’ve created your first compliance rule, you might want to:

View your rule’s full configuration:
Inspect settings, targets, and source filters on the rule information page. See Viewing Rule Information.
Monitor triggered alerts:
Check the Alerts tab on the dashboard for any changes matching your rule. See Navigating the Compliance Alerts Dashboard.
Duplicate a rule for variations:
Create a copy with different parameters for layered monitoring.
See Duplicating a Compliance Rule.
Pause a rule temporarily:
Disable monitoring during maintenance windows without losing your configuration.
See Pausing and Activating Compliance Rules.

Did this answer your question?