MDM profiles automatically being removed from iPads

MarcusAurelius
Comes here often


Hi all,

 

I had a Meraki MDM management profile installed on about 100 iPads, and it was randomly removed from about 60 of them, for no obvious reason. It seems to coincide with internet outages. The dashboard indicates:

 

"Management profile has been removed from device!"

 

I've had to reapply them a few times over the course of the year, but whenever there's an internet outage, the profile just seems to delete itself again. It happened even when a removal password was set, but of course the password is useless when you reapply the profile without going through the preparation process again in Apple Configurator. I'm currently in contact with Meraki support and I am attempting to reproduce the problem, but it's hard because it appears to be random. Has anyone else encountered something like this before?

 

Thanks in advance

PeterJames
Head in the Cloud

Hi @MarcusAurelius,

 

That is very odd - We have 1000s of devices and have not come across this issue.

 

Do you have any 'System Manager-> Security Policies' set up, or Geo-fencing? It sounds like the device has left compliance and been forced off. I have seen this issue on other MDMs where the previous MDM Admin over-engineered the solution.

 

Thank you,
Peter James

MarcusAurelius
Comes here often

Hi Peter,

 

Thanks for the reply. I don't have any Security Policies or Geo-fencing set up. I failed to reproduce the problem by disconnecting Wi-Fi on an iPad for a few days. I will discuss this with Meraki support to explore other options. If I find anything, I'll post it here to help anyone else who's encountered this bizarre issue.

 

Cheers

MMoss
Building a reputation

Couple of things we ran into. If the device was not purchased through Apple DEP or a retail partner, the Meraki Management can be removed for the first 30 days. Our Amazon orders had the option to remove the MDM and that's the root cause of it.

 

I saw you mentioned Configuration so I'm assuming you have these in supervised mode? Are they DEP enrolled? If it's in non-supervised mode then whoever has physical control over the device can simply remove the MDM as well. It used to require a password, but that's no longer the case with the newer SM client. Apple has been a pain to work with in my opinion, I understand why people like them, and I get that they are easy to administer ONCE they are configured. It took us forever to get into the DEP program and we are still finding odds and ends at every turn.

 

Hope that helps, I only had a chance to do a quick skim, but now I have to run to a meeting.

Good Luck

PeterJames
Head in the Cloud

Hi @MMoss,

Do Amazon have a separate re-seller department? I may reach out.

Thank you,
Peter James
MMoss
Building a reputation

@PeterJames

 

To my knowledge they do not. Amazon largely doesn't own anything it sells, you may be able to find the actual seller and mail them to ask. If you have DEP Apple can also set up a "Custom" business store where you can buy refurbs and new for pretty close to what you'd find elsewhere from what little comparison I've done in the past. You can even go through the local Best Buy if you want to, but the Apple rep we use told us each physical location normally has its own Apple reseller ID.

 

My closest Apple Store is a good two or two and a half hours and a state line away from us. We pretty much go through CDW and Apple.com because it's simpler and have the local Best Buy for anything we need short notice. Working with Apple is not an enjoyable experience.

MarcusAurelius
Comes here often

Hi MMoss,

 

Thanks for your reply. All the devices were enrolled in DEP. When the devices first had the Meraki management profile loaded onto them, it was impossible to remove them without the password set in the Systems Manager > Manage > Settings section of the dashboard. Then one day the Meraki management profile disappeared en masse, which coincided with an internet outage. The situation repeated itself a couple more times since then. My guess was that once they lost connection to the internet for an extended period, the Meraki profile would uninstall itself. Weird, I know, especially since I was unable to reproduce the issue with a single test iPad. I manually reapplied the profile on each individual iPad, but anyone can just remove them now without a password, unless I run them through the Apple Configurator prepare process again, which is also a pain. As for your assessment regarding Apple - I agree!

 

Thanks,

Marcus Aurelius

MMoss
Building a reputation

@MarcusAurelius

 

If they are configured via the Apple Configuration tool and enrolled into the company DEP then do you have the Meraki MDM server linked to DEP and are the devices assigned to that MDM server? If so you don't really even need to install SM itself because the device is still linked to the Meraki MDM. Is the device locked into supervised mode? I know the password option you are referring to, but that was removed from the MDM system. If it's linked to the DEP, the Meraki Server is linked to the DEP and the Device is listed under the Meraki Server (Some people have multiple MDM servers) then even a master reset should re-enroll the device on factory reset to my knowledge. It sounds like you may have the device in a non-supervised mode where you install the app and then scan the QR code on the Meraki Dashboard, but that's just what I can infer. 

MarcusAurelius
Comes here often

The devices are supervised, the Meraki MDM server is linked to DEP, and the devices are assigned to that MDM server. But somewhere along the line they became unmanaged en masse, and apps that were deployed via Meraki disappeared because at the time they were set to uninstall if the management profile was removed. The management profile was installed when the iPads were prepared using Apple Configurator. What I don't understand is how it is possible for the management profile, which was password protected, to simply disappear on multiple iPads, forcing me to either manually reapply the profile or take them through the prepare process again.

 

http://www.sohotech.co.nz/software/cisco-meraki-deleting-ipad-profile-automatically/

 

https://community.spiceworks.com/topic/1265763-meraki-mdm-why-is-it-automatically-removing-profiles-...

 

https://community.meraki.com/t5/Endpoint-Management-Systems/Problems-re-installing-profile-on-iPad/t...

 

The first link does describe restoring the iPad's firmware using DFU mode. Which could work if I do it... to all one hundred iPads affected... This issue really kind of defeats the purpose of having an MDM.

 

The second link mentions looking at the change log. I see some entries mentioning that the profile has been removed, but it doesn't seem to describe how many devices have been affected, and doesn't account for the most recent profile removals.

PeterJames
Head in the Cloud

Hi @MarcusAurelius ,

 

Do you have any 'Systems Manager->Geofencing' set?

Thank you,
Peter James

MarcusAurelius
Comes here often

As we established earlier, Geofencing is not enabled. I'll keep this thread open and continue to pursue this with Meraki support until I get a solution.
