cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Anyone else seeing Unverified Certificates

Highlighted
Building a reputation

Anyone else seeing Unverified Certificates

Screen Shot 2019-09-24 at 11.26.37 AM.png

Screen Shot 2019-09-24 at 11.26.24 AM.png

 

thoughts?

8 REPLIES 8
Kind of a big deal

Re: Anyone else seeing Unverified Certificates

Where in particular are you seeing?

Building a reputation

Re: Anyone else seeing Unverified Certificates

on machine's enrolled in SM.
Kind of a big deal

Re: Anyone else seeing Unverified Certificates

Windows 10, Mac, IOS, Android, something else?

Building a reputation

Re: Anyone else seeing Unverified Certificates

MacOS, my Windows Clients are in the field.
Getting noticed

Re: Anyone else seeing Unverified Certificates

@Richard_W  This has definitely been seen by multiple admins across the community. I noticed it about a week back on a Catalina VM and figured since Catalina updates have yet to be pushed it was related to that. Then I saw this on roughly 800 machines. 

What appears to have happened was Meraki either let the certificate lapse on the 16th or didn't plan ahead to ensure the update was pushed out in time. If you go back to m.meraki.com and reinstall the configuration profile it pulls a new verified profile signed by another Authority (image attached). From the case I have open with this the agent said it was up to Apple to trust the certificate they had updated and that it should be fine. In my opinion pushing a new cert that you are waiting on Apple to trust (what?!) into production on the premise it should be fine is unacceptable regardless of having planned it or for some reason waiting until it expired.

The solution given is to ignore this on current machines, because it is a "cosmetic" issue, or push an update to each profile to every machine to update this which again should work. I can verify that new profiles pushed are verified and signed by the updated certificate, but this doesn't address the entire fleet of machines that didn't happen to start this week. 

Ive said it elsewhere, but while I don't see this as having a huge impact or presenting an immediate issue it just seems par for the course for issues we have seen and it is endlessly frustrating. We place implicit trust in Meraki as an MDM provider and an assumed part of that would be Meraki staying on top of upcoming changes. Do mistakes happen? Yes. That could easily be addressed by clear communication ahead of possible breaks or changes that make it easier on all of us managing hundreds and thousands of machines that may be impacted. 

Rant over but TLDR; it's happening because of that cert expiration, you get to push the changes to fix it. 

Meraki Employee

Re: Anyone else seeing Unverified Certificates

@jm_peterson You've captured the details of the "unverified profiles" very well and your rant is justified: once we knew that the Certificate Authority change was going to take place we should have done a better job at informing our customers about what was going on.

 

With regard to the current situation, as you pointed out, the warning is indeed cosmetic. However, clearly it is not a tenable situation for you to leave management profiles in place that are not part of a proper certificate trust chain. 

 

As far as what to do right now:

 

* For profiles that are not the main management profile: any minor change, such as modifying the name of the profile, will cause it to refresh with the new root CA.

 

* For the main management profile, a re-enrollment will fix it, but as pointed out this is only useful when dealing with small numbers of devices directly. To solve the "at scale" issue we are developing a feature to re-install the management profile as a bulk action initiated by the Meraki Admin. I can't provide an ETA just yet but it is an important issue for us to get fixed, we don't want to leave those "unverified" profiles sitting out there confusing your users.

 

Once again, to all of our customers affected by this, please accept my apologies for how this issue was handled. We are hopeful we will have this remedied shortly.

 

Noah Salzman

Product Manager for Meraki SM 

Building a reputation

Re: Anyone else seeing Unverified Certificates

Kudoed to signal the importance 🙂

Meraki Employee

Re: Anyone else seeing Unverified Certificates

If this was twitter we would have to continually restate: "Kudos are not necessarily endorsements".  😉

 

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels