It’s been a busy month for Apple releases. We released new profiles and restrictions for iOS 13 in September. And today we support a number of new profiles and restrictions for macOS Catalina, with more on the way.
While our goal was to have all features synchronized with Apple’s release, we have identified a significant issue with our macOS Agent. macOS Catalina introduces new and important security controls which require the Agent to adapt accordingly. The issue affects Agent enrollment and Agent-based features such as command line execution and remote view. Profile enrollment and all non-agent functionality, including MDM profile delivery and App Store app management, are unaffected and function correctly today on Catalina.
As we work on preparing a new version of the Agent that will resolve this issue, we wanted to make sure the Meraki Community was kept up-to-date with our status. We’ll keep you posted as we make progress finishing the Catalina compatibility effort. Thank you for your patience.
Thank you for the heads up. It's always nice to see information like this as soon as possible.
One question though, can we now deploy the Education Profile through Meraki to Macs? I know this has been a problem in the past in trying to get Apple Classroom working on Macs.
So will the fixes to the SM Agent in macOS Catalina trickle down to Mojave too, in respect to Remote View/Desktop?
Because at this point I have had a case active since January of this year, with no resolution for Remote Desktop.
What worries me now is that Catalina out and we still have no resolution to an issue affecting a major tent-pole feature of SM.
Important security controls were introduced with Mojave too, in September 2018, so you can probably guess my concern…
I know it probably seems odds for us to tackle Catalina first and then get back to older Mojave issues, but that is indeed what we are going to do.
My apologies for the macOS Remote Desktop issues. We are indeed working on them but it is taking much longer than we would like to fix.
<rant> @Noah_Salzman The only issue I have with this is that we run a pretty typical production environment and the thought of upgrading to macOS Catalina is way in the future, especially with the dropped 32bit support and getting all app developers up to speed (mostly plug-ins). So what I have now are a bunch of Macs steadily upgraded to macOS Mojave from older OS's but no means to control them.
From what I understand the most pertinent issues with remote access require a signed application and explicit granting of access, these things were introduced in Mojave. Yes there have been even more changes in Catalina, but it seems before you can run you may wish to walk as the fixes for Catalina surely have some grounding in those for Mojave. A stop-gap solution would provide a modicum of relief.
I just find it frustrating that an advertised feature has not worked for the lifetime of an OS. </rant>
Does the "Support for brand new macOS Catalina Settings payloads" mentioned in the blog post include the ability to grant applications full disk access via MDM similar to what JAMF is doing? https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-...
Hi there, just checking in on the status of this (and subscribing for updates here). I also opened a support case for my organization so hopefully this will be resolved sooner rather than later.
Case ID: 04594888
Support said the dev team is still working on a solution. They didn’t give a timeline but left the case open to give me updates should they arise. I seriously hope it’s sooner rather than later. From a technical perspective I get the complexity, but we still need a solution.
A new version of the macOS agent (v 3.0.1), with fixes for Catalina, is now ready for general testing. For access to the agent, please contact your support representative through your case thread.
I was wondering the same thing. I reached out to support about testing the new agent and their response seemed to indicated that testing the new agent would involve making it available to all clients. I asked for further clarification on whether or not that applied to currently deployed devices or just any devices enrolled after having the new version made available.
Will post an update when I hear back.
Are we going to also get change logs / release notes for these Meraki SM Agent updates? Something similar to the other Meraki firmware updates? Hoping there are some other bug fixes / features in the v 3.0.1 besides "Catalina now Supported"?
Thanks, I'm just excited there will be notes at all! Looking forward to it. Should we expect them in this thread or some other distro method? I don't want to miss the notes once released.
PS. I know this thread is all about SM and Catalina, but will the Windows agent also be getting an upgrade or will it still be a 1.0.98 version?
"Don't cross the streams, it would be bad."
Windows unaffected by this change. This was largely about updating to support Catalina's new code-signing feature (aka Notarization).
The hang up is support told me that when they enable version 3 for your org it updates the agent on all already deployed clients rather than being able to test on one or two first. I'm not really comfortable with that given what happened with the 25.14 firmware for access points especially since it was pulled without adding an announcement to the dashboard.
My support tech had me create a new SM network for testing. I took a new Mac and installed the agent (1.0.98) then had the tech upgrade that SM network to the 3.0.1 agent to test auto updating. So far nothing has auto updated and we are looking into potential causes / diagnostics.
Hoping the profile is not a prerequisite since I have so many systems out in the field that had the agent installed way before the profile method existed.
You do have to install both to get full functionality (I have often joked that SM Agent and SM Profile should be marketed as separate products since much of the documentation often assumes you have both when I typically do not get that experience). We were Legacy SM customers before the paid version existed, and before the profile was an option existed (or at least we were not aware of it back then). For years we always just installed the agent. For new laptop builds, it's easy to install the profile and the agent as part of our build process (we don't have DEP currently due to a challenge with our Procurement process).
The challenge is I have 500+ devices that are deployed (no longer at a company office with IT staff) with only the agent and no profile. Figuring out a way to enroll those devices so they can use the profile is a challenge. Most of these user laptops don't have access to admin rights so they can't self enroll even if we were to email them the links.
I have long hoped that the agent would gain the ability to self install / enroll the profile. In the past, I once was able to repackage the profile file into a .pkg file (agents can install pkgs) as a work around, but unsure if it still works (it was also annoying since SM always thought the pkg never finished installing). I need to recreate this and test if it's even possible with the new Mojave / Catalina challenges. That would solve so many challenges for managing our Mac devices.
If anyone else has cracked this code, please let me know!
@tfriedrich I'm in a similar boat, testing 3.0.1, I have machine support said was updated to the new SM agent but it appears it's not (still 1.0.99 from prior Meraki pushed update), so back to support. I have both profile and agent installed.
It seems you are referencing the System Policy All Files permission, which you can enable today in the "Privacy Preferences" settings payload. According to Apple's documentation, enabling this permission will "allow the application access to all protected files, including system administration files."
Please contact support, they can help you get the 3.0.1 agent in place. If you are having issues and already have 3.0.1 then you should open a case.
Thanks for the quick response @Noah_Salzman - is 3.0.1 now in production, or still in testing? I'm still seeing 1.0.98 as the version in my dashboard, and not keen on rolling it out in beta form.
We are slow-rolling 3.0.1, as you have noticed. However, it is fully supported, and -- as it is with most development teams -- it is much easier for us to address issues in a recent version than it is in older versions.
I have created one for Teamviewer as remote access doesn't fully work without whitelisting Teamviewer in a few of the privacy settings.
I can succeed with creating a Full Disk Access settings profile.
I’ve tried from Meraki with the built-in process, using Profile Creator, using its successor iMazing Profile Editor.
Even profile sent from my RMM provider (SolarWinds) doesn’t work.
It appears fine on the profile preference pane, but isn't acknowledged by the system.
I double-checked using the command:
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access'
and it doesn’t appear in the list.
Other PPPC types (like screenrecording) are applied fine.
Is this a limitation from the current agent version?
does anyone else experience issues with updating VPP Apps on macOS? Thought it would be resolved with the new agent but still having issues.
I have a few new Macbook Airs running Catalina and I’m having trouble getting SM Agent installed on them.
Agent version 3.02 shows in th App list, which I believe is the latest version, I’ve made a PPPC profile according to the instructions in Meraki’s documentation, allowing m_agent Accessibility and Full Disk Access. Is there anything else?
The new laptops enrol successfully, download their profiles and Store apps, but will not install enterprise apps and have only OS Update, Bluetooth and Filevault available under MDM commands. This tells me the Agent is not installed properly although m_agent and its log are present on the device. If I try to re-install it, SM reports success, but nothing changes. I’ve tried installing it manually on the laptop, no difference.
Has anyone got this wokring on 10.15.6? Thanks for any help anyone can offer.
I am, we are only deploying Slack through VPP at this time. It deploys with no problems however upgrading I'm at only about 40% success on our whole environment. Issue is both on supervised and unsupervised macs.
Are you also going to m.meraki.com and enrolling the device with your company identifier? The agent only does half the job in SM on a mac.
Hope this helps!