
SM Agent and macOS Catalina

Meraki Employee

SM Agent and macOS Catalina

It’s been a busy month for Apple releases. We released new profiles and restrictions for iOS 13 in September.  And today we support a number of new profiles and restrictions for macOS Catalina, with more on the way.

 

While our goal was to have all features synchronized with Apple’s release, we have identified a significant issue with our macOS Agent. macOS Catalina introduces new and important security controls which require the Agent to adapt accordingly. The issue affects Agent enrollment and Agent-based features such as command line execution and remote view. Profile enrollment and all non-agent functionality, including MDM profile delivery and App Store app management, are unaffected and function correctly today on Catalina.  

 

As we work on preparing a new version of the Agent that will resolve this issue, we wanted to make sure the Meraki Community was kept up-to-date with our status. We’ll keep you posted as we make progress finishing the Catalina compatibility effort. Thank you for your patience.

49 REPLIES 49
Head in the Cloud

Re: SM Agent and macOS Catalina

@Kevin_C 

 

Thank you for the heads up. It's always nice to see information like this as soon as possible.

 

One question though, can we now deploy the Education Profile through Meraki to Macs? I know this has been a problem in the past in trying to get Apple Classroom working on Macs.

 

 

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Meraki Employee

Re: SM Agent and macOS Catalina

@vassallon  Education Profile delivery for macOS is on my roadmap. However, it's still probably a few months away.

A model citizen

Re: SM Agent and macOS Catalina

So will the fixes to the SM Agent in macOS Catalina trickle down to Mojave too, in respect to Remote View/Desktop?

 

Because at this point I have had a case active since January of this year, with no resolution for Remote Desktop. 

What worries me now is that Catalina is out and we still have no resolution to an issue affecting a major tent-pole feature of SM.

 

Important security controls were introduced with Mojave too, in September 2018, so you can probably guess my concern…

Meraki Employee

Re: SM Agent and macOS Catalina

Hi Richard,

 

I know it probably seems odd for us to tackle Catalina first and then get back to older Mojave issues, but that is indeed what we are going to do.

 

My apologies for the macOS Remote Desktop issues. We are indeed working on them but it is taking much longer than we would like to fix. 

 

  --Noah--

A model citizen

Re: SM Agent and macOS Catalina

<rant> @Noah_Salzman The only issue I have with this is that we run a pretty typical production environment and the thought of upgrading to macOS Catalina is way in the future, especially with the dropped 32bit support and getting all app developers up to speed (mostly plug-ins). So what I have now are a bunch of Macs steadily upgraded to macOS Mojave from older OS's but no means to control them.

 

From what I understand the most pertinent issues with remote access require a signed application and explicit granting of access, these things were introduced in Mojave. Yes there have been even more changes in Catalina, but it seems before you can run you may wish to walk as the fixes for Catalina surely have some grounding in those for Mojave. A stop-gap solution would provide a modicum of relief.

 

I just find it frustrating that an advertised feature has not worked for the lifetime of an OS. </rant>

Conversationalist

Re: SM Agent and macOS Catalina

Does the "Support for brand new macOS Catalina Settings payloads" mentioned in the blog post include the ability to grant applications full disk access via MDM similar to what JAMF is doing?  https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-...

Here to help

Re: SM Agent and macOS Catalina

Please keep us updated as this drives whether or not we roll out upgrades to Catalina on some of our clients' workstations!

Caribou
Here to help

Re: SM Agent and macOS Catalina

Same question here 😉

Caribou
Here to help

Re: SM Agent and macOS Catalina

Hi there, just checking in on the status of this (and subscribing for updates here). I also opened a support case for my organization so hopefully this will be resolved sooner rather than later. 

 

Case ID: 04594888

 

Best,

 

Kurtis

Getting noticed

Re: SM Agent and macOS Catalina

Same. This is really starting to hurt. 

Here to help

Re: SM Agent and macOS Catalina

Support said the dev team is still working on a solution. They didn’t give a timeline but left the case open to give me updates should they arise. I seriously hope it’s sooner rather than later. From a technical perspective I get the complexity, but we still need a solution.

New here

Re: SM Agent and macOS Catalina

Any updates as to when the Agent will be fixed for Catalina?

Meraki Employee

Re: SM Agent and macOS Catalina

A new version of the macOS agent (v 3.0.1), with fixes for Catalina, is now ready for general testing. For access to the agent, please contact your support representative through your case thread.  

A model citizen

Re: SM Agent and macOS Catalina

Any word for those on Mojave?

Meraki Employee

Re: SM Agent and macOS Catalina

@Richard_W The v3.0.1 agent was tested on 10.12 and up, so Mojave should be fine. 

Getting noticed

Re: SM Agent and macOS Catalina

Since when did the Agent have published version numbers?  How can I find out which version of the agent I'm running?

Conversationalist

Re: SM Agent and macOS Catalina

I was wondering the same thing.  I reached out to support about testing the new agent and their response seemed to indicate that testing the new agent would involve making it available to all clients.  I asked for further clarification on whether or not that applied to currently deployed devices or just any devices enrolled after having the new version made available.

 

Will post an update when I hear back.

A model citizen

Re: SM Agent and macOS Catalina

SM > Apps for the app version of System Manager. And the device page lists the version too.

Getting noticed

Re: SM Agent and macOS Catalina

That has not been my experience.  Can you show a screenshot for this?  Versioning with Meraki SM has long been a mystery.

A model citizen

Re: SM Agent and macOS Catalina

[Attached screenshots: Screen Shot 2020-01-13 at 4.12.28 PM.png, Screen Shot 2020-01-13 at 4.11.53 PM.png]

Getting noticed

Re: SM Agent and macOS Catalina

Interesting, seems kinda crazy that we are going from version 1.0.99 to 3.0.1.  I wonder what happened to 2.0? XD

Meraki Employee

Re: SM Agent and macOS Catalina

It's hanging out somewhere with IPv5 and Windows 9.

Getting noticed

Re: SM Agent and macOS Catalina

Are we going to also get change logs / release notes for these Meraki SM Agent updates? Something similar to the other Meraki firmware updates?  Hoping there are some other bug fixes / features in the v 3.0.1 besides "Catalina now Supported"?

 


 

Meraki Employee

Re: SM Agent and macOS Catalina

Yes, my apologies for not having that at the same time as the release. We'll have notes later this week. 

Getting noticed

Re: SM Agent and macOS Catalina

Thanks, I'm just excited there will be notes at all!  Looking forward to it.  Should we expect them in this thread or some other distro method?  I don't want to miss the notes once released.

 

PS.  I know this thread is all about SM and Catalina, but will the Windows agent also be getting an upgrade or will it still be a 1.0.98 version?

Meraki Employee

Re: SM Agent and macOS Catalina

"Don't cross the streams, it would be bad." 

 

Windows is unaffected by this change. This was largely about updating to support Catalina's new code-signing feature (aka Notarization).

Conversationalist

Re: SM Agent and macOS Catalina

How can I get to the new SM agent for Catalina? I can only see 1.0.98 in my SM / Apps?

A model citizen

Re: SM Agent and macOS Catalina

You need to reach out to your support; read a few posts up. Kevin mentioned it already.

Conversationalist

Re: SM Agent and macOS Catalina

The hang up is support told me that when they enable version 3 for your org it updates the agent on all already deployed clients rather than being able to test on one or two first. I'm not really comfortable with that given what happened with the 25.14 firmware for access points especially since it was pulled without adding an announcement to the dashboard. 

Getting noticed

Re: SM Agent and macOS Catalina

My support tech had me create a new SM network for testing.  I took a new Mac and installed the agent (1.0.98) then had the tech upgrade that SM network to the 3.0.1 agent to test auto updating.  So far nothing has auto updated and we are looking into potential causes / diagnostics.

 

Hoping the profile is not a prerequisite since I have so many systems out in the field that had the agent installed way before the profile method existed.

A model citizen

Re: SM Agent and macOS Catalina

In my experience, I always had to install the agent and the profile if not coming over DEP.

Getting noticed

Re: SM Agent and macOS Catalina

You do have to install both to get full functionality (I have often joked that SM Agent and SM Profile should be marketed as separate products since much of the documentation often assumes you have both when I typically do not get that experience).  We were Legacy SM customers before the paid version existed, and before the profile was an option (or at least we were not aware of it back then). For years we always just installed the agent.  For new laptop builds, it's easy to install the profile and the agent as part of our build process (we don't have DEP currently due to a challenge with our Procurement process).

 

The challenge is I have 500+ devices that are deployed (no longer at a company office with IT staff) with only the agent and no profile.  Figuring out a way to enroll those devices so they can use the profile is a challenge.  Most of these user laptops don't have access to admin rights so they can't self enroll even if we were to email them the links.  

 

I have long hoped that the agent would gain the ability to self install / enroll the profile.  In the past, I once was able to repackage the profile file into a .pkg file (agents can install pkgs) as a work around, but unsure if it still works (it was also annoying since SM always thought the pkg never finished installing).  I need to recreate this and test if it's even possible with the new Mojave / Catalina challenges.  That would solve so many challenges for managing our Mac devices. 

 

If anyone else has cracked this code, please let me know!

A model citizen

Re: SM Agent and macOS Catalina

@tfriedrich I'm in a similar boat, testing 3.0.1. I have a machine support said was updated to the new SM agent but it appears it's not (still 1.0.99 from prior Meraki pushed update), so back to support. I have both profile and agent installed.

A model citizen

Re: SM Agent and macOS Catalina

Now live and testing, thus far we have remote access, with control, to a 10.14.6 Mac with SM Agent 3.0.1 installed.

Kind of a big deal

Re: SM Agent and macOS Catalina

Any update on full disk access profiles that @Baustinceltic asked about, @Noah_Salzman?

MRCUR | CMNO #12
Meraki Employee

Re: SM Agent and macOS Catalina

@MRCUR @Baustinceltic 

It seems you are referencing the System Policy All Files permission, which you can enable today in the "Privacy Preferences" settings payload.  According to Apple's documentation, enabling this permission will "allow the application access to all protected files, including system administration files."

 

 


 

Kind of a big deal

Re: SM Agent and macOS Catalina

Thanks @Kevin_C. Great to see that's supported now. 

MRCUR | CMNO #12
New here

Re: SM Agent and macOS Catalina

@KevinC @Noah_Salzman Any updates on this? With a lot more remote work happening with the pandemic, this has become a much more dire need for my team.

Meraki Employee

Re: SM Agent and macOS Catalina

Please contact support, they can help you get the 3.0.1 agent in place. If you are having issues and already have 3.0.1 then you should open a case.

New here

Re: SM Agent and macOS Catalina

Thanks for the quick response @Noah_Salzman - is 3.0.1 now in production, or still in testing? I'm still seeing 1.0.98 as the version in my dashboard, and not keen on rolling it out in beta form.

Meraki Employee

Re: SM Agent and macOS Catalina

We are slow-rolling 3.0.1, as you have noticed. However, it is fully supported, and -- as it is with most development teams -- it is much easier for us to address issues in a recent version than it is in older versions.

New here

Re: SM Agent and macOS Catalina

Understood, thanks again for the quickness!
Kind of a big deal

Re: SM Agent and macOS Catalina

There is an application called PPPC Utility that allows you to make up privacy policy profiles and deploy them using an MDM.

 

I have created one for TeamViewer as remote access doesn't fully work without whitelisting TeamViewer in a few of the privacy settings.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Getting noticed

Re: SM Agent and macOS Catalina

Were these release notes ever released?  If so, where can I find them? 🙂

 

Thanks!

Comes here often

Re: SM Agent and macOS Catalina

I can succeed with creating a Full Disk Access settings profile.

I’ve tried from Meraki with the built-in process, using Profile Creator, using its successor iMazing Profile Editor. 

Even a profile sent from my RMM provider (SolarWinds) doesn’t work.

It appears fine on the profile preference pane, but isn't acknowledged by the system. 

I double-checked using the command:

sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access'

and it doesn’t appear in the list. 

Other PPPC types (like screenrecording) are applied fine. 

Is this a limitation from the current agent version? 
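
As an added example (not part of any post in this thread, and not Meraki's or Apple's code): a Python check of the "Privacy Preferences" (PPPC) payload discussed above, which flags entries whose identifier, code requirement, or `Allowed` value is malformed before the profile is pushed. It assumes an unsigned `.mobileconfig` using the Catalina-era `Allowed` key; the sample profile and the `com.example.agent` identifier are constructed placeholders.

```python
import plistlib

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"

# Constructed sample profile; com.example.agent is a placeholder identifier.
SAMPLE = {
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": PPPC_TYPE,
        "Services": {
            "SystemPolicyAllFiles": [{          # Full Disk Access, well-formed
                "Identifier": "com.example.agent",
                "IdentifierType": "bundleID",
                "CodeRequirement": 'identifier "com.example.agent" and anchor apple generic',
                "Allowed": True,
            }],
            "Accessibility": [{                 # deliberately malformed entry
                "Identifier": "com.example.agent",
                "IdentifierType": "path",
                "CodeRequirement": "",
                "Allowed": True,
            }],
        },
    }],
}

def audit_pppc(profile_bytes):
    """Return (service, identifier, problem) tuples for malformed PPPC entries."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                ident = entry.get("Identifier", "")
                kind = entry.get("IdentifierType")
                if kind not in ("bundleID", "path"):
                    findings.append((service, ident, "IdentifierType must be bundleID or path"))
                elif (kind == "path") != ident.startswith("/"):
                    findings.append((service, ident, "Identifier does not match IdentifierType"))
                if not entry.get("CodeRequirement", "").strip():
                    findings.append((service, ident, "CodeRequirement is missing"))
                if not isinstance(entry.get("Allowed"), bool):  # Catalina-era key (assumed)
                    findings.append((service, ident, "Allowed must be a boolean"))
    return findings

if __name__ == "__main__":
    for finding in audit_pppc(plistlib.dumps(SAMPLE)):
        print(finding)
```

To check a real profile, pass the bytes of the exported file to `audit_pppc` in place of the constructed sample.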

A model citizen

Re: SM Agent and macOS Catalina

Hello all,

 

Does anyone else experience issues with updating VPP Apps on macOS? Thought it would be resolved with the new agent but still having issues.

New here

Re: SM Agent and macOS Catalina

I have a few new MacBook Airs running Catalina and I’m having trouble getting SM Agent installed on them.

 

Agent version 3.02 shows in the App list, which I believe is the latest version. I’ve made a PPPC profile according to the instructions in Meraki’s documentation, allowing m_agent Accessibility and Full Disk Access. Is there anything else?

 

The new laptops enrol successfully, download their profiles and Store apps, but will not install enterprise apps and have only OS Update, Bluetooth and Filevault available under MDM commands. This tells me the Agent is not installed properly although m_agent and its log are present on the device. If I try to re-install it, SM reports success, but nothing changes. I’ve tried installing it manually on the laptop, no difference.

 

Has anyone got this working on 10.15.6? Thanks for any help anyone can offer.

Conversationalist

Re: SM Agent and macOS Catalina

I am, we are only deploying Slack through VPP at this time. It deploys with no problems however upgrading I'm at only about 40% success on our whole environment. Issue is both on supervised and unsupervised Macs.

Just browsing

Re: SM Agent and macOS Catalina

Are you also going to m.meraki.com and enrolling the device with your company identifier? The agent only does half the job in SM on a Mac.

 

Hope this helps!
