Systems Manager sentry broken due to broken OS detection

DBMandrake
Here to help

Hi All,

We use Systems Manager Sentry for our student SSID. Students have individual WiFi usernames and passwords authenticated from Active Directory via RADIUS.

The Sentry is configured in "focused" mode with only iOS devices set to be enforced, as there are a few Android, Mac and Windows devices which we don't want to enforce MDM enrolment on. The Sentry ensures that students keep MDM installed so restrictions like age limits for apps can be maintained.

This worked well for a couple of years but more recently it has been badly broken, and I had not appreciated the full extent of how badly it was broken until last week. The first crack in the armour I reported to Meraki last year through a ticket, and also referenced here:

https://community.meraki.com/t5/Endpoint-Management-Systems/Meraki-Systems-manager-no-longer-recogni...

This was that students could simply uninstall the Meraki profile while they were not connected to WiFi and remove the profile without Meraki being aware of it. So a small handful of students were still "authenticated" on WiFi even though they had removed the profile weeks or months ago. After a back and forth with Meraki tech support the end result was "working as intended". (!!)

However, last week I discovered a much bigger problem. Something like a quarter of all our student iPads were just sailing on through the Sentry without being redirected to install the MDM management profile - and it appears this may have been going on for somewhere between months and a full year unknown to us.

After some to and fro with Meraki support in the last few days and some testing of my own, my conclusion is that the "focused" mode which tries to detect OS type is utterly, utterly broken at the moment, allowing over 100 of our 600 iPads through despite the fact that most of them are actually reported as iPads when you look in the wireless client list. (Some are reported as "Other".)

This is unbelievable, to be frank. Discussion with Meraki support is ongoing. So as a workaround I've changed it to strict with the intention of having to manually whitelist non-iOS devices. 😐

Then I had an idea - we have a group policy called Bypass Meraki Enrolment which does what it says for S5 and S6 students based on a RADIUS attribute (which works fine), so I thought, what about leveraging this with "Assign group policies by device type" to whitelist specific non-iOS devices.

So I set it to assign this group policy to devices of type Android, Chrome OS, Mac OS and Windows. The idea being that doing it this way around is "failsafe", because if an iPad is detected incorrectly as an unknown device it would still be required to enrol; only if a device was specifically identified as one of the above OSes would it be allowed to bypass enrolment.

Unfortunately this utterly failed as well, as over 100 iPads duly had this group policy assigned to them despite the fact that they're all listed as iPad or Other!!! (I then had to manually revert all these incorrect policies.)

So "Assign group policies by device type" is also utterly, utterly broken, so I've had to revert that and go back to manual whitelisting of devices.

Anyone else experiencing problems like this? Without the Sentry to block internet access we have no way to enforce students' BYO devices remaining enrolled in MDM, and without the Sentry working we might as well not have an MDM system, to be honest.
