I'm familiar with Meraki Systems Manager from managing iPads with it; however, we now want to add our 20 iMacs to Systems Manager. I have successfully made a profile to my liking on a test MacBook I have. However, I was wondering, since these iMacs will be linked to AD, if there is a way to make admins exempt from the policy, so should I need to get into the settings etc. I'm able to without disabling the profile and then re-enabling it when I'm done.
I don’t believe so; profiles in macOS are applied at a system level and are always enforced. It would be helpful to know what settings you need to “disable” to make changes and then “re-enable”, as Meraki doesn’t talk to AD in this way.
You mention “a” profile, does this mean you loaded all of the settings/payloads you want into a single mobileconfig profile? If so, you should consider breaking that down into multiple, smaller profiles.
For example: I used to have a single profile that enforced the firewall, and set a message at the lock screen with contact info in case the laptop was stolen. For various reasons, I had to uninstall the profile from a user’s Mac to test firewall settings. During that process, the user’s laptop was stolen. It eventually checked into the Meraki portal to report an updated location, but our interaction with the local police dept would have been smoother had the owner contact info been easily visible on the lock screen (which was removed when the profile was uninstalled).
Now I have a separate profile for each function, so if I need to remove or update a profile it doesn’t affect multiple settings. Also, because profiles will enforce the setting, there are some adjustments that can be made with the defaults command in a script. For example: I want to ensure my Macs are set to the Central US time zone during the user provisioning phase; however, the user may be traveling and needs the ability to adjust their time zone as needed. So I don’t use a profile, which would always enforce Central US time. I’ll run this:
/usr/sbin/systemsetup -settimezone "America/Chicago"  # sets the zone once; unlike a profile, the user can still change it later
Nope. I would really like this too. I wish that when a user logged into an AD- or OD-bound Mac, the user would get profiles scoped at the user level to him/her.
Yeah, that's exactly what I'm after, because I work in a school and I don't want the kids all messing around in the settings etc. and with the dock, because of course the kids always like to make the dock massive. But it's annoying when I need to actually fix the machine.
Hmmm, yeah, you make a point about the separate profiles; we do that with all the GPOs on the Windows machines, so I should have thought of that. When I say I disable the profile, what I really mean is I go into Systems Manager and remove the setting for macOS System Preferences, which I have set so that everything is inaccessible; then once I've finished fixing the machine/machines I go in and add the restrictions to System Preferences back in. So obviously not ideal, as all the other computers are also unrestricted at that time.
For the dock, check out this site.
You can “lock” apps to the dock to prevent changes and set additional dock prefs. Then upload the profile it makes to Meraki.
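As an added illustration (not the linked site's output and not anything posted in this thread), this is what a Dock-only mobileconfig of the kind described above looks like: it fixes the icon size, blocks resizing/magnification, freezes the Dock contents and pins one app. The identifiers, UUIDs and the pinned app path are placeholders to replace before uploading.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Top-level profile metadata; identifier and UUIDs are placeholders -->
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadDisplayName</key><string>Student Dock (locked)</string>
  <key>PayloadIdentifier</key><string>com.example.school.dock</string>
  <key>PayloadUUID</key><string>11111111-1111-4111-8111-111111111111</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- Dock payload: only the keys listed here are managed, nothing else -->
      <key>PayloadType</key><string>com.apple.dock</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.school.dock.payload</string>
      <key>PayloadUUID</key><string>22222222-2222-4222-8222-222222222222</string>
      <key>PayloadDisplayName</key><string>Dock</string>
      <!-- Fix the icon size and stop students from resizing, magnifying or moving the Dock -->
      <key>tilesize</key><integer>48</integer>
      <key>size-immutable</key><true/>
      <key>magnify-immutable</key><true/>
      <key>position-immutable</key><true/>
      <!-- Freeze the set of Dock items so apps cannot be added or removed -->
      <key>contents-immutable</key><true/>
      <!-- Apps pinned to the Dock (one shown as a placeholder; add one dict per app) -->
      <key>static-apps</key>
      <array>
        <dict>
          <key>tile-type</key><string>file-tile</string>
          <key>tile-data</key>
          <dict>
            <key>file-data</key>
            <dict>
              <key>_CFURLString</key><string>/Applications/Safari.app</string>
              <key>_CFURLStringType</key><integer>0</integer>
            </dict>
          </dict>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
```

Because the scope is System, the restrictions apply to every account on the Mac, admins included, which is exactly the limitation discussed earlier in the thread; keeping the Dock in its own small profile at least means removing it for a repair does not also drop your other restrictions.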
@pjd Instead of turning off the profile and unrestricting all the machines, why not search for the specific computer in the device inventory and do a Selective Wipe on that machine? That will get rid of everything managed on the machine, but leave behind the MDM Profile. Once you re-authorize the machine, everything will come back down.
I am thinking a workaround for this would be to have a script run at login that gets the AD user and uses the Meraki API (if possible) to re-assign the device to that user. Then whatever groups that user is in that are scoped to configs, they will come down.
Does anybody here have any API skills and know if it is possible? It's the only workaround I could see.