Am not able to use multiple mobileconfig files to enroll MacOS devices

eatyourpeas747
Conversationalist

I am using the free <100 tier for my organization. I am looking to use the MDM for our macOS devices. If I browse to m.meraki.com and enter my network ID I can download the mobileconfig policy and it will successfully enroll. However, if I remove the profile and try to re-enroll it using the same mobileconfig file I get an "internalerror error 1". Is that the expected behavior? That I need to download a new file for every macOS device? Or am I missing the correct procedure? I will be deploying the profile to multiple computers. I have tried deploying the profile to another macOS device and the same issue happens.

Nick
Head in the Cloud

That's very interesting....

We came across this issue recently on a new client setup while on a trial. Previously we had used an individual config and wrapped it up into a full enrolment package, SM Agent and our own software. This time it wasn't working.

We thought this may be because the SM was on a trial. However, we tested last week with a normal paid version and had the same issue. We went back and re-ran an enrolment install from a previous client from last year that did work; it isn't working anymore either.

We concluded that something has changed on the config side and they now appear to be single use only, potentially only live and valid for a short period of time. Though we didn't complete the testing to confirm it was time based rather than simply single use.

So yes, we have seen this and it seems to be how it works now. It may be worth opening up a case with Meraki about it. It's on our list to look at for our next large enrolment to check this out.

I'm on the free <100 user tier and they wouldn't give me any support.

Oh well, that's not very nice, is it...

I can open up a case for you if you'd like?

I'd love that. Thank you.

It doesn't seem like a timing issue, because I tried it pretty quickly after making it and it didn't work.

Seems like single use then; no problem, I'll open a case up now for you. It will be helpful as I am sure others will come across this as well!
sshort
Building a reputation

This is a change on Apple's end to prevent malicious actors from joining your org's MDM server if they obtain a copy of the enrollment profile.

How do you create bulk enrollments? Is the assumption that we have to use DEP?
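To make the point above concrete, here is an added example (not Meraki's code, and not from anyone in this thread) that parses a constructed MDM enrollment .mobileconfig with Python's standard plistlib and reports what a copy of the file hands to whoever holds it. The profile contents, UUIDs and example.com URLs are all made up for the demonstration; the payload keys (`com.apple.mdm`, `ServerURL`, `CheckInURL`, `Topic`, `IdentityCertificateUUID`, `AccessRights`, `com.apple.security.pkcs12`) are the standard Apple profile keys.

```python
"""Inspect an MDM enrollment profile and explain why a copy of it is sensitive.

Added example. The sample profile below is constructed for illustration and is
not a real Meraki (or any vendor) export.
"""
import plistlib

IDENTITY_UUID = "6D4D41E6-0000-4000-8000-000000000001"  # made-up UUID
MDM_UUID = "6D4D41E6-0000-4000-8000-000000000002"       # made-up UUID

# Constructed sample: an enrollment profile that ships a static PKCS#12 identity
# plus the MDM payload pointing at a fictional server.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.mdm.enrollment",
    "PayloadUUID": "6D4D41E6-0000-4000-8000-000000000000",
    "PayloadDisplayName": "Example MDM Enrollment",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadIdentifier": "com.example.mdm.identity",
            "PayloadUUID": IDENTITY_UUID,
            "PayloadVersion": 1,
            # Placeholder bytes standing in for a PKCS#12 blob with a private key.
            "PayloadContent": b"\x30\x82PLACEHOLDER-PKCS12-BLOB",
            "Password": "changeit",
        },
        {
            "PayloadType": "com.apple.mdm",
            "PayloadIdentifier": "com.example.mdm.payload",
            "PayloadUUID": MDM_UUID,
            "PayloadVersion": 1,
            "ServerURL": "https://mdm.example.com/mdm",
            "CheckInURL": "https://mdm.example.com/checkin",
            "Topic": "com.apple.mgmt.External.example",
            "IdentityCertificateUUID": IDENTITY_UUID,
            "AccessRights": 8191,
        },
    ],
})

# Subset of the AccessRights bit flags from Apple's MDM protocol reference.
ACCESS_RIGHTS = {
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    4096: "app management",
}


def payloads_of_type(profile, payload_type):
    """Return the payload dicts of one PayloadType from a parsed profile."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == payload_type]


def summarize_enrollment(data):
    """Parse a .mobileconfig (bytes) and pull out the enrollment-relevant facts."""
    profile = plistlib.loads(data)
    mdm_payloads = payloads_of_type(profile, "com.apple.mdm")
    if len(mdm_payloads) != 1:
        raise ValueError("expected exactly one com.apple.mdm payload")
    mdm = mdm_payloads[0]
    ident_uuid = mdm.get("IdentityCertificateUUID")
    identity = next((p for p in profile.get("PayloadContent", [])
                     if p.get("PayloadUUID") == ident_uuid), None)
    identity_type = identity.get("PayloadType") if identity else None
    rights = int(mdm.get("AccessRights", 0))
    return {
        "server_url": mdm.get("ServerURL"),
        "check_in_url": mdm.get("CheckInURL"),
        "topic": mdm.get("Topic"),
        "identity_type": identity_type,
        # A PKCS#12 payload means the client identity (and its private key) is
        # baked into the file rather than requested per device via SCEP.
        "static_identity": identity_type == "com.apple.security.pkcs12",
        "access_rights": [name for bit, name in ACCESS_RIGHTS.items() if rights & bit],
    }


def reuse_findings(summary):
    """Explain what a third party gets from a copy of the profile."""
    findings = []
    if summary["server_url"] and summary["check_in_url"]:
        findings.append("check-in and server URLs are present: the file alone "
                        "is enough to attempt enrollment from any device")
    if summary["static_identity"]:
        findings.append("a static PKCS#12 identity is embedded: every copy "
                        "presents the same client certificate and key")
    elif summary["identity_type"] == "com.apple.security.scep":
        findings.append("identity comes from SCEP: the embedded challenge is "
                        "the shared secret and must be treated like a password")
    return findings


if __name__ == "__main__":
    s = summarize_enrollment(SAMPLE_PROFILE)
    for key, value in s.items():
        print(f"{key}: {value}")
    for f in reuse_findings(s):
        print("-", f)
```

Run it against a real export by replacing `SAMPLE_PROFILE` with the file's bytes. The output makes the thread's point from the server side: if the profile carries everything needed to enroll and nothing in it is per-device, the only thing stopping a leaked copy from enrolling a stranger's machine is the server refusing to honor it a second time or after a short window, which is exactly the behavior the posters are seeing.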
sshort
Building a reputation

@eatyourpeas747 @Nick Yeah, Apple has been nudging admins towards DEP for a few years now. The user-approved MDM requirement starting in macOS 10.13.4 (where a user must explicitly approve the MDM enrollment) is the final nail for any attempt at automating enrollment outside of DEP.

Nick
Head in the Cloud

Ah, sorry, I misunderstood. I was aware of the explicitly approve part; when we did our testing we tried copying a single mobileconfig over to two machines. It only worked once, then failed to install on the next one.

I think this is more to do with SM than MDM on the macOS side, though I could be wrong!

Nick
Head in the Cloud

Interesting. We wondered about that but couldn't see how they would enforce this across random machines?

Nick
Head in the Cloud

Case opened so we'll see what comes back. I'll update the thread with any input

much appreciated

any update about this?

Yes, I've had this back.

Though I don't think this is the main reason, so I've gone back to ask if the configs are single use as well:

Due to security reasons, our developing team deployed a timer of the mobileconfig to expire in about 20 minutes. This may be the reason you are having this issue. A workaround you can try is using the URL when trying to enroll the devices. If this still does not work out for you, then what we can do is enable a feature on our end so the mobileconfig timer does not expire quickly. Please note that this is not best practice and is a security issue.

Curious if other MDMs are doing this or not.