We are currently looking at making the jump over from JAMF to Meraki, partially to give us more control over other non-Apple devices (which we will be deploying in the future). For the moment we are pretty much 100% macOS based (just portable systems, not iOS).
I've hit a pretty hard block though, and I'm hoping others here have run into this and can provide me with some ideas.
User Approved Kernel Extensions. The Kextpocylipse.
Introduced in 10.13.2 this was a major major impact across all of our managed systems.
Cisco AnyConnect, CrowdStrike, VMware Fusion, Google File Stream, and multiple other applications are part of our standard system deployment. The end users needing to go into system pref/security and hit "allow" each time they try to run these apps (the first time) after upgrading is totally unacceptable. I have many users who will NOT go and do this - as such, things like our endpoint protection (CrowdStrike) will not even be able to run. I still have a good 50% of my user base running 10.12.x - when they upgrade, all of them will hit this wall, UNLESS I have some sort of profile I can push out to them. If it applies fast enough during login, they may not get the wall of "system extension blocked!" error messages (I had almost 12 of them when I first upgraded).
In JAMF I was able to use their user approved kernel extensions policy to specify a list of team pre-approved TeamIDs - thus making the system just automatically allow these applications to work, without the user having to go into system preferences/security and hit "allow".
I'm now trying to figure out how I can accomplish this in Meraki Systems Manager - they do not (yet?) have a payload option for this.
Is there a 3rd party program I can use to make a whitelist profile, then use Systems Manager to push it to my 10.13.2+ systems?
I tried Apple Configurator 2, but it doesn't have a kext part as of yet.
I'm stuck in a hard place here. What have any of you done to get past this?
@Dagan You can definitely create them in the macOS Server app ($20 in the app store), under the Profile Manager section. If you're coming from Jamf, that Profile Manager is going to be your best friend b/c it offers multiple templates (including kernel extension approval) and the ability to create custom profiles that Meraki does not support.
I'm still fairly new to this remote-management world, and despite using Meraki for a year, I'm certain I'm scratching the surface here with what I can accomplish with it.... Anywho~ let me see if I understand your solution correctly:
From your post above, it seems like all I would need to do is create a .mobileconfig profile via the macOS Server app and then push it out to the users via System Manager > MDM Settings > Add Profile > Upload custom Apple profile
Is that correct?
Then moving forward, I just need to create a new profile each time we have a program/app that runs into the System Extension Blocked error when we attempt to install.
JAMF is fantastic and super powerful for *just* macOS and iOS devices. My end users want more. They want Windows OS, BYOD, Chrome OS, etc. JAMF just won't do that. So, we either buy a SECOND tool to do that, or migrate to one tool to use them all.
Plus, cost wise, 1 year of JAMF = 3 years of Meraki.... My accounting guy really loved that math.
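
An added example, not written by any poster in this thread and not Meraki's or Apple's own code: a Python script that builds the kind of .mobileconfig discussed above, using Apple's `com.apple.syspolicy.kernel-extension-policy` payload with an `AllowedTeamIdentifiers` list. The Team IDs, the `com.example` identifier prefix and the output filename are constructed placeholders.

```python
import plistlib
import re
import uuid

KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"
TEAM_ID_RE = re.compile(r"[A-Z0-9]{10}")  # Apple Team IDs: 10 uppercase alphanumerics


def build_kext_profile(team_ids, org_prefix="com.example", allow_user_overrides=True):
    """Return .mobileconfig bytes that pre-approve kexts signed by the given Team IDs."""
    cleaned = []
    for tid in team_ids:
        tid = tid.strip().upper()
        if not TEAM_ID_RE.fullmatch(tid):
            raise ValueError(f"not a valid Team ID: {tid!r}")
        if tid not in cleaned:  # drop duplicates, keep first-seen order
            cleaned.append(tid)
    if not cleaned:
        raise ValueError("at least one Team ID is required")

    payload = {
        "PayloadType": KEXT_POLICY_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.kextpolicy",  # placeholder prefix
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kernel Extension Policy",
        # False = only the listed Team IDs may load; users cannot approve others.
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": cleaned,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.kext-allowlist",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Approved Kernel Extensions",
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Constructed placeholder Team IDs. Read the real value from each vendor's
    # signed kext (codesign -dv --verbose=4 <kext> prints TeamIdentifier).
    data = build_kext_profile(["AAAAAAAAA1", "BBBBBBBBB2"])
    with open("kext-allowlist.mobileconfig", "wb") as fh:
        fh.write(data)
```

macOS only honours this payload when the profile is installed through a user-approved MDM enrollment, so the file has to be uploaded to the MDM as a custom profile rather than installed by double-clicking it.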