I am using the free < 100 tier for my organization. I am looking to use the MDM for our macOS devices. If I browse to m.meraki.com and enter my network ID, I can download the mobileconfig policy and it will successfully enroll. However, if I remove the profile and try to reenroll it using the same mobileconfig file, I get an internalerror error 1. Is that the expected behavior? That I need to download a new file for every macOS device? Or am I missing the correct procedure? I will be deploying the profile to multiple computers. I have tried deploying the profile to another macOS device and the same issue happens.
That's very interesting....
We came across this issue recently on a new client setup while on a trial. Previously we had used an individual config and wrapped it up into a full enrolment package, SM Agent and our own software. This time it wasn't working.
We thought this may be because the SM was on a trial. However, we tested last week with a normal paid version and had the same issue. We went back and re-ran an enrolment install from a previous client from last year that did work; it isn't working anymore either.
We concluded that something has changed on the config side and they now appear to be single use only, potentially only live and valid for a short period of time. Though we didn't complete the testing to confirm it was time based rather than simply single use.
So yes, we have seen this and it seems to be how it works now. It may be worth opening up a case with Meraki about it. It's on our list to look at for our next large enrolment to check this out.
I'm on the free < 100 user tier and they wouldn't give me any support.
Oh well, that's not very nice, is it...
I can open up a case for you if you'd like?
This is a change on Apple's end to prevent malicious actors from joining your org's MDM server if they obtain a copy of the enrollment profile.
@eatyourpeas747 @Nick Yeah, Apple has been nudging admins towards DEP for a few years now. The user-approved MDM requirement starting in macOS 10.13.4 (where a user must explicitly approve the MDM enrollment) is the final nail for any attempt at automating enrollment outside of DEP.
Ah sorry, I misunderstood. I was aware of the explicitly approve part. When we did our testing we tried copying a single mobileconfig over to two machines. It only worked once, then failed to install on the next one.
I think this is more to do with SM than MDM on the macOS side, though I could be wrong!
Interesting - we wondered about that but couldn't see how they would enforce this across random machines?
Much appreciated.
Yes, I've had this back:
Though I don't think this is the main reason, so I've gone back to ask if the configs are single use as well.
Due to security reasons, our development team deployed a timer on the mobileconfig so that it expires in about 20 minutes. This may be the reason you are having this issue. A workaround you can try is using the URL when enrolling the devices. If this still does not work out for you, then what we can do is enable a feature on our end so the mobileconfig timer does not expire quickly. Please note that this is not best practice and is a security issue.