Meraki

Community

Anyone else seeing Unverified Certificates

Solved
Richard_W
A model citizen
‎Sep 24 2019 8:27 AM
‎Sep 24 2019 8:27 AM

Anyone else seeing Unverified Certificates

Screen Shot 2019-09-24 at 11.26.37 AM.png

Screen Shot 2019-09-24 at 11.26.24 AM.png

 

thoughts?

Labels:
0 Kudos
1 Accepted Solution
In response to Noah_Salzman
Noah_Salzman
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 11 2020 9:12 PM
‎Mar 11 2020 9:12 PM

So everyone is aware, the command mentioned in the previous post is now live in your Dashboard. Use the Refresh Management Profile for any devices that have a profile that appears as Unverified. 

 

Note that in the unlikely chance of a failure on the endpoint device, in refreshing the profile, you will have to manually re-enroll that device in SM. For this reason you should use this command selectively on devices known to have an issue rather than refreshing all devices at once. 

View solution in original post

24 Replies 24
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 24 2019 11:23 AM
‎Sep 24 2019 11:23 AM

Where in particular are you seeing?

0 Kudos
In response to PhilipDAth
Richard_W
A model citizen
‎Sep 24 2019 11:25 AM
‎Sep 24 2019 11:25 AM

on machine's enrolled in SM.
0 Kudos
In response to Richard_W
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 24 2019 11:30 AM
‎Sep 24 2019 11:30 AM

Windows 10, Mac, IOS, Android, something else?

0 Kudos
In response to PhilipDAth
Richard_W
A model citizen
‎Sep 24 2019 11:34 AM
‎Sep 24 2019 11:34 AM

MacOS, my Windows Clients are in the field.
0 Kudos
jm_peterson
Getting noticed
‎Sep 24 2019 1:57 PM
‎Sep 24 2019 1:57 PM

@Richard_W  This has definitely been seen by multiple admins across the community. I noticed it about a week back on a Catalina VM and figured since Catalina updates have yet to be pushed it was related to that. Then I saw this on roughly 800 machines. 

What appears to have happened was Meraki either let the certificate lapse on the 16th or didn't plan ahead to ensure the update was pushed out in time. If you go back to m.meraki.com and reinstall the configuration profile it pulls a new verified profile signed by another Authority (image attached). From the case I have open with this the agent said it was up to Apple to trust the certificate they had updated and that it should be fine. In my opinion pushing a new cert that you are waiting on Apple to trust (what?!) into production on the premise it should be fine is unacceptable regardless of having planned it or for some reason waiting until it expired.

The solution given is to ignore this on current machines, because it is a "cosmetic" issue, or push an update to each profile to every machine to update this which again should work. I can verify that new profiles pushed are verified and signed by the updated certificate, but this doesn't address the entire fleet of machines that didn't happen to start this week. 

Ive said it elsewhere, but while I don't see this as having a huge impact or presenting an immediate issue it just seems par for the course for issues we have seen and it is endlessly frustrating. We place implicit trust in Meraki as an MDM provider and an assumed part of that would be Meraki staying on top of upcoming changes. Do mistakes happen? Yes. That could easily be addressed by clear communication ahead of possible breaks or changes that make it easier on all of us managing hundreds and thousands of machines that may be impacted. 

Rant over but TLDR; it's happening because of that cert expiration, you get to push the changes to fix it. 

In response to jm_peterson
Noah_Salzman
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Sep 24 2019 7:15 PM
‎Sep 24 2019 7:15 PM

@jm_peterson You've captured the details of the "unverified profiles" very well and your rant is justified: once we knew that the Certificate Authority change was going to take place we should have done a better job at informing our customers about what was going on.

 

With regard to the current situation, as you pointed out, the warning is indeed cosmetic. However, clearly it is not a tenable situation for you to leave management profiles in place that are not part of a proper certificate trust chain. 

 

As far as what to do right now:

 

* For profiles that are not the main management profile: any minor change, such as modifying the name of the profile, will cause it to refresh with the new root CA.

 

* For the main management profile, a re-enrollment will fix it, but as pointed out this is only useful when dealing with small numbers of devices directly. To solve the "at scale" issue we are developing a feature to re-install the management profile as a bulk action initiated by the Meraki Admin. I can't provide an ETA just yet but it is an important issue for us to get fixed, we don't want to leave those "unverified" profiles sitting out there confusing your users.

 

Once again, to all of our customers affected by this, please accept my apologies for how this issue was handled. We are hopeful we will have this remedied shortly.

 

Noah Salzman

Product Manager for Meraki SM 

In response to Noah_Salzman
beks88
A model citizen
‎Sep 26 2019 5:40 AM
‎Sep 26 2019 5:40 AM

Kudoed to signal the importance 🙂

0 Kudos
In response to beks88
Noah_Salzman
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Sep 26 2019 10:25 AM
‎Sep 26 2019 10:25 AM

If this was twitter we would have to continually restate: "Kudos are not necessarily endorsements".  😉

 

0 Kudos
In response to Noah_Salzman
Richard_W
A model citizen
‎Jan 24 2020 7:51 AM
‎Jan 24 2020 7:51 AM

@Noah_Salzman any word on this bulk fix for main management profile?

In response to Richard_W
Noah_Salzman
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Feb 4 2020 3:54 AM
‎Feb 4 2020 3:54 AM

Hey All, sorry for the delay on this one. The feature we are building to address this is still in our queue, it just got put behind a couple more critical issues. I'll provide an update as we get closer to delivering it.

 

0 Kudos
In response to Noah_Salzman
Noah_Salzman
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Feb 21 2020 8:01 AM
‎Feb 21 2020 8:01 AM

Update: we've made good progress on our feature for refreshing certificates. We're trying to get this wrapped up and tested by the second week in March. 

 

What are we delivering? The way to fix the Unverified Certificates is to refresh the management profile on the device. We are adding a new command so that you can pick the time and targets rather than Meraki doing this en masse in the backend. The new command will be next to "Refresh Device Details". 

 

Screen Shot 2020-02-21 at 7.46.47 AM.png

 

Every deployment is a little different and because of that it's always prudent to run tests before pushing out a change to the management profile. We will be recommending that you run this command on a subset of your devices before performing this command on all devices that are showing "unverified". We do not expect issues with refreshing the profiles, however, if there is an issue the device will need to be manually re-enrolled. 

 

We will update this thread once the feature has been released.

In response to Noah_Salzman
Noah_Salzman
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 11 2020 9:12 PM
‎Mar 11 2020 9:12 PM

So everyone is aware, the command mentioned in the previous post is now live in your Dashboard. Use the Refresh Management Profile for any devices that have a profile that appears as Unverified. 

 

Note that in the unlikely chance of a failure on the endpoint device, in refreshing the profile, you will have to manually re-enroll that device in SM. For this reason you should use this command selectively on devices known to have an issue rather than refreshing all devices at once. 

In response to Noah_Salzman
Richard_W
A model citizen
‎Mar 12 2020 6:04 AM
‎Mar 12 2020 6:04 AM

All that leaves is a quick way to figure out which machines need to be refreshed then, any ideas?

 

R.

 

0 Kudos
In response to Noah_Salzman
BlockM
Conversationalist
‎May 27 2020 10:07 AM
‎May 27 2020 10:07 AM

Where in the Dashboard is this new command "Refresh Management Profile?"

0 Kudos
In response to BlockM
beks88
A model citizen
‎May 27 2020 1:42 PM
‎May 27 2020 1:42 PM

@BlockM 

Bildschirmfoto 2020-05-27 um 22.41.29.png

In response to beks88
AndrewMorales
New here
‎Jun 30 2020 4:27 PM
‎Jun 30 2020 4:27 PM

A little late to the party, and not sure if I'm missing something, but I'm not seeing the option to refresh management profiles from the Commands dropdown. 

Screen Shot 2020-06-30 at 4.25.28 PM.png

0 Kudos
In response to AndrewMorales
vassallon
Kind of a big deal
‎Jul 20 2020 9:35 AM
‎Jul 20 2020 9:35 AM

@AndrewMorales I asked @Noah_Salzman about this myself and he said the command has been removed.

 

I believe that when you used this command it would cause some devices to remove the Meraki Management Profile all together rather than re-installing the profile. 

 

About this time is when the profiles stopped mysteriously being removed when iPad changed networks and all of the issues with profiles within Meraki not behaving correctly appeared.

 

I'm still waiting for them to fix the profiles not being removed when a device changes networks as this is a very much needed functionality within Meraki. The response of profiles not being deleted or a device should be reset is not a valid response.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
0 Kudos
In response to vassallon
alexis_cazalaa
Building a reputation
‎Aug 27 2020 8:13 AM
‎Aug 27 2020 8:13 AM

we have a big number of iPads which mysteriously got their management profile removed by itself without any action.

this happened on the 29th of March 2020

 

Problem is that communication is impossible thru the dashboard and impossible to enroll again with m.meraki.com because of the Ui Configuration Profile Installation restriction set to NO still present

 

is there a magic fix instead of having to manually reset the iPad ?

0 Kudos
In response to Noah_Salzman
Richard_W
A model citizen
‎Dec 14 2020 9:56 AM
‎Dec 14 2020 9:56 AM

Is there any solution to this?

 

A year and more has passed with a solution offered then removed.

 

What are we to do?

0 Kudos
In response to Richard_W
jm_peterson
Getting noticed
‎Dec 14 2020 10:03 AM
‎Dec 14 2020 10:03 AM

My solution was to switch to a different MDM that didn't do things like this that made me want to rip my hair out every day. 

In response to Richard_W
Noah_Salzman
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Dec 16 2020 4:03 PM
‎Dec 16 2020 4:03 PM

Richard, do you still have devices that have unverified certificates from the original incident in this thread? (Also, if you have a case number, can you send it to me in a private message.)

0 Kudos
In response to Noah_Salzman
T1
Building a reputation
‎Jan 3 2021 3:56 PM
‎Jan 3 2021 3:56 PM

Are there any security implications? We have quite a few devices enrolled in 2019 that have 3 out of 5 signing certificates expired, which marks Management Profile as "Not Verified". I'd rather not re-enroll a thousand odd devices.

0 Kudos
In response to Noah_Salzman
alexis_cazalaa
Building a reputation
‎Jan 27 2021 12:58 PM
‎Jan 27 2021 12:58 PM

is there a reason why this option has disappeared from Dashboard ?

0 Kudos
In response to alexis_cazalaa
Richard_W
A model citizen
‎Sep 20 2022 7:51 AM
‎Sep 20 2022 7:51 AM

Is there a solution for this ongoing issue?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.