I've tagged an iOS device and the Meraki SM was pushed to the device. While it appears location services are enabled, the last location is still based on IP.
I've pushed it and the user accepted, but that was it... so technically they have the app to meet the requirements, and they show as geofence compliant based on IP because they never enabled location access for the app. They never get prompted, and I can't make it happen until they accept it. If they don't accept it, they'll stay geolocation compliant because their location will show as IP based.
We can push the Meraki app and it will keep bugging the user to install it... but in some cases I can see people have it but GPS is off (they never allowed it, or never get prompted to enable it), so they are still reporting via IP... and there's no way to force that. So if we do deploy it, they can just turn it off and still be geofence compliant... and use apps that require them to be geofence compliant.
Is there a way to enforce geolocation based on IP addresses? I know by default GPS is necessary to truly enforce triggers that add or remove devices, but maybe there's a switch that could enforce based on IP location?
At this point it's more of an honor-based system, or one that is good for devices that are corporate controlled, but in a BYOD environment where you want to enforce geolocation compliance for certain apps, it is not ideal.
These BYOD devices aren't in supervised mode, so pushing the Meraki app would be on the honor system, which really means: why do it at all? 90% of the users won't click the app to even see the prompts to enable GPS, and if they skip it and have the app, they will be compliant anyway.
If there was a way in Meraki to lower the criteria to IP-based location vs. GPS, it would work, but I don't see that happening without a feature change.
At this point it's just as easy to review the map daily (as that does update based on IP), then simply set up apps to NOT have the following tags, and then just manually tag the devices. That should trigger a removal based on a tag vs. GPS location.
Just unfortunate you cannot simply lower the standards for Location Based Triggers.
So, here's a thought: you get both LAN and WAN IP addresses via the API... It wouldn't take much coding to use the Devices API to get the IP address of every device and set a tag based on compliance against IP address... It would save you having to do this through the UI, and means you could run it several times a day... Let me know if this is something you'd consider...
Paul - Interesting, because long story short... my Dir of Sec ended up using Okta Workflows to use the Meraki API to get the location, tag the device... circle back and check locations every 6 hours, and tag again if they came back... "outsideUSA" and "insideUSA".
It's been working very well minus an edge case, which was solved.
We run this daily and can reasonably determine the locations of enrolled devices, and Okta Workflows makes it nice to schedule and monitor.
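A sketch of the IP-to-tag job Paul suggests and the scheduled Okta Workflows job described in the follow-up, as an added example: this is not the poster's workflow and not Meraki's code. It assumes the Dashboard API v1 SM endpoints and field names as I understand them (GET /networks/{networkId}/sm/devices with the optional publicIp/ip fields, and POST /networks/{networkId}/sm/devices/tags taking ids, tags and updateAction), so check both against the current Meraki docs before relying on them. The device records and the GeoIP table are constructed, and country_for_ip() is a placeholder for whatever GeoIP source you actually use. The one behaviour worth calling out: a device that reports only a LAN address, or nothing at all, is listed as unresolved and left with whatever tags it already has, rather than being moved to either tag.

```python
import ipaddress
import json
import os
import urllib.request

API = "https://api.meraki.com/api/v1"
INSIDE, OUTSIDE = "insideUSA", "outsideUSA"

# Ranges a device cannot be geolocated from: RFC 1918, CGNAT, loopback,
# link-local, "this" network and the IPv6 equivalents. Checked explicitly
# rather than via ipaddress.is_global, which also rejects the RFC 5737
# documentation ranges used in the sample data below.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample in the shape of GET /networks/{id}/sm/devices records
# (assumed field names; only the columns this script uses are kept).
SAMPLE_DEVICES = [
    {"id": "1", "tags": [], "ip": "192.168.1.5", "publicIp": "203.0.113.10"},
    {"id": "2", "tags": [INSIDE], "ip": "10.1.1.9", "publicIp": "198.51.100.7"},
    {"id": "3", "tags": [OUTSIDE], "ip": None, "publicIp": "203.0.113.11"},
    {"id": "4", "tags": [INSIDE], "ip": "10.20.30.40", "publicIp": None},  # LAN only
    {"id": "5", "tags": [], "ip": None, "publicIp": None},  # never checked in
]

# Constructed GeoIP table standing in for a real database (hypothetical).
FAKE_GEO = {"203.0.113.10": "US", "203.0.113.11": "US", "198.51.100.7": "DE"}

def country_for_ip(ip):
    """Placeholder lookup; replace with MaxMind, ipinfo, or similar."""
    return FAKE_GEO.get(ip)

def wan_ip(device):
    """First routable address the device reported (publicIp preferred), else None."""
    for key in ("publicIp", "ip"):
        raw = device.get(key)
        if not raw:
            continue
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if not any(addr in net for net in UNROUTABLE):
            return str(addr)
    return None

def plan_tag_changes(devices, lookup=country_for_ip):
    """Work out tag adds/deletes per device without calling the API.
    Devices with no routable IP or no GeoIP hit are listed as unresolved and
    their tags are left alone, so they do not flap between the two states."""
    plan = {"add": {INSIDE: [], OUTSIDE: []},
            "delete": {INSIDE: [], OUTSIDE: []},
            "unresolved": []}
    for dev in devices:
        ip = wan_ip(dev)
        country = lookup(ip) if ip else None
        if country is None:
            plan["unresolved"].append(dev["id"])
            continue
        want = INSIDE if country == "US" else OUTSIDE
        other = OUTSIDE if want == INSIDE else INSIDE
        tags = set(dev.get("tags") or [])
        if want not in tags:
            plan["add"][want].append(dev["id"])
        if other in tags:
            plan["delete"][other].append(dev["id"])
    return plan

def _request(method, path, api_key, body=None):
    req = urllib.request.Request(
        API + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"null")

def fetch_devices(network_id, api_key):
    # Assumed: fields[] adds the optional publicIp/ip columns. Link-header
    # pagination is omitted; add it for more than one page of devices.
    return _request("GET", f"/networks/{network_id}/sm/devices"
                           "?fields[]=publicIp&fields[]=ip&perPage=1000", api_key)

def apply_plan(network_id, api_key, plan):
    """Assumed endpoint: POST .../sm/devices/tags with ids, tags, updateAction.
    Returns the number of tag calls made."""
    calls = 0
    for action in ("add", "delete"):
        for tag, ids in plan[action].items():
            if ids:
                _request("POST", f"/networks/{network_id}/sm/devices/tags", api_key,
                         body={"ids": ids, "tags": [tag], "updateAction": action})
                calls += 1
    return calls

if __name__ == "__main__":
    key, net = os.environ.get("MERAKI_API_KEY"), os.environ.get("MERAKI_NETWORK_ID")
    devices = fetch_devices(net, key) if key and net else SAMPLE_DEVICES
    plan = plan_tag_changes(devices)
    print(json.dumps(plan, indent=2))
    if key and net:
        apply_plan(net, key, plan)
```

Run it on a schedule (cron, or the timer in an Okta Workflow) with MERAKI_API_KEY and MERAKI_NETWORK_ID set; without them it just prints the plan for the constructed sample. The unresolved list is the part to review by hand, since those are exactly the devices an IP-based approach cannot place.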