Installing SM enrollment profile on Non-DEP macs

binarydaze
Here to help

Our current deployment process for Non-DEP, non-T2 Macs is imaging-based through DeployStudio. The imaging ends with the installation of the Munki Agent, which installs the Meraki agent and all the other apps. However, the SM profile .mobileconfig needs to get on there in an automated way, and I can't find one that works.


I can double-click on it while logged in as an admin and install it manually, but who has time for that?

Munkiimport will not import the .mobileconfig as downloaded from the Dashboard "Add Devices" page.

MunkiAdmin will not import it either.

I tried wrapping in a package with Profile-to-PKG.py (Thanks, Tim Sutton!). It makes a PKG file, but the installation fails. Works fine with other .mobileconfig files...


I know something is weird and unholy about this mobileconfig when I can't even install it from the command line in its pure form.


profiles -I -F /Users/myuser/Downloads/meraki_sm_mdm.mobileconfig -f -v

(The operation couldn’t be completed. (InternalError error 1.))


What is it about this .mobileconfig file? Is it haunted? Is it from another dimension of space and time? Endpoint management is all about automating your devices... so why do I have to do a manual process to implement it? Am I crazy? (Yes, but that's beside the point.)


I contacted Meraki support, and they sent me here. The wisdom is in the group...

BlakeRichardson
Kind of a big deal

@binarydaze I don't think profile installs can be automated unless using an MDM; pretty sure this is a privacy restriction Apple has put in place to stop any potential silent installs of malicious profiles.
Green_Ghost
Meraki Employee

A few years ago I assisted a Meraki customer in scripting profile installations using the agent. Recently we revisited this, so I'll share my findings with anyone else who may be in a situation where they do have the agent installed but do not have the profile installed.


Before macOS Big Sur, the "profiles -I" command could be used to install profiles, but Apple has deprecated this. I can only speculate, but I would assume this falls in line with many changes that Apple has been making lately focusing on user privacy and user knowledge of the permissions that their admins have. This means that if the device does not receive the profile through a DEP enrollment, the only method of installing a profile is via user action.


DEP would be the ideal scenario, but anyone reading this probably knows that ideal scenarios are rare for admins.


Although we can't silently install this anymore, we can utilize the agent to push a script that will prompt the user to install. As a proof of concept we did the following; this will download the profile and present the user with the following screen:


[Screenshot: UserPrompt.jpg]

Baseline:
Machines DO have the agent installed, but DO NOT have the profile


Step 1:

  • Have Meraki support alter your network so that your enrollment profiles do not expire. Without doing so, profiles expire 5 minutes after they’re downloaded, and they will fail to install after 5 minutes.

Step 2:

Step 3:

  • Wrote a simple script. This was very simple in my case; it was just a proof of concept. The script simply loads the profile into macOS and then opens the UI to the exact location where the user can click "install". You can get fancy here and include an image if you want:

#!/bin/bash
sudo open photo.jpeg # open a picture file
sudo open meraki_sm_mdm.mobileconfig # load enrollment profile to system preferences
sudo open -b com.apple.systempreferences /System/Library/PreferencePanes/profiles.prefPane meraki_sm_mdm.mobileconfig # open system preferences profiles, which presents the user with the install option


Steps 4+ follow the process from this document:

https://documentation.meraki.com/SM/Apps_and_Software/Deploying_Scripts_in_Systems_Manager_using_Sof...


Step 4:

  • Bundled my script and the non-expiring .mobileconfig profile into a .pkg installer file (this doesn't install anything; it's just how we run scripts via the agent)

Step 5:

  • Wrapped my .pkg into a DMG

Step 6:

  • Uploaded the DMG to Dashboard as an “app”

Step 7:

  • Scoped the app, making sure auto install was not selected

Step 8:

  • Manually pushed install command


The script can be as elaborate as you want. For example, you could likely use the "Profiles -list" command to check if the profile is installed, and only prompt the user if it isn't installed.


Feel free to reply to my post if there are questions about this.
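The following is an added example, not Green_Ghost's script or anything shipped by Meraki. It takes the proof-of-concept above (stage the .mobileconfig, then open the Profiles pane) and adds the check suggested at the end of the reply: only prompt the user when the enrollment profile is not already listed on the Mac, and refuse to run at all if the bundled file is missing or does not look like a profile plist. Everything below that is not on the page is an assumption: the profile identifier is a placeholder you must replace with the real one, the .mobileconfig is assumed to sit next to the script inside the .pkg, and the listing is parsed from the "profileIdentifier:" lines that "profiles -P" prints (the newer "profiles list" syntax prints the same field). The listing is passed into the check as text so the logic can be exercised on any machine, not just one with the macOS profiles tool.

```shell
#!/bin/bash
# Added example (not code from the original reply): prompt the user to install
# the Meraki enrollment profile only when it is not already present.
# Assumptions not stated on the page: PROFILE_ID is a placeholder; the
# .mobileconfig sits next to this script; the listing format is the
# "profileIdentifier:" lines printed by "profiles -P" ("profiles list" on
# newer macOS); the Profiles pane path uses the capitalised bundle name.

PROFILE_ID="${PROFILE_ID:-com.example.placeholder.mdm}"   # placeholder, set to the real identifier
PROFILE_FILE="${PROFILE_FILE:-$(dirname "$0")/meraki_sm_mdm.mobileconfig}"

# profile_listed LISTING ID: exit 0 when ID appears as an exact
# profileIdentifier value in LISTING (the text output of "profiles -P").
# Exact comparison avoids matching a longer identifier that shares a prefix.
profile_listed() {
    printf '%s\n' "$1" | awk -v id="$2" '
        /profileIdentifier: / {
            sub(/.*profileIdentifier: /, "")
            if ($0 == id) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# profile_file_ok FILE: exit 0 when FILE exists and carries a PayloadIdentifier
# key, a cheap sanity check before handing it to the system.
profile_file_ok() {
    [ -f "$1" ] && grep -q 'PayloadIdentifier' "$1"
}

# prompt_for_profile: the reply's proof of concept, gated on the checks above.
prompt_for_profile() {
    if profile_listed "$(profiles -P 2>/dev/null)" "$PROFILE_ID"; then
        echo "Enrollment profile $PROFILE_ID already installed; nothing to do."
        return 0
    fi
    if ! profile_file_ok "$PROFILE_FILE"; then
        echo "Profile file missing or not a plist: $PROFILE_FILE" >&2
        return 1
    fi
    open "$PROFILE_FILE"   # stages the profile so the user can approve it
    open -b com.apple.systempreferences /System/Library/PreferencePanes/Profiles.prefPane
}

# Only act when explicitly asked, so the functions can be sourced and tested.
if [ "${RUN_PROFILE_PROMPT:-0}" = "1" ]; then
    prompt_for_profile
fi
```

Run it from the agent as "RUN_PROFILE_PROMPT=1 ./prompt_profile.sh" after setting PROFILE_ID to the identifier from your Dashboard-downloaded profile; without that variable the script defines the functions and exits quietly, which is what makes the listing check easy to try by hand first.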
