A few years ago I assisted a Meraki customer in scripting profile installation through the agent. Recently we revisited this, so I'll share my findings for anyone else who has the agent installed on their Macs but does not have the profile installed.
Before macOS Big Sur, the "profiles -I" command could be used to install profiles, but Apple has deprecated this. I can only speculate, but I assume this falls in line with the many changes Apple has been making lately around user privacy and users' awareness of the permissions their admins have. The practical consequence: if the device does not receive the profile through a DEP enrollment, the only way to install it is for the user to approve it themselves.
DEP would be the ideal scenario, but anyone reading this probably knows that ideal scenarios are rare for admins.
Although we can't silently install the profile anymore, we can use the agent to push a script that prompts the user to install it. As a proof of concept we did the following; the script places the profile on the Mac and presents the user with the following screen:
Baseline:
Machines DO have the agent installed, but DO NOT have the profile.
Step 1:
- Have Meraki support alter your network so that your enrollment profiles do not expire. Without this, an enrollment profile expires 5 minutes after it is downloaded, and any install attempt after that will fail.
Step 2:
Step 3:
- Wrote a simple script. Mine was very simple because it was just a proof of concept: the script loads the profile into macOS and then opens the UI at the exact location where the user can click "Install". You can get fancy here and include an image if you want:
#!/bin/bash
sudo open photo.jpeg # optional: open a picture with instructions for the user
sudo open meraki_sm_mdm.mobileconfig # load the enrollment profile into System Preferences
sudo open -b com.apple.systempreferences /System/Library/PreferencePanes/profiles.prefPane meraki_sm_mdm.mobileconfig # open the Profiles pane, which presents the user with the Install option
Steps 4 onward follow the process from this document:
https://documentation.meraki.com/SM/Apps_and_Software/Deploying_Scripts_in_Systems_Manager_using_Sof...
Step 4:
- Bundled my script and the non-expiring .mobileconfig profile into a .pkg installer file (this doesn't install anything; it's just how scripts are run via the agent)
Step 5:
- Wrapped my .pkg into a DMG
Step 6:
- Uploaded the DMG to Dashboard as an “app”
Step 7:
- Scoped the app, making sure auto install was not selected
Step 8:
- Manually pushed install command
The script can be as elaborate as you want. For example, you could use the "profiles list" command to check whether the profile is already installed, and only prompt the user if it isn't.
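As an added example (not the script from the original post), here is an enrollment-aware version of the Step 3 prompt that also implements the check suggested above. Instead of matching a profile identifier it reads "profiles status -type enrollment", which reports whether the Mac is MDM enrolled, and it hands the "open" call to the logged-in user's session rather than running it as root. It assumes, as the post does not state, that the agent runs the script as root and that the profile sits next to the script under the hypothetical file name meraki_sm_mdm.mobileconfig.

```shell
#!/bin/bash
# Added example, not the script from the original post. Checks whether the Mac
# already reports MDM enrollment and only opens the Profiles pane for the console
# user if it does not.
# Assumptions (not stated on the page): the agent runs this as root, and the
# enrollment profile sits next to the script under the hypothetical name below.

set -eu

PROFILE_NAME="meraki_sm_mdm.mobileconfig"

# Constructed sample of what `profiles status -type enrollment` prints on an
# enrolled Mac (macOS 10.13.4 and later); used here only for offline testing.
SAMPLE_ENROLLED="$(printf 'Enrolled via DEP: No\nMDM enrollment: Yes (User Approved)\n')"

# mdm_enrolled OUTPUT
# Returns 0 when the given `profiles status -type enrollment` output reports MDM
# enrollment, 1 otherwise. Taking the text as an argument keeps the parsing
# testable on a machine without the `profiles` tool.
mdm_enrolled() {
    printf '%s\n' "$1" | grep -Eq '^MDM enrollment: Yes'
}

# console_user
# Prints the short name of the user who owns the GUI session (owner of
# /dev/console), or nothing when nobody is logged in. BSD stat syntax, macOS only.
console_user() {
    stat -f '%Su' /dev/console 2>/dev/null || true
}

# prompt_user USER PROFILE_PATH
# The agent runs as root, but the Profiles pane must open inside the logged-in
# user's GUI session, so run `open` in that user's launchd context.
prompt_user() {
    user="$1"
    profile="$2"
    uid="$(id -u "$user")"
    launchctl asuser "$uid" sudo -u "$user" \
        open -b com.apple.systempreferences \
        /System/Library/PreferencePanes/profiles.prefPane "$profile"
}

main() {
    script_dir="$(cd "$(dirname "$0")" && pwd)"
    status="$(profiles status -type enrollment 2>/dev/null || true)"
    if mdm_enrolled "$status"; then
        echo "MDM enrollment already present; not prompting."
        return 0
    fi
    user="$(console_user)"
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "No console user logged in; cannot prompt for the profile install." >&2
        return 1
    fi
    prompt_user "$user" "$script_dir/$PROFILE_NAME"
}

# Only act on macOS; elsewhere the functions are merely defined so the parsing
# can be exercised, and nothing is run.
if [ "$(uname)" = "Darwin" ]; then
    main "$@"
fi
```

This drops in place of the three-line script at Step 3; the packaging steps that follow are unchanged. Because the check runs before anything is opened, repeated pushes of the app to an already-enrolled Mac are silent, and a Mac with no one at the console fails with a clear message instead of opening a Profiles pane that nobody will see.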
Feel free to reply to my post if there are questions about this.