Our current deployment process for Non-DEP, non-T2 Macs is imaging-based through DeployStudio. The imaging ends with the installation of the Munki Agent, which installs the Meraki agent and all the other apps. However, the SM profile .mobileconfig needs to get on there in an automated way, and I can't find one that works.
I can double-click on it while logged in as an admin and install it manually, but who has time for that?
Munkiimport will not import the .mobileconfig as downloaded from the Dashboard "Add Devices" page.
MunkiAdmin will not import it either.
I tried wrapping in a package with Profile-to-PKG.py (Thanks, Tim Sutton!). It makes a PKG file, but the installation fails. Works fine with other .mobileconfig files...
I know something is weird and unholy about this mobileconfig when I can't even install it from the command line in its pure form.
(The operation couldn’t be completed. (InternalError error 1.))
What is it about this .mobileconfig file? Is it haunted? Is it from another dimension of space and time? Endpoint management is all about automating your devices... so why do I have to do a manual process to implement it? Am I crazy? (Yes, but that's beside the point)
I contacted Meraki support, and they sent me here. The wisdom is in the group...
@binarydaze I don't think profile installs can be automated unless using an MDM; pretty sure this is a privacy restriction Apple has put in place to stop any potential silent installs of malicious profiles.
A few years ago I had assisted a Meraki customer to script profile installations using the agent. Recently, we revisited this, so I'll share my findings with anyone else who may be in a situation where they do have the agent installed but do not have the profile installed.
Before macOS Big Sur, the "Profiles -I" command could be used to install profiles, but Apple has deprecated this. I can only speculate, but I would assume this falls in line with many changes that Apple has been making lately focusing on user privacy and user knowledge of the permissions that their admins have. This means that if the device does not receive the profile through a DEP enrollment, the only method of installing a profile is via user action.
DEP would be the ideal scenario, but anyone reading this probably knows that ideal scenarios are rare for admins.
Although we can't silently install this anymore, we can utilize the agent to push a script that will prompt the user to install. As a proof of concept we did the following. This will download the profile and present the user with the following screen:
Baseline: Machines DO have the agent installed, but DO NOT have the profile
Have Meraki support alter your network so that your enrollment profiles do not expire. Without doing so, profiles expire 5 minutes after they’re downloaded, and they will fail to install after 5 minutes.
Wrote a simple script. This was very simple in my case; it was just a proof of concept. The script simply loads the profile into macOS, and then opens the UI to the exact location where the user can click “install”. You can get fancy here and include an image if you want:

#!/bin/bash
# open a picture file
sudo open photo.jpeg
# load enrollment profile to system preferences
sudo open meraki_sm_mdm.mobileconfig
# open system preferences profiles, which presents the user with the install option
sudo open -b com.apple.systempreferences /System/Library/PreferencePanes/profiles.prefPane meraki_sm_mdm.mobileconfig
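A guard that could wrap the steps above so the user is only prompted when it can succeed, as an added example that is not part of the original posts. It assumes `profiles status -type enrollment` prints an `MDM enrollment:` line as current macOS does, and that the script downloaded the profile itself so the file's modification time is the download time; `PROFILE`, `EXPIRY_MIN`, the `--enforce` flag and the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not the poster's script. PROFILE and EXPIRY_MIN are assumed names.
PROFILE="${PROFILE:-meraki_sm_mdm.mobileconfig}"
EXPIRY_MIN=5   # default enrollment-profile lifetime from the thread, in minutes

# Classify the text printed by `profiles status -type enrollment`.
# Prints: approved | unapproved | none
enrollment_state() {
  local line
  line=$(printf '%s\n' "$1" | grep -i '^MDM enrollment:' || true)
  case "$line" in
    *"User Approved"*) echo approved ;;
    *Yes*)             echo unapproved ;;
    *)                 echo none ;;
  esac
}

# True when the file exists and was written less than EXPIRY_MIN minutes ago
# (assumption: mtime equals download time because this script fetched it).
profile_fresh() {
  [ -f "$1" ] && [ -n "$(find "$1" -mmin "-$EXPIRY_MIN")" ]
}

# Decide the next step from enrollment state and profile freshness.
# Prints: skip | redownload | prompt
next_action() {
  local state=$1 file=$2
  if [ "$state" != none ]; then echo skip
  elif ! profile_fresh "$file"; then echo redownload
  else echo prompt
  fi
}

# Act only on a Mac and only when asked to with the (hypothetical) --enforce flag.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--enforce" ]; then
  state=$(enrollment_state "$(profiles status -type enrollment 2>&1)")
  case "$(next_action "$state" "$PROFILE")" in
    skip)       echo "MDM enrollment present ($state); nothing to do" ;;
    redownload) echo "profile missing or older than ${EXPIRY_MIN} min; fetch a new copy" >&2
                exit 1 ;;
    prompt)     # same two steps as the post: load the profile, then show the pane
                open "$PROFILE"
                open -b com.apple.systempreferences \
                  /System/Library/PreferencePanes/profiles.prefPane ;;
  esac
fi
```

If Meraki support has disabled profile expiry for the network, the freshness check is unnecessary and `EXPIRY_MIN` can be raised accordingly.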