Hi,
I was wondering if anyone else was facing this issue and how they deal with it. We are a school whose students have BYO devices which are enrolled in Meraki MDM (non-supervised); we also use a Meraki wireless network, so we have integration between the two.
We have Systems Manager Sentry enabled on the SSID used by students, who use their own individual RADIUS-authenticated usernames and passwords to connect to the SSID. Sentry detects that the device is not enrolled in MDM and blocks internet access, redirecting them to the enrolment page. Once they enrol and MDM restrictions are applied, they are granted internet access via the SSID.
This has worked great for us for a couple of years. If they removed the profile, the device in MDM would show up as having the management profile removed, and the next time they tried to connect to the school WiFi, internet access would once again be blocked and they would be forced to re-enrol.
Unfortunately, some time in the last year something has changed at Meraki and this no longer works properly. If the MDM profile is removed while the device has internet access, it will be properly flagged as removed; however, if the profile is removed while the device does not have internet access, the student is allowed to get away with removing the profile without consequences.
Even months later MDM will still not say the profile is removed from the device, and they will be granted full access on WiFi; on the WiFi side the user's device will still say it is authenticated with Systems Manager Sentry. If I click on "revoke" in the WiFi device status page, approximately 10 minutes later access will be granted again by Sentry, despite the device not having checked in to MDM for months!
The only way to force the device to lose internet access and re-enrol is to delete the device from MDM completely, which of course loses any tags that have been assigned to the device (such as year group etc) which is unsatisfactory.
Prior to some time in the last year, if an MDM profile was removed without internet access, Meraki would detect this situation within a few hours of the device re-connecting to WiFi and mark the profile as removed.
My assumption of how it used to work is that if it saw a device on Meraki WiFi that was also listed in MDM (correlated by MAC address), and it had not checked in to MDM for more than a certain time, it would time out.
I've written a Python script of my own which takes the Systems Manager.csv and Wireless Network Clients.csv exports from MDM and WiFi respectively and does just that: it uses the MAC address as the primary key to link the two sets of data together, compares last MDM check-in times with last-seen-on-WiFi times, and gives me a report with:
802.1X username, device type, MAC address, last seen on WiFi time, last MDM check-in, tags, device policy, and time on WiFi without check-in.
When I run that report now I see that 31 devices are using WiFi without having checked in for a long time. The worst offender last checked in 103 days ago but is using WiFi today... my only recourse is to manually delete these devices in MDM, losing their tags.
I have raised this issue with Meraki support multiple times over the last year without result and their final word on the situation is that it is "working as expected" and that there is nothing they can do about it, despite me insisting that this used to work properly in the past.
What I don't understand is that the data to detect this situation is clearly available to them: they can see a device identified by MAC address is connecting to WiFi on a Systems Manager Sentry-controlled SSID, and that it last checked in 103 days ago, when it should be checking in every few hours. Why can't they put 2 and 2 together and realise that the end user has removed the profile from their device to cheat the system...
I have done this easily with my Python script; however, it is a manual process for me to run it.
Is anyone else in the same situation? I can provide a copy of the Python script for anyone who is interested, as if you rely on Sentry to enforce MDM enrolment you might be surprised to find that many of your users have either accidentally or on purpose removed the MDM profile while the device was not internet connected and got away with fooling Sentry...
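The cross-check described in the post above, as an added example that is not the poster's script and not Meraki's own code: it joins a Systems Manager export and a Wireless Network Clients export on a normalised MAC address, computes how long each client has been seen on the SSID since its last MDM check-in, and reports the ones past a threshold (plus clients on the SSID with no MDM record at all). The CSV column headers, the timestamp format and the sample rows are all constructed assumptions, so map the header names to whatever your real exports contain.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports (not real Meraki data). The column names below are
# assumptions about what the two dashboard CSV exports contain.
SYSTEMS_MANAGER_CSV = """\
Name,MAC Address,OS,Last Check-in,Tags,Policy
ipad-alice,AA:BB:CC:DD:EE:01,iOS 16,2024-05-01 08:15:00,year9;byod,student
ipad-bob,aa-bb-cc-dd-ee-02,iOS 17,2024-01-18 17:40:00,year11,student
laptop-carol,AA:BB:CC:DD:EE:03,macOS 14,2024-05-01 07:05:00,year12,student
"""

WIRELESS_CLIENTS_CSV = """\
Description,MAC,User,Last Seen,SSID
ipad-alice,aa:bb:cc:dd:ee:01,alice,2024-05-01 09:00:00,Students
ipad-bob,AA:BB:CC:DD:EE:02,bob,2024-05-01 08:50:00,Students
unknown-device,AA:BB:CC:DD:EE:99,dave,2024-05-01 08:30:00,Students
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the exports


def normalize_mac(mac):
    """Canonical lower-case colon form so AA-BB-.. and aa:bb:.. join correctly."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_mdm(text):
    """Index the Systems Manager export by MAC address."""
    devices = {}
    for row in csv.DictReader(io.StringIO(text)):
        devices[normalize_mac(row["MAC Address"])] = {
            "device_type": row["OS"],
            "last_checkin": datetime.strptime(row["Last Check-in"], TIME_FORMAT),
            "tags": row["Tags"],
            "policy": row["Policy"],
        }
    return devices


def load_wifi(text):
    """Index the wireless clients export by MAC, keeping the latest sighting."""
    clients = {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = normalize_mac(row["MAC"])
        seen = datetime.strptime(row["Last Seen"], TIME_FORMAT)
        if mac not in clients or seen > clients[mac]["last_seen"]:
            clients[mac] = {"username": row["User"], "last_seen": seen}
    return clients


def stale_enrolments(mdm_text, wifi_text, max_gap=timedelta(hours=24)):
    """Clients on the SSID whose MDM check-in is older than max_gap (or absent)."""
    mdm = load_mdm(mdm_text)
    wifi = load_wifi(wifi_text)
    report = []
    for mac, client in wifi.items():
        device = mdm.get(mac)
        if device is None:
            # On the SSID with no MDM record at all: Sentry should have blocked it.
            report.append({"username": client["username"], "device_type": None,
                           "mac": mac, "last_seen": client["last_seen"],
                           "last_checkin": None, "tags": None, "policy": None,
                           "gap": None})
            continue
        gap = client["last_seen"] - device["last_checkin"]
        if gap > max_gap:
            report.append({"username": client["username"],
                           "device_type": device["device_type"], "mac": mac,
                           "last_seen": client["last_seen"],
                           "last_checkin": device["last_checkin"],
                           "tags": device["tags"], "policy": device["policy"],
                           "gap": gap})
    # Unenrolled clients first, then the longest time without a check-in.
    report.sort(key=lambda r: r["gap"] if r["gap"] is not None else timedelta.max,
                reverse=True)
    return report


if __name__ == "__main__":
    for r in stale_enrolments(SYSTEMS_MANAGER_CSV, WIRELESS_CLIENTS_CSV):
        gap = "NOT IN MDM" if r["gap"] is None else f"{r['gap'].days}d without check-in"
        print(f"{r['username']:<8} {r['mac']}  last seen {r['last_seen']}  {gap}  tags={r['tags']}")
```

Run it against the two real exports by replacing the constructed strings with the file contents (for example `open("Systems Manager.csv").read()`); the 24-hour threshold is a starting point and should sit a little above whatever check-in interval your enrolled devices actually show, so that a device that was merely switched off over a weekend is not flagged.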