Meraki, custom rom and work profile

stevenwhiting
Getting noticed

Meraki, custom rom and work profile

Getting more and more annoyed as the days go by.

 

FRP (Factory Reset Protection) might be all well and good but when you have a device where a user had left in anger, their Google account is long gone, trying to recover that device to be reused is seemingly impossible.

 

Then you get a Samsung device where it has NO custom stock ROM but get the following when trying to enroll.

 

"The security policy prevents the creation of a work profile because a custom OS has been installed on this device."

 

So Meraki support checked the logs of the device and thought they might be able to see the issue. They think some files missing from the OS is causing it, but weren't sure. They said try factory resetting which will go back to an old ROM (it doesn't) and that also hasn't helped.

 

Their next option was to download a stock ROM to the Samsung tablet so it should now be back to stock and no longer flagged as custom.

 

Nope, that doesn't work either as the only option to get a stock ROM is to backup a known good tablet using TWRP. But the act of putting TWRP onto the tablet causes the ODIN Mode to flag it now as a custom ROM. Then Meraki won't allow you to create a work profile anymore, because of the CUSTOM ROM!!!!

 

):o(

9 REPLIES 9
stevenwhiting
Getting noticed

So we have success it getting it back to Samsung Official ROM. It states in Odin Mode it is Samsung Official ROM. Yet, Meraki still WON'T allow it to enroll because it thinks it has a custom ROM on it. It NEVER did and still doesn't!

 

):o(

 

So Meraki itself is essentially saying the tablet is a brick as can't be used with Meraki anymore so can't be used as a corporate device anymore!


Are there no options to tell Meraki "Yes, you might think it's a custom ROM, it's not, but just enroll it anyway! We understand the risks" but nope, I can't find said option.

Other engineer here pointed out the policies area of Meraki dashboard and I've discovered in there DEVICE IS NOT COMPROMISED was ticked. I've unticked it, 99% sure this is what is causing the enroll issue, but how long before the device will see it? It states 1-2 mins but it's been 10 mins now, rebooted the tablet and it's still saying the same suggesting this policy still isn't seeing the change.

Noah_Salzman
Meraki Alumni (Retired)
Meraki Alumni (Retired)

Hey @stevenwhiting ... did it eventually update it's configuration status (such that you could get passed the 'compromised' state)? 

Hi Noah

 

Sorry for slow reply. No. Still claims it can't create the profile because of a Custom OS and it's been two weeks since I set that setting. It's as if it's now ignoring that we've told it "We don't care if it's a custom/rooted OS, create the profile anyway". I now have a 3rd tablet doing this. This is making Meraki pretty useless at the moment.

 

I've logged the issue with support about the security policy seemingly being ignored.

 

Steve

Been over a year and still no fix and Meraki support have been next to useless. Told me to get a original ROM for the Samsung tablets. I shouldn't have too, the tablet DOESN'T have a custom ROM in the first place, Meraki is incorrectly claiming they have. And despite all this we have the policy set to ignore custom ROMs and allow Meraki anyway, its ignoring that policy and still flagging this up.

 

Posting again as had yet another Samsung Galaxy Tab A - SM-T580 get reset and then Meraki refuse to allow it to register due to a "Custom ROM" and custom ROM that doesn't exist!

We now have BRAND NEW tablets and Meraki is refusing to register them claiming they have custom ROMS.

 

Again, the policy to check for Jailbroken or Rooted devices is OFF!

 

Meraki has become useless.

I've just purchased fifty Samsung Tab A7's , and I've also go the problem straight out of the box complaining that the device can't create a work profile due the security policy claiming a custom OS on the device.

 

These devices are new out of the box and I've made sure that the security police within Meraki does not have the "Device is not compromised" checked.

 

I'll be logging a support ticket, but judging from other posts in this thread, I'm not holding much hope.

VictorM
Meraki Alumni (Retired)
Meraki Alumni (Retired)

Hi, @DamonBCSA 

 

Once you do open a support ticket, could you please message me the case number? I would like to check in with our support team so that we can take a closer look at what might be happening here from the product side.

 

Cheers!

For anyone that comes across this same problem, I lodged a ticket with Meraki,  and whilst they looked at it, there was no fix coming, just saying it was an issue with Samsung.  They also went with the possibility of the knox security bit being flagged (but like I said, brand new, straight from the factory devices, so I know they never had any other OS images on them)

 

As luck would have it, these new A7's are bleeding edge, so over the last 3 weeks there have been 2  OTA updates, the first one didn't fix anything, but the second that arrived yesterday has resolved the issue and we can now register the devices.

 

The only down side is you have to skip through the setup without using the MDM so you can run the software update on the tablet, then factory reset it so you can then put the device on the MDM, but at least it works.

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels