New iOS restriction request: "Force automatic date and time (Supervised only)"

misterharrison
Getting noticed


There is a new iOS restriction available through Apple Configurator:

 

"Force automatic date and time (Supervised only)"

 

This is needed because students have worked out that they can break their device's connection to Meraki (and therefore all their restrictions) by manually changing the date and/or time on their device.

 

Please add this to the supervised restriction options in Meraki asap to prevent this!

Joseph
Here to help

Thanks for the heads-up!
misterharrison
Getting noticed

Just to be clear, this new restriction is not available through Meraki yet, only through Apple Configurator.

I am using this thread (and the make a wish button) to try to bring it forward in the Meraki development plan!

If other users also use the make a wish button, that might help too.

jared_f
Kind of a big deal

We would also like this and Meraki to provide support for ALL new restrictions. Jamf has day one support.

Find this helpful? Click the kudos button. Thanks!
jared_f
Kind of a big deal

Tip for everybody. If a restriction is available for iOS in Apple Configurator you can create the profile there and upload it to Meraki. But, I would like everything to be in Meraki to make changing restrictions easier. 

Find this helpful? Click the kudos button. Thanks!
BlakeRichardson
Kind of a big deal

Yes please, I would like to see this as well! +1 for me

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
misterharrison
Getting noticed

Thanks, @jared_f, worked a treat!

Also gave us access to some Apple Classroom-related restrictions that some of our teachers were having problems with.

PeterJames
Head in the Cloud

Hi @jared_f,

 

Hold up a minute! Can you upload a profile just forcing the date/time and manage everything else via the remote profiles? If so, any chance you could share the raw XML for the profile?

 

 

Thank you,
Peter James

jared_f
Kind of a big deal

Hi All,

 

Meraki does give you the ability to upload profiles. Here is a write up for everyone to follow:

 

Step 1: Create new profile. Give it a name, identifier (I usually name it the same as the name), and organization (Meraki Inc. will work for this also).

[Screenshot: Screen Shot 2018-12-04 at 6.30.39 PM.png]

 

Step 2: Adjust Restrictions to Take Care of AC2 Bugs

Apple Configurator 2 has two bugs to be aware of. Even if you do not check to enforce delayed software updates it will change to 30 days. To get around this, check the software update delay and change it to ONE (1) day. This is the only workaround I have found and will save you dozens of Help Desk tickets when none of your devices will update!

[Screenshot: Screen Shot 2018-12-04 at 6.34.57 PM.png]

In addition, AC2 has some restrictions defaulted to change for contacts that your organization may not want to push to your devices. Please check the following below so they DO NOT push (another Apple bug).

[Screenshot: Screen Shot 2018-12-04 at 6.37.19 PM.png]

 

Step 3: Add Restriction to Enforce Date and Time

[Screenshot: Screen Shot 2018-12-04 at 6.39.38 PM.png]

Step 4: Save Profile

NOTE: Please save your profile with the name you want it to appear with in the settings panel of Meraki.

 

Step 5: Upload to Meraki

 

Systems Manager > Settings > Add Profile

Click "Upload custom Apple Profile" and choose it from your save location. Then scope. 

[Screenshot: Screen Shot 2018-12-04 at 6.44.34 PM.png]

 

 

Find this helpful? Click the kudos button. Thanks!
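
Added example, not part of the post above and not Meraki or Apple tooling: a pre-upload check for a profile exported from Apple Configurator 2, flagging the update-delay and contacts issues from Step 2 and confirming the date/time restriction from Step 3. It assumes an unsigned `.mobileconfig` and Apple's Restrictions payload key names (`forceAutomaticDateAndTime`, `forceDelayedSoftwareUpdates`, `enforcedSoftwareUpdateDelay`); the sample profile and the `audit_profile` function are constructed for illustration.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple's Restrictions payload type

# Constructed sample (not from the thread): an unsigned profile as Apple Configurator 2
# might export it, with the 30-day update delay and a contacts key left in.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.force-date-time</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>PayloadIdentifier</key><string>example.force-date-time.restrictions</string>
    <key>forceAutomaticDateAndTime</key><true/>
    <key>forceDelayedSoftwareUpdates</key><true/>
    <key>enforcedSoftwareUpdateDelay</key><integer>30</integer>
    <key>allowManagedToWriteUnmanagedContacts</key><true/>
  </dict></array>
</dict></plist>"""


def audit_profile(data: bytes) -> dict:
    """Return the restriction keys a profile sets, plus findings to review before upload."""
    profile = plistlib.loads(data)  # signed (CMS-wrapped) profiles must be unwrapped first
    settings = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_TYPE:
            # Everything that is not Payload* metadata is a restriction the profile pushes.
            settings.update({k: v for k, v in payload.items() if not k.startswith("Payload")})
    findings = []
    if settings.get("forceAutomaticDateAndTime") is not True:
        findings.append("date-time-not-forced")
    delay = settings.get("enforcedSoftwareUpdateDelay")
    if (settings.get("forceDelayedSoftwareUpdates") or delay is not None) and delay != 1:
        # The thread's workaround is an explicit 1-day delay instead of the silent 30.
        findings.append(f"update-delay={delay}")
    contacts = sorted(k for k in settings if "contacts" in k.lower())
    if contacts:
        # The post does not name the two contacts settings, so list them for manual review.
        findings.append("contacts-keys=" + ",".join(contacts))
    return {"settings": settings, "findings": findings}


if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE)
    print(sorted(report["settings"]))
    print(report["findings"])
```

The `settings` dictionary also shows every other restriction the uploaded profile would push alongside the date/time key.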
jared_f
Kind of a big deal

All,

 

In addition, I cannot stress enough the importance of fixing those current bugs in any restrictions profile you make in Apple Configurator 2 (available in the Mac App Store for free) by setting software updates to 1 day and checking it and checking the two contact settings. I also want to bring attention to a few issues that can be solved with configuration profiles (especially in K-12).

 

Issue 1

Sharing of WiFi codes via proximity has been an issue many K-12 admins have brought up on other forums. This can be fixed with an Apple Configurator Profile with the following restrictions - push out both:

  • Proximity password request not allowed
  • Password sharing not allowed

 

Issue 2

VPN creation to bypass network filtering. This restriction is available in Meraki. This stops users from configuring manual VPNs in settings, but does not stop VPN apps from working. I use a policy tied to a configuration profile and email alert to take care of this. I am using wildcard matches to take care of this. I published a solution here to take care of this, also add *betternet* and *aloha* to take care of this. Here is my most updated list:

[Screenshot: Screen Shot 2018-12-04 at 6.55.13 PM.png]

 

Issue 3

Installing third party "enterprise apps" to bypass app store restriction. Enforce the following - both available in Meraki:

  • Installing configuration profiles not allowed
  • Trusting enterprise apps not allowed

Sometimes a policy can help you detect apps like TweakBox and VShare tied to a profile and email notification, but stopping them from being installed in the first place is helpful. There are new ones popping up every day.

 

This one is more of a tip, not an issue:

 

Enforce & Lock Device Name

I shared an overview of how I am doing this here. I also invite you to "Make a Wish" for automated naming by pulling AD information (see here for more information).

 

 

I hope the above post and maybe some info in here is helpful. Please don't hesitate to reach out to me at my email below with any questions about Meraki SM iOS or Mac related.

 

Jared Flitt

jflitt@caregivershomecare.com


Find this helpful? Click the kudos button. Thanks!
misterharrison
Getting noticed

Thanks, @jared_f, there's some really useful information in there - wasn't aware of that AC2 defer updates bug.

 

What I'm a little confused about is how you can create a profile just to enforce automatic date and time without the profile also applying all the other settings in the restrictions payload? Can you have a profile like this applied to a device AND a Meraki restrictions profile at the same time? And what if the two profiles clash, i.e. one says you can do something and one says you can't?

 

Basically we were going to replace our existing Meraki-created restrictions profile with an AC2-created restrictions profile, but if we can just use the AC2 one to enforce date and time (and a couple of Apple Classroom related ones) and leave the Meraki one in place that would be much easier.

jared_f
Kind of a big deal

@misterharrison The rule is that the most restrictive profile will take precedence. Having separate profiles is not a problem. You can leave your Meraki profile in place.

Find this helpful? Click the kudos button. Thanks!
misterharrison
Getting noticed

Thanks, @jared_f, I think I remember reading that before.

Thanks for the reminder.

PeterJames
Head in the Cloud

Hi @jared_f,

 

Thank you - Excellent post!

 

Given this brings its own issues to watch/monitor; I will probably skip doing this for now.

 

I was hoping you could upload a single profile that forces the date/time and leave everything untouched. I guess Apple have some work to do in bringing the MDM API and AC2 on par in terms of features.

 

The one that is currently baffling me is the Bluetooth option; you can enable or disable it, but get no feedback from the device to say which state it is in.


Thank you,
Peter James

jared_f
Kind of a big deal

@PeterJames As long as you do those two fixes above it should be pretty smooth rolling out the custom profile. The only thing is the software updates will be delayed 1 day. I will look into editing the actual profile code and seeing if that solves the bugs I am seeing.

 

I agree with the Bluetooth problem (especially in K-12 for Apple Classroom). My recommendation is to enforce the Bluetooth restriction on any new DEP devices. In addition, you could possibly send the Bluetooth command to your entire fleet and then tie that to a timed configuration profile to take effect 5 minutes after the command is sent, then edit the scope to make sure it stays static. It is all about timing!

 

Jared

Find this helpful? Click the kudos button. Thanks!
PeterJames
Head in the Cloud

Hi @misterharrison ,

 

In one of our customer setups we enable "Location Services" so the device date/time is accurate. But when they do not do this, the device sets itself to California date/time. But the profile policies on the device (enrolled via DEP) still get applied and remain in place.

 

I would be very interested to know the exact scenario this occurs in. Are you using DEP or the Systems Manager App? And how much does the date/time need to change for the restrictions to get removed?

 

Thank you,
Peter James

misterharrison
Getting noticed

Hi @PeterJames, I'm afraid I'm not sure exactly what was changed - I suspect that the student moved the year into the future, although I'll have to check with our IT team for the exact details.

 

We have now tested the process suggested by @jared_f of creating the restrictions Payload in Apple Configurator (including the "force automatic date and time") and applying it via Meraki ("upload custom Apple profile") and it works a treat - greys out the switch so they can't manually change it.
