There is a new iOS restriction available through Apple Configurator:
"Force automatic date and time (Supervised only)"
This is needed because students have worked out that they can break their device's connection to Meraki (and therefore all their restrictions) by manually changing the date and/or time on their device.
Please add this to the supervised restriction options in Meraki asap to prevent this!
Just to be clear, this new restriction is not available through Meraki yet, only through Apple Configurator.
I am using this thread (and the make a wish button) to try to bring it forward in the Meraki development plan!
If other users also use the make a wish button, that might help too.
We would also like this and Meraki to provide support for ALL new restrictions. Jamf has day one support.
Tip for everybody. If a restriction is available for iOS in Apple Configurator you can create the profile there and upload it to Meraki. But, I would like everything to be in Meraki to make changing restrictions easier.
Yes please, I would like to see this as well! +1 for me
Hi @misterharrison ,
In one of our customer setups we enable "Location Services" so the device date/time is accurate. But when they do not do this, the device sets itself to California date/time. But the profile policies on the device (enrolled via DEP) still get applied and remain in place.
I would be very interested to know in the exact scenario this occurs in; Are you using DEP or the Systems Manager App? And how much does the date/time need to change for the restrictions to get removed?
Hi @PeterJames, I'm afraid I'm not sure exactly what was changed - I suspect that the student moved the year into the future, although I'll have to check with our IT team for the exact details.
We have now tested the process suggested by @jared_f of creating the restrictions Payload in Apple Configurator (including the "force automatic date and time") and applying it via Meraki ("upload custom Apple profile") and it works a treat - greys out the switch so they can't manually change it.
Thanks, @jared_f, worked a treat!
Also gave us access to some Apple Classroom-related restrictions that some of our teachers were having problems with.
Hold up a minute!...Can you upload the a profile just forcing the date/time and manage everything else via the remote profiles? If so, any chance you could share the raw xml for the profile?
Meraki does give you the ability to upload profiles. Here is a write up for everyone to follow:
Step 1: Create new profile. Give it a name, identifier (I usually name it the same as the name), and organization (Meraki Inc. will work for this also).
Step 2: Adjust Restrictions to Take Care of AC2 Bugs
Apple Configurator 2 has two bugs to be aware of. Even if you do not check to enforce delayed software updates it will change to 30 days. To get around this, check the software update delay and change it to ONE (1) day. This is the only work around I have found and will save you dozens of Help Desk tickets when none of your devices will update!
In addition, AC2 has some restrictions defaulted to change for contacts that your organization may not to push to your devices. Please check the following below so they DO NOT push (another Apple bug).
Step 3: Add Restriction to Enforce Data and Time
Step 4: Save Profile
NOTE: Please save you profile with the name you want it to Appear with in the settings panel of Meraki.
Step 5: Upload to Meraki
Click "Upload custom Apple Profile" and choose it from your save location. Then scope.
In addition, I cannot stress the importance of fixing those current bugs in any restrictions profile you make in Apple Configurator 2 (available in the Mac App Store for Free) by setting software updates to 1 day and checking it and checking the two contact settings. I also want to bring attention to a few issues that can be solved with configuration profiles (especially in K-12).
Sharing of WiFi codes via proximity has been an issue many K-12 admins have brought up on other forums. This can be fixed with an Apple Configurator Profile with the following restrictions - push out both:
VPN creation to bypass network filtering. This restriction is available in Meraki. This stops user's from configuring manual VPNs in settings, but does not stop VPN apps from working. I use a policy tied to a configuration profile and email alert to take care of this. I am using wildcard matches to take care of this. I published a solution here to take care of this, also add *betternet* and *aloha* to take care of this. Here is my most updated list:
Installing third party "enterprise apps" to bypass app store restriction. Enforce the following - both available in Meraki:
Sometimes a policy can help you detect apps like TweakBox and VShare tied to a profile and email notification, but stopping them from being installed in the first place is helpful. There are new ones popping up everyday.
This one is more of a tip, not an issue:
Enforce & Lock Device Name
I hope the above post and maybe some info in here is helpful. Please don't hesitate to reach out to me at my email below with any questions about Meraki SM iOS or Mac related.
Thanks, @jared_f, there's some really useful information in there - wasn't aware of that AC2 defer updates bug.
What I'm a little confused about is how you can create a profile just to enforce automatic date and time without the profile also applying all the other settings in the restrictions payload? Can you have a profile like this applied to a device AND a Meraki restrictions profile at the same time? And what if the two profiles clash, i.e. one says you can do something and one says you can't?
Basically we were going to replace our existing Meraki-created restrictions profile with an AC2-created restrictions profile, but if we can just use the AC2 one to enforce date and time (and a couple of Apple Classroom related ones) and leave the Meraki one in place that would be much easier.
Thank you - Excellent post!
Given this brings its own issues to watch/monitor; I will probably skip doing this for now.
I was hoping you could upload a single profile that forces the date/time and leave everything untouched. I guess Apple have some work to do in bringing the MDM API and AC2 on-par in terms of features.
The one that is currently baffling me is the Bluetooth option; you can enable or disable it, but get no feedback from the device to say which state it is in.
@PeterJames As long as you do those two fixes above it should be pretty smooth rolling out the custom profile. The only thing is the software updates will be delayed 1 day. I will look into editing the actual profile code and seeing it that solves the bugs I am seeing.
I agree with the bluetooth problem (especially in K-12 for Apple Classroom). My recommendation is to enforce the bluetooth restriction on any new DEP devices. In addition, you could possibly send the bluetooth command to your entire fleet and then tie that to a timed configuration profile to take effect 5 minutes after the command is sent then edit the scope to make sure is stays static. It is all about timing!
@misterharrison The rule is that the most restrictive profile will take precedence. Having separate profiles is not a problem. You can leave your Meraki profile in place.
Thanks, @jared_f, I think I remember reading that before.
Thanks for the reminder.