Quarantine Mobile Devices via API

wperry1
Here to help


I use the Meraki API to do a handful of things in EM. Reporting, marking old devices, etc.

I am looking to automatically quarantine devices when a user is terminated but I don't see a quarantine function anywhere in the API reference. The API does allow you to wipe a device or remove management from the device, but not quarantine. In either the wipe or remove scenario, we lose control of the device at that point. Quarantine allows us to remove email, disable VPN, etc. but retain control of the device (most are company owned) until it can be reassigned, or management can be manually removed in the case of BYO devices.

 

Right now I am working on moving devices to a new network with no profiles in order to remove managed data and access from them on termination. I would rather use quarantine as it is quicker and this is really what quarantining devices is intended for. 

 

I welcome any input or ideas.

 

 

jm_peterson
Getting noticed

@wperry1 I ran into the same issue. The two options I came up with were 1. What you are doing by moving the device(s) to a new network. 2. Tie access to x,y,z to tags and then as a part of your termination script loop through the tags and delete all of them. Below is an example of what I used in Python. This way all the access was removed but the device was still managed. You can play with the hostname variable too so that they show up as something like `Termed-useraccount`.

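```python
import sys

import requests

# Placeholders: the original post did not show where these values are set.
# Keep the API key out of source control.
meraki_api_key = "<MERAKI_API_KEY>"
network_id = "<NETWORK_ID>"
serial_number = "<DEVICE_SERIAL>"
host_name = "<NEW_HOSTNAME>"  # e.g. Termed-useraccount

meraki_headers = {
    'X-Cisco-Meraki-API-Key': meraki_api_key,
    'Content-Type': "application/json",
}

# Filled in by get_all_tags()
users_machine_id = None
machine_tags = []


def get_all_tags():
    """Look up the device by serial and remember its id and current tags."""
    global users_machine_id, machine_tags

    url = "https://api.meraki.com/api/v0/networks/%s/sm/devices" % network_id

    querystring = {
        "serials": serial_number
    }

    payload = ""

    try:
        r = requests.request("GET", url, data=payload, headers=meraki_headers, params=querystring)
        r.raise_for_status()
    except requests.exceptions.HTTPError as err:
        print(err)
        sys.exit(1)

    machine_info = r.json()

    users_machine_id = machine_info['devices'][0]['id']
    machine_tags = machine_info['devices'][0]['tags']


def update_meraki_hostname():
    """Rename the device so terminated users' devices are easy to spot."""
    print("Attempting to update hostname in Meraki.")

    headers = {
        'X-Cisco-Meraki-API-Key': meraki_api_key,
        'Content-Type': "application/json",
    }

    data = {"serials": serial_number,
            "deviceFields":
            {"name": host_name}
            }

    # The network id is formatted into the URL before the request is made
    # (the original applied "% network_id" to the response object), and the
    # body is sent as JSON to match the Content-Type header.
    url = 'https://api.meraki.com/api/v0/networks/%s/sm/device/fields' % network_id
    requests.put(url, headers=headers, json=data)


def meraki_tag(action, ttype):
    """Apply a tag update action (for example 'delete') for one tag on the device."""
    url = "https://api.meraki.com/api/v0/networks/%s/sm/devices" % network_id

    args = {
        "updateAction": action,
        "tags": ttype,
        "serials": serial_number}

    payload = ""

    headers = {
        'X-Cisco-Meraki-API-Key': meraki_api_key,
        'Content-Type': "application/json",
        'cache-control': "no-cache",
    }

    try:
        r = requests.request("PUT", url, data=payload, headers=headers, params=args)
        r.raise_for_status()
    except requests.exceptions.HTTPError as err:
        print(err)


def meraki_tag_loop():
    """Delete every tag that get_all_tags() found on the device."""
    for t in machine_tags:
        meraki_tag('delete', t)
```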

Thanks @jm_peterson I thought about using tags, unfortunately we have some settings in a default profile that is applied to all devices. (Stupid move in hindsight) For now, I will just move them all to a network with no profiles. I also opened a case with support. Maybe if they hear us asking for it they'll add a quarantine function to the API.

 

I got an update on my open case and they stated there is not currently any support for quarantine/selective wipe via the API. The support tech could not give me an ETA and did not state whether this was on the roadmap. He only suggested that I use the "Make a Wish" link to request the feature, which I have done. Hopefully this is a feature that they will enable soon.
