SM Agent and macOS Catalina

Kevin_C
Meraki Employee

It’s been a busy month for Apple releases. We released new profiles and restrictions for iOS 13 in September. And today we support a number of new profiles and restrictions for macOS Catalina, with more on the way.

While our goal was to have all features synchronized with Apple’s release, we have identified a significant issue with our macOS Agent. macOS Catalina introduces new and important security controls which require the Agent to adapt accordingly. The issue affects Agent enrollment and Agent-based features such as command line execution and remote view. Profile enrollment and all non-agent functionality, including MDM profile delivery and App Store app management, are unaffected and function correctly today on Catalina.

As we work on preparing a new version of the Agent that will resolve this issue, we wanted to make sure the Meraki Community was kept up-to-date with our status. We’ll keep you posted as we make progress finishing the Catalina compatibility effort. Thank you for your patience.

vassallon
Head in the Cloud

@Kevin_C

Thank you for the heads up. It's always nice to see information like this as soon as possible.

One question though, can we now deploy the Education Profile through Meraki to Macs? I know this has been a problem in the past in trying to get Apple Classroom working on Macs.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Noah_Salzman
Meraki Alumni (Retired)

@vassallon  Education Profile delivery for macOS is on my roadmap. However, it's still probably a few months away.

Richard_W
A model citizen

So will the fixes to the SM Agent in macOS Catalina trickle down to Mojave too, in respect to Remote View/Desktop?

Because at this point I have had a case active since January of this year, with no resolution for Remote Desktop.

What worries me now is that Catalina is out and we still have no resolution to an issue affecting a major tent-pole feature of SM.

Important security controls were introduced with Mojave too, in September 2018, so you can probably guess my concern…

Noah_Salzman
Meraki Alumni (Retired)

Hi Richard,

I know it probably seems odd for us to tackle Catalina first and then get back to older Mojave issues, but that is indeed what we are going to do.

My apologies for the macOS Remote Desktop issues. We are indeed working on them but it is taking much longer than we would like to fix.

--Noah--

<rant> @Noah_Salzman The only issue I have with this is that we run a pretty typical production environment and the thought of upgrading to macOS Catalina is way in the future, especially with the dropped 32bit support and getting all app developers up to speed (mostly plug-ins). So what I have now are a bunch of Macs steadily upgraded to macOS Mojave from older OS's but no means to control them.

From what I understand the most pertinent issues with remote access require a signed application and explicit granting of access, these things were introduced in Mojave. Yes there have been even more changes in Catalina, but it seems before you can run you may wish to walk as the fixes for Catalina surely have some grounding in those for Mojave. A stop-gap solution would provide a modicum of relief.

I just find it frustrating that an advertised feature has not worked for the lifetime of an OS. </rant>

Baustinceltic
Conversationalist

Does the "Support for brand new macOS Catalina Settings payloads" mentioned in the blog post include the ability to grant applications full disk access via MDM similar to what JAMF is doing?  https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-...

Same question here 😉

Caribou
MRCUR
Kind of a big deal

Any update on full disk access profiles that @Baustinceltic asked about @Noah_Salzman

MRCUR | CMNO #12
Kevin_C
Meraki Employee

@MRCUR @Baustinceltic 

It seems you are referencing the System Policy All Files permission, which you can enable today in the "Privacy Preferences" settings payload.  According to Apple's documentation, enabling this permission will "allow the application access to all protected files, including system administration files."

 

 


MRCUR
Kind of a big deal

Thanks @Kevin_C. Great to see that's supported now. 

MRCUR | CMNO #12
Caribou
Here to help

Please keep us updated as this drives whether or not rolling out upgrades to Catalina on some of our clients' workstations!

Caribou
Kurtis
Here to help

Hi there, just checking in on the status of this (and subscribing for updates here). I also opened a support case for my organization so hopefully this will be resolved sooner rather than later.

Case ID: 04594888

Best,

Kurtis

Same. This is really starting to hurt. 

Support said the dev team is still working on a solution. They didn’t give a timeline but left the case open to give me updates should they arise. I seriously hope it’s sooner rather than later. From a technical perspective I get the complexity, but we still need a solution.

Levi_
New here

Any updates as to when the Agent will be fixed for Catalina?

Kevin_C
Meraki Employee

A new version of the macOS agent (v 3.0.1), with fixes for Catalina, is now ready for general testing. For access to the agent, please contact your support representative through your case thread.  

Any word for those on Mojave?

Noah_Salzman
Meraki Alumni (Retired)

@Richard_W The v3.0.1 agent was tested on 10.12 and up, so Mojave should be fine. 

Since when did the Agent have published version numbers?  How can I find out which version of the agent I'm running?

I was wondering the same thing. I reached out to support about testing the new agent and their response seemed to indicate that testing the new agent would involve making it available to all clients. I asked for further clarification on whether or not that applied to currently deployed devices or just any devices enrolled after having the new version made available.

Will post an update when I hear back.

SM > Apps for the app version of System Manager. And the device page lists the version too.

That has not been my experience.  Can you show a screenshot for this?  Versioning with Meraki SM has long been a mystery.

Interesting, seems kinda crazy that we are going from version 1.0.99 to 3.0.1.  I wonder what happened to 2.0? XD

Noah_Salzman
Meraki Alumni (Retired)

It's hanging out somewhere with IPv5 and Windows 9.

Are we going to also get change logs / release notes for these Meraki SM Agent updates? Something similar to the other Meraki firmware updates?  Hoping there are some other bug fixes / features in the v 3.0.1 besides "Catalina now Supported"?

 


Noah_Salzman
Meraki Alumni (Retired)

Yes, my apologies for not having that at the same time as the release. We'll have notes later this week. 

Thanks, I'm just excited there will be notes at all! Looking forward to it. Should we expect them in this thread or some other distro method? I don't want to miss the notes once released.

PS. I know this thread is all about SM and Catalina, but will the Windows agent also be getting an upgrade or will it still be a 1.0.98 version?

Noah_Salzman
Meraki Alumni (Retired)

"Don't cross the streams, it would be bad."

Windows unaffected by this change. This was largely about updating to support Catalina's new code-signing feature (aka Notarization).

Were these release notes ever released? If so, where can I find them? 🙂

Thanks!

Kamen
Conversationalist

How can I get to the new SM agent for Catalina? I can only see 1.0.98 in my SM / Apps?

beks88
A model citizen

You need to reach out to your support, read a few posts up. Kevin mentioned it already.

The hang up is support told me that when they enable version 3 for your org it updates the agent on all already deployed clients rather than being able to test on one or two first. I'm not really comfortable with that given what happened with the 25.14 firmware for access points especially since it was pulled without adding an announcement to the dashboard. 

My support tech had me create a new SM network for testing. I took a new Mac and installed the agent (1.0.98) then had the tech upgrade that SM network to the 3.0.1 agent to test auto updating. So far nothing has auto updated and we are looking into potential causes / diagnostics.

Hoping the profile is not a prerequisite since I have so many systems out in the field that had the agent installed way before the profile method existed.

In my experience, I always had to install the agent and the profile if not coming over DEP.

You do have to install both to get full functionality (I have often joked that SM Agent and SM Profile should be marketed as separate products since much of the documentation often assumes you have both when I typically do not get that experience). We were Legacy SM customers before the paid version existed, and before the profile option existed (or at least we were not aware of it back then). For years we always just installed the agent. For new laptop builds, it's easy to install the profile and the agent as part of our build process (we don't have DEP currently due to a challenge with our Procurement process).

The challenge is I have 500+ devices that are deployed (no longer at a company office with IT staff) with only the agent and no profile. Figuring out a way to enroll those devices so they can use the profile is a challenge. Most of these user laptops don't have access to admin rights so they can't self enroll even if we were to email them the links.

I have long hoped that the agent would gain the ability to self install / enroll the profile. In the past, I once was able to repackage the profile file into a .pkg file (agents can install pkgs) as a work around, but unsure if it still works (it was also annoying since SM always thought the pkg never finished installing). I need to recreate this and test if it's even possible with the new Mojave / Catalina challenges. That would solve so many challenges for managing our Mac devices.

If anyone else has cracked this code, please let me know!

@tfriedrich I'm in a similar boat, testing 3.0.1. I have a machine support said was updated to the new SM agent but it appears it's not (still 1.0.99 from prior Meraki pushed update), so back to support. I have both profile and agent installed.

Now live and testing, thus far we have remote access, with control, to 10.14.6 Mac with SM Agent 3.0.1 installed.

frankman
New here

@KevinC @Noah_Salzman Any updates on this? With a lot more remote work happening with the pandemic, this has become a much more dire need for my team.

Noah_Salzman
Meraki Alumni (Retired)

Please contact support, they can help you get the 3.0.1 agent in place. If you are having issues and already have 3.0.1 then you should open a case.

Thanks for the quick response @Noah_Salzman - is 3.0.1 now in production, or still in testing? I'm still seeing 1.0.98 as the version in my dashboard, and not keen on rolling it out in beta form.

Noah_Salzman
Meraki Alumni (Retired)

We are slow-rolling 3.0.1, as you have noticed. However, it is fully supported, and -- as it is with most development teams -- it is much easier for us to address issues in a recent version than it is in older versions.

Understood, thanks again for the quickness!

There is an application called PPPC Utility that allows you to make up privacy policy profiles and deploy them using an MDM.

I have created one for Teamviewer as remote access doesn't fully work without whitelisting Teamviewer in a few of the privacy settings.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI

I can succeed with creating a Full Disk Access settings profile.

I’ve tried from Meraki with the built-in process, using Profile Creator, using its successor iMazing Profile Editor. 

Even profile sent from my RMM provider (SolarWinds) doesn’t work. 

It appears fine on the profile preference pane, but isn't acknowledged by the system. 

I double-checked using the command:

sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access'

and it doesn’t appear in the list. 

Other PPPC types (like screenrecording) are applied fine. 

Is this a limitation from the current agent version? 
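
Added example, not part of the post above and not Meraki's or Apple's code: a short Python lint for a PPPC profile like the Full Disk Access one discussed here, checking each entry of the `com.apple.TCC.configuration-profile-policy` payload before it is pushed from an MDM. The sample profile, its `com.example.agent` identifier and the function names are constructed for illustration.

```python
import plistlib

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"
# Constructed sample profile: identifiers and code requirement are placeholders.
SAMPLE_PROFILE = b"""<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
  <key>Services</key><dict>
    <key>SystemPolicyAllFiles</key><array><dict>
      <key>Identifier</key><string>com.example.agent</string>
      <key>IdentifierType</key><string>bundleID</string>
      <key>CodeRequirement</key><string>identifier "com.example.agent" and anchor apple generic</string>
      <key>Allowed</key><true/>
    </dict></array>
    <key>Accessibility</key><array><dict>
      <key>Identifier</key><string>Applications/Example.app</string>
      <key>IdentifierType</key><string>path</string>
      <key>Allowed</key><true/>
    </dict></array>
  </dict>
</dict></array></dict></plist>"""

def entries(profile_bytes):
    """Yield (service, entry) for every PPPC entry in the profile."""
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") == PPPC_TYPE:
            for service, items in payload.get("Services", {}).items():
                for entry in items:
                    yield service, entry

def lint_pppc(profile_bytes):
    """Return (service, identifier, problem) for entries that are malformed."""
    problems = []
    for service, e in entries(profile_bytes):
        ident, id_type = e.get("Identifier", ""), e.get("IdentifierType")
        if id_type not in ("bundleID", "path"):
            problems.append((service, ident, "IdentifierType must be bundleID or path"))
        elif id_type == "path" and not ident.startswith("/"):
            problems.append((service, ident, "path identifier is not absolute"))
        if not e.get("CodeRequirement"):
            problems.append((service, ident, "missing CodeRequirement"))
        if "Allowed" not in e and "Authorization" not in e:
            problems.append((service, ident, "no Allowed/Authorization decision"))
    return problems

def granted(profile_bytes, service):
    """Identifiers the profile allows for one service, e.g. SystemPolicyAllFiles."""
    return [e.get("Identifier") for s, e in entries(profile_bytes)
            if s == service and (e.get("Allowed") is True or e.get("Authorization") == "Allow")]
```

On the Mac itself, MDM-delivered PPPC decisions are recorded in /Library/Application Support/com.apple.TCC/MDMOverrides.plist rather than as rows in TCC.db, so that file is the place to confirm a pushed profile was accepted.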

Hello all,

Does anyone else experience issues with updating VPP Apps on macOS? Thought it would be resolved with the new agent but still having issues.

ChrisATX
Conversationalist

I am, we are only deploying Slack through VPP at this time. It deploys with no problems however upgrading I'm at only about 40% success on our whole environment. Issue is both on supervised and unsupervised macs.

Jas_n
New here

I have a few new Macbook Airs running Catalina and I’m having trouble getting SM Agent installed on them.

Agent version 3.02 shows in the App list, which I believe is the latest version, I’ve made a PPPC profile according to the instructions in Meraki’s documentation, allowing m_agent Accessibility and Full Disk Access. Is there anything else?

The new laptops enrol successfully, download their profiles and Store apps, but will not install enterprise apps and have only OS Update, Bluetooth and Filevault available under MDM commands. This tells me the Agent is not installed properly although m_agent and its log are present on the device. If I try to re-install it, SM reports success, but nothing changes. I’ve tried installing it manually on the laptop, no difference.

Has anyone got this working on 10.15.6? Thanks for any help anyone can offer.

RowanR
Comes here often

Are you also going to m.meraki.com and enrolling the device with your company identifier? The agent only does half the job in SM on a mac.

Hope this helps!

Little_Mac
Conversationalist

In response to @Jas_n - Did you ever find a solution to this? I have an active case with support for this exact issue, but have no resolution as of yet. This only happens with Catalina clients provisioned via DEP in our organization. Mojave and High Sierra work as expected.

No solution here either, upgrading to macOS 11 Big Sur didn’t change anything.

My issue was resolved with the help of the support organization. There were 2 records in the SM dashboard for the same UUID (i.e. device) although I could not see that by filtering on the device name. I had to query the device in question, copy its UUID, filter the Devices page by the UUID and delete the incomplete device entry.

Now if I could just get remote Screen Sharing (Remote Desktop) to work without prompting the user in Catalina...
