Hi All,
In my SM dashboard I rename devices to the user's "first, last" name. The issue I was running into was the name was being reset and it was causing issues with computer syncs with iTunes. To remedy this, I started locking the name from being changed right after I set it. Here is how I am doing it (currently only new devices going through DEP).
Create the following policy that checks to see if the Meraki app is installed:
- Systems Manager > Policies (under "Configure" heading) > "Add New" > Add Name (I called it Meraki_App) > Check "Mandatory App" (under "All Devices" heading) > type in the SM app identifier (I just used the wildcard: *Meraki*) > Click "Save Changes"
Create Two Separate Settings [configuration profiles]:
- CONFIGURATION #1: Check the restriction "Keep device name up-to-date with Dashboard (iOS 9+)" and scope it statically to the devices.
- CONFIGURATION #2: Uncheck (disallow) the restriction "Allow modification of device name (iOS 9+)". This is going to be scoped a little differently than the first one. I used the "with ALL of the following tags" option and scoped it to my iPad group. In ADDITION to that, scope it to the policy that was created to check and see if the user installed the Meraki MDM App, in my case "Meraki_App - compliant devices".
Summary
What basically happens is the device will roll through DEP and the name will be set by the MDM server (this is why we created the first profile). Then, once the Meraki MDM app syncs down, the device becomes compliant with the lock policy and that name gets locked.
Addressing the concern about if the user deletes the Meraki MDM app. To my knowledge, policy compliance is checked when the device checks in to the server. During this time, the dashboard would re-install the MDM app (I have it set to auto-install). My testing shows that the user would have only about 10 - 20 seconds when that name lock restriction pulls off to re-name the iPad to something other than what you name it.
Can this be used with already enrolled/supervised devices?
Yes. As long as that name is synced from dashboard then you can lock it. I am currently running this on new DEP devices right now and going to roll it out next week on already enrolled devices.
I invite you to test this and share feedback! Please let me know if you have any questions.
Jared
I feel this is implied, but I just want to note it if anyone did not know. If you are doing this on DEP devices you need to name them before setup takes place.
For already enrolled/supervised devices, you should have no problem enforcing this if you already named them. If you are going to start naming them to something (i.e. User Last, First or Serial #) then you have to give that time to cycle to each device before applying this.
Thanks for this information @jared_f! More Kudos coming your way 🙂
Thanks @MilesMeraki! I am just hoping naming automation is in the works!
I don't understand why (after all these years) Meraki hasn't implemented the ability to auto-name the device with the user name from authenticated enrollment. The current "name" and "system name" fields are useless to me because I'm not inclined to manually set the name for nearly 8k iPads. The devices in scope for each app doesn't include the owner field, only the name fields so you can see my issue especially since "devices in scope" also doesn't let you search on the auto-tag field which are the AD groups I use for app assignment. And yes, I've entered it in the wish list multiple times. I'm sure the genie that reads the wishes is sick of me.
Exactly @Diane. I am so tired of submitting wishes and tickets - it is just a waiting game, similar to the DEP agent install.
Jared
But, it was well worth the wait.
Considering the other major MDMs have been auto naming based on a field for the last 6 years I'd say this should be a simple thing to add. Instead, time is apparently being spent on building a new overview page. I'd prefer they get the existing pages working properly before starting a new project (but they didn't ask me.) I have a list of things that aren't working right or don't have continuity with the other dash functions but when I ask about it I'm told to enter it as a feature request. For example: We have the App Store removed for our students and I add the apps the teachers want them to have to the App Management page for them to choose from. They're assigned to the appropriate grade levels based on their Active Directory groups. We're up to 600 apps in that feature. On the individual app pages the Devices In Scope are not searchable by the AD group. In every other console such as clients, the AD group is a searchable item.
I'd also like to see the page numbers, forward, and back option at the top of the screen as well as the bottom because when you're working with thousands of devices you have to scroll to the bottom to change the page, scroll to the top to select all then do the function such as add or whatever, scroll to the bottom and repeat. Seriously... how hard would it be to put page numbers at the top and bottom? I asked for that a couple of years ago. Radio silence. I could go on but it feels like wasted effort.
<Rant Mode Off>
Hi @Diane! Can you help me understand what you're looking to do here?
It sounds like you want to scope apps to your existing AD groups.
AD groups would appear in the "User Tags" when scoping apps like this screen shot of an app page below - I'm not sure why you would need owners or names fields when scoping apps if the goal is to use AD groups. Can you help me understand the issue?
I didn't make that very clear. I'm sorry. I already scope to AD groups. I want to be able to search the devices in scope by the AD group for various things that come up. Since devices in scope doesn't include the owner name (from authenticated enrollment) the only way to find a particular iPad in that window is to get the serial number from the Clients console then paste it into the DIS search field. Aside from that I sometimes need to find a subset of student iPads and can't search based on an auto-tag. I hope that makes sense. It's hard to articulate in text. The other consoles will search on auto-tags.
Thank you @Diane!! That makes sense.
I think the Tags Management page will definitely help you - can you email support@meraki.com and ask for them to enable it on your dashboard? (They should be able to enable this for any paid SM account)
The Tags Management page will let you see all devices, apps, and profiles in scope for any given tag - including auto tags (like device tags or security profile tags) and user/owner tags (like AD groups or ASM groups!)
Here are some screenshots of that below:
I had tag management when it was in beta then it disappeared. Not sure why considering what we pay for Meraki Enterprise and the size of our deployment. That doesn't help me anyway. I need to find a subset of iPads with a particular app assignment so I need it in the app devices in scope window so I can update, remove, or whatever. When I just needed to find all devices by tag I do that from the Clients console. The point being that there's auto-tag search functionality in all the other console windows except that one. Seems like a simple fix since the code is already written. I consider it a bug in Apps2, not a feature request.
Got it - this makes sense. You'd like to be able to search devices by tag within an individual app.
I can look into this!
That's definitely a feature request 🙂 I'll double down on it for you with the team. I can see how it would help your workflow!
That would be amazing. Thank you!!
This is what you want. Had to submit multiple tickets and send multiple emails to get that pretty basic feature.
I'm sure "Melissa" can have this enabled for you...
That's in the client list. I know I can search it there. That option is NOT available in the apps devices in scope.