This is how I do it - create a packet capture on the MX for "port 53".  This will capture all DNS queries.  Power cycle the IoT device.  99.9% of the time they do a DNS lookup for what they want to connect to.  Create a firewall allowing that DNS entry.
 
I have also written a tool that can ingest a packet capture and automatically create a group policy with the required firewall rules to allow the device to work.
https://www.ifm.net.nz/cookbooks/meraki-sas.html