Group Policy not working

bluemoon61
Here to help

Hello - new to using the Meraki GP and probably doing something wrong but has anyone managed to successfully block social media from a device with Group Policies?

We have a teenage daughter who has "an addiction" and we are trying to stop the "addiction" interfering with homework time by blocking access on a device that should be being used for schoolwork. Apple Screentime has failed us too many times so we are now trying to use GPs.

This is a set of L7 FW rules that I have added to a GP and applied that same GP to my iPad but I still see all 3 apps from my iPad.

Any ideas what I am missing?

[Screenshot 2020-11-24 at 08.53.11.png]

Bruce
Kind of a big deal

You’ll still see the apps, group policy doesn’t remove them. You need to test them and see if they work...

bluemoon61
Here to help

Thanks and yes I realise that but the issue is that they do still work.....was not expecting to see them removed but was not expecting them to work 

GreenMan
Meraki Employee

It's possible your MX still holds active sessions for those applications from the device in question, which are likely to be maintained. Have you tried disconnecting the device from the network for a period of time - or even just rebooting the MX - to clear?

bluemoon61
Here to help

Honestly not but can try that later when I am no longer working.....rebooting will take my business network down 

bluemoon61
Here to help

Just tried and no dice - Instagram and Facebook still loaded on a device that was supposed to be restricted 

GreenMan
Meraki Employee

When you select the client device in the Dashboard (under Network-wide > Clients), does it show your configured Group Policy as being applied to that device? (Bottom left, under 'Device policy:')

Assuming so, have you checked for any permit rules which might apply to these flows and be applied before the Group Policy rules you have configured? As per: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...

bluemoon61
Here to help

Thanks and yes have checked both - see attached

[Screenshot 2020-11-26 at 08.38.03.png]

[Screenshot 2020-11-26 at 08.38.15.png]

bluemoon61
Here to help

Meraki have just suggested that we also need to block UDP 443 so added a rule for this too 

bluemoon61
Here to help

Searching wider this looks like it will block QUIC which does not strike me as a major issue because she is on an iPad and mainly using Safari and because her Chrome can still fall back to HTTP/HTTPS but am I missing anything else?

All of the apps that she is supposed to be using from the iPad are Google Classroom based but I don't imagine these need QUIC?

Crocker
A model citizen

Any chance the 'Private Addresses' setting is toggled on, on the devices in question? That could stop the GP from applying to the device.

Cmadiam82
Comes here often

Hi @bluemoon61,

Instead of using the Layer 7 settings, try to use the Blocked website categories option under Security appliance only, just below the Layer 7 settings. Choose Social Networking, as Facebook, Snapchat and Instagram fall into this category. You can also block other categories if you want.

[Cmadiam82_0-1606546611165.png]

Hope it helps.

bluemoon61
Here to help

Thanks for the suggestion - can I ask why this is a better approach? Just trying to understand?
