URL Filtering has broken SM monitoring

Solved
soomeGUy
Here to help

I have MR42, MX64 and MS220-8

Based on the guides, I created a Group policy that blacklists * and whitelists 2 websites and also meraki.com.

I have applied this group policy to a VLAN for a specific SSID (for some reason group policy applied via Sentry tags wasn't working, which I created a post about here: https://community.meraki.com/t5/Network-Wide/Group-Policy-via-Sentry-Tag-not-working/m-p/2972#M76).

However, this has broken Systems Manager MDM on the iPads. When I added meraki.com to the whitelist it caused the Meraki app on the iPad to show all green check marks, but the iPads show offline in Systems Manager and I cannot send commands to them anymore. The guide doesn't say what I need to put in the URL filtering whitelist; it mentions meraki.com but that clearly isn't enough. These are URL filters so I can't whitelist IP addresses afaik.

This was the guide I followed: https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/Content_Filtering

Can anyone help me with this?

1 Accepted Solution
PhilipDAth
Kind of a big deal

Try whitelisting *.apple.com.

@PhilipDAth wrote:

Try whitelisting *.apple.com.


I totally didn't think that MDM might go through Apple, I thought it was direct to Meraki, going to whitelist *.apple.com now. Thanks.

PhilipDAth
Kind of a big deal

Apple devices are very much tied to Apple (consider Apple push notifications).

Have you got any way to log the DNS queries being made (even if by a packet capture)? If so, use that method to get a definitive list of what is needed.
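
The DNS-logging approach suggested above, as an added example that is not part of the original thread: it parses tcpdump-style DNS query lines and lists the hostnames a device asked for that the current whitelist does not cover. The capture lines and hostnames are constructed, and the matching semantics (a bare domain also covers its subdomains) are an assumption, not Meraki's documented behaviour.

```python
import re
from collections import Counter

# Constructed tcpdump-style DNS lines (not captured from a real network).
SAMPLE_CAPTURE = """\
12:00:01.100000 IP 10.0.20.15.51234 > 10.0.20.1.53: 4242+ A? n1.meraki.com. (31)
12:00:01.200000 IP 10.0.20.15.51235 > 10.0.20.1.53: 4243+ A? courier.push.apple.com. (40)
12:00:01.300000 IP 10.0.20.15.51236 > 10.0.20.1.53: 4244+ AAAA? courier.push.apple.com. (40)
12:00:02.000000 IP 10.0.20.15.51237 > 10.0.20.1.53: 4245+ A? mdm-checkin.apple.com. (39)
12:00:02.500000 IP 10.0.20.1.53 > 10.0.20.15.51237: 4245 1/0/0 A 192.0.2.10 (55)
12:00:03.000000 IP 10.0.20.15.51238 > 10.0.20.1.53: 4246+ A? static.cdn.example.net. (40)
"""

# Matches the query part of a line: "<id>+ <TYPE>? <name>."
QUERY_RE = re.compile(r":\s+\d+\+?\s+(?:A|AAAA|HTTPS|Type65)\?\s+(\S+)")


def queried_hosts(capture_text):
    """Count each hostname seen in a DNS query line; responses are skipped."""
    hosts = Counter()
    for line in capture_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            hosts[m.group(1).rstrip(".").lower()] += 1
    return hosts


def is_allowed(host, allowlist):
    """Assumed semantics: 'example.com' covers the domain and its subdomains,
    '*.example.com' covers subdomains only."""
    for pattern in allowlist:
        p = pattern.lower()
        if p.startswith("*."):
            if host.endswith(p[1:]):  # p[1:] keeps the leading dot
                return True
        elif host == p or host.endswith("." + p):
            return True
    return False


def blocked_hosts(capture_text, allowlist):
    """Hostnames the device asked for that no allowlist entry covers."""
    hosts = queried_hosts(capture_text)
    return sorted(h for h in hosts if not is_allowed(h, allowlist))


if __name__ == "__main__":
    for label, allow in (("before", ["meraki.com"]),
                         ("after", ["meraki.com", "*.apple.com"])):
        print(label, blocked_hosts(SAMPLE_CAPTURE, allow))
```

Hostnames still listed after a whitelist change are the candidates to review before adding further entries.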

I whitelisted *.apple.com and it fixed my issue, thank you!
