I've been testing a tighter ruleset for my CA-enabled MVs. It appears allowing 443 to *.vision.meraki.com is working (in addition to the other cloud destinations needed for mgmt, streaming proxy, etc.).
They appear to also need port 80 to 142.250.0.0/15, which must be part of the broader suggested "port 80 to any" rule.
Ryan / SE