We would like to prevent devices of a specific type, i.e. iPhones, from connecting to one of our networks. Having done some research, it seems that the way Meraki identifies the OS of a device is when the device makes a HTTP GET request after having connected to the network. Is there any way of applying a policy that prevents users from connecting to the network at all, or being able to hide an SSID from particular device types?
Thanks in advance.
I'd try to stear clear from using the device type for policies as they are known to be inaccurate at times:
You can't hide SSIDs for specific users/devices it's all or nothing.
You'll be better of using other access control methods like 802.1X (WPA2-Enterprise), authentication through a captive portal, manual via the client details page, Cisco ISE, ... Which one is the best choice depends on your use case.
If you use splash page authentication then the OS fingerprinting works fine, but if you use WPA2 with a PSK or Enterprise modes then the device might not make an http request after login, and consequently per device type group policy doe snot work.
The best option is to use WPA2 Enterprise mode with certificate based authentication. Then strickly only devices you put a certificate on can attach. If you have mostly windows clients this is easier, as you can create a group policy to deploy certificates onto machines automatically.
Just to add to the good advice that everyone has provided below. You might also want to look at using Cisco Identity Services Engine (ISE) if you want to try and block access by device type. It is generally more robust at determining the device type and may serve your purpose well - but that said, it is obviously more $$$, which may not be wanted.
Thanks for the responses. We have decided to shore things up by making use of the Google authentication splash page for access to the relevant SSID. Thanks again for the replies!