Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Assign group policy by device type NOT working whatsoever

ronnieshih75
Building a reputation
2 weeks ago
2 weeks ago

Assign group policy by device type NOT working whatsoever

Have been trying to get this feature to work literally for years.  We need to block iphone and android devices on 2 SSIDs.  The SSIDs are configured through a template with the template assigned to over 200 wireless networks.  I can obviously see iphones with specific IOS versions being detected under Monitor/Clients but these devices are not getting blocked at all according to the policy I configured.  I've called Meraki support about this in the past and was given a fudge-over type of vague answer why this feature does not work and they are working on a different method to make this work.

Advise on whether anyone has this working at all.

ronnieshih75_0-1713535185506.png

 

0 Kudos
Subscribe
10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

This is a bit complicated as client identification may not be accurate.

 

Note: Some clients may misidentify themselves when specifying the User-Agent string field of an HTTP GET request. Device type policy enforcement is done on a best-effort basis, dependent upon the information that the client provides. When needing to enforce security-focused policies based on device type, please leverage solutions such as Meraki Systems Manager, or Cisco ISE. 

 

https://documentation.meraki.com/MR/Group_Policies_and_Block_Lists/Applying_Policies_by_Device_Type

 

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
ronnieshih75
Building a reputation
2 weeks ago
2 weeks ago

So the solution is to spend another half a million dollars?!  I am looking to block personal mobile devices from getting on wifi, not MDM enterprise managed devices.  None of these personal devices would be managed whatsoever with MDM software but needs to be blocked off specific wifi networks.

Because we deployed Forescout and it has its shortcoming is cannot fingerprint mobile devices properly either.

0 Kudos
Subscribe
In response to ronnieshih75
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

Unfortunately yes. 😞

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to ronnieshih75
mlefebvre
Building a reputation
2 weeks ago
2 weeks ago

Mobile device fingerprinting is difficult for any platform, because it relies on how the mobile device works and in the case of some vendors like Apple they are often taking steps to prevent this sort of fingerprinting because it is a privacy risk. What I would recommend instead is whitelisting your approved enterprise devices and blocking other devices by default

0 Kudos
Subscribe
In response to ronnieshih75
PhilipDAth
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

> I am looking to block personal mobile devices from getting on wifi

The #1 deployed solution for this is to use certificates.  Most companies have Active Directory, so there is nothing to buy.  It is just a configuration exercise.

0 Kudos
Subscribe
RaphaelL
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

Have you considered WPA2-Enterprise with 802.1X and only deploy the certificate to your managed devices ?

0 Kudos
Subscribe
ronnieshih75
Building a reputation
2 weeks ago
2 weeks ago

We already have a SSID using RADIUS servers with 802.1X auth using internal CA issued certificates, for all windows machines.  I will be turning off PEAP authentication off that network then personal devices with no enterprise issued certs can get on that network.  However, I have 1 PSK based network that I cannot readily change the preshared key on, that is why I'm looking for this feature to work.   My question is that if Meraki is detecting some clients properly under the "device type,os" field, then why isn't the feature at least working for those identified devices?  I get the whole user agent string thing through DHCP request and I've been down this path with meraki support.  I usually get a fall-off-the-cliff answer with support but noting this problem to them at the Cisco corporate office in Chicago only gets me pulled into a small room so I don't embarrass them in front of a large crowd red faced.  If this feature does not work at all, then by all means it should be taken off the dashboard completely.

0 Kudos
Subscribe
In response to ronnieshih75
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

In fact, it is a two-way process, the device itself is the one sending the information to Meraki. So it depends more on the device than on Meraki itself.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
ronnieshih75
Building a reputation
yesterday
yesterday

I opened a Meraki support ticket and they played it as a firmware update as always, using v30.6 .  But this really doesn't fix the problem either after I upgraded ap firmware for some 40 wireless networks.  They did note that this feature does not work for 802.1x authenticated wireless network, and I accept that.  He did state that this should work for a PSK wireless network but it is not, no matter what firmware version the AP's are sitting on.

Once again, I have a PSK network that I cannot get rid of and readily change password on as many IoT devices are connecting to it.  We just need to block personal mobile apple and android devices not MDM managed.

0 Kudos
Subscribe
In response to ronnieshih75
alemabrahao
Kind of a big deal
Kind of a big deal
yesterday
yesterday

Unfortunately, this is a feature that doesn't work well precisely because it depends on the device sending the correct information. ISE or MDM are the key.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.