If it's possible in Outlook for iOS you would find the exact preference key here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune   Then create a custom/managed config profile for iOS in Meraki ... View more

There are a couple of methods you can use, but definitely with some caveats.   1. If the Mac is enrolled in DEP and is running 10.13.4 (or later) you can use the Software Update command on an individual client page in the Meraki dashboard. It should appear in the same grouping as remote desktop/remote lock/etc on the client page. This is super manual however, I don't know of a Meraki-supported way to do this in batches.   2. You can use startosinstall as part of the macOS Mojave installer, however Meraki would also need to support this in some way to remotely push out. You could use an app management tool like Munki to force an update with startosinstall, as an example.   https://support.apple.com/en-us/HT208020 ... View more

@eritho I would start with the binaries you find in the locations below. just drag into the PPPC Utility /usr/local/sbin/m_agent /usr/local/sbin/m_agent_upgrade ... View more

@eritho It's definitely possible that m_agent needs to be added to the profile, but not necessarily each app it's trying to install. I recently started a new gig (that doesn't use Meraki) so I don't have immediate access to the Meraki dashboard any more to test.   I would recommend starting with allowing m_agent access to SystemPolicyAllFiles, as well as 3 AppleEvents that whitelist control of Finder, SystemUIServer, and System Events.   https://help.apple.com/deployment/mdm/#/mdm38df53c2a ... View more

I created some app whitelist profiles if anyone wants to be lazy 🙂   https://github.com/ducksrfr/mac_admin/tree/master/Privacy%20Preferences%20Policy%20Control%20Profiles ... View more

There are a couple of potential causes, one is that Apple only allows "observe" by default unless the user activates Remote Management in the Sharing prefs pane. I know you mentioned that's turned on, but I'm wondering if Apple is enforcing a "user-approved" methodology, where the user has to enable those settings in the GUI vs it being activated as part of a script/another management tool.   The other possibility is that m_agent or some other Meraki binary needs to be whitelisted for accessibility/AppleEvents and/or full disk access as part of the new Privacy Preferences Policy Control payload  ... View more

Another thing to note about the software update delay payload: it defers X days from when Apple releases the update to their catalog, it does not defer from the date you push/install the profile. ... View more

The template in Meraki acts as a whitelist, so anything 3rd party essentially gets blacklisted by default. You can use Profile Manager in the macOS Server app to specifically white or black list any prefs pane. My GitHub has an example profile I made in that tool that just blocks the Profiles prefs pane, thereby allowing anything else not explicitly blacklisted.     ... View more

For fonts specifically, another option is a uploading a custom configuration profile with a font payload, that's how my org distributes fonts. You will need Apple's Server app, and the Profile Manager section allows you to create custom profiles from additional templates that Meraki may not provide. ... View more

oops! sorry looks like you already found it 🙂 ... View more

@Phil Check out this thread: https://community.meraki.com/t5/Endpoint-Management-Systems/whitelisting-kernel-extensions-via-team-id-s/m-p/21443#M2436     You can use the Profile Manager section of macOS Server to create a kernel extension approval payload and upload to Meraki, that's what I'm doing in my environment until Meraki provides one. ... View more

I make a scheduled task every 3 months to clean up my Dashboard. I'll just sort by the Connected column, and I'll remove anything that hasn't connected in that 3-month period.   If you remove a device that is still "active" it will re-appear in Systems Manager so long as the profile/agent is still installed on the device, so I don't really worry about accidentally removing something. ... View more

This issue seems to have worked itself out. I'm not sure if Meraki did anything on their end to address it but the DEP list loads normally now. ... View more

@rguthrie Yep, here's an example of the profile I made for Symantec: https://github.com/ducksrfr/mac_admin/blob/master/profiles/kernelext_symantec.mobileconfig   In terms of "finding" the bundle identifers or Team IDs, I recommended installing the apps you need to find this info from on a test Mac. Approve the Kernel extensions as needed if prompted.   Find the bundle identifiers of apps requiring kernel extension approval:  kextstat | grep -v com.apple   Find the Team ID of apps requiring kernel extension approval:  sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy SELECT * FROM kext_policy; ... View more

For the dock, check out this site.   You can “lock” apps to the dock to prevent changes and set additional dock prefs. Then upload the profile it makes to Meraki.  ... View more

I don’t believe so, profiles in macOS are applied on a system level and are always enforced. It would be helpful to know what settings you need to “disable” to make changes and then “re-enable” as Meraki doesn’t talk to AD in this way.    You mention “a” profile, does this mean you loaded all of the settings/payloads you want into a single mobileconfig profile? If so, you should consider breaking that down into multiple, smaller profiles.    For example: I used to have a single profile that enforced the firewall, and set a message at the lock screen with contact info in case the laptop was stolen. For various reasons, I had to uninstall the profile from a user’s Mac to test firewall settings. During that process, the user’s laptop was stolen. It eventually checked into the Meraki portal to report an updated location, but our interaction with the local police dept would have been smoother had the owner contact info been easily visible on the lock screen (which was removed when the profile was uninstalled).    Now I have a separate profile for each function, so if I need to remove or update a profile it doesn’t affect multiple settings. Also, because profiles will enforce the setting there are some adjustments that can be made with the defaults command in a script. For example: I want to ensure my Macs are set to Central US time zone during the user provisioning phase, however the user may be traveling and needs the ability to adjust their time zone as needed. So I don’t use a profile, which would always enforce Central US time. I’ll run this:   usr/sbin/systemsetup -settimezone "America/Chicago"     ... View more

@Dagan You can definitely create them in the macOS Server app ($20 in the app store), under the Profile Manager section. If you're coming from Jamf, that Profile Manager is going to be your best friend b/c it offers multiple templates (including kernel extension approval) and the ability to create custom profiles that Meraki does not support.   Here's an example profile I made in Profile Manager for Symantec: https://github.com/ducksrfr/mac_admin/blob/master/profiles/kernelext_symantec.mobileconfig ... View more

@Salem_kommun I haven't had too much time for additional testing, but I would at least open a support ticket so this issue is on Meraki's radar (and hopefully, they can update their documentation on this issue).   a couple of things i've noticed:    1- I can never get this to work from an external source (even double-checking that the Google/OneDrive/Box link is publicly accessible). i see the same unpack error you get   2- Starting in High Sierra Apple is checking for both a pkg identifier *AND* a "Product ID," which I've had to manually add to some existing packages. Check out this link for more info, and an example. ... View more

There's definitely a conversation to be had between IT and your employees, whether that's an info campaign/executive-level communication/workshops/etc.   I would recommend drawing up a list of the benefits your users will see by having Meraki on their devices. At my org that means company-owned Macs, but in your case I'm guessing this is either personal or company-owned iOS devices?   -We played up the ability to push updates or have remote help on Macs without users needing to be in the building or connect to VPN first. -Tracking a device if it's lost or stolen -Password resets if a user is on/off network -Data security, something required by clients. (You don't want to be the employee that caused a breach that makes the news...) ... View more

I highly recommend buying Apple's Server app for $20. You're able to create custom profiles and the Profile Manager section has additional templates that Meraki does not offer.   That being said, I have a custom payload that enforces the firewall you can use 🙂   https://bazaarvoice.box.com/s/nfrkdo2gz3tplcgxqgtxoqvxweqdreaj     ... View more

deadline to support iPhone X for existing apps is July: https://appleinsider.com/articles/18/05/07/apple-sets-july-compliance-deadline-for-using-ios-11-sdk-and-iphone-x-display-in-app-updates ... View more

Ok, there's some updated documentation on FileVault escrow but you need to "fill-in-the-blank" by generating your own public/private ssl cert to upload to Meraki. Also: as noted in Meraki's documentation this will not work on existing deployments. Newly enrolled devices (or freshly re-imaged Macs) will be able to take advantage of the escrowed keys. The escrow payload must be installed before (or simultaneously) with a separate FV personal + institutional key payload for this to work.    Generate the public key certificate in Terminal using openssl: https://developer.xero.com/documentation/api-guides/create-publicprivate-key   OR this site (scroll down to the create SSL section): http://brianflove.com/2014/12/01/self-signed-ssl-certificate-on-mac-yosemite/ ... View more