Meraki

PaulF · ‎Aug 8 2022

So, once step that many people miss is assigning the device to a network when it appears in the ADE list in Meraki. This is a step unique to Meraki SM as it has the ability to partition SM into Virtual MDM instances: You'll note that each device is assigned to a Network. You can do this in two ways Either assign the devices to a network like this: or ensure that there's a default network in Organization > MDM

PaulF · ‎Aug 4 2022

Macs have to be wiped and restored for the addition to ADE to work...

PaulF · ‎Aug 4 2022

This really does depend on how the device is managed But, if MDM enrolled, you should be able to wipe the computer If agent enrolled, you could either wipe the computer from the command line or Remote Desktop, or use the following command: net user username /delete Where username is the username of the user in question. I don't know if this logs the user out instantly....

PaulF · ‎Jul 29 2022

add the app to Systems Manager. Then, go to Systems Manager > Settings and click the + in the top right hand corner Create a new Device Profile Click the + on the left hand side and add managed App Config Select the device platform, then the newly added application You'll now be able to add the keys and values relevant to the app

PaulF · ‎Jul 29 2022

This is done through managed app config. Chrome has a surprising amount of things that can be managed in this way. details of which are here: https://chromeenterprise.google/policies/#ManagedBookmarks It does go into some detail, so I'll give an example of some simple bookmarks We'll create a new policy using Managed App Config for Android We can add a new entry, find Managed Bookmarks in the list and add something like the following: [{"toplevel_name": "Acme Bookmarks"}, { "name": "Cisco", "url": "cisco.com" }, { "name": "Meraki", "url": "meraki.com"}]

PaulF · ‎Jul 13 2022

1. Correct: Ticking them will allow managed apps to see unmanaged data and vice versa. Obviously this is downgrading the security of the device a little, so have a think about the consequences of doing so. 2. Tags are the answer. As the screenshot below, I've gone to profile configuration, and, because I want to EXCLUDE devices from this, I've selected WITHOUT ANY of the following tags and created a tag called ExemptFromStuff. I've then tagged the device with the same tag. This should exclude the device from this policy. Obviously, there's a tonne of flexibility here

PaulF · ‎Jul 12 2022

Before you make any changes: Do you already have a restrictions policy applied to devices? I want to make sure that this is the cause of the issue Do you wish to make changes to just your device, or every device?

PaulF · ‎Jul 12 2022

Is what your company likely has set.

PaulF · ‎Jul 12 2022

You company has enforce what is called Containerisation (apple call it Managed Open In). You'll be able to see this restriction under Settings > General VPN and Device Management, MDM profile, restrictions There's no workaround for this: I'd contact your MDM admin and discuss your use case

PaulF · ‎Jul 4 2022

So, as each device enrolled through DEP will also be Supervised, you can look for: You can also, in the device list, hit the + button and choose "Supervised" or "DEP Enrolled" if you want to search between the two enrollment types

PaulF · ‎Jun 14 2022

The only way to achieve this is to use managed apple IDs, which is currently only achievable for User Enrollment and Shared iPad enrollment types Outside of these use cases, you can only BLOCK the ability to Manage account settings, including Apple ID As @BlakeRichardson mentioned, this is an Apple limitation not Meraki

PaulF · ‎May 19 2022

Wasn't aware that the "homepageisnewtabpage" flag was Dev only, so thanks for pointing that out. As the description above is hosted in Google Play (That's where the managed app config descriptions come from), and there's obviously a deficiency in Google's Chrome which doesn't fit your use case (a use case that I fully understand), then you have two options 1) Use a product whose sole purpose is a browser that can be systematically control through managed app config 2) Raise your requirement with Google and have them create a feature request As per your last point: There are many people who wish to manage Chrome on Android. I felt that giving some context as to why it appears not to be possible would be helpful for them

PaulF · ‎May 18 2022

There isn't a limit set by Apple Sounds like a bug to me, although let's not rule out application issues also

PaulF · ‎May 18 2022

I'd use a quota size and temporary session timeout to ensure that data is cleansed. However, due to the way that DEP profiles are installed, you'd need to do a device wipe

PaulF · ‎May 18 2022

In the list of settings I found, as you did. HomepageLocation Setting the policy sets the default homepage URL in Google Chrome. You open the homepage using the Home button. On desktop, the RestoreOnStartup policies control the pages that open on startup. If the homepage is set to the New Tab Page, by the user or HomepageIsNewTabPage, this policy has no effect. The URL needs a standard scheme, such as http://example.com or https://example.com. When this policy is set, users can't change their homepage URL in Google Chrome. Leaving both HomepageLocation and HomepageIsNewTabPage unset lets users choose their homepage. On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX. I've highlighted two bits of the text that appear relevant. There appears to be more detail here: https://chromeenterprise.google/policies/

PaulF · ‎May 4 2022

So, here's a thought: You get both LAN and WAN IP address via the API... It wouldn't take much coding to use the Devices API to get the IP address of every device, and set a tag based on compliancy against IP address.... It would save you having to do this through the UI, and means you could run it several times a day.... Let me know if this is something you'd consider...

PaulF · ‎Mar 28 2022

Wanted to add to what @BlakeRichardson said: Don't rely on the Apple Configurator provisioned WiFi profile still being there after enrollment. Ensure that you also provision a WiFi profile through SM too. Also, SM cannot remove a profile it didn't install.

PaulF · ‎Mar 4 2022

The best way would be a combined package. As the roaming client downloads as a PKG, it does make life easier: You're going to follow exactly the same instructions as above: mkdir InstallFile cd InstallFile mkdir Content mkdir scripts cd Content touch OrgInfo.plist cd ../scripts touch postinstall chmod a+x postinstall Drop the OrgInfo.plist into the Content folder ALSO drop the RoamingClient_MAC_3.0.5.pkg into the same Content folder NOTE: Watch out for the name of the roaming client changing with each new release Edit the postinstall file: #!/bin/bash mv /tmp/OrgInfo.plist /Library/Application\ Support/OpenDNS\ Roaming\ Client exit 0 But add a new line after the #!/bin/bash installer -pkg /tmp/RoamingClient_MAC_3.0.5.pkg -target / NOTE: again, make sure that, whenever creating a new package after a roaming client update, that you update the name of the package. Also note the spaces above too. You can test using the Installer command on your Mac at the command line: sudo installer -pkg RoamingClient_MAC_3.0.5.pkg -target / Password: installer: Package name is Umbrella Roaming Client installer: Installing at base path / installer: The install was successful. Just to ensure it installs with no issues, and that the relevant directories are created Now, back to Terminal. The command the build the package is identical, but I've changed the names to something a little more appropriate: sudo pkgbuild --identifier com.meraki.umbrellaroamingclient --root Content --script scripts --install-location /tmp/ umbrellaroamingclient.pkg pkgbuild: Inferring bundle components from contents of content pkgbuild: Adding top-level postinstall script pkgbuild: Wrote package to umbrellaroamingclient.pkg And you're all done.

PaulF · ‎Mar 3 2022

Hi Anthony An example would be this: #!/bin/bash mv /tmp/OrgInfo.plist /Library/Application\ Support/OpenDNS\ Roaming\ Client exit 0

PaulF · ‎Mar 2 2022

Hi Anthony. App Store applications have a capability that allows for the usage of Managed App Config. However, as the AnyConnect package is a custom app, this is not available. So, there's several ways this could be achieved, but it's going to take some work... The first one is to have two apps: A generic dmg containing the AnyConnect package, but also a separate packing containing a script that will create the plist for you: https://documentation.meraki.com/SM/Apps_and_Software/Deploying_Scripts_in_Systems_Manager_using_Software_Installer Contains most of the information that you need. However, you can also use the pkgbuild application to create a script AND files: In Terminal, type the following: Navigate to somewhere where you want to store your packages mkdir InstallFile cd InstallFile mkdir Content mkdir scripts cd Content touch OrgInfo.plist cd ../scripts touch postinstall chmod a+x postinstall You can now edit the OrgInfo.plist Edit the postinstall file to copy the plist, which will be in /tmp/OrgInfo.plist to wherever you wish Now we can run the following command: sudo pkgbuild --identifier com.meraki.scriptpackage --root Content --script scripts --install-location /tmp/ packagename.pkg pkgbuild: Inferring bundle components from contents of content pkgbuild: Adding top-level postinstall script pkgbuild: Wrote package to packagename.pkg You'll now have a pkg called packagename.pkg which you can deploy!

PaulF · ‎Nov 10 2021

Again, please use the "make a wish" link at the bottom of your dashboard

PaulF · ‎Oct 27 2021

Thank you for checking @Shany !

PaulF · ‎Oct 21 2021

They tend to be referenced in the release notes: https://developer.apple.com/documentation/ios-ipados-release-notes/ios-ipados-15_1-release-notes However, as it's not released yet, expect this page to update

PaulF · ‎Jul 16 2021

Yes..... When sending a notification to an android, you can select the messaging type:

PaulF · ‎Jun 29 2021

I know that there's many of you that have workflows that involve the manual install of the SM agents on macOS, such as Silent installer for MacOS However, with the changes in the SM agent 3.1.0 and above, instead of being able to do silent installs, you know have to specify your enrollment code manually, as per Mac Enrollment - Command Line Options You can optionally specify the network enrollment code / string with the following command: sudo launchctl unsetenv enrollment_code && sudo launchctl unsetenv organization_id && sudo launchctl setenv enrollment_code <network enrollment code or enrollment string> && sudo installer -pkg <path/to/package.pkg> -target / && sudo launchctl unsetenv enrollment_code && sudo launchctl unsetenv organization_id There's two optional parameters here: <network enrollment code or enrollment string> : This is the enrollment code that's quoted in Systems Manager > Add Devices, or Network Wide > General <path/to/package.pkg> : This is the path to the SM agent installer This is, understandably, unwieldy, primarily due to not being able to pass parameters to installers in macOS. However, there is an alternative: You can actually build an installer that allows you for silent enrollments, and this is how 1. Download the Current SM Agent Installer From Systems Manager > Add devices > macOS, download the SM agent 2. Create a new folder on your Desktop: SMAgent3.1.1 (for example) 3. Open Terminal and type the following cd ~/Desktop/SMAgent3.1.1 mkdir Scripts cd Scripts touch postinstall chmod a+x postinstall cd .. mkdir Content cd Content open . This last command will open the Content directory Move the previously download SM agent into here and rename it SMAgent.3.1.1.pkg Go back to terminal and type cd .. cd Scripts open . This will open the Scripts directory in Finder. 4. Edit postinstall With a suitable text editor, open the postinstall file and type: #!/bin/bash sudo launchctl unsetenv enrollment_code && sudo launchctl unsetenv organization_id && sudo launchctl setenv enrollment_code XXXX-XXXX-XXXX && sudo installer -pkg /tmp/SMAgent-3.1.1.pkg -target / && sudo launchctl unsetenv enrollment_code && sudo launchctl unsetenv organization_id NOTE: Replace XXXX-XXXX-XXXX with the network enrollment code or string Save this file 5. Create installer Go back to Terminal and type: cd .. sudo pkgbuild --identifier com.meraki.smautoenroll --root Content --script Scripts --install-location /tmp com.meraki.SMAgent3.1.1-autoenroll.pkg This should result in: paulf@Paul-F-MBP-680 SM3.1.1pkg % sudo pkgbuild --identifier com.meraki.smautoenroll --root Content --script Scripts --install-location /tmp com.meraki.SMAgent3.1.1-autoenroll.pkg Password: pkgbuild: Inferring bundle components from contents of Content pkgbuild: Adding top-level postinstall script pkgbuild: Wrote package to com.meraki.SMAgent3.1.1-autoenroll.pkg You should now have an installer that will silently install the SM agent without prompts!

About PaulF

PaulF

Community Record

Badges