Community Record: 77 Posts, 37 Kudos, 6 Solutions
Oct 22 2021, 4:27 PM
I have always been under the impression that to remove DEP-enrolled devices from the network, you need to "Unassign settings" under Systems Manager > Manage > DEP, which is the direct opposite of enrolling them by "assigning settings" in MDM, which consumes a license, and activating the device, which establishes the link between the two. Deleting them from the devices list works for other types of enrollment,
Oct 7 2021, 5:46 PM
There are 3 ways to enroll an iOS device in MDM. Company-owned devices should ideally be enrolled via DEP, device enrollment is a decent alternative for BYOD, and user enrollment is a joke and a pain to set up and manage.
Oct 1 2021, 4:23 PM (2 Kudos)
Did you choose a Device profile (Default) or User Profile (Apple)? The former has all available settings, the latter what you have in your screenshot.
Jan 3 2021, 3:56 PM
Are there any security implications? We have quite a few devices enrolled in 2019 that have 3 out of 5 signing certificates expired, which marks the Management Profile as "Not Verified". I'd rather not re-enroll a thousand-odd devices.
Oct 23 2020, 1:44 AM (1 Kudo)
Just spin up a separate MDM network per domain. We have four in our tenant with different authentication methods.
May 28 2020, 9:55 PM (1 Kudo)
If anyone is still interested, this is how I did it.

In Okta create a new app, type Web. In the General tab set the following:
- Initiate login URI: https://m.meraki.com
- Login redirect URIs: merakismoauth://com.meraki.pcc, https://m.meraki.com, https://mp.meraki.com/ssp/login, https://mp.meraki.com/ssp/loginsuccess, https://portal.meraki.com/loginsuccess
- Allowed grant types: Authorization code; tick Implicit (Hybrid); tick Allow ID Token with implicit grant type; tick Allow Access Token with implicit grant type

In MDM go to Systems Manager > General and scroll down to User authentication settings. Choose OpenID Connect from the drop-down menu.
- Authorization endpoint: https://TENANT.okta.com/oauth2/v1/authorize
- Token endpoint: https://TENANT.okta.com/oauth2/v1/token
- Client ID: XXXXXXXXXXXXXX (Okta app Client ID)
- Token issuer claim: https://TENANT.okta.com
- Public Keys Endpoint: https://TENANT.okta.com/oauth2/v1/keys?client_id=XXXXXXXXXXXXXXX
- Public Keys Format: JWK

Endpoints can be looked up via this API call: https://TENANT.okta.com/.well-known/openid-configuration?client_id=XXXXXXXXXX

I suppose this approach can be used with any IDP, and then you need to double-check what claims the IDP returns to Meraki. Meraki expects an "email" claim with the user's email as its value. Okta sends all default info in its claims, so there is no need to set up a custom authorization server. With other IDPs it can be different. I asked support to include this example in the official docs.
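Two things the post above leaves to the admin are pulling the dashboard field values out of the IdP's discovery document and confirming that the ID token the IdP returns actually carries the "email" claim Meraki keys on. The following Python helper, added here as an example and not code from the post, Okta or Meraki, does both offline. The discovery document and the ID token it uses are constructed sample data; the mapping of discovery keys to dashboard labels follows the post, and the `client_id` query parameter on the keys endpoint is the same one the post appends. The helper inspects claims only and deliberately does not verify the token signature, which is the relying party's job against the JWKS endpoint.

```python
import base64
import json
import time

# Constructed sample: the keys this helper reads from an Okta-style
# /.well-known/openid-configuration document (assumed shape, trimmed).
SAMPLE_DISCOVERY = {
    "issuer": "https://TENANT.okta.com",
    "authorization_endpoint": "https://TENANT.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://TENANT.okta.com/oauth2/v1/token",
    "jwks_uri": "https://TENANT.okta.com/oauth2/v1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Dashboard field label -> discovery document key (mapping from the post).
MERAKI_FIELDS = {
    "Authorization endpoint": "authorization_endpoint",
    "Token endpoint": "token_endpoint",
    "Token issuer claim": "issuer",
    "Public Keys Endpoint": "jwks_uri",
}


def meraki_settings_from_discovery(discovery, client_id):
    """Return the Systems Manager OIDC form values derived from a discovery doc."""
    missing = [k for k in MERAKI_FIELDS.values() if k not in discovery]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    settings = {label: discovery[key] for label, key in MERAKI_FIELDS.items()}
    # The post appends client_id to the keys endpoint; reuse an existing
    # query string if the IdP already put one there.
    sep = "&" if "?" in settings["Public Keys Endpoint"] else "?"
    settings["Public Keys Endpoint"] += f"{sep}client_id={client_id}"
    settings["Client ID"] = client_id
    settings["Public Keys Format"] = "JWK"
    return settings


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_id_token_claims(id_token, issuer, client_id, now=None):
    """Return a list of problems found in the ID token's claims.

    Claims only: signature verification against the JWKS endpoint is the
    relying party's job (Meraki, or a JOSE library holding the IdP keys).
    This helper is for seeing what the IdP sends, never a substitute for it.
    """
    problems = []
    try:
        header_b64, payload_b64, _signature = id_token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return ["token is not a three-part JWT with JSON header and payload"]

    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg is none: an IdP must sign ID tokens (expected RS256)")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match Token issuer claim {issuer!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the Client ID configured in Meraki")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("exp missing or in the past")
    # Meraki matches the enrolling user on the email claim; an authorization
    # server that omits it leaves the enrollment without a user.
    if not claims.get("email"):
        problems.append("email claim missing or empty: Meraki expects the user's email here")
    return problems


def make_sample_id_token(claims, alg="RS256"):
    """Build a CONSTRUCTED token with a placeholder signature, for offline checks only."""
    header = {"alg": alg, "kid": "PLACEHOLDER-KID", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"PLACEHOLDER-SIGNATURE"),
    ])


if __name__ == "__main__":
    cid = "XXXXXXXXXXXXXX"  # placeholder for the Okta app Client ID
    for label, value in meraki_settings_from_discovery(SAMPLE_DISCOVERY, cid).items():
        print(f"{label}: {value}")
    token = make_sample_id_token({"iss": "https://TENANT.okta.com", "aud": cid,
                                  "exp": time.time() + 600, "email": "user@example.com"})
    print("problems:", check_id_token_claims(token, "https://TENANT.okta.com", cid))
```

To use it against a real tenant, fetch the discovery document from the `.well-known/openid-configuration` URL in the post, load it with `json.load`, and pass it to `meraki_settings_from_discovery`; paste a captured ID token into `check_id_token_claims` to see which of the expected claims (iss, aud, exp, email) a non-Okta IdP is missing before touching the dashboard.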
Mar 24 2020, 6:17 PM (2 Kudos)
Apple is very clear about what MDM has access to. Texts, calls, photos, app data etc. are not accessible via MDM. Even in DEP mode you need something like Apple Classroom just to see the screen of the managed device. The original question was about BYOD enrollment, I believe, which doesn't allow for any kind of access to a phone. The new self-service portal portal.meraki.com provides a good view of what Meraki admins can see and do from the Dashboard. This scaremongering you started is really unnecessary.
Feb 17 2020, 3:44 PM (1 Kudo)
I had this error with an iPad running iOS 12 when I assigned DEP settings to it that had items relevant to iOS 13 only. Normally I configure settings to skip most configuration steps like Apple ID, Fingerprint etc. There are two sets in DEP at the moment, one created when iOS 12 came out and another when iOS 13 came out. There are more things to skip in iOS 13 than in iOS 12. So I thought I could use the iOS 13 one for everything and DEP settings would apply the relevant items to devices running older iOS, but it just didn't work outright. I had to restore the iPad in question and assign the "iOS 12" settings profile in DEP.
Dec 17 2019, 5:32 PM
I'm afraid we don't have any setup documentation left; even if we did, it would be outdated by now. Look at O365 licensing first. If your University is licensed for Azure AD Premium or Azure AD Basic + MFA, then by all means go for the NPS option: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension That comes with MFA capabilities as well. If the University has an Azure AD Basic license only (like we do), then you need to be more creative. TekRadius + Windows Server is arguably the easiest way to do it. Note that TekRadius is not free. FreeRADIUS on Linux is not beginner friendly; if you haven't touched Linux before, don't bother. Regardless of the choice you will need to spin up a few VMs in Azure. I haven't touched the NPS option myself, but if memory serves TekRadius and FreeRADIUS couldn't handle more than 30 auth requests per second, so depending on your user base you may want to budget for this accordingly. With our 1000+ users and 30 days WiFi auth validity we make do with two VMs, which cost us about $50 a month.
Dec 11 2019, 2:40 PM
It is possible via different options. Go for NPS or TekRadius on the Windows platform if you are familiar with it, or even FreeRADIUS on Linux. We've been running TekRadius on Windows Server and FreeRADIUS on CentOS for the last 3 years or so without any problems whatsoever.
Dec 10 2019, 2:40 PM (2 Kudos)
1. Add basic support for Windows 10 devices in Systems Manager, for example password/pincode enforcement.
2. Fix the OpenID Connect integration and add SAML as an authentication option for WiFi and MDM enrollment.
3. Add a CRL (Certificate Revocation List) feature to Systems Manager and expose it via the API.
Aug 19 2019, 2:30 PM (2 Kudos)
Prevent Android Debug Bridge (ADB) access sits under Android Restrictions.
Jul 23 2019, 9:41 PM
Remove settings + remove device (in Systems Manager > Manage > DEP) coupled with a factory reset. This is sufficient; we do it all the time with devices temporarily used by Marketing teams at conferences etc. We only remove (or disown, as Apple puts it) devices from the Apple Business portal when they are written off or replaced under warranty, to keep it clean.
Jul 3 2019, 10:03 PM
We do BYOD enrollment via Azure for all staff devices at the moment. DEP is for service devices: wall iPads, demo iPads/iPhones, room Macs etc., and we don't need any additional layer of auth here even if it were supported. Meraki doesn't offer native Okta or SAML at enrollment, so the only option is the OpenID protocol, which Okta supports. After discussing with Support yesterday, it looks like there is something off in the Meraki backend and the Ops team is looking into it.
Jul 2 2019, 6:55 PM
No, this is about authenticating users during enrollment. At the moment they authenticate via Azure AD, which was very easy to set up. Other options include G Suite or OpenID, which I'm trying to configure against Okta. Logs don't register any events related to authentication, and the Meraki OpenID setup instructions are appalling at best.
Jun 28 2019, 6:41 AM
Has anyone configured user auth during enrollment with OpenID Connect via Okta or any other IDP? Meraki documentation is not very detailed, to say the least.
Labels: Enrollment
Jun 24 2019, 2:34 PM (3 Kudos)
I have a new avatar! But I'd like to see MDM feature updates more often than marketing campaigns.
Jun 24 2019, 2:28 PM
Apple can unlock any device as long as you provide proof of purchase. Unfortunately even enterprise customers are required to visit an Apple Store in person to make that happen, at least here in Australia.
Jun 22 2019, 6:09 AM (1 Kudo)
1. Enrol in DEP to push apps without an Apple ID on devices.
2. The notification settings below work quite well for our room control iPads. You may want to suppress notifications for the particular apps you are using.
May 9 2019, 8:59 PM
Any updates on BitLocker management in Windows 10? It's been in beta for over a year now.
Sep 25 2018, 6:13 PM
You can choose to block iOS update servers as part of the iOS configuration payload, which is effectively the same thing. Blanket blocking of iOS updates company-wide is not something I'd recommend.
Jul 31 2018, 6:48 PM (1 Kudo)
If you create an owner account in Systems Manager > Owners you will be able to authenticate; Google or Azure AD credentials (in our case) don't work here. I created a separate MDM network for DEP-enrolled devices, as mentioned above. Don't forget to set this network as the default for DEP enrollment.
My Accepted Solutions

Views | Posted
---|---
3117 | Oct 1 2021 4:23 PM
2436 | Oct 23 2020 1:44 AM
7631 | May 28 2020 9:55 PM
14779 | Aug 19 2019 2:30 PM
22847 | Jul 23 2019 9:40 PM
13822 | Jul 31 2018 6:48 PM
My Top Kudoed Posts

Kudos | Views
---|---
3 | 50825
2 | 3117
2 | 10454
2 | 47662
2 | 14779