My solution was to switch to a different MDM that didn't do things like this that made me want to rip my hair out every day.  ... View more

If you are just looking to block mass storage USB devices you can use the following profile <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadDescription</key> <string>Configures Allowed Media settings</string> <key>PayloadDisplayName</key> <string>Allowed Media</string> <key>PayloadIdentifier</key> <string>9D5EA197-E941-48CD-84BA-28373017A52C.com.apple.systemuiserver.2C31DE6A-E143-4800-ABD4-369EA4474521</string> <key>PayloadOrganization</key> <string>MegaCorp</string> <key>PayloadType</key> <string>com.apple.systemuiserver</string> <key>PayloadUUID</key> <string>2C31DE6A-E143-4800-ABD4-369EA4474521</string> <key>PayloadVersion</key> <integer>1</integer> <key>logout-eject</key> <dict> <key>harddisk-external</key> <array> <string>deny</string> <string>eject</string> </array> </dict> <key>mount-controls</key> <dict> <key>harddisk-external</key> <array> <string>deny</string> <string>eject</string> </array> </dict> <key>unmount-controls</key> <dict> <key>harddisk-external</key> <array> <string>deny</string> <string>eject</string> </array> </dict> </dict> </array> <key>PayloadDescription</key> <string>USB Management</string> <key>PayloadDisplayName</key> <string>USB Settings</string> <key>PayloadIdentifier</key> <string>9D5EA197-E941-48CD-84BA-28373017A52C</string> <key>PayloadOrganization</key> <string>MegaCorp</string> <key>PayloadScope</key> <string>System</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>9D5EA197-E941-48CD-84BA-28373017A52C</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist> ... View more

A mere 473 days later its good to know there is a resolution.  ... View more

@davidson2020 I think the thread you are looking for might be https://community.meraki.com/t5/Endpoint-Management-Systems/Anyone-else-seeing-Unverified-Certificates/m-p/62026#M5509  Maybe that shouldn't effect is at play.  ... View more

@Richard_W  This has definitely been seen by multiple admins across the community. I noticed it about a week back on a Catalina VM and figured since Catalina updates have yet to be pushed it was related to that. Then I saw this on roughly 800 machines.  What appears to have happened was Meraki either let the certificate lapse on the 16th or didn't plan ahead to ensure the update was pushed out in time. If you go back to m.meraki.com and reinstall the configuration profile it pulls a new verified profile signed by another Authority (image attached). From the case I have open with this the agent said it was up to Apple to trust the certificate they had updated and that it should be fine. In my opinion pushing a new cert that you are waiting on Apple to trust (what?!) into production on the premise it should be fine is unacceptable regardless of having planned it or for some reason waiting until it expired. The solution given is to ignore this on current machines, because it is a "cosmetic" issue, or push an update to each profile to every machine to update this which again should work. I can verify that new profiles pushed are verified and signed by the updated certificate, but this doesn't address the entire fleet of machines that didn't happen to start this week.  Ive said it elsewhere, but while I don't see this as having a huge impact or presenting an immediate issue it just seems par for the course for issues we have seen and it is endlessly frustrating. We place implicit trust in Meraki as an MDM provider and an assumed part of that would be Meraki staying on top of upcoming changes. Do mistakes happen? Yes. That could easily be addressed by clear communication ahead of possible breaks or changes that make it easier on all of us managing hundreds and thousands of machines that may be impacted.  Rant over but TLDR; it's happening because of that cert expiration, you get to push the changes to fix it.  ... View more

@Kevin_C Any other suggestions?  ... View more

@Kevin_C Thanks for the info. Unfortunately I have tried that approach both en masse (pushing the update to all users) and selecting users one by one and nothing updates.  ... View more

@Newt Maybe you will have better luck with this approach. I followed https://documentation.meraki.com/SM/Device_Enrollment/Systems_Manager_Agent_and_MDM_Profile_Enrollment#Auto-installing_the_macOS_Agent  The silent update feature has worked on 9 machines out of roughly 800. And some of those may have been removed from the network and re-added so I cannot confirm if this worked for any of them.  The documentation says this should work, and while I doubt its something in my configuration and not just SM not working correctly, you may have better results.  ... View more

@Kevin_C  I also have the Agent pushed to roughly 800 machines and it has silently updated a total of 9 since the update. Anything we need to do for this to work? ... View more