Call me paranoid but I dont like the fact that a packet capture can be run if someone got access to my meraki dashboard.  I use 2 factor but that doesnt protect against a possible security flaw someone exploits in the dashboard itself at some point.   Is it possible to disable packet capture in the hardware firmware so that no matter what a packet capture cant be done from the cloud dashboard?  I like everything else about the cloud management, its just this feature that makes me wary.   Thanks     ... View more

I have some wifi clients i need to block internet access to so they can only access a few URLS.  I created a group policy, set the blacklist to * and the whitelist to the urls they need.  I then used a sentry policy and apply this group policy to devices with specific tags.   I then tagged the devices and it shows 3 clients are affected by the group policy, the 3 i tagged.  when the client connects, it shows that the correct group policy is being applied.  (PS. I only have 1 group policy in my entire network, so its not like there are multiples with one taking precedence).  However it doesnt apply.   I have a MX64, MR42 and MS225-8.     I changed my network config and instead of using NAT mode on the MR42, I changed it to layer 3 roaming, tagged the SSID to a VLAN, created a VLAN in the MX64 and applied the same group policy to the VLAN on the MX64.  Now the blocking works perfectly.   Is this normal?  Am I doing something wrong?  It clearly says the policy is being applied to the client in the networkwide->client view but it doesnt block anything.   I guess there is no reason I cant leave it this way, however it should work the other way too with tags according to the documentation.  ... View more

I have some Ipads that I need to lock down to a single website.   I tried to create a webclip and then run the ipad in single app mode using webclip but it doesnt work, it gives a black screen and since you cant specify which webclip to run single app mode with, i am not surprised.   I was going to lock to Safari and then filter urls but if I set the web filter restriction to whitelist bookmark mode it works but the problem is the website loads assets from other sites and its not really feasible to add a bookmark for all the sites CDN's especially as htye seem to change sometimes.   Does anyone have a suggestion?  I  was thinking I could perhaps try and create an IOS app that just loads a website but then I need to sign up for all of apples programs to publish apps, etc which seems like over kill to lock the ipad to the website.  I cant do it on the firewall level as meraki security appliance doesnt let you filter urls by VLAN for some odd reason. ... View more

Hi. I have a few questions regarding locking down an Ipad for classroom use (not using school program, its not an official school).     First, I am using all meraki gear + SM.  MX64, MR42, MS220-8.   I also use cisco umbrella for DNS filtering.     The first problem is that even though my ipads are locked down to the tilt the user can simply go in to the wifi settings and change the DNS servers away from my own that use umbrella and just change to 8.8.8.8 or something similiar to bypass my blocks.  Is there a way to prevent this?  (These are supervised DEP Ipads).  I recall IOS11 had some new locks regarding DNS but i dont know if this was included.  Actually, its all network settings that can be changed, in my classroom they are certainly going to mess these settings up on purpose to cause chaos.   I could probably block dns traffic on my security appliance mx64 but id rather not do this, id really rather lock this in the ipad, I dont want people messing with those settings and breaking the ipad connectivity so easily by putting in a dummy dns address.  if this is not possible its a huge oversight by apple I would think.   Also, if I deploy my ipads using DEP and get meraki profiles loaded on them on first boot, and i uploaded my configurator p12 cert to meraki, should that not let me connect these ipads to my macbook pro which has the p12 cert on it for apple configurator?  I have host pairing disabled and when I connect it, it tells me host pairing is not allowed unless I am using the supervision certificate but I thought that was the point of me uploading it to Meraki in the first place?   I also had an issue with WIFI whitelisting, what happens is it doesnt get all the profiles loaded and the wifi whitelisting applies and then i lost connectivity and then had to factory restore the ipad to get it working again as it was wiifi whitelisting on with no wifi loaded, is this normal?     Thanks   ... View more

Is there any guide or article on how to use eap-tls (and also peap mschapv2) with system manager devices when not using meraki AP?  I want to push out eap-tls certs or peap mschapv2 credentials to all the ipads i have in SM but its not exactyl clear how you do this in the manuals.   Also, can anyone explain SCEP and if its useful outside of meraki hardware?  I am having trouble understanding waht its used for exactly.  could i use it with freeradius and eap-tls for example? ... View more

I want users to be able to remove the apps they install themselves but not the meraki MDM app on ios 11 tablets.  They are supervised.  Is this possible?     Also, is it still not possible to force location on so users who take the ipads home with them cant just disable locations services to not trigger geofencing?     ... View more