The Meraki Community
DBMandrake

Here to help

Member since Dec 4, 2019

‎06-21-2021
Kudos from (user, count):
  • NolanHerring: 2
  • MeredithW (Community Manager): 1
  • Noah_Salzman (Meraki Alumni, Retired): 1
  • davidson2020: 1

Kudos given to (user, count):
  • Noah_Salzman (Meraki Alumni, Retired): 1
  • davidson2020: 1

Community Record

  • Posts: 13
  • Kudos: 5
  • Solutions: 0

Badges

First 5 Posts
Lift-Off
Latest Contributions by DBMandrake

Re: Python Script - Rebooting Devices

by DBMandrake in Developers & APIs
‎06-21-2021 06:57 AM
Thanks for the heads up.

However to clarify, the /devices/{serial}/reboot API endpoint has always been there (since the first release of the API a couple of years ago, as I was doing this already back then), but it was undocumented and it was also not exposed in the python client bindings, which is why I had to manually construct the http request to call that endpoint in the reboot_ap() function.

I see from your link that the API endpoint is now finally documented, however I have not checked to see if there is a new version of the meraki python client bindings which add it as a proper python function call yet. (At the time of my post a month ago, it was not in the python client bindings.)

In any case the script above is still working and I use it to auto reboot our AP's once a week.

Re: Python Script - Rebooting Devices

by DBMandrake in Developers & APIs
‎05-13-2021 03:05 AM
2 Kudos
Here's my own version of a bulk AP reboot script...

Because Meraki steadfastly refuse to add any sort of bulk AP reboot facility to the dashboard (I've asked them on several occasions and they say they won't consider it, and that I "shouldn't need to reboot multiple AP's" without considering the use case where yes, you do actually want to do this and every other vendor providing a way) a couple of years ago I wrote a standalone python script to do bulk AP reboots based on device tags, so that I can reboot either all AP's in the network, or AP's with a specific tag.

As we have building name tags on our AP's to make it easier to group AP's based on building it makes it easy to reboot AP's in a certain building for example, and it would also be easy to add tags to AP's based on collections of AP's you might want to bulk reboot.

The script originally used the v0 API but when I recently tried to use it I found it was broken due to changes in the API (such as tags going from a space separated list in a single string, to an array of tags) and python Meraki module changes so I've updated it to work with the current V1 API and current Meraki python module.

```python
#!/usr/bin/env python3
import json
import requests
import time
import meraki
import sys
import datetime


def reboot_ap(apikey, networkid, serial, suppressprint=False):
    # The reboot request is built by hand with requests rather than
    # going through the meraki module.
    base_url = 'https://api.meraki.com/api/v1'
    calltype = 'Device'
    posturl = '{0}/networks/{1}/devices/{2}/reboot'.format(
        str(base_url), str(networkid), str(serial))
    headers = {
        'x-cisco-meraki-api-key': format(str(apikey)),
        'Content-Type': 'application/json'
    }
    postdata = {
        'serial': format(str(serial))
    }
    dashboard = requests.post(posturl, data=json.dumps(postdata), headers=headers)
    # Print the HTTP status and response body for this device
    print(dashboard.status_code, dashboard.text, calltype)
    return


apikey = 'api_key_here'
network_id = 'network_id_here'
reboot_all = False
cmdline = False

# One optional argument: '--all' or a tag name
if len(sys.argv) > 1:
    cmdline = True
    if sys.argv[1] == '--all':
        reboot_tag = None
        reboot_all = True
    else:
        reboot_tag = sys.argv[1]

dashboard = meraki.DashboardAPI(apikey, suppress_logging=True)
deviceList = dashboard.networks.getNetworkDevices(network_id)

# Build the list of distinct tags found on the network's devices
tag_list = []
for device in deviceList:
    new_tags = device['tags']
    for tag in new_tags:
        if tag not in tag_list:
            tag_list.append(tag)

now = datetime.datetime.now()
print(now.strftime("%H:%M:%S %d-%m-%Y"))
print('Available Tags:\n')
for tag in tag_list:
    print(tag)

# Interactive mode: an empty answer means reboot everything
if cmdline is False:
    reboot_tag = input("\nEnter Tag of APs to reboot or press enter for all APs: ")
    if not reboot_tag:
        reboot_all = True

print('\nRebooting Devices:\n')
for device in deviceList:
    if reboot_tag in device['tags'] or reboot_all:
        try:
            name = device['name']
        except KeyError:
            name = 'unknown'
        print(name, device['serial'], device['lanIp'], device['tags'], '- ', end='')
        reboot_ap(apikey, network_id, device['serial'])
        # Stay under the API's request rate limit
        time.sleep(0.5)
print()
```

I'm pretty rusty with Python and this was a quick expedient script to get the job done in a hurry so I'm sure the Pythonistas in the audience will be rolling their eyes at the coding... 🙂

If you run the script without command line arguments it will scan all the devices in the wireless network gathering the tags from each device to build a list of all available network device tags, these tags are then displayed. You are then prompted to either press enter (which will reboot ALL AP's in the network, be careful.. press CTRL-C if you want to back out) or enter a tag name to reboot only those AP's with that tag.

There is a 0.5 second delay between each reboot API call as if you call more than about every 0.2 seconds the API will reject the request. The success/failed result for each device will be displayed.

If you use a single command line argument, '--all' can be used to reboot all AP's without prompting (for example from a cron script) or you can use a tag name to reboot devices with that Tag without prompting.

I use this script on Python 3.8 on Linux with the Meraki pip module installed. I don't think it relies on any other non-standard modules. While this version of the script hasn't been tested on Windows it should work as my original version did.

Incidentally the Meraki Python module doesn't seem to have a reboot API call, nor does the official documentation list a reboot call, hence why the actual reboot action is hand coded as an HTML query using the requests library - I simply took one of the other example requests, changed the action to reboot and it worked! 🙂

Hope someone finds this useful.

Re: IOS 14.0 MAC Address Randomization

by DBMandrake in Mobile Device Management
‎09-24-2020 02:38 AM
Hi Paul,

Thanks for the reply. I watched your video as well but as we don't push out WiFi protocols for BYO devices (users have their own username and password authenticated via radius) that doesn't help our situation. (Although I have enabled that in the WiFi profile we push to company owned and managed devices before they update to iOS 14)

One small saving grace is that Systems Manager Sentry is not able to authorize a device with MAC randomisation enabled (since it can't correlate the WiFi and MDM MAC addresses) so a user can't get past the sentry until they manually disable MAC randomisation in their WiFi settings. Not very user friendly (they need to be informed out-of-band that they need to do this) but at least it prevents devices connecting and being able to use WiFi until this is done, and at that point all MAC based functionality will be working again.

I agree that there needs to be a device wide MDM setting for this for enterprises to disable this feature on their managed devices, although even then they would still initially connect with a randomised MAC address until they had enrolled and received the profile, at which point the device would presumably reconnect with the correct MAC address, leaving behind a "ghost" device in the WiFi device list.

A bit of a mess really but this is typical of Apple introducing far reaching changes to how fundamental technology works without providing a way for enterprises to manage it properly.

Re: IOS 14.0 MAC Address Randomization

by DBMandrake in Mobile Device Management
‎09-21-2020 07:58 AM
MAC address randomisation (or "Private address" as iOS settings call it) on iOS 14 breaks Systems Manager sentry enrolment which we've relied on for the last 3 years.  😐

The sequence goes like this:

1) The user connects to the SSID, attempts to browse and is redirected to the enrolment page by the Sentry.
2) The user downloads and installs the MDM profile which registers the MAC address of the device in MDM.
3) Meraki whitelists the MAC address found in the MDM profile on the SSID to allow the user to access the internet.
4) The WiFi MAC address of the device does not match the MDM MAC address so the user remains trapped in the Sentry being redirected back to reinstall the profile again and again...

So far I haven't found any fix other than telling users to manually turn off the Private Address setting in their WiFi settings, which is a huge pain in the neck when you have hundreds of users and they're all under 18 so aren't good at following instructions...

While there is an MDM profile setting to disable Private address it looks like it can only be applied to WiFi networks which are deployed by profile. We don't use WiFi profile deployment for BYO devices - users have their own individual usernames and passwords to gain access to the SSID, and the Sentry then takes care of ensuring they enrol their device before they can have internet access. (Although that is also broken at the moment due to an unrelated issue)

Once again Apple adds a "user privacy" feature which breaks enterprise use of iOS devices without providing an enterprise mechanism to turn it off!

Systems Manager sentry broken due to broken OS detection

by DBMandrake in Mobile Device Management
‎09-21-2020 07:06 AM
Hi All,

We use systems manager sentry for our student SSID. Students have individual WiFi usernames and passwords authenticated from Active Directory via Radius.

The sentry is configured in "focused" mode with only iOS devices set to be enforced, as there are a few Android, Mac and Windows devices which we don't want to enforce MDM enrolment on. The Sentry ensures that students keep MDM installed so restrictions like age limits for apps can be maintained.

This worked well for a couple of years but more recently it has been badly broken, and I had not appreciated the full extent to how badly it was broken until last week. The first crack in the armour I reported to Meraki last year through a ticket, and also referenced here:

https://community.meraki.com/t5/Endpoint-Management-Systems/Meraki-Systems-manager-no-longer-recognising-MDM-profile-has/m-p/69440

This was that students could simply uninstall the Meraki profile while they were not connected to WiFi and remove the profile without Meraki being aware of it. So a small handful of students were still "authenticated" on WiFi even though they removed the profile weeks or months ago. After a back and forth with Meraki tech support the end result was "working as intended". (!!)

However last week I discovered a much bigger problem. Something like a quarter of all our student iPads were just sailing on through the sentry without being redirected to install the MDM management profile - and it appears this may have been going on for somewhere between months and a full year unknown to us.

After some to and fro with Meraki support in the last few days and some testing of my own my conclusion is the "focused" mode which tries to detect OS type is utterly, utterly broken at the moment, allowing over 100 of our 600 iPads through despite the fact that most of them are actually reported as iPads when you look in the wireless client list. (Some are reported as "Other")

This is unbelievable, to be frank. Discussion with Meraki support is ongoing. So as a workaround I've changed it to strict with the intention of having to manually whitelist non iOS devices.  😐

Then I had an idea - we have a group policy called Bypass Meraki Enrolment which does what it says for S5 and S6 students based on a Radius attribute (which works fine) so thought what about leveraging this with "Assign group policies by device type" to whitelist specific non iOS devices.

So I set it to assign this group policy with devices of type Android, Chrome OS, Mac OS and Windows. The idea being doing it this way around is "failsafe" because if an iPad is detected incorrectly as an unknown device it would still be required to enrol, only if a device was specifically identified as one of the above OS's would it be allowed to bypass enrollment.

Unfortunately this utterly failed as well as over 100 iPads duly had this group policy assigned to them despite the fact that they're all listed as iPad or other !!! (I then had to manually revert all these incorrect policies)

So Assign group policies by device type is also utterly, utterly broken as well so I've had to revert that and go back to manual whitelisting of devices.

Anyone else experiencing problems like this? Without the sentry to block internet access we have no way to enforce students' BYO devices remaining enrolled in MDM, and without the Sentry working we might as well not have an MDM system to be honest.
Labels:
  • Enrollment
  • iOS
  • Sentry

Re: Cannot add users in Apple Volume Purchase Program

by DBMandrake in Mobile Device Management
‎04-01-2020 02:56 AM
1 Kudo
Thanks - I tested this yesterday and it has worked for me on both VPP accounts as well.

Normally this would be a minor problem but in these days of needing to provision apps to staff working remotely at home it became a critical problem for us, so it's a relief to see it fixed.

Re: Cannot add users in Apple Volume Purchase Program

by DBMandrake in Mobile Device Management
‎03-30-2020 07:01 AM
Strangely I was able to add one user as well but only the one... every attempt since has failed including email addresses that have never been invited before.

Re: Cannot add users in Apple Volume Purchase Program

by DBMandrake in Mobile Device Management
‎03-26-2020 02:53 AM
Hi Noah,

DM sent.

Re: Cannot add users in Apple Volume Purchase Program

by DBMandrake in Mobile Device Management
‎03-25-2020 04:36 AM
Hi,

Meraki support have now acknowledged a "known issue" regarding not being able to invite VPP users however it is still not fixed and no ETA. Like you all our staff are now working from home for the foreseeable future so this is a major problem for us.

I am continuing to chase Meraki but do not feel they are taking this seriously.

Re: Cannot add users in Apple Volume Purchase Program

by DBMandrake in Mobile Device Management
‎03-18-2020 03:17 AM
1 Kudo
Hi,

I've been on the phone to Apple Education Support for an hour this morning, the guy was very helpful and went out of his way but the end conclusion is that the problem is not on Apple's side and that it must be a problem with Meraki or the Meraki Dashboard.

So back to Meraki I go again....

Cannot add users in Apple Volume Purchase Program

by DBMandrake in Mobile Device Management
‎03-13-2020 03:01 AM
Hi,

Is anyone else having problems adding / inviting new users in Apple Volume Purchase Program in Meraki Dashboard?

This is not something we do very often as most of our staff were invited a long time ago, so I am usually just assigning apps to already invited users, however with recent new staff and a need to invite new users I have found this is now not working, although I have no idea how long it has been like this.

The symptom is that if I manually add a new user I get the usual "users will be registered shortly - all users registered", but no user is added, and no invite is sent. I can try adding the same user multiple times, each time it says it has succeeded, rather than saying that the user already exists. It even says in the recent activity tab that the user has been added, but it has not!

If I try a CSV import I get a different message, something like - "Found 1 rows, 0 valid users" where it lists the number of users but says 0 of them are valid.

I've been in touch with Meraki support (an hour on the phone and an open case) and so far they've not been able to help and have all but said "everything looks fine from our end, we can't see any problem". When I asked them to try adding the users for me as a test I was told that they're "not allowed to make changes on a customer's dashboard" which seems like a fob off to me.

This is very frustrating because we have just recently migrated our legacy VPP account into our Apple School Manager portal - which has transferred all unused licenses to the new VPP pool. This means I'm not even able to assign licenses to existing users because I need to re-invite all the users to the new VPP pool and can't invite anyone at the moment.

Anyone else having problems like this?
Labels:
  • VPP

Re: Meraki Systems manager no longer recognising MDM profile has been remov...

by DBMandrake in Mobile Device Management
‎12-05-2019 06:04 AM
1 Kudo
Wall of text would be if I didn't leave any paragraph breaks....  😉

So nobody else has noticed that Systems Manager Sentry doesn't actually enforce enrolment and is easily bypassed by end users? I can't be the only one to notice this...

Meraki Systems manager no longer recognising MDM profile has been removed

by DBMandrake in Mobile Device Management
‎12-04-2019 02:29 AM
Hi,

I was wondering if anyone else was facing this issue and how they deal with it. We are a school whose students have BYO devices which are enrolled in Meraki MDM (non-supervised), we also use a Meraki wireless network so have integration between the two.

We have Systems manager sentry enabled on the SSID used by students, who use their own individual radius authenticated username and passwords to connect to the SSID. Sentry detects the device is not enrolled in MDM and blocks internet access, redirecting them to the enrolment page, once they enrol and MDM restrictions are applied, they are granted internet access via the SSID.

This has worked great for us for a couple of years. If they removed the profile the device in MDM would show up as having the management profile removed and next time they tried to connect to the school WiFi internet access would once again be blocked and they would be forced to re-enrol.

Unfortunately some time in the last year something has changed at Meraki and this no longer works properly. If the MDM profile is removed while the device has internet access it will be properly flagged as removed, however if the profile is removed while the device does not have internet access the student is allowed to get away with removing the profile without consequences.

Even months later MDM will still not say the profile is removed from the device and they will be granted full access on Wifi, and on the Wifi side the user's device will still say authenticated with systems sentry manager. If I click on "revoke" in the wifi device status page approximately 10 minutes later access will be granted again by sentry manager despite the device not having checked in to MDM for months!

The only way to force the device to lose internet access and re-enrol is to delete the device from MDM completely, which of course loses any tags that have been assigned to the device (such as year group etc) which is unsatisfactory.

Prior to some time in the last year if an MDM profile was removed without internet access Meraki would detect this situation within a few hours of the device re-connecting to Wifi and mark the profile as removed.

My assumption of how it used to work is that if it saw a device on Meraki Wifi that was also listed in MDM (correlated by MAC address) and it had not checked into MDM for more than a certain time it would time out.

I've written a Python script of my own which takes the Systems Manager.csv and Wireless Network Clients.csv exports from MDM and Wifi respectively and does just that - it uses the MAC address as the primary key to link the two sets of data together and compares last MDM checkin times with last seen on Wifi times and gives me a report with:

802.11x username, Device type, Mac address, Last seen on Wifi time, Last MDM checkin, Tags, Device Policy, and Time on Wifi without checkin.

When I run that report now I see that 31 devices are using Wifi without having checked in for a long time - the worst offender last checked in 103 days ago but is using Wifi today...my only recourse is to manually delete these devices in MDM losing their tags.

I have raised this issue with Meraki support multiple times over the last year without result and their final word on the situation is that it is "working as expected" and that there is nothing they can do about it, despite me insisting that this used to work properly in the past.

What I don't understand is that the data to detect this situation is clearly available to them - they can see a device identified by MAC address is connecting to Wifi on a systems manager sentry controlled SSID, and that it last checked in 103 days ago, when it should be checking in every few hours. Why can't they put 2 and 2 together and realise that the end user has removed the profile from their device to cheat the system...

I have done this easily with my python script, however it is a manual process for me to run this.

Is anyone else in the same situation? I can provide a copy of the python script for anyone who is interested as if you rely on Sentry manager to enforce MDM enrolment you might be surprised to find that many of your users have either accidentally or on purpose removed the MDM profile while the device was not internet connected and got away with fooling Sentry manager...
Labels:
  • Enrollment
  • iOS
  • Sentry
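
The report described in the post above (joining the Systems Manager and wireless client exports on MAC address and comparing check-in with last-seen times) can be sketched as follows. This is an added example, not DBMandrake's script; the CSV column names, the timestamp format, the sample rows and the 24-hour threshold are all assumptions to adapt to your own exports.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports. Column names are assumptions, not the
# dashboard's real export headers.
SYSTEMS_MANAGER_CSV = """Name,WiFi MAC,Last check-in,Tags
ipad-anna,AA:BB:CC:00:00:01,2019-12-04 08:10,year5
ipad-ben,aa-bb-cc-00-00-02,2019-08-23 09:00,year6
ipad-cara,AABB.CC00.0003,2019-12-01 07:30,year5
"""

WIRELESS_CLIENTS_CSV = """Description,MAC address,User,Last seen
Anna iPad,aa:bb:cc:00:00:01,anna,2019-12-04 09:00
Ben iPad,aa:bb:cc:00:00:02,ben,2019-12-04 09:05
Cara iPad,aa:bb:cc:00:00:03,cara,2019-12-01 08:00
Guest laptop,aa:bb:cc:00:00:99,guest,2019-12-04 09:10
"""

TIME_FORMAT = "%Y-%m-%d %H:%M"  # assumed timestamp format


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def load_by_mac(csv_text, mac_column):
    """Index the rows of one export by normalized MAC address."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows[normalize_mac(row[mac_column])] = row
    return rows


def stale_enrolments(mdm_csv, wifi_csv, max_gap=timedelta(hours=24)):
    """Devices seen on Wi-Fi more than max_gap after their last MDM check-in."""
    mdm = load_by_mac(mdm_csv, "WiFi MAC")
    wifi = load_by_mac(wifi_csv, "MAC address")
    findings = []
    for mac, client in wifi.items():
        device = mdm.get(mac)
        if device is None:
            continue  # no MDM record for this MAC; out of scope for this report
        last_seen = datetime.strptime(client["Last seen"], TIME_FORMAT)
        last_checkin = datetime.strptime(device["Last check-in"], TIME_FORMAT)
        gap = last_seen - last_checkin
        if gap > max_gap:
            findings.append({
                "mac": mac,
                "user": client["User"],
                "tags": device["Tags"],
                "last_seen": last_seen,
                "last_checkin": last_checkin,
                "gap": gap,
            })
    # Worst offenders first
    findings.sort(key=lambda f: f["gap"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in stale_enrolments(SYSTEMS_MANAGER_CSV, WIRELESS_CLIENTS_CSV):
        print(f["user"], f["mac"], f["tags"],
              "on Wi-Fi", f["gap"].days, "days after last MDM check-in")
```
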
My Top Kudoed Posts
Subject (board): kudos, views
  • Re: Python Script - Rebooting Devices (Developers & APIs): 2 kudos, 9679 views
  • Re: Cannot add users in Apple Volume Purchase Program (Mobile Device Management): 1 kudo, 4280 views
  • Re: Cannot add users in Apple Volume Purchase Program (Mobile Device Management): 1 kudo, 4446 views
  • Re: Meraki Systems manager no longer recognising MDM profile has been remov... (Mobile Device Management): 1 kudo, 2374 views
© 2023 Meraki