About jared_f

jared_f

Also experiencing a similar problem. It seems Meraki doesn't like having to DC's plugged in or it throws off the sync. I removed one DC and re-synced AD groups and it seemed to have solve the problem.

jared_f

Is there any specific reason why target groups do not query auto-tags? For example, I want to have a target group for: iOS Devices + Security Policy 1 + Security Policy 2 The auto tags are more helpful than you think.

jared_f · ‎12-17-2018

@alexis_cazalaa In iOS, there was usually a delay as profiles were coming down. It makes sure all profiles, wifi, webclips, etc. are installed right after the device is enrolled and while the user is completing setup. I think the target groups is just to simplify scoping. I have no real use for it, but I guess if your scoping restrictions based on a student being enrolled in a grade and all grades get the restrictions you could make a target group called "All_Students" and target AD security groups containing students in 2019, 2020, 2021, 2022, etc.

jared_f · ‎12-16-2018

@Mike_YMCAMIDTN Add an exclusion tag to the restriction profile causing problems and then add that exclusion tag to the device you want to exclude. Follow the example below. Use WITHOUT ANY of the following tags Add iOS Devices & Exclusions Make sure installation target states: iOS Devices without any of the followings tags Exclusions

jared_f · ‎12-12-2018

@PeterJames Noticed the same thing here. Our domain controllers were re-done and Exchange moved from 2010 so we re-enrolled everything with the agent so we can query for AD membership.

jared_f · ‎12-12-2018

Also experience all the same issues as above. @BlakeRichardson - How is pricing of Jamf vs. Meraki? If we were to do Jamf for Macs, I think we would switch all iOS over too - it is much more powerful, and cloudhosted like Meraki

jared_f · ‎12-12-2018

Hi All, I re-enrolled a test iPad today and noticed that neither the wireless or a lock screen asset tag configuration came down. Both of these are scoped based on membership in an AD group. Upon further inspection under "Users" in Meraki I was missing my AD groups... odd - I clicked the sync button and realized it was coming back that everyone in there was not a member of an AD group. Of course I did not click save as that would have messed up the scope on a lot of things. I did remote into both DCs (one replicates the other) and none of the users fell out of their security groups. Is anybody else experiencing this issue? This can be quite a problem if AD does sync... 50+ apps and a lot of configuration profiles are scoped on group membership. Thanks! Jared

jared_f · ‎12-12-2018

1. If you did not see, you can now create Target groups in Meraki. See Systems Manager > Tags (Under "Configure") 2. Also, you can now push profiles before the user reaches the lock screen in iOS. You will have to re-create your DEP configuration and set it as default. You can default it so it takes affect on all newly enrolled/re-enrolled devices. So, hopefully naming based on AD information coming? Also, when an AD user logs in, push profiles scoped to his/her role (Meraki already pulls security group info, pulling departments here would also be useful) soon... (?) Thanks Meraki team, these are two great features. Thanks! Jared

jared_f · ‎12-05-2018

@misterharrison The rule is that the most restrictive profile will take precedence. Having separate profiles is not a problem. You can leave your Meraki profile in place.

jared_f · ‎12-05-2018

@PeterJames As long as you do those two fixes above it should be pretty smooth rolling out the custom profile. The only thing is the software updates will be delayed 1 day. I will look into editing the actual profile code and seeing it that solves the bugs I am seeing. I agree with the bluetooth problem (especially in K-12 for Apple Classroom). My recommendation is to enforce the bluetooth restriction on any new DEP devices. In addition, you could possibly send the bluetooth command to your entire fleet and then tie that to a timed configuration profile to take effect 5 minutes after the command is sent then edit the scope to make sure is stays static. It is all about timing! Jared

jared_f · ‎12-05-2018

@licenseNOW When a license is assigned to a device, it is revocable. Navigate to Systems Manager > VPP (under "Manage" Heading) and check the app you are having problems with then click "Edit Auto Management" and check the following options. Finally, click Apply changes and your license count should update. I prefer to apply these options to all app I place in Self Service for users.

jared_f · ‎12-04-2018

All, In addition, I cannot stress the importance of fixing those current bugs in any restrictions profile you make in Apple Configurator 2 (available in the Mac App Store for Free) by setting software updates to 1 day and checking it and checking the two contact settings. I also want to bring attention to a few issues that can be solved with configuration profiles (especially in K-12). Issue 1 Sharing of WiFi codes via proximity has been an issue many K-12 admins have brought up on other forums. This can be fixed with an Apple Configurator Profile with the following restrictions - push out both: Proximity password request not allowed Password sharing not allowed Issue 2 VPN creation to bypass network filtering. This restriction is available in Meraki. This stops user's from configuring manual VPNs in settings, but does not stop VPN apps from working. I use a policy tied to a configuration profile and email alert to take care of this. I am using wildcard matches to take care of this. I published a solution here to take care of this, also add *betternet* and *aloha* to take care of this. Here is my most updated list: Issue 3 Installing third party "enterprise apps" to bypass app store restriction. Enforce the following - both available in Meraki: Installing configuration profiles not allowed Trusting enterprise apps not allowed Sometimes a policy can help you detect apps like TweakBox and VShare tied to a profile and email notification, but stopping them from being installed in the first place is helpful. There are new ones popping up everyday. This one is more of a tip, not an issue: Enforce & Lock Device Name I shared an overview of how I am doing this here. I also invite you to "Make a Wish" for automated naming by pulling AD information (see here for more information). I hope the above post and maybe some info in here is helpful. Please don't hesitate to reach out to me at my email below with any questions about Meraki SM iOS or Mac related. Jared Flitt jflitt@caregivershomecare.com

jared_f · ‎12-04-2018

Hi All, Meraki does give you the ability to upload profiles. Here is a write up for everyone to follow: Step 1: Create new profile. Give it a name, identifier (I usually name it the same as the name), and organization (Meraki Inc. will work for this also). Step 2: Adjust Restrictions to Take Care of AC2 Bugs Apple Configurator 2 has two bugs to be aware of. Even if you do not check to enforce delayed software updates it will change to 30 days. To get around this, check the software update delay and change it to ONE (1) day. This is the only work around I have found and will save you dozens of Help Desk tickets when none of your devices will update! In addition, AC2 has some restrictions defaulted to change for contacts that your organization may not to push to your devices. Please check the following below so they DO NOT push (another Apple bug). Step 3: Add Restriction to Enforce Data and Time Step 4: Save Profile NOTE: Please save you profile with the name you want it to Appear with in the settings panel of Meraki. Step 5: Upload to Meraki Systems Manager > Settings > Add Profile Click "Upload custom Apple Profile" and choose it from your save location. Then scope.

jared_f · ‎12-03-2018

Hi All, I virtualized both Exchange and Active Directory and I am trying to enroll them with the Meraki agent on Windows Server 2016. Neither will enroll. Is anybody experiencing this problem? I have hit a wall because I cannot query AD during enrollment. I have verified that I am whitelisted at the network level (both DNS filtering and at the Firewall). Thanks! Jared

jared_f · ‎11-26-2018

Tip for everybody. If a restriction is available for iOS in Apple Configurator you can create the profile there and upload it to Meraki. But, I would like everything to be in Meraki to make changing restrictions easier.

jared_f · ‎11-26-2018

We would also like this and Meraki to provide support for ALL new restrictions. Jamf has day one support.

jared_f · ‎10-28-2018

When is SM going to be updated to be compatible with payloads for iOS 12. In addition, allowing configuration profiles to be installed before the user gets to the home screen? Any information about the future of SM would be helpful!

jared_f · ‎10-21-2018

Is the user the owner of the device? Try adding the owner option with the plus button.

jared_f · ‎10-21-2018

You guys are not the only one seeing this problem. Things are just becoming ridiculous with Meraki. We don't have plenty of Mac devices, but a decent amount of iOS. Jamf is sounding better and better each day for out use case even though it comes with a hefty price tag. I understand bugs; but the amount of them is ridiculous and support's response is either a sham work around or to submit a wish. Why bother updating the SM UI when other features are needed and the community shows interests in them? For example, the automated naming of iOS devices based on a users directory username has been a feature that has received top kudos from the community. We are responsible for rolling out a mobile clock-in/out app for employees by 1/1/19. This is going to require enrolling each users phone and pushing the application out. Reliability of this is mandatory. Ok... rant over!

jared_f · ‎09-27-2018

I haven't come across that specific error, but the things that usually pop out to me are APN certificates or a network problem (something is blocking Meraki/Apple from syncing down the profile). Seeing that anything prior to 10.13.4 is enrolling, I am pretty sure you can rule those out. The only other option I could think of is to manually retrieve the profile from dashboard instead of running manual enrollment from m.meraki.com. Another option would to be a force install of the profile via the command line.

jared_f · ‎09-27-2018

I would look into USB tethering. I believe it was released in iOS 11 last year.

jared_f · ‎09-26-2018

Anytime a new user is signing in with his/her AD credentials they were being prompted for an administrator username/password to bypass secure token. Here in an excerpt from the attached article explaining what causes the problem: "Ahh SecureToken; the gift that keeps on giving! macOS 10.13.4 introduced this new, undocumented dialog that would appear on first login under the following conditions: If the filesystem is APFS Whether or not FileVault is enabled If the Mac is bound to a directory service (e.g. Active Directory or LDAP) If there is a local administrator account present that has logged in at least once (e.g. the one created during the Setup Assistant). If the account currently logging in will be a directory based mobile account (i.e. it hasn’t been created yet and is logging in for the first time)" Luckily the author of this article has us covered with a custom profile that you can install on the computer level with Meraki to fix this. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadContent</key> <dict> <key>com.apple.MCX</key> <dict> <key>Forced</key> <array> <dict> <key>mcx_preference_settings</key> <dict> <key>cachedaccounts.askForSecureTokenAuthBypass</key> <true/> </dict> </dict> </array> </dict> </dict> <key>PayloadDescription</key> <string></string> <key>PayloadDisplayName</key> <string>Custom</string> <key>PayloadEnabled</key> <true/> <key>PayloadIdentifier</key> <string>FF71CE36-0F95-42CB-81C6-67F1288AA037</string> <key>PayloadOrganization</key> <string>Your Organisation</string> <key>PayloadType</key> <string>com.apple.ManagedClient.preferences</string> <key>PayloadUUID</key> <string>FF71CE36-0F95-42CB-81C6-67F1288AA037</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </array> <key>PayloadDescription</key> <string></string> <key>PayloadDisplayName</key> <string>System - SecureToken Dialog Bypass</string> <key>PayloadEnabled</key> <true/> <key>PayloadIdentifier</key> <string>139BEF61-F90E-4BBB-9A3E-EAF3FE090B91</string> <key>PayloadOrganization</key> <string>Your Organisation</string> <key>PayloadRemovalDisallowed</key> <true/> <key>PayloadScope</key> <string>System</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>139BEF61-F90E-4BBB-9A3E-EAF3FE090B91</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist> Thanks to the author Neil Martin. Here is the link to the article: https://soundmacguy.wordpress.com/2018/06/02/bypassing-the-securetoken-dialog-for-mobile-accounts/

jared_f · ‎09-26-2018

@vassallon Are students assigned the device with their AD username and password or do they log in with their Apple School Manager address? I don't have access to ASM so I can't really play around with it. It seems like you sync ASM with your SIS and then ASM with Meraki. Then the education configuration takes care of the rest when you check the box to configure with ASM. Is there anyway to map student AD username (i.e. student ID) and match it with their ASM so an administrator doesn't have to re-assign the devices on already deployed iPads to get the education configuration properly scoped.

jared_f · ‎09-26-2018

Thanks for sharing!

jared_f · ‎09-26-2018

I am not positive of this so please correct me if wrong. Couldn't you uncheck and push "Allow modifying account settings (iOS 7+)" profile? The nice thing is that you could login with the Apple ID during setup (DEP) or even with manual enrollment (m.meraki.com) and then the option would be restricted. Seems way better than going to each device and trying to keep track of restriction passcodes.

jared_f

Community Record

Badges