Is it possible to restrict access to a wireless network by requiring both a passphrase and the MAC address being whitelisted?
You could set the firewall rules to a default "deny any". Then a user would only get access if they knew both the PSK and you whitelisted them to override the deny.
Could you instead use WPA2-Enterprise mode with Meraki authentication? Then each device would need both a username and a password, and you can disable an individual device easily.
Another option is to use a unique PSK per device.
https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS
@WarrenG : Check this out
https://documentation.meraki.com/MR/Encryption_and_Authentication/Cloud_Hosted_Meraki_Authentication
For MAC, check this thread
https://community.meraki.com/t5/Wireless-LAN/MR-authentication-with-MAC/m-p/56629
It would seem like using a PSK together with MAC address whitelisting should be a pretty simple option. Why is it that while Meraki's interface is very simplified, you can never seem to do the simple things that you might need to do?
Once you create the "deny any" rule (just one single rule), it's like 4 mouse clicks (just tried it) to whitelist a client from the client view.
I'm not sure how Meraki could make this simpler or easier.
Okay so I'm trying to track with you here. I create a deny rule on the particular SSID I need to lock down. How do you then whitelist a client from the client view?
It's called "Allow" rather than "Whitelist". You can do it in several places, but the client's view is an easy way to do it.
Okay thanks Philip, I'm going to play with this and see if I can test it successfully. Thanks again for the help.
Within Wireless - Access Policy "Assign group policies by device type"... then select ALL the types and assign your PSK-ONLY-BLOCK-Group Policy 😉
Then within Network-Wide clients page - Add client section to override and assign a group policy to actually allow things 😉
Thanks @Paul_H, I'm going to try Philip's method first and will come back to this if I can't get that working. Thanks again!
Hey @WarrenG !
I've definitely encountered this before and as mentioned above you could leverage a firewall to do it like @PhilipDAth and/or leverage @Inderdeep's ideas as well!
A 3rd option... (because Meraki is SO flexible 😉 ) You can:
--> Create an SSID with PSK and enforce a group policy to be applied that has deny ANY ANY.
--> Under Network-Wide, Clients - Add a client by MAC address
--> Specify a unique Group Policy that grants access to that client MAC either globally or PER-SSID
--> Sit back like a Dashboard DJ!
Hope that helps as well!