Hey Sarge,   That would require customizing the script to be checking devices for their tags, and then batched on a match running an update call to send back the address for the device.   Depending how many you have to do I'd check out this tool: https://create.meraki.io/build/dashboard-api-react-toolbox-demo/   There is even a live demo which you could use if you don't want to download and deploy the docker package.  https://meraki-api-react-toolbox.herokuapp.com/   This would let you put in your API key, and in one swoop update the addresses for every single device in a particular network to the same thing. So my script likely provided you with all the networks where there are devices missing addresses, and you could use this to bulk import addresses.   Let me know if this helps!    ... View more

PM'd you! with the script.  ... View more

I'll see myself out! Great discussion. ... View more

Nothing to see here.. haha. ... View more

One of the reasons the idea of terminating at the "core" stuck with me is because eventually (hopefully), i'll be deploying a second MX250 as a warm spare and I wanted to build a foundation/standards for the way we'll be doing WAN links. Yeah it's a very common approach, good to put some forethought into it now. Also yes, totally forgot the MX250 has SFP+ WANs so you'll need to convert the media.    At this point, I should have 2 direct routes, both default, from each of the ISP's and another direct route from the LAN interface(granted there is only a single flat VLAN for local) In order to be able to manipulate traffic, I believe I would modify the Primary WAN option within the MX interface to change the metric for which route traffic would be going out of. Do I need to setup any static routes? How do I specify the default route config or is that automatic and handled by the MX? Not sure I entirely follow, but let me just over answer it and hope I cover your questions. The core switch if it's L2 will just use the trunk up to the MX where the MX will hold the gateway for all the VLANs you've created. If the core switch is L3 you'd probably have one transit VLAN between the MX and the Core and you'd put a 0.0.0.0/0 route on the core up to the other end (MX) of the transit VLAN, so that all traffic goes back to the MX. You'd have no routes configured on the MS250 if you're running it in L2 mode, and only one configured if you ran it in L3 mode (route to the MX).   The MX then would have it's two WAN links which come through the MS250. The MX will NAT the traffic for any private addresses into the two public addresses from each ISP by default. The MX by default is going to not load balance those links, but make WAN1 it's primary. Within Security Appliance > Traffic Shaping in dashboard you're able to turn on load balancing if you want the MX to utilize both internet links, you can make WAN 2 primary, or you could even define certain local VLANs take different internet links based on source or destination. But no default route configuration on the MX is required, by default it will send any traffic it doesn't know about out the WAN interfaces.   ... View more

Does anyone see any issues with the above design/statements? There isn't an issue with that, but a few things to be aware of. I typically turn off RSTP just so I'm not putting this onto the ISP network - but be careful you're not making any loops.  On top of that, if you set port 48 as access into VLAN 1000 which has your ISP link into it, you can just make port 47 access on VLAN 1000, and plug that into the MX on WAN 1 without having to tag a VLAN on the MX.  As WANKiller said, if you only have one MX250 you don't really need to do this, and you can plug the ISP link directly into WAN1. People usually go with this design when they need to split that one RJ45 handoff into 2 different edge MX250's for warm spare.   When I configure a port on the MX for the local LAN, on a completely different port with a completely different vlan, do I need top make sure that port is able to carry vlans 1000//1001 or does the Meraki somehow automagically mask that requirement and builds a routing table that will provide connectivity? You don't want to do this. Keep the WAN & LAN side separate. When you configure a trunk link between the MX LAN and your downstream switch you'll want to only allow certain VLAN's on that trunk - basically all VLAN's except 1000 & 1001. On the MS port when you set the link type to trunk, just specify the specific VLANs and list all the VLANs between the MX and MS (and again don't include 1000 or 1001 in that list).    Physical Connectivity - for clarity Cable 1: ISP Link into Port 48 on MS250 - configured access VLAN 1000 disabled RSTP Cable 2: MX WAN 1 interface into Port 47 on MS250 - MX default configuration, MS250 port 47 configured access VLAN 1000 disabled RSTP.  Cable 3: MX LAN 1 interface into Port 1 on MS250 - trunk on both sides, allowed VLANS: 1,5,10,15 (or whatever VLANs you've created on the MX - don't include 1000 or 1001).   Hope this helps! ... View more

          Alright so heres the results of the simple script, just need to put your API key in it with the organization ID.  PM me for the script.  ... View more

Hey Adam,   As mentioned before I think your best bet would be to use API's to accomplish this.    There is a Bulk Address Changer - created by one of our SE's on our solutions page at https://create.meraki.io/build/dashboard-api-react-toolbox-demo/  You could use the demo without even having to host it yourself, by just putting in your API key and running it.   This is only used initially to go set an address for every device in your network. You could technically use this if you wanted to run through every network, and make sure ALL the devices have matching addresses. But it is a network by network basis, and requires you to put in the addresses.    However if you have a ton of networks (and don't know which need updating) this wouldn't exactly be ideal. In that case, if it were me, I'd download the source code, and see if you could add a feature to it where one of the checkboxes would make it just cycle through networks and take the address of any device which is already set in that network and copy it to make sure all devices have a matching address.  Milage may vary depending on your comfort with programming.      ... View more

Hi amorb,   It is not possible. The bluetooth is really only a means of beaconing and will not be able to pair with a device. Here is a list of the specified fields we can receive via the bluetooth radio: https://documentation.meraki.com/MR/Monitoring_and_Reporting/Location_Analytics#Bluetooth_Scanning_API     Regards ... View more

Feel free to PM me your email address or a dashboard link if you want me to have a quick look. But ultimately I'd suggest getting in contact with support who can deep dive in with you and see why this may be failing. ... View more

It's likely that the Meraki AP and the MX can't talk somehow.  The MX needs a route to the management IP of the AP and the reverse is true that the AP need to be able to get back to the MX.      I would start by checking to make sure the AP can ping the MX using the Live Tools on the AP page. If that works, I would consider any firewall in the path, etc.      ... View more

This is absolutely something you should be able to easily do, and is a very common deployment technique.  If you press the test connectivity button when you select the VPN options on the Wireless > Access Control page does the test come back okay? -- I'm wondering if the remote AP is having a hard time building the tunnel back to your MX.      ... View more

Appreciate the recognition @PhilipDAth! I've been trying to make an effort to be more active within the community, but I have a long way to go if I ever want to reach your level. Thanks for all you do for the community, it doesn't go unnoticed!  ... View more

There isn't any way to default block all inter-vlan traffic with a setting in dashboard. However you could simply add a global firewall rule Security Appliance > Firewall under the Outbound rules section which would Deny, Any protocol, with a Source: 192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, and Destination: 192.168.0.0/16,172.16.0.0/12,10.0.0.0/8.   This would add a default to prevent any local traffic from being routed between VLANs. That would be your last rule, and above it you could add more specific allows/deny's as required. ... View more

You may be able to get creative and apply these in different ways. But there is no way to apply two group policies to a user at once. For instance, if you don't want anyone on the Wifi between those hours you could schedule the SSID to be shutoff at that time.   ... View more

You can accomplish this by creating a group policy. Network Wide > Group Policies.   At the top of your policy, you can set a schedule for when it is enforced. And then subsequent firewall/traffic shaping rules within that policy.   On the Security Appliance > Addressing & VLANs, you can apply that policy to an entire VLAN. Or on Wireless > Access Control, you can tie that policy to a device type such an Android, iPhones, etc. Finally, the Network Wide > Clients page, you can put the policy on individual devices manually. https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Policies     Hope this helps! Happy to help with any further questions. ... View more

Ah makes perfect sense. I'm assuming you've tried to disable the "Allow Erase All Content and Settings (iOS 8+)" setting on a supervised device, and tested that the iCloud wipe of a device still gets enforced?   Short of that unfortunately, I believe our hands are tied. For better or worse we are at the mercy of Apple for these restrictions, and since they give us no way to prevent that action I'm not sure there would be other options that we have.   ... View more

Appreciate the level of detail in the question. What would be the usefulness of preventing them from wiping the device if they really wanted to? If the device is a DEP enrolled device, they wouldn't be able to get around having the profile automatically re-installed once they go through the device setup process.  ... View more

Nothing technically gets transferred to Meraki. When you make a purchase and the reseller notes the DEP ID, it is Apple whom associates that device with your organization.  Apple maintains the DEP side of the house, and it is their servers who know iPad S/N:1234 belongs to XYZ Corp.   When you link your Meraki EMM account with Apple's DEP, Apple then knows when the iPad is being turned on and registered, that it belongs to XYZ Corp based on it's serial number and forces the device to have the associated Meraki profile installed.    The big benefit to DEP, is that if someone was able to wipe one of your iPads, they'd never technically be able to unassociate it with your DEP, and it would always end up being force enrolled back to your company.   https://images.apple.com/business/docs/DEP_Guide.pdf  ... View more