Apple Classroom

Apple Classroom is an application developed by Apple for educational environments. It is designed to assist teachers in managing and monitoring students' iPad activities during class. With Apple Classroom, teachers can launch apps, lock screens, send and receive documents, view students' screens, and control their iPad usage remotely. It provides educators with tools to guide and enhance the learning experience, promote collaboration, and maintain a focused classroom environment. Apple Classroom enables teachers to better engage with students and tailor instruction to individual needs using iPads as educational tools.

Classroom – Feature Overview


This is Apple's application for teachers allowing them to manage a class of students using iPads. The application is available on the iTunes App Store and the Volume Purchase Program (VPP) App Store. Apple has a video about the application in the "Meet your new teaching assistant" section at this link: http://www.apple.com/education/products/


Main features:

Note: The Classroom app should only be installed on teacher iPads. Do not install it on a student device; it will only produce an error when launching…
Apple School Manager (ASM)
ASM can be thought of as a "Super Device Enrollment Program (DEP)" account, including VPP, DEP, Student Information System (SIS) data management, and Apple ID management. Existing customers will have to upgrade their DEP account to ASM. Customers are encouraged to read and follow this Apple knowledgebase article to prepare their setup for conversion: https://support.apple.com/en-us/HT206590.
ASM is only mandatory to create and manage Apple IDs, which means that the only features requiring ASM are:

Everything else - Classroom included - works without an ASM account.
How FileWave supports it
FileWave helps with deploying the Classroom app to devices. After deployment, the app has to be configured, which requires:

FileWave will do all of this for you:


Unique FileWave benefits:

Classroom – Shared iPad

Terms and Definitions


Classroom – this is Apple's application for teachers allowing them to manage a class of students using iPad devices. Main features:

Shared iPad - this is a special mode in which iPad devices can be put, which allows multi-users on a single iPad.

Apple School Manager - this is Apple's "Super DEP" portal for education.

One-to-One (1:1) context - this is a deployment model where a person is getting a device that is not shared with another person.
Cart - this is a Group of devices that usually stay in one classroom, and that are shared by students. They do not have to actually be stored in a cart; this is just a logical grouping that we chose to call a Cart.

While Classroom and Shared iPad share the same underlying concepts, it is not mandatory to use both together:

Hardware Requirements
Apple has the hardware requirements listed here: https://help.apple.com/classroom/ipad/1.1/#/cadc1b9b4f8a (I know that it's an ugly URL, but it takes you where you need to go). On this page, you will see that the following applies:

How it works: Classroom

How it works: Shared iPad

Classroom – SIS Data

SIS Support


To know how to configure devices, FileWave needs to import SIS data; mainly person details and class organization.
We currently support:

ASM data will be synchronized once every day (at midnight). You can force a refresh in Education settings of FileWave Admin Preferences.

Classroom
Classroom has import settings. The format for the CSV files is the same, but the syntax to import these is different 


Importing CSV files for students, teachers, and classes for Classroom
SSH into the FileWave Server, then run the following commands as appropriate (note, the full path to python and django have to be specified):

/usr/local/filewave/python/bin/python /usr/local/filewave/django/manage.pyc sis_csv_data_import --teachers <full path to teachers.csv> [--full|--incremental]
/usr/local/filewave/python/bin/python /usr/local/filewave/django/manage.pyc sis_csv_data_import --students <full path to students.csv> [--full|--incremental]
/usr/local/filewave/python/bin/python /usr/local/filewave/django/manage.pyc sis_csv_data_import --classes <full path to classes.csv> [--full|--incremental]

Required Data
Classroom is an application that allows teachers to use their iPads to manage student devices during a class. Classroom requires the devices to be configured by MDM, with the configuration defining:
For teacher devices:

For student devices (1:1):

For cart (shared) devices:


This means that in order to configure Classroom, you need to know:

  1. Which devices you are managing
  2. SIS data, which tells you which students are in a class led by which teacher
  3. A link between the device(s) and person(s):
    1. Either a direct link for 1:1 (teachers or for 1:1 students deployment model); or
    2. A link between a Group of devices ("a cart") to a Group of students ("a class")


Devices
Single devices
Any device already enrolled in FileWave can be used for Classroom. However, at times it may be useful to prepare your deployment system upfront, before devices are actually enrolled. This is more important in a 1:1 deployment model where you want to have your students unboxing and enrolling devices with their own usernames, but you don't want to wait hours (or days) until all VPP licenses finally land to the device.
FileWave 11.1+ allows the creation of placeholders for iOS devices and preparation of your deployment workflow as well as your classroom settings before real enrollment occurs:


Carts
Classroom support introduces the concept of Carts, which are nothing more than a special Group of iOS devices. These apply to the term Cart:


Define how persons are using devices
You need to tell FileWave who will be using which device. This can be:


Note: Shared iPads can only be used with carts. If you make a 1:1 association between a shared iPad and a user, it will not work as part of a "Cart" Grouping of iPads.
FileWave offers you different ways of providing these mappings:

  1. Import a CSV file for 1:1 associations

  2. Import a CSV file for cart:class associations

  3. Authentication for 1:1 with LDAP

You can configure FileWave to automatically associate a device to a person using the enrollment auth username. Upon enrollment, FileWave can then look into SIS data and if there is a person having the same identifier in your SIS data, then the auth username link will be made. This can be enabled in Classroom preferences.

  4. Manually via drag-and-drop


In order to import CSV files, you have to first specify that you will be using CSV files using the SIS pane of the Education settings of FileWave Admin Preferences, by clicking on the "Edit Settings…" button, authenticating as the super user (fwadmin), as shown on the next page.


The import dialog should default to "None / CSV" in the selection box of "SIS data source."


If not, select that option.


You then need to enable Classroom support in FileWave Admin by selecting the following checkbox in the "Apple Classroom" pane of the Education tab of FileWave Admin Preferences.


Classroom security relies on SSL Certificates, which will be deployed on each device. FileWave has to create those certificates prior to configuring Classroom. The first time you enable Classroom, you'll then be prompted to generate those certificates:


You'll then be able to save the main CA (certificate authority) private key - you'll need it if you want to revoke / renew certificates. (You also need super user credentials for that):


You will then be warned that the Private Key will not be stored within FileWave. It is your responsibility to maintain a copy of this in a safe location. Be sure to note where you are saving this so that you can put it somewhere safe. Also note that the file will be named "FileWave Classroom Private Key.key."


Note: If you have Keynote installed on your admin machine, the icon for this file will be a Keynote deck icon!


The dialog will display the certificates in a tree structure, where the root CA certificate is the top level item in the tree. The serial number and the expiry date of each certificate are also displayed. Certificates that will expire in less than one month are displayed with a yellow background, while expired certificates are displayed with red letters. You can sort by any column and filter certificates by typing some criteria in the search box and pressing Enter.


You can renew and revoke any certificates. In order to do so, select one or more certificates. The view supports multiple selection by holding the Ctrl key (Command or ⌘ on Mac) and clicking entries. You can then either right-click to get a contextual menu or use the corresponding buttons on the lower left corner of the dialog. When revoking a certificate, all its child certificates will also be revoked. The certificate and its child certificates will be renewed automatically right after revocation.


You don't need the private key for renewing or revoking leader or member certificates. However, renewing/revoking any intermediate CAs requires the private key of the Root CA that was generated before. The first time you renew or revoke an intermediate CA certificate, you will be asked to open the private key. It will be remembered for the duration of the dialog, so you won't need to open it again for any subsequent operations on CA certificates, unless an operation fails. If you close the dialog and open it again later, you will need to provide the private key again for renewing/revoking CA certificates.


Although not recommended, it is possible to revoke the root CA without providing the private key by clicking "Cancel" in the file dialog to open the private key. This is useful for example in case you lose the private key. After revoking the root CA, the whole certificate tree will be regenerated automatically.


After getting the certificates taken care of and storing your Private Key, clicking OK in the Preferences will result in the main window of FileWave Admin having a new category listed in the left-hand column labeled "Classroom."

CSV File Formats


The Entities supported
Before importing your mappings for Person:Device and Cart:Class associations, you first have to get Teacher, Student, and Class data into the database. You must get class/student/teacher data into FileWave for use with Classroom, and you can do that with CSV files. There are three different entities for which you can import/update instances in the DB. Here they are with the supported fields you can specify in the CSV files:


Students:

Teachers:

Classes:

To import the CSV file, change your path to:
/usr/local/filewave/django/ (on Mac or Linux)
then run this command:

/usr/local/filewave/python/bin/python manage.pyc sis_csv_data_import --classes <path to classes.csv> --teachers <path to teachers.csv> --students <path to students.csv> [--full|--incremental]

Note: This is a single command without carriage returns at the end of the line.


Where:

It's also possible to specify only one file.

CSV Structure

Each file is a CSV with a header. In the header you have to specify which fields you want to insert/update for each of the records. Each entity type has a field that uniquely identifies it (see entity description for detailed info).


When a CSV file is imported, we try to find the corresponding record in the DB with that identifier. If we can, we update the fields that are specified in the file (and leave the other fields as they were before).


The new "Classroom" view is not enabled by default. We do not want to have this showing for all customers unless they are using Classroom.



From the Classroom view you can:


Clicking on "Import one-to-one association(s)" results in this dialog box:


Note the "Download template" button, which produces a CSV file that is commented to make it easy for you to produce files in the proper format.


Clicking on the "Import Cart:Class association(s)" button results in this dialog box, which also has a "Download template" button:


Once the import is successfully done, you will receive a prompt asking if you want to re-generate the Education Profiles. In cases where you are importing both 1:1 associations and carts mappings, the suggested workflow is to generate the Profiles only after the second import.
Cart CSV File
You can also produce the Cart:Device associations via CSV import. The file format needs to contain three columns:

This is an example:
cart_name,devices,classes
cart-1,SN-1|SN-2|SN-3,class-1|class-2
cart-2,SN-4|SN-5,class-2
Notes:

cart_name,classes
cart-1,class-1|class-2
cart-2,class-2

cart_name,devices
cart-1,SN-1|SN-2|SN-3


Mappings Validity
To validate the mappings (1:1 or cart/class) the code applies the following rules:

Each time the check is performed a mapping is validated only if it is compliant with all the rules, otherwise it will be marked as invalid.


Invalid mappings are not taken into account for Education Profile generation.

Information about invalid mappings is shown in the Dashboard.

Classroom – Image Service

The Classroom app is able to display pictures of students - by default, initials will be used. FileWave has to be configured regarding where to get images.


Classroom uses SSL for communication and will use the device certificate to authenticate itself to the imaging service. FileWave will receive the request from the device and check if the certificate is valid. If it is, then FileWave will request the image from the image (picture) hosting service and serve the image back to the device.


People in the Classroom environment, whether teachers or students, all have an identifier (sis_id), and images are stored on the referenced server in two sizes (large, small). Our recommendations regarding image size are 675x1024 pixels for the small image and 2700x4100 pixels for the large image. Test a few before deploying hundreds of images to ensure that these sizes work well with your student devices.


In FileWave Admin Preferences, Education Tab, Apple Classroom pane, you can specify where FileWave will request images from. We support http and https protocols, as well as basic and digest authentication.


The Classroom app and Shared iPad login screens have a long-lived cache based on the image URL. The cache can be "reset" by clicking the corresponding button above. It does not clear the cache (there is no way to do so), but it generates a new URL for each image, so devices will be forced to re-download them.


For more information regarding setting up your Classroom Image service, see this FileWave knowledgebase article: Getting student images into Classroom

Classroom – Shared iPad

Keep in mind that Shared iPad and Classroom are independent; they use the same configuration system (education profile), but they can be used separately.

Enable Shared iPad


Shared iPad and multiple users


Shared iPad users are not "concurrent" users (as you could see with fast user switching on macOS); they just "share" iPad space and applications. Their personal data is stored in iCloud (this is why Managed Apple IDs are required) and will be synchronized on the device upon login.


Maximum resident users


You can define, in the DEP profile, the maximum number of users that can use a Shared iPad. Note: this only configures how many slices the user space will be divided into. For instance, on a 128 GB iPad, if you allocate 10 max users, each user will have an equal amount of storage space for personal data. Ten students can log into the device and will have a nearly instant login once their data is cached on the device. If an 11th student logs in, the oldest account will be deleted to free space for this user - so the login will be pretty long (sync user 1 data to iCloud, remove user 1 data from device, download user 11 data from iCloud).

User Management


There is a new entry in the Client Info dialog showing users on a shared device:


It returns data regarding who is logged in and the amount of space used by that user.
You can:

 

Shared iPad and Login


To login to a Shared iPad, you need to enter a Managed Apple ID. To ease login, Apple provides different ways:



Passcode is still required; this is pre-login only.
By default, FileWave will use passcode type "four." This can be changed.

# add this in settings_custom.py and restart apache
# supported values are "four", "six", "complex"
settings.CLASSROOM_DEFAULT_PASSCODE_TYPE = "six"

Supported values are complex, four, or six
This file is located at:
on Mac OS X / Linux - /usr/local/filewave/django/filewave
Roster API currently only returns "Name" - no distinction between first and last name. In that case, FileWave will take the first word as first name and the rest as last name.

Shared iPad restrictions
Application installation
Applications can only be installed when there is no logged in User - MDM will report invalid MDM command when it's done while a user is logged in on a shared iPad.
The recommended workflow is:

Classroom – Different Deployment Scenarios

To have Classroom working, you need:

So you will have to:

FileWave does not require a specific order for these actions.
Some scenarios:

  1. Enroll Cart devices and create carts
  2. Import SIS data
  3. Associate classes to carts
  4. Create placeholders for teacher devices
  5. Associate each teacher device to its teacher
  6. Deploy Classroom to teacher devices
  7. Have a 1:1 enrollment process (with auto enroll) where MDM auth username matches SIS identifier, so students can unbox their iPad and do the enrollment themselves

You can also prepare everything upfront:

  1. Import SIS data
  2. Import placeholders for 1:1 devices
  3. Enroll cart devices
  4. Associate classes to carts, devices to persons
  5. Deploy Classroom to teacher devices
  6. Enroll one-to-one devices

Changes can be incremental - so if, for instance, you have a new student, you can add the device:person association later without re-doing everything.

Classroom – What we don’t support

  • Carts are always associated to a whole Class. There is no way to indicate to FileWave that this cart is for the 10 first students while the second cart is for the last 10 students.
  • Passcode options - we can't get the passcode type from ASM for a person, so we can't prepare the right passcode keyboard.
  • We don't Group classes by Department.
  • Class-level deployment (i.e. make an association to a Class, all devices used by that class will get the app, users in that class will see the app, others won't. However, it is still possible to deploy apps outside of the Classroom use case, so you can't say that just because an iPad is in a Cart Group that only apps that have been deployed to the class(es) associated with the cart can be seen by students in a given class…).

Managed Apple IDs

Apple IDs have always been the central piece of the Apple ecosystem - linked to an iTunes account, an Apple ID was the only way to get software licenses until VPP device-based licenses were added. This was becoming more and more complicated for education organizations to maintain, even after Apple introduced education / under-age Apple IDs.


This is why Apple introduced, in conjunction with Apple School Manager, "Managed Apple IDs" - those Apple IDs behave like any other, but instead of being "owned" by a user, they are "managed" by an education organization.

Silent invite

It is now possible to assign licenses to Managed Apple IDs, via VPP Users. While most of the apps now support Device Based assignment, a few apps still require user based licenses, and books are still using User Based Licenses. On this level, Managed Apple IDs are like normal Apple IDs: they have to be associated to a VPP user for the corresponding VPP token so the token organization can assign licenses to the Apple ID.


To improve customers' workflow, Apple introduced the ability for MDMs to automatically and silently link a VPP user and a Managed Apple ID. This makes life easier for organizations, as they don't have to rely on human interaction to link an Apple ID to the VPP organization.


With the release of FileWave 12.7, FileWave has implemented this feature for 1:1 devices. Whenever a change occurs in the "Classroom" panel, FileWave will link the VPP user to the device:

  • from the same Organization as the DEP token used for SIS extraction
  • used in a 1:1 association for SIS

When this happens a VPP user will be associated to the user Managed Apple ID - and therefore user based licenses, including those for books, can be deployed, without the need of manually joining the organization. You will no longer need to accept the Apple terms and conditions on each device you are managing.


How to implement Managed Apple IDs with user assignment with FileWave


The user will need to sign in to the App Store on their device with their Managed Apple ID. Without this there is no way to know which Managed Apple ID should be on which device. To do this, the user will need to go to Settings -> iTunes & App Store -> Sign in with the account. If you are already signing the devices in with the Managed Apple ID for iCloud, you will still need to sign them in to the iTunes & App Store settings on the device.


One tip with this setup would be to sign in with the Managed Apple ID on the device during DEP setup on the individual devices. This would allow you to skip a step of signing the devices in after Enrollment is finished. So for this you would want to Enable Apple ID setup in your DEP profile so that this is not skipped during initial activation.



Getting student images into Classroom

Do you want student images to show up in Apple's Classroom tool? You have come to the right place.

Overview

  1. Images
  2. Large and small format of each student's image
  3. Properly named
    • %user_identifier% = SIS/Student ID
    • %size% = large or small
  4. Web server to host images
  5. Some form of security
  6. Enter the URL into FileWave Admin Preferences

Images

Many photography companies will name and resize images to whatever you need. Try contacting them before spending too much time creating perfect images.
It might also be worth checking how your SIS and/or library checkout system stores and shares images; you may just be able to share that folder.

Image Name

Student image files have three requirements.

%user_identifier%

If I was looking at ASM (Apple School Manager), and my students were showing with IDs like S0001, S0002 etc.

Student images in Apple School Manager


Then I would know that S0001 should be used for %user_identifier%
Be Careful: Apple School Manager lists "Person Number" and "Person ID" and you want to use "Person Number" when naming the images

%size%

As of the writing of this document, Apple has specified small and large versions of images are needed, but not the size.

FileWave's recommendations regarding image size are:

Small: 675x1024 pixels 
Large: 2700x4100 pixels

Test a few before deploying hundreds of images to ensure that these sizes work well with your student devices.

Web Server

There are two main ways to list and share images (with some minor variation)

We will only talk about option one here; if you are advanced enough to program option two, you probably don't need FileWave's help.

What if I don't know which one to do?
If you don't know which one is best or which one you can do, a directory of images is by far the easiest. But always feel free to contact support with further questions and help.

Directory

In this setup you typically have a flat structure (meaning images are not in subfolders, just one folder with all student images in it), and it would look something like:

apache directory of student images


Setup for your web server will vary depending on which one you selected. But if you can navigate via a browser to a URL similar to

https://fwusa.filewave.com/images/stu/S0001-small.jpg

then you are ready to move on.

Security

Student images are personally identifiable pieces of information and are important to maintain privacy. You will want to give reasonable assurance that you have done your best to prevent these images being released into the wild.
Below could be considered minimum recommendation, but always make things as secure as you can.
Setup will vary depending on the web server selected, so please refer to best practice or hardening guides of the respective server solution.

Internal only

This web server should not be accessible from outside your network. So using the main district web server, a computer sitting in a firewall's DMZ, or a hosted server are all insecure solutions.

You could start up a virtual machine running a free Linux OS, enable Server.app's web server on a macOS computer, or use Windows. Whichever you do, use something that will always have the same IP/domain name, and is always running.

HTTPS

These days there are few excuses for not doing https. Certificates are cheap or free, and using a secure connection helps prevent data interception from source to destination. Just do https (Port 443/TCP), and even disable http (Port 80/TCP).

Password Protected

Many web servers can enable password protection for a whole site or even just a section of a site. If using Apache, an .htaccess file similar to this:

AuthType Basic
AuthName "Protected Student pictures"
AuthBasicProvider file
AuthUserFile /var/www/.htpasswd
Require valid-user

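can be placed inside the student images folder to password protect it. Basic authentication sends the password with only base64 encoding, so use it only together with https.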
(see https://httpd.apache.org/docs/current/howto/htaccess.html for more info on apache .htaccess files including setup and use)
And a user can be created by something like:

htpasswd -c /var/www/.htpasswd picture_user

Note that the password file is the same /var/www/.htpasswd in both .htaccess and htpasswd (see https://httpd.apache.org/docs/current/programs/htpasswd.html for usage). The -c flag creates the file and overwrites an existing one, so omit it when adding further users.

Constructing the URL for Admin Preferences

If we were able to access the images via browser at a URL like

https://fwusa.filewave.com/images/stu/S0001-small.jpg


Then we can use that as our template

https://fwusa.filewave.com/images/stu/S0001-small.jpg


Would become:

https://fwusa.filewave.com/images/stu/%user_identifier%-%size%.jpg

Note how the - needed to stay in the URL, and that it was an https server.
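The template and the Security recommendations above can be checked together before the URL goes into Admin Preferences. The following Python code is an added example, not FileWave code: it expands the two placeholders, refuses to send credentials to a template that is not https, and confirms that anonymous requests are rejected while authenticated ones return an image. The account name picture_user comes from the htpasswd line above; the password and the fake server used for the offline demo are constructed.

```python
"""Audit a Classroom image URL template before entering it in Admin Preferences."""
import base64
import urllib.error
import urllib.request
from urllib.parse import urlsplit

SIZES = ("small", "large")  # the two %size% values named on this page


def expand(template, user_identifier, size):
    """Substitute the %user_identifier% and %size% placeholders."""
    if size not in SIZES:
        raise ValueError(f"unsupported size: {size!r}")
    return (template.replace("%user_identifier%", user_identifier)
                    .replace("%size%", size))


def http_fetch(url, credentials=None, timeout=10):
    """GET a URL, optionally with Basic auth; return (status, content_type)."""
    request = urllib.request.Request(url)
    if credentials:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        request.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", "")


def audit(template, user_identifier, credentials, fetch=http_fetch):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for placeholder in ("%user_identifier%", "%size%"):
        if placeholder not in template:
            findings.append(f"template is missing {placeholder}")
    if urlsplit(template).scheme != "https":
        findings.append("template does not use https")
    if findings:
        return findings  # never send the password to a bad or plaintext URL
    for size in SIZES:
        url = expand(template, user_identifier, size)
        status, _ = fetch(url)  # no credentials: must be refused
        if status not in (401, 403):
            findings.append(
                f"{url}: anonymous request returned {status}, expected 401 or 403")
        status, content_type = fetch(url, credentials)
        if status != 200:
            findings.append(f"{url}: authenticated request returned {status}")
        elif not content_type.startswith("image/"):
            findings.append(f"{url}: unexpected Content-Type {content_type!r}")
    return findings


def make_fake_fetch(files, protected, valid=("picture_user", "example-password")):
    """Constructed stand-in for the web server so the example runs offline."""
    def fetch(url, credentials=None):
        name = urlsplit(url).path.rsplit("/", 1)[-1]
        if protected and credentials != valid:
            return 401, "text/html"
        if name not in files:
            return 404, "text/html"
        return 200, "image/jpeg"
    return fetch


if __name__ == "__main__":
    template = "https://fwusa.filewave.com/images/stu/%user_identifier%-%size%.jpg"
    creds = ("picture_user", "example-password")  # constructed password
    images = {"S0001-small.jpg", "S0001-large.jpg"}
    for label, protected in (("password protected", True), ("open directory", False)):
        result = audit(template, "S0001", creds, make_fake_fetch(images, protected))
        print(label, "->", result or "OK")
```

Against a real server, call audit() without the fetch argument so that http_fetch performs the requests.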


Force shared device passcode type

There is a limitation (as of July 2018) in Apple's Roster API, which FileWave uses to obtain all SIS (student information system) data such as classes and student passcode requirements.

For example, in ASM (Apple School Manager - school.apple.com) you can define a user's password requirements, from a 4-digit PIN to a complex alphanumeric password. This information should then be shared via Apple's Roster API with FileWave, so that we can show the appropriate keyboard (such as a simple 10-button numeric keypad for a PIN-only user), but it's currently not available.

Until Apple adds this information to the Roster API, you can force all devices to one type:

Linux/MacOS FileWave Server:

/usr/local/filewave/django/filewave/settings_custom.py

# add this in settings_custom.py and restart apache
# supported values are "four", "six", "complex"
settings.CLASSROOM_DEFAULT_PASSCODE_TYPE = "six"

You can use either

four
six
complex

Which corresponds to Apple's different Password Policy options: 




Classroom – Identity Certificate Management

Overview

FileWave 11.1 includes support for Apple Classroom. The setup recommended by Apple for MDM providers is to have one root CA, intermediate CAs for leaders (teachers) and members (students) and one certificate per device. This means we need a UI where administrators are able to generate, view and manage those certificates, which allows renewing/revoking certificates, as well as creating the initial root CA and intermediate CAs.

In the Admin

Dashboard

The first place where you might see anything related to Classroom is the Dashboard. By default, we check whether all the certificates are OK. It goes into a warning state (yellow) if a certificate is about to expire (in less than 30 days) or if the whole Classroom CA/certificate chain is absent. It goes into an error state if at least one of the certificates is already expired.

In case of a warning or error, you can click on "Go to settings"; it will ask you for the super user credentials and whether you want to create the default CA/certificates (see below on how to proceed).


After it has refreshed (can take a few seconds), it will look like that:


Preferences

The certificate management UI is available in the Preferences, in the Education section, on the Apple Classroom tab. Click "Manage Certificates" to open the Classroom certificate management UI. You will need to enter fwadmin credentials.


The first time you open the Manage Certificates dialog, no certificates exist at all. Therefore, FileWave Admin asks you whether you want to generate the certificates:


As part of the process, a private key for the root CA certificate is generated. FileWave does not store a copy of this private key. It is your responsibility to store this key in a secure location, as you can see in the warning that is displayed.


FileWave will ask you to store the private key as soon as the certificate generation is completed successfully. The private key is a PKCS #8 key stored in DER format. FileWave Admin saves this private key in the local disk of the computer where it is running and sets restrictive permissions on the file. You will need to provide this private key when renewing or revoking certificates. The default file name is "FileWave Classroom Private Key.key" and it is stored on the Desktop by default. If you press Cancel or the Esc key by mistake while on the save dialog, FileWave stores the private key on the default location anyway, so you won't need to regenerate the root CA.
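Since FileWave keeps no copy of this key, it is worth verifying the saved file wherever it ends up being stored. The following Python code is an added example, not FileWave code: it checks that the file is readable by its owner only and that its contents parse as PKCS #8 DER, and reports whether the key is a plain PrivateKeyInfo or a passphrase-protected EncryptedPrivateKeyInfo (the page does not say which one FileWave writes). It assumes a POSIX file system; SAMPLE_KEY is a constructed structure with placeholder bytes, not a real key.

```python
"""Custody check for a saved Classroom root CA private key file."""
import os
import stat


def read_tlv(data, offset):
    """Decode one DER tag-length-value; return (tag, value_start, value_end)."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, first = data[offset], data[offset + 1]
    offset += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or offset + n > len(data):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    if offset + length > len(data):
        raise ValueError("DER value runs past the end of the data")
    return tag, offset, offset + length


def classify_pkcs8(der):
    """Return 'plaintext' (PrivateKeyInfo) or 'encrypted' (EncryptedPrivateKeyInfo)."""
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    first_tag, _, first_end = read_tlv(der, start)
    if first_tag == 0x02:                  # INTEGER version comes first
        alg_tag, _, alg_end = read_tlv(der, first_end)
        key_tag, _, _ = read_tlv(der, alg_end)
        if alg_tag != 0x30 or key_tag != 0x04:
            raise ValueError("malformed PrivateKeyInfo")
        return "plaintext"
    if first_tag == 0x30:                  # AlgorithmIdentifier comes first
        data_tag, _, _ = read_tlv(der, first_end)
        if data_tag != 0x04:
            raise ValueError("malformed EncryptedPrivateKeyInfo")
        return "encrypted"
    raise ValueError("not a PKCS #8 structure")


def check_key_file(path):
    """Report the permissions and container format of a saved key file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as handle:
        data = handle.read()
    try:
        fmt = "pem" if data.startswith(b"-----BEGIN") else classify_pkcs8(data)
    except ValueError:
        fmt = "invalid"
    return {
        "mode": f"{mode:04o}",
        # True only when neither group nor others have any access bit set
        "owner_only": not mode & (stat.S_IRWXG | stat.S_IRWXO),
        "format": fmt,
    }


def der_tlv(tag, value):
    """Encode one DER TLV (values under 64 KiB); used to build the sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    if n < 0x100:
        return bytes([tag, 0x81, n]) + value
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + value


# Constructed sample: PrivateKeyInfo with the rsaEncryption OID and 200
# placeholder zero bytes where the key material would be.
RSA_ALGORITHM = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"
SAMPLE_KEY = der_tlv(0x30, der_tlv(0x02, b"\x00")
                     + der_tlv(0x30, RSA_ALGORITHM)
                     + der_tlv(0x04, b"\x00" * 200))

if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:                  # path to the saved .key file
        print(check_key_file(sys.argv[1]))
    else:                                  # offline demo on the constructed sample
        with tempfile.TemporaryDirectory() as folder:
            sample_path = os.path.join(folder, "sample.key")
            with open(sample_path, "wb") as handle:
                handle.write(SAMPLE_KEY)
            os.chmod(sample_path, 0o644)
            print(check_key_file(sample_path))
```

A result with "owner_only" false, or with "format" reported as "plaintext" on a copy kept on shared storage, means the file needs tighter handling.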

The dialog displays the certificates in a tree structure, where the root CA certificate is the top level item in the tree and child certificates appear as child items. The serial number and the expiry date of each certificate are also displayed next to it. Certificates that will expire in less than one month are displayed with a yellow background, while expired certificates are displayed with red letters. You can sort by any column and filter certificates by typing some criteria in the search box and pressing Enter.


You can renew and revoke any certificates. In order to do so, select one or more certificates. The view supports multiple selection by holding the Ctrl key (⌘ on Mac) and clicking entries. You can then either right-click to get a context menu or use the corresponding buttons on the lower left corner of the dialog. When revoking a certificate, all its child certificates will also be revoked. The certificate and its child certificates will be renewed automatically right after revocation.

You don't need the private key for renewing or revoking leader or member certificates. However, renewing/revoking any intermediate CAs requires the private key of the Root CA that was generated before. The first time you renew or revoke an intermediate CA certificate, you will be asked to open the private key. It will be remembered for the duration of the dialog, so you won't need to open it again for any subsequent operations on CA certificates, unless any operation fails. If you close the dialog and open it again later, you will need to provide the private key again for renewing/revoking CA certificates.


Although not recommended, it is possible to revoke the root CA without providing the private key by clicking Cancel in the file dialog to open the private key. This is useful, for example, in case you lose the private key. Beware that it will not be possible to revoke intermediate CAs before renewing the root CA certificate. However, after revoking the root CA, the whole certificate tree will be regenerated automatically, including intermediate CA certificates and their child certificates.

What is the impact if I lose my private key? You can revoke and start a new one. Devices will get the new keys when they check in. Shared iPads will need each user to log out and log in again.

Under the Hood

Device certificates are valid for 10 years. FileWave takes care of renewing device certificates automatically when they are about to expire. This is done 30 days before the expiry date. On the other hand, CAs cannot be renewed automatically because the private key is required. For this reason, administrators should take care of renewing the CA certificates manually. When the CA certificates are about to expire, a warning is displayed in the Dashboard.