Apple MDM
With the exception of macOS, all Apple devices are managed purely through MDM. macOS devices on the other hand, relies upon the FileWave Client, however, when MDM enrolled, benefit from the additional features
Apple MDM Lost Mode
What
Lost Mode locks devices from use until Lost Mode is disabled. This enhances the security whilst devices are in an unknown location.
Why
On occasion, users can misplace devices. To assist the protection of data and prevent anyone from using the device until relocated, an MDM command may be sent to Lock the device.
Information
Lost Mode is enabled by setting a device into the 'Missing' Client State, via the right click contextual menu:
To disable Lost Mode, select any other Client State, Tracked or Untracked. A Model Update is required after altering the Client State before the MDM command will be sent to the device.
Devices require network to receive the command to enable or disable Lost Mode.
If a device is Locked and unable to receive network due to the surrounding W-Fi networks not yet being configured, consider connecting the device to ethernet (adaptor may be required).
Locating Devices
Whilst locked, as well as devices being unusable, additional features help locate the device
Location
After being set as Lost, location data will be sent back to the FileWave Server, where the device has a network connection. Location may be viewed on a map from the Client Info view as well as related location data being available from Inventory Queries.
Sound
Location is all very well, but what if the device is in a bag, cupboard or similar. To further assist retrieval of the device, when in the Lost Mode 'missing' state, an additional option will be available from the right click menu: 'Play Lost Mode Sound'. Previous set volume is not a consideration and the device will make an audible set of tones.
Apple MDM Command History
What
Any Apple devices that are MDM enrolled should receive MDM Requests. Each Client Info lists the requests for that device.
Why
MDM Command History exists to display all requests queued and sent to devices, along with the result of those requests; additionally showing if the request was designed for the User of the device or the System
When referring to Users and MDM, Apple allow for any amount of directory users to be managed, but only one local user is considered to be managed. This is the first local user to log into the device after enrolment. System requests impact all users.
The Request Types include:
- Inventory
- Profile instals and uninstalls
- VPP App instals and uninstalls
- Commands, e.g. erasing a device, renaming the device, etc.
Information
Opening the Client Info for an Apple MDM enrolled device and selecting the Command History tab should show something similar to the below image:
Request Types are defined by Apple and details may be viewed on the Apple Development Pages
Status and Error messages are those reported by Apple, with the exception of 'not sent'. The possible values are:
| Status | Details | Apple Request Response |
| not sent | The command is queued and awaiting for the device to reply to the APNs request | - |
| acknowledged | Device has processed the request | Acknowledged |
| not now | Device has received the request, but is unable to process the request at this time | NotNow |
| command error | An error has occurred | Error or CommandFormatError |
As of FileWave 15.5, the status of Command Queue requests are now accessible from within standard Inventory Queries
'not sent'
Before any requests may be sent to a device, the FileWave Server sends an Apple Push Notification (APN) request to Apple. Apple queue these APNs requests and only after the device checks in with Apple and pulls the APNs request, will the device then check-in with the defined server.
APNs request is nothing more that a notification for the device to check-in with the defined server.
Whilst waiting for the device to receive the APNs request and check-in, the Command History will display 'not sent'
Where requests are 'not sent' or 'not now', new requests will not be added to the queue for the same Request Types, since there is already a queued request waiting. The 'Creation Date' displays the time and day the request was added to the queue.
Response Commands
Once the APNs request has been received by the device, on check-in, queued requests may then be sent to the device.
'acknowledged'
The request has been received by the device, processed and reported back to the FileWave Server as completed.
'not now'
Some requests will not be accepted, until the device is in a certain state. For example, a user may need to be logged into the device to process the provided request.
Hence, the request has been received and the device has responded, but the request is awaiting the desired state before it will finish processing the request and report back as much.
'command error'
In some instances, the request may not be able to complete, due to an error. Apple have two defined error status values:
- 'Error' - An error occurred (the device will report error details in the response to the request)
- 'CommandFormatError' - The request protocol was incorrect, e.g. a malformed request
The 'Error Msg' column shown in the Command History view reports information provided by the device back to FileWave Server and contains information as set out by Apple.
Apple's developer page demonstrates greater depth on MDM requests:
Sending MDM Commands to a Device
User vs System
The user column contains the channel used for the request. Where the user column is blank, this implies the request is a System Channel request. Otherwise the name of any managed users existing on the device will be displayed for those requests.
Some Request Types are required for both User and System, e.g.
DeviceInformation may report inventory regarding the System and the User. As such there are multiple requests, one per Managed User and one for System.
Profile Installation
Profile Settings defines whether a Profile should be Installed for the System or User:
As with other Request Types, if the Profile is configured for System Installation, the User channel column should be blank, whilst those set as User should show a Request Type of 'InstallProfile' per managed user.
The below image shows installation of two differing Profiles, one set as System and the other set as User:
There was a period of time where all Profiles could be set as either User or System regardless. Apple enforced 'correct' Installation channels several major versions back. As such, if Profiles were delivered before such change, it may be possible that the User column may show a User despite the Profile being set as System. This should no longer be the case for newly delivered requests
Although altered values in a Profile Payload will just cause the Profile to be updated on a device, changing the Installation channel from User to System or vice versa, will cause the Profile to be uninstalled and then re-installed using the newly defined Installation channel.
Only some Profile Payloads may be defined as either User or System. If one option is greyed out, the Profile Setting cannot be changed.
Commands
Some requests are commands designed to action an event, e.g. rename a device, erase a device, etc. If the request is altering a setting, the Request Type reported is 'Settings' and the 'Settings Items' column will display details regarding the setting to be altered.
The below image shows a request to alter the name of the device:
An Update Model will be required before the Setting request is added to the device's request queue.
Further details regarding 'Command Policy' Fileset Payloads can be viewed in the following KB:
Troubleshooting
Some typical items to consider when reviewing Command History:
- The Command History tab will not be present if the device is not MDM enrolled (i.e. a macOS device with only the FileWave Client installed)
- A profile does not show on the device, yet command is acknowledged. This is typically seen where a Profile is set as User, but the currently logged in user is a local user, but not the local managed user. Compare the Command History User column with the currently logged in user.
- Where possible, it only might be prudent to set Profiles as System rather than user, if all local users require management (Note: this may also impact Administrators logging into systems, when attempting to fix a user's issue)
- Where an error has occurred, review the 'Error Msg' column. If the error message does not appear clear, consider raising a ticket with the FileWave Support team.
- As noted above, when a Profile Setting is changed, the existing Profile is removed before being re-delivered through the newly specified Installation channel (User or System). If the Profile is essential for network connectivity, the device will lose its network connection, making it impossible to receive the updated Profile.