Apple School & Business Manager

Apple School Manager (ASM) is a web-based portal for educational institutions to manage Apple devices, apps, and user accounts. It simplifies device deployment and content distribution for schools.

Apple Business Manager (ABM) is a web portal for businesses and organizations to manage Apple devices and services. It streamlines device procurement, deployment, and management, enhancing productivity and security.

Apple Customise User Access in ASM/ABM

What
A new feature for iOS 17, iPadOS 17, and macOS 14 from Apple, Customise User Access controls Managed Apple ID access to apps and services. It requires either Apple School Manager or Apple Business Manager. Access control includes:
- iCloud and App
- FaceTime and iMessage
- Apple Wallet
- Apple Developer
- AppleSeed for IT
- Device Sign In
- Privacy and Security
along with other features for instructors and students.

When
As of FileWave 15.5.0, Apple's required new Get Token endpoint has been included. Some features require the device to be Managed, whilst others require the device to be Supervised. Further details may be viewed from either:
- Apple School Manager User Guide - Customise User Access
- Apple Business Manager User Guide - Customise User Access

Information
Apple's Customise User Access offers admins much greater granular control over users and the access of devices, services and apps. Perhaps it is desirable to block iCloud, or to allow iCloud only on Managed devices. Which apps should be allowed to use iCloud? Maybe organisational users should be the only ones allowed to collaborate on Pages, Numbers or Keynote files. Should iMessage or FaceTime be allowed and, if so, who should this include? Can an Apple ID log into all devices or only some? There are also examples of management regarding developers and testing Apple OS releases, and other options for students, instructors and security. The above features are all managed through the Apple Business or School Manager portal.
Please follow the links provided for configuration of each feature.

Apple VPP/ADE Volume Content Terms

What are Apple's new terms?
Apple periodically updates the Volume Content Terms on Apple Business Manager. Upon the release of an updated version, your organization will be unable to enroll devices or deploy new apps until an Administrator signs into Apple Business Manager or Apple School Manager and accepts the new agreement. This will also trigger an error on the FileWave Central Dashboard, and synchronization with Apple will fail until the issue is resolved.

Beginning with the July 27, 2023 changes, Administrators are granted the ability to accept the Volume Content Terms on behalf of the entire organization. This change means that Content Managers and Administrators will no longer need to individually accept these terms once an Administrator has done so for the organization. The update also introduces clearer language regarding the redemption of unused Volume Content balances.

Bear in mind that while the updated Volume Content Terms as of July 27, 2023 can serve as an example, changes to the VPP (Volume Purchase Program) and ADE (Automated Device Enrollment) terms occur several times a year. These changes can potentially cause disruptions, for example if FileWave is unable to sync with Apple due to unanticipated terms changes. Apple helps organizations stay updated by sending an email about a week prior to the implementation of new terms and conditions. However, these notifications can sometimes be overlooked or end up in the inbox of an unavailable person. To prevent disruptions to ADE and VPP operations, it is critical to promptly accept these terms when they are updated.

In summary, this update facilitates smoother operations within the organization, allowing Administrators to accept terms on behalf of all users and providing more transparent language concerning unused Volume Content balances.
Keep a close eye on emails from Apple notifying you of upcoming changes to avoid potential disruptions.

Related Content
- Apple Business Manager, Apple Business Essentials
- Apple School Manager asks you to approve new terms and conditions

Apple Configurator 2 Enrollment

The following steps will assist you in the enrollment process for iOS devices with Apple Configurator 2 into FileWave. This guide assumes you've already set up DEP in FileWave and that your devices are assigned to an MDM server within Apple School/Business Manager. If not, please review the KB article to add devices to Apple School/Business Manager.

Prepare
Before starting, be sure you have:
- A running FileWave server with your HTTPS certificate, APN, and DEP (if using DEP) settings in the preferences completed. To set up DEP, see "VPP and DEP preferences" and "Working with Apple's Device Enrollment Program (DEP)". For HTTPS certificate and APN setup, follow the Quick Start - MDM guides for OS X or Windows, according to which OS your Admin is installed on: Apple General Settings (APN).
- Wi-Fi profile: this can be created in AC2 via File > New Profile > Wifi; alternatively, you can create this in FileWave.
- An OS X 10.11 device with Apple Configurator 2 installed.
- An iOS 7.0+ device and a lightning cable.
- Access to the ports specified below.

Network Considerations
Clients and the FileWave server need to be able to connect to each other and to Apple with the following ports:
- 20443-20445
- 2195-5223

DEP AC2 Enrollment
Make sure you've created your association in FileWave, in the DEP Association Management window under the Assistants menu (between the DEP profile and devices). Simply click and drag the devices over to the right pane, on top of the profile you created. This profile contains settings such as whether the device will be supervised, setup items, and how the device will be named.

You're now ready to work in AC2, so connect the iPad to your Mac with a lightning cable and launch AC2.
When you see the device in the Connect Device pane, left-click the device and hit the Prepare button at the top, with the gear icon. Select the Automated Enrollment option from the drop-down menu and hit Next.

You'll then need to upload a Wi-Fi profile. Hit Choose and locate the profile via Finder. When you create the Wi-Fi profile, select the "(iOS8 or later except Apple TV)" option for your WPA2 security types (Choose the Security Type).

You'll now be prompted for Automated Enrollment Credentials, which should have been created during your FileWave MDM setup using the Quick Start guides (linked to in the Prepare section at the top of this article). If you want to use LDAP authentication, you'll need to type in one set of credentials. If you have multiple devices connected, you won't be able to use a different user name/password for each device with AC2.

After you type in your credentials, hit Prepare, which will start the configuration. If you've already prepared the device, you'll be prompted to hit Restore or Stop. You must hit Restore to allow AC2 to finish the process as follows:
1. Downloading iOS
2. Unzipping iOS
3. Installing iOS
4. Downloading activation record for the iPad
5. Activating iOS on the iPad
6. Downloading and applying cloud configuration
7. Awaiting final MDM configuration

The iOS device will prompt you to "Slide to continue" at the Hello screen. Next, go through the setup options (such as Location Services) that you previously set up to enable or skip in the DEP profile in FileWave. Completing these steps will land you on the home screen of the iOS device, where you'll see the FileWave App Portal.

If you don't have auto-enrollment set up in FileWave (located in the Checked-in Clients section), go into the Admin to bring the device into the system.

Congratulations! You have now enrolled a DEP iOS device with Apple Configurator 2 into FileWave!

Non-DEP AC2 Enrollment
1. Copy the URL at the bottom of the Device Enrollment tab in the Enroll iOS Device window
(Assistants > Enroll iOS).
2. Under the AC2 Preferences, create an organization.
3. Under the Servers tab, hit the + sign at the bottom left.
4. Name the server, and then paste the Enrollment URL you got from the FileWave Enroll iOS window. Hit Save.
   Note: AC2 tries to change the URL to "DEP" instead of "device_enrollment", so after you save the server, hit the Edit button, paste the enrollment URL again, and save again.
5. You're now ready to connect the iPad to your Mac with a lightning cable and launch AC2.
6. When you see the device in the Connect Device pane, left-click the device and hit the Prepare button at the top, with the gear icon.
7. Select the Manual option from the drop-down menu and hit Next.
8. You will then be at the "Enroll in MDM Server" screen; use the drop-down menu to select the server you created in step 4.
9. On the next screen, choose whether to supervise your device. Supervision determines the amount of control you have over your device in FileWave. If you decide to start supervising the device later, the device will first have to be wiped.
10. On the Assign to Organization screen, pick the organization you created in step 2.
11. Your final task in AC2 is to configure the iOS setup screen. This will allow you to skip certain steps during the configuration on the Hello screen.
    Note: If you're planning to use the location-tracking feature in FileWave, you'll want to enable Location Services during setup.
12. Hit Prepare to start the configuration. If you've already prepared the device, you'll be prompted to hit Restore or Stop. You must hit Restore to allow AC2 to finish the process as follows:
    1. Downloading iOS
    2. Unzipping iOS
    3. Installing iOS
    4. Downloading activation record for the iPad
    Note: If you get the AC2 error "This operation couldn't be completed. (NSCocoaErrorDomain - 0x64 91000))", hit Stop and try to prepare the device again. The preparation will go more quickly this time, taking only two steps.

The iOS device will now be at the Hello screen.
Hit Next and enter the Wi-Fi details. Next, go through the setup options (such as Location Services) that you previously set up to enable or skip. You will now be prompted with "your organization can automatically configure your iOS device" and asked to apply or skip the configuration. After you hit Apply Configuration, you'll be prompted for a user name and password. This needs to be created on your FileWave server. To create a new user, use the following command on your FileWave Management Server, where [username] is the name you would like to use:

fwcontrol mdm adddeuser [username]

Then submit a password for the new user.

After you accept the Terms and Conditions from Apple, hit Get Started. The iOS device will be on the home screen. If you don't have auto-enrollment set up in FileWave (located in the Enrolled Mobile Devices section), go into the Admin to bring the device into the system.

Congratulations! You have now enrolled a Non-DEP iOS device with Apple Configurator 2 into FileWave!

Adding macOS devices to Apple Business or School Manager using Apple Configurator 2

With iOS 16 and Apple Configurator 2, it is possible to add macOS devices to ASM and ABM. This means that devices not acquired via an Apple Purchasing Account tied to an Apple account can now be added manually using Apple Configurator on an iPhone.

Requirements
- iPhone running iOS 16 or greater, with Apple Configurator 2 installed and connected to the internet
- The macOS device was never part of any Automated Device Enrollment (ADE) program, or has since been released/disowned
- The macOS device to enroll is either Apple silicon or has an Apple T2 Security Chip, and is running macOS 12.0.1+
- The macOS device to enroll is erased and not yet set up
- ASM or ABM account which has permissions to add devices, for example: Administrator, Site Manager (Apple School Manager only) or Device Enrollment Manager

If a device is already in use, it must be completely erased before commencing this process.
In this instance, all necessary data stored on the device must be backed up in advance.

Directions
1. Launch Apple Configurator on the iPhone and sign in to Apple Configurator using the required ABM or ASM account.
2. Turn on the macOS device to enroll and connect it to the network. Consider connecting the power adaptor to prevent the device from sleeping.
3. Place the iPhone next to the Mac, ready to scan the upcoming image.
4. The macOS device should display an image to capture using the iPhone.
5. On capturing the image, the device should report success and be added to the list of devices within your ABM/ASM account. Alternatively, choose 'Pair Manually' and use the code provided to complete this process.
6. When prompted with the options to Restart or Shutdown, refrain from restarting until the steps below have been completed.

Now that the device has been added to ASM/ABM, continue with the typical ADE process, explained below:
1. Assign the device to the FileWave MDM server within the ABM/ASM account.
2. Synchronize ADE from the FileWave Admin console, from either FileWave Admin > Preferences > VPP & ADE, or Assistants > ADE Association Management.
3. If there aren't any Assignment Rules set up to associate an enrollment profile, assign one manually to the new device that is now showing in the list and sync ADE again (step 2).

The device may now be enrolled into FileWave using ADE! For more information on ADE Enrollment: Automated Device Enrollment (ADE)

Adding non-macOS devices to business.apple.com (ABM) and Apple School Manager (ASM) using Apple Configurator 2.5+

What
With iOS 11 and Apple Configurator 2.5+, it is possible to add non-macOS devices to ASM and ABM. This means that devices which were not acquired via your Apple Purchasing Account tied to DEP can now be added manually by preparing the device using Configurator.
Requirements
- Device running iOS 11.0 or greater
- Device was never part of any Device Enrollment Program, or was released/disowned from the Device Enrollment Program
- ASM or ABM account with Administrator rights

For 30 days after a device is added to DEP with Apple Configurator 2.5, a user has the option to "Leave Remote Management" on the device. Clicking this option will wipe the device and disown/release it from DEP. For this reason, try to keep the device for 30 days before deployment; this will mitigate the problem of users un-enrolling the device during that 30-day period.

Step-by-step guide
1. Plug your device into the machine running Apple Configurator 2.5+.
2. Right-click the device and press "Prepare". Check the checkboxes as on the picture below. Press 'Next'.
3. Select your MDM server. Press 'Next'.
4. Select your organization. If you haven't configured one, you'll be asked to configure one (enter your ABM / ASM account credentials and sign in). Press 'Next'.
5. Choose which steps will be presented to the user in Setup Assistant. Your DEP profile will overwrite what you select in this tab. Press 'Next'.
6. Choose a WiFi profile. Press 'Prepare'. If the device is already activated, you'll be asked for permission to erase the device. After selecting "Erase" you will see screens similar to those below.
7. Once this is finished, you will have to assign the device to an appropriate MDM server in the ABM / ASM portal. Please consult Apple's DEP documentation for assistance on this process. In the DEP portal, the device will appear as follows (initially it will appear under "Devices Added by Apple Configurator 2", then will change to point to your MDM server once the assignment is made).
8. Now that the device is assigned to an MDM server, open the FileWave Admin and go to FileWave Admin → Preferences → VPP & DEP tab → under "Device Enrollment Program" at the bottom, press the "Option / Alt" key and select "Synchronize (full sync)".
9. Next you will need to assign a DEP profile to the devices.
To do this, go to Assistants → DEP Association Management and assign your DEP profile to the device.

Now you are ready to start your device from the "Hello" screen and enroll it into your FileWave server with the assigned DEP profile from step 9.

Automated Device Enrollment (ADE)

This was formerly known as the Device Enrollment Program (DEP).

Apple's Automated Device Enrolment

What
From inception known as the Device Enrolment Programme (DEP), Apple's Automated Device Enrolment (ADE) is a zero-touch enrolment method for Apple devices. This article aims to cover the generic processes.

When/Why
Typically this process is used with new devices or those that have been erased.

Registration
The basics:
- Devices purchased from a supplier signed up to Apple's programme are registered with Apple
- The FileWave MDM server is registered with Apple
- Devices are assigned to the FileWave MDM server within the Apple Business or School account: ABM or ASM

Enrolment Profile
An Enrolment Profile has options, e.g. which Setup Assistant items are shown. When an Enrolment Profile is associated with one or more devices, the Enrolment Profile is sent to Apple; differing Enrolment Profiles may be configured and associated with different devices. See: Working with Apple's Device Enrollment Program (DEP)

How

Enrolment Stages

Enrolment Profile delivery
When the device is first connected to a network, the device will initially communicate with Apple. Apple observes the identity of the device and, if there is an Enrolment Profile associated with this device, the Profile is sent to the device. Once the Enrolment Profile is delivered, it will remain on the device, even if rebooted. Only a subsequent erase of the device will remove the Enrolment Profile and cause the process to be re-triggered from scratch. A key item in the Enrolment Profile is the MDM Server URL.

Check-in
The device reads the MDM Server URL and the enrolment process can then begin.

Authentication
The next requirement after check-in is authentication.
On initial check-in, the FileWave server returns a 401 due to no authentication and then informs the device how to authenticate.
- Local Authentication: FileWave is configured with a local username and password, encrypted on the FileWave Server (default)
- No Authentication: the FileWave Server is configured to allow devices to enrol with no authentication required
- LDAP: an LDAP server, e.g. Active Directory, is configured, allowing directory users to authenticate enrolment
- IdP: Okta, Google or Entra users may authenticate enrolment

Local and No authentication are configured through the server command line; LDAP may be configured through FileWave Central, whilst IdP is configured through FileWave Anywhere.

Basic Authentication

IdP Authentication
IdP requires a special mention here due to the additional steps involved. The FileWave server informs the device of a URL to direct the authentication to: the IdP. The IdP custom authentication screen should be presented to the user and, on entering details, if successful, the IdP uses the configured redirect to contact the FileWave server and inform it of success. Redirects provided to the IdP for connection with the FileWave Server may be viewed from FileWave Anywhere, for example: the FileWave Server informs the IdP where to respond to the FileWave Server once complete. The FileWave-returned URL used to send on the code from the device will be through port 20443 and includes the auth code as a parameter within the URL.

Federated Authentication
An extension of IdP, Federated Authentication is an offering from Apple which allows Apple IDs/passwords to be synchronised with an IdP. This is configured within Apple's management portal; FileWave is not involved with this configuration. https://support.apple.com/en-gb/guide/apple-business-manager/axmb19317543/web

Working with Apple's Automated Device Enrollment (ADE)

ADE only works with devices purchased from Apple authorized sources or added via Configurator to ABM/ASM.
For information on approved devices in ADE, see the following reference: https://help.apple.com/deployment/business/

The features of ADE include:
- Zero-touch configuration: devices (iOS and macOS) can have configurations preset to take place at activation with pre-assigned applications, profiles, and settings.
- Automatic enrollment and management: devices can be configured to automatically enroll with the FileWave MDM server and receive management profiles without hands-on work by the IT staff. Devices can also be locked into management settings so the user cannot remove profiles.
- Over-the-air supervision: iOS devices can be put into supervised mode over the wireless network, providing an added layer of management control.
- Streamlined setup assistant: devices can be configured to skip certain steps in the setup assistant, preloading some settings.

ADE Workflow Overview
1. IT signs up for an ADE account (or accounts).
2. The institution purchases devices via an authorized seller.
3. IT doesn't see devices in the online ADE list until the shipping confirmation arrives from Apple (prior to that, Apple doesn't know what serial numbers are going to be shipped).
4. IT assigns the devices from the online ADE list to the FileWave MDM server by serial number (you can also assign defaults in ASM & ABM).
5. Wait for the ADE list and the FileWave MDM list to synchronize (24hr default sync, or triggered manually in the DEP UI).
6. IT assigns ADE profiles to the serial numbers of the devices prior to arrival (Automatically Assign ADE profiles).
7. Devices arrive and, at first boot, are auto-enrolled and configured as managed devices (macOS computers will auto-enroll if connected to the Internet for push notification and to the MDM server for enrollment).
For more information see: https://support.apple.com/en-us/HT204142

Configuring ADE with FileWave
This process is covered in VPP and ADE preferences.

FileWave Client for macOS ADE
The macOS computers that are being brought into FileWave through Apple's ADE require a custom FileWave client installer. To be installed via MDM, the FileWave Client .pkg needs to be signed. The supported way is to generate your package via our web site, so you can pre-configure it (https://custom.filewave.com/py/custom_client_mac.py). When you have filled in the web form, you will get an email with a download link to the custom client installer package (.pkg). Download that custom installer, then go to FileWave Admin / Preferences / Mobile to add the custom package to the FileWave server for use by macOS Clients.

"Use for initial enrollment only" is highly recommended. This means that FileWave will only attempt to install the PKG the first time a device enrolls. If it is unchecked and you upload a new PKG, FileWave will send this out via an APN immediately. This could cause existing devices to lose their configuration (like boosters).

Understanding devices and profiles for ADE
Once you have registered your FileWave Server with the ADE system, you can begin setting up your devices for automatic enrollment and management. You will be able to view a list of your devices along with certain characteristics of those devices, such as model number, color of the device, asset tag information, and serial number. You will also be able to apply a "profile" to the device. The "profile" in ADE is not the same as a management profile. Instead of a property list (plist), the ADE profile is a set of data formatted in JSON (JavaScript Object Notation) format. The profile is applied through Apple when the device is initialized.
It will contain settings that you configure, including:
- The MDM server URL
- MDM options, such as supervision and management profiles
- MDM server certificate(s)
- Pairing certificates
- Device setup assistant options

The process for setting up your devices is done through the Assistants / ADE Association Management… pane.

The ADE Associations pane looks similar to other FileWave windows, with three sections. In this case, they are:
- The Device list in the upper left, which you can filter by the different accounts devices are purchased under;
- The Profiles list in the upper right, which lists all of the profiles available to associate to devices, with the number of devices each is assigned to; and
- The Associations list on the bottom, which displays the device by serial number, the name of the profile it is associated with, and various date-time Groups showing assignment dates and times.

Security prerequisites for ADE
ADE uses Basic and Digest Authentication. Basic is for iOS v7.1(+) devices, and we implemented Digest Authentication for iOS v7.0.x devices. In order to configure your FileWave MDM server for Digest Authentication, you need to use a separate command, similar to the fwcontrol mdm adduser command used for your MDM server configuration. The command is:

sudo fwcontrol mdm adddepuser

The adddepuser command requires you to provide a user name in the command, and then to respond to the prompt to add a password for that user and confirm the password. This user name and password will be requested by the device during ADE enrollment. These commands are issued on the FileWave MDM server, either directly or remotely through terminal services.

Authentication with LDAP
If you are using LDAP and ADE, you will have to use iOS v7.1.x(+) devices. The mdm_auth.conf.example_ldap_auth file we provide is based on basic authentication, while the default uses digest.
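The settings listed above (MDM server URL, supervision and MDM-removal options, anchor and pairing certificates, setup assistant items) are what the JSON ADE profile carries. The following is an added example written for this article, not FileWave's code: it builds such a profile as a Python dict, serialises it to JSON, and lints it for the settings that weaken the posture the text describes (a user who can skip enrolment or remove MDM, an unsupervised device, unrestricted pairing, no trust anchor for the server). The key names follow Apple's Device Enrollment Program profile definition as the author knows it and should be treated as an assumption to check against Apple's current documentation; the certificate strings and setup-item set are placeholders.

```python
"""Build and lint an ADE enrolment profile as JSON (constructed example)."""
import json
from urllib.parse import urlsplit

# Setup Assistant items a profile may skip. Assumed subset of Apple's list.
SETUP_ITEMS = {"AppleID", "Biometric", "Diagnostics", "DisplayTone", "Location",
               "Passcode", "Payment", "Privacy", "Restore", "Siri", "TOS", "Zoom"}


def build_profile(*, name, mdm_url, supervised=True, mandatory=True,
                  mdm_removable=False, allow_pairing=False, skip=(),
                  anchor_certs=(), supervising_host_certs=()) -> dict:
    """Return the profile dict. Key names are assumed (see lead-in)."""
    unknown = set(skip) - SETUP_ITEMS
    if unknown:
        raise ValueError(f"unknown setup items: {sorted(unknown)}")
    return {
        "profile_name": name,
        "url": mdm_url,                       # the MDM server URL
        "is_supervised": supervised,          # "Supervise" option
        "is_mandatory": mandatory,            # "Do not allow user to skip enrollment"
        "is_mdm_removable": mdm_removable,    # "Is MDM removable"
        "allow_pairing": allow_pairing,       # "Allow pairing"
        "await_device_configured": True,
        "skip_setup_items": sorted(skip),     # Setup Assistant items to skip
        "anchor_certs": list(anchor_certs),   # Anchor Certs tab
        "supervising_host_certs": list(supervising_host_certs),  # Supervising Certs
    }


def lint_profile(profile: dict) -> list:
    """Findings for settings that loosen management of the enrolled device."""
    findings = []
    u = urlsplit(profile["url"])
    if u.scheme != "https" or not u.hostname:
        findings.append("url: MDM server URL must be https with a host name")
    if not profile["is_mandatory"]:
        findings.append("is_mandatory: user may skip enrolment in Setup Assistant")
    if not profile["is_supervised"]:
        findings.append("is_supervised: device will not be supervised")
    if profile["is_mdm_removable"]:
        findings.append("is_mdm_removable: user can remove the MDM profile")
    if profile["allow_pairing"]:
        findings.append("allow_pairing: device may pair with any host; "
                        "prefer supervising_host_certs for approved hosts")
    if not profile["anchor_certs"]:
        findings.append("anchor_certs: no trust anchor pinned for the MDM server")
    return findings


def to_json(profile: dict) -> str:
    return json.dumps(profile, indent=2, sort_keys=True)


def from_json(text: str) -> dict:
    return json.loads(text)


if __name__ == "__main__":
    lab = build_profile(name="Lab iPad", mdm_url="https://mdm.example.org:20443/mdm",
                        skip=("Siri", "Zoom"), anchor_certs=["PLACEHOLDER-PEM"])
    print(to_json(lab))
    for finding in lint_profile(build_profile(name="loose", mdm_url="http://mdm",
                                              supervised=False, mandatory=False,
                                              mdm_removable=True, allow_pairing=True)):
        print("finding:", finding)
```

Run the linter over every profile before associating it with devices; a profile that passes with no findings is one where the device cannot opt out of enrolment, cannot shed MDM through the UI, and will only trust the server certificate you pinned.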
If you have not already edited the mdm_auth.conf, then review the information in LDAP Preferences.

Configuring ADE profiles
You create ADE profiles within the ADE Associations pane by clicking on the + button in the profile section of the window. Here is a view of the ADE Profile creation window:

Information
This information will be set in the MDM profile once installed on the MDM device.

Options
These settings are for the key behaviors of the registered device:
- Do not allow user to skip enrollment step: the device must become enrolled in order to complete setup.
- Supervise (iOS only): the device will have supervision enabled.
- Is MDM removable: if unchecked, the MDM profile is locked to the device and cannot be removed by the user through the UI.
- Allow pairing: if checked, the user can pair the device with their own iTunes account to synchronize personal content.
- Automatic Advance: if checked, the Apple TV will automatically advance through the setup assistant (if you use the remote on the Apple TV, this option will be canceled).
- Enable Shared iPad: the device will be configured as a Shared iPad. Devices that do not meet the requirements ignore the option.
- Maximum number of users: sets the maximum number of users that can use a Shared iPad, based on the storage capacity. If greater than the maximum possible number of users supported on the device, the device will be configured with the maximum possible number of users instead.

Setup Assistant
Skip setup items: this allows the FileWave administrator to configure which portions of the setup assistant are made available to the end user when they configure the device. If none of the items are allowed, then the device must be pre-configured using MDM profiles with all of the appropriate settings to ensure functionality.

Account (requires client running macOS v10.11+)
A feature in ADE is the ability to create a local administrator account in advance of a user being guided through creating their own local account.
If you configure this pane with a local administrator account, then the user will be allowed to create a local account of their own, but it will be a non-admin user. The local admin account can be somewhat hidden (the home directory will still be in /Users/ but it will not show up in the Users and Groups System Preference pane). If this pane is configured with only the local account setup, the user setting up the device will be guided through setting up a local administrator account of their own.

Note: Disallowing "Local Account Setup" during ADE enrollment may prevent your machines from completing their enrollment steps unless the local administrator account logs in on the machine.

Anchor Certs & Supervising Certs
The "Certs" tabs are for adding the necessary certificates to the device to allow trusted connections and specialized pairing permissions. The FileWave MDM server certificate is automatically added to the Anchor Certs list.

Device Naming
The devices being enrolled can have a rule-based name applied. In a 1:1 deployment with users authenticating with LDAP credentials, the device name can reflect an institutionally-derived naming convention punctuated by the user's name. This function is limited to supervised iOS devices running iOS 9+ and macOS computers running 10.11+. See: ADE Naming for more information.

Activation Lock
Apple provides an anti-theft feature called Activation Lock. When wiped and activated again, the device is locked and will require an Apple ID credential to be unlocked. FileWave can ease the process by escrowing a bypass code which can be used to bypass the iCloud credentials. The code can be entered either manually or automatically, typically just before refreshing the device.

Activation Lock can be against:
- a normal Apple ID: the end user has to log in with iCloud on the device and enable Find My iPhone
- an ADE (ASM or ABM) account: in this case, the corresponding Apple ID is the Apple ID managing the ADE server.
In both cases, FileWave can escrow the key and use it to unlock the device during refresh.

You can configure Activation Lock:
- for each ADE device, at the ADE profile level
- globally, for all non-ADE devices

For ADE devices:
- No lock (AKA Disabled)
- Use iCloud
- Use your ASM/ABM account

Associations
Associating an ADE profile to a device (or set of devices) is done using the same drag & drop functions used in the other FileWave associations panes. You can drag a profile on top of a device, or select a set of devices and drag them on top of a profile. The associations will appear in the lower section of the ADE Associations window. The device will have the associated profile applied upon activation. To automate, see: Automatically Assign ADE profiles

End Result of ADE associations
The end result of associating ADE profiles to devices is that upon activation, the device will automatically become a FileWave Client with specific setup settings. You can have device Placeholders prepositioned in your FileWave Clients view, assigned to Groups, with Filesets ready to activate as soon as the device checks in.

Add or Renewing your ADE (DEP) Account Token

Description
ADE is the optimal way to enroll your Apple devices. ADE enrollment is required for countless features and management tools. Once added, you will need to renew your ADE token every year. If you're renewing your token, it's not necessary to re-upload the server certificate (steps 1, 2, 5 & 6) each time unless the cert has changed or you are receiving a FORBIDDEN error when syncing ADE.

Step-by-step guide
1. Download the ADE Certificate from FileWave Admin.
2. Save the certificate "FileWave ADE" to your desktop.
   FileWave Anywhere: Sources > ADE Accounts > '+' > Download
   FileWave Central: Preferences > VPP & ADE
3. Go to the relevant Apple ADE site, school.apple.com or business.apple.com.
4. Once signed in, go to Preferences under your account name in the bottom left of ASM/ABM.
5.
Select the MDM Server that needs to be renewed and click Edit.
6. Under MDM Server settings, 'Upload New' MDM certificate.
7. Once saved, download the token from ASM/ABM.
8. Go back to FileWave Central and upload the token.
   NOTE: At the end of this step, if any attributes have changed in the token (i.e. Server Name), note that the dialog in FileWave may not reflect the new values for 10 - 30 minutes; that is normal.

   Renewing Token
   FileWave Anywhere: In Sources, under ADE Accounts, select the ellipses next to the correct ADE account and choose 'Edit'. Select Browse and upload the Apple Token downloaded in step 7 of this document. Click Save.
   FileWave Central: In Preferences > VPP & ADE, select Configure Accounts and enter your password. Select the correct ADE account and select 'Upload new Access Token'. Upload the Apple Token downloaded in step 7 of this document and click Open. Now you can close this window.

   Adding New Token
   FileWave Anywhere: In Sources, under ADE Accounts, select the '+' to the right. Steps 1 & 2 were completed earlier, so skip down to Step 3 and upload the Apple Token downloaded in step 7 of this document. Click Save.
   FileWave Central: In Preferences > VPP & ADE, select Configure Accounts and enter your password. Select the '+' on the bottom left of the Configure Accounts window and select the token downloaded in step 7 of this document. Click Save and close the window.
9. After the token is uploaded, run a full ADE sync.

   Perform full ADE sync
   FileWave Anywhere: In the Sources tab, select the Sync icon next to ADE Account and choose Full Sync.
   FileWave Central: Go to Preferences > VPP & ADE. While holding down the option/alt key, press 'Synchronize (full sync)'.

You're all set! If you renewed your token, you should see a new expiration date. If you added a new token, you can learn more about managing your devices with ADE and FileWave here: Apple ADE Enrollment.
ADE Naming

This article is for individuals who want to customize the naming of ADE (formerly known as DEP) devices. It covers placeholders and their ability to accept a name, as well as using custom and built-in strings in the ADE profile. Placeholders are most useful for new incoming devices where the name is highly customized, and where you want to use additional attributes like custom fields.

Placeholders

Step-by-step guide
1. Generate a text file, ideally with serial numbers as one column and the custom name as the other. See Importing Computer Clients from a file and Enrolling Computer Clients.
2. Import any custom field values if needed. See Custom Fields: Importing CSV for more information.

Variables in the ADE profile

Step-by-step guide
1. Generate an ADE profile. See Working with Apple's Device Enrollment Program (ADE).
2. In the Naming tab of the ADE profile you can use any:
   - Built-in inventory variables (for a list of variables see Using variables in Apple iOS/macOS Profiles)
   - Custom inventory variables, using the %custom_field.INTERNAL_NAME% syntax (see more at Custom Fields)
3. It is also recommended that you create an automatic ADE rule to only assign this profile to devices that have the variables set: see the example in Automatically Assign ADE profiles.

FileWave Foundry Video

Sign into FileWave Foundry and watch a video here regarding ADE Naming.

Apple ADE - MDM Certificate vs. MDM Trust Chain

What

For ADE/DEP enrollments there are certificates that go in the enrollment profile. In FileWave 16.2.0 we have made a change to what is included in that profile by default.

When/Why

We've had some support issues where customers would see ADE/DEP profiles duplicate. Investigation found that, because of the way we included the certificates, we would sometimes have to update the profiles when certain things happened, such as renewing your SSL certificate.
After investigation with Apple we found that our method was very secure, but created complexity that could be avoided. The root cause of DEP profile duplication is that we add the MDM server certificate to the ADE profile, which is the most secure option (the device checks that the MDM server presents the same certificate as the one in the ADE profile), but it requires us to recreate profiles whenever the certificate is renewed.

How

In FileWave 16.2 we are changing what we include in the ADE/DEP enrollment profiles by default. There is a new setting to only add the trust chain (parent certificates), so enrollment will work, but the device will not verify that the server's certificate is the one in the profile (the certificate must still be valid, but the device won't verify it is the same certificate). It is a bit less secure, but still secure (unless someone has a way to obtain their own certificate for your FQDN). This allows us to stop recreating ADE profiles each time certificates are renewed, because it is no longer required.

You'll find the setting in Central's Preferences as shown in the image below. It is in the VPP & ADE tab. We recommend leaving it on MDM Trust Chain to avoid duplication of ADE/DEP enrollment profiles. We have left the MDM Certificate option available in case a customer has a security requirement for it, but be aware that it can result in profiles being duplicated when you update your SSL certificates if you change it to MDM Certificate.

Related Content
- Automated Device Enrollment (ADE)

Automatically Assign ADE profiles

Starting in FileWave version 13.1.0 you have the ability to automatically assign ADE (formerly known as DEP) profiles to devices.

Step-by-step guide

Start by opening the ADE Profiles UI (Assistant → ADE Association Management), and verify you have profiles created. It is recommended that you have a highly generic rule that will work with all iOS and macOS devices, and then profiles for your specific situations.
Assign Default Rule
1. Open the "Edit Assignment Rules" UI
2. Choose a Default ADE Profile (Figure 1.1)
3. Hit OK to save it

You can then choose between creating rules on simple things or advanced things:

Assign based on model/operating system (Simple)
1. Open the "Edit Assignment Rules" UI
2. Hit the [+] to create a new profile rule
3. Select your default profile for an OS (iOS in this example)
4. Drag the ADE Devices / Operating System component from the left into the Criteria
5. Set to "Contains" : "iOS" (see Figure 2.1)
6. Save
7. Repeat again for "OS X" and "tv" as needed

Assign based on custom fields (Advanced)
1. Create Custom fields (in this example "usage" and "location"). See Custom Fields for more information.
   - Use: Provided: Admin, Type: string, Restricted: True, Values: None (DEFAULT), Faculty, Student, Administration (see Figure 3.1)
   - Location: Provided: Admin, Type: string, Restricted: True, Values: None (Default), Site A, Site B... (Figure 3.2)
2. Take note of the "Internal Name" from the custom fields
3. Open the ADE UI
4. Hit the [+] to create a new ADE profile
5. Use the internal name in naming (see Figure 3.3). See ADE Naming for more information.
6. Open the "Edit Assignment Rules" UI
7. Hit the [+] to create a new profile rule
8. Select the profile you just created
9. You will now see the Custom Fields component on the left Component list. Open it, bring in location and use, and set them both to "is not None" (Figure 3.4)

Excluding serials from Auto Rules

You will notice a column named "Excluded from automatic assignment" with True or False (Figure 4.1).

Figure 4.1 - Exclude Column

- true - Device will not be included in automatic rules. Note: "true" is NOT applicable when manually clicking the "Apply Assignment Rules" button; when that button is clicked, all rules will be applied for any selected devices (after a confirmation prompt). Selecting no devices implies ALL devices are selected.
- false - Devices will be included in automatic rules, both automatically and when "Apply Assignment Rules" is triggered.

"true" is the default for devices that were in your ADE list before an upgrade to 13.1, to protect those devices from changing before you have built new rules.

Figure 1.1 - Default Rule
Figure 2.1 - iOS Simple Rule
Figure 3.1 - Custom Use
Figure 3.2 - Custom Location
Figure 3.3 - Custom Naming
Figure 3.4 - Custom Name Rule

Control Await Configuration state (ADE enrolled devices)

What

When Apple devices are enrolled via the Device Enrollment Program (DEP), now known as Automated Device Enrollment (ADE), they enter an "Await Configuration" state during the initial setup. In this mode, the user cannot interact with the device until the configuration process is complete, ensuring that devices are properly set up according to organizational policies before they are handed over to end users.

Starting with FileWave 15.5.0, administrators have enhanced control over this process. You can now specify when a device is released from the "Await Configuration" state, rather than having FileWave automatically release it as soon as possible. This provides greater flexibility and control over the deployment and configuration of devices.

Supported Devices and OS Versions:
- iOS Devices: iPhone and iPod touch running iOS 11 or later; iPad running iOS 11 or later (before the introduction of iPadOS).
- iPadOS Devices: iPad running iPadOS 13 or later.
- macOS Devices: Mac computers running macOS 10.13 High Sierra or later.
- tvOS Devices: Apple TV running tvOS 11 or later.

This feature is applicable to all the above device types enrolled via DEP/ADE and managed through FileWave 15.5.0 or later.

When/Why

Use this feature when you need devices to remain in the "Await Configuration" state until all necessary configurations, apps, and policies are fully deployed.
This is particularly beneficial in scenarios where:
- Security Compliance: Ensuring that all security measures are in place before the device becomes operational.
- Standardization: Guaranteeing a consistent user experience by applying all organizational settings prior to device use.
- Controlled Deployment: Managing the timing of device readiness, especially in large-scale rollouts or staged deployments.

By controlling the release of the device, you enhance security, ensure compliance with organizational policies, and provide users with a fully configured device from the moment they begin using it.

How

When enrolled via ADE, devices are in a specific mode where the user is not allowed to interact with the device; they stay in this state until configuration is over. By default, FileWave releases the device as soon as possible to shorten initial setup times. FileWave 15.5 now allows controlling when the device is released:
- Edit the ADE Profile used for enrolling your devices, go to the Options tab and check "Do not allow devices to complete Setup Assistant without FileWave approval". Devices will then not finish setup until they are released.
- When creating a Profile to release devices, as shown in the image below, there is a checkbox under Command Policy -> Security -> "Allow devices waiting for configuration to complete the Setup Assistant"; if a profile with this set is sent, it releases the devices from setup so they can be used.
- It is also possible to send the Device Configured command manually (context menu) by right-clicking one or more devices in FileWave Central and picking MDM -> Send Device Configured Command.

Devices will report their "Awaiting Configuration" state so that you can check on a device, or make a Query to report on many devices and track whether they are still in the setup process.
Related Content
- Automated Device Enrollment (ADE)
- Apple ADE Enrollment

Digging Deeper

The introduction of this feature in FileWave 15.5.0 provides administrators with enhanced control over the device enrollment and configuration process. By keeping devices in the "Await Configuration" state, you can ensure that:
- All Required Configurations are Applied: Devices won't be accessible to users until every necessary app, profile, and setting is installed.
- Improved Security: Prevents users from accessing the device with incomplete security policies, reducing potential vulnerabilities.
- Customized Deployment Workflow: Aligns device readiness with organizational schedules, training sessions, or specific events.

Automating the Release Process

Using Command Policy Filesets to send the Device Configured command allows for automation based on specific triggers or conditions, such as:
- Time-Based Triggers: Release devices at a specific time as set in the Association or Deployment properties.
- Configuration Completion: Automatically release once all deployments are confirmed as installed.
- Event-Based Triggers: Release devices in batches aligned with department needs or project phases.

Considerations
- User Experience: Communicate with end users about the deployment timeline to manage expectations.
- Testing: Before wide-scale implementation, test the process with a small group to ensure configurations apply as intended.
- Monitoring: Utilize FileWave's monitoring tools to track the status of devices in the "Await Configuration" state.

By leveraging this feature, organizations can enhance their deployment strategy, ensuring devices are secure, compliant, and fully configured right out of the box.

Apple TV Automatic Advance (ADE/DEP)

Description

This recipe will walk you through the steps of enrolling an Apple TV HD 4th gen into FileWave with ADE (formerly known as DEP) utilizing the Automatic Advance setting.
This setting is only available if you are using an Apple TV HD 4th gen and FileWave v12. A wired connection is recommended for automatic enrollment. In the steps below, remember not to set up the Apple TV manually in any way or the Automatic Advance feature will not work. This includes pairing the remote. Touching anything stops the process.

Ingredients
- ADE setup
- Ethernet Cable
- USB 3 Cable

Directions
1. Go to the Assistants menu -> ADE Association Management. This opens the ADE Associations window.
2. Fill out as much of the profile as you need in the Options, Setup Assistant, and Device Naming tabs. At the very least you will need to have the Automatic Advance option set. Please note: if you do not set up the Device Naming tab, it will default to the serial number.
3. Save the profile and assign it to your devices. All you have to do is find your Apple TV(s) on the left pane, find your profile on the right, then click, drag, and drop. You will see the association(s) in the bottom pane.
4. Now plug your Apple TV(s) into power and ethernet. If you are going to attach it to a TV/Monitor at this point, remember not to pair the remote or go through any of the prompts. The settings you set up will automatically advance through all of those for you, but will not if you do any setup at this point.
5. When the Apple TV(s) is at the Pair your Remote prompt, it will wait 19 secs or so and then the device will auto advance through all prompts.
6. After the Apple TV(s) has completed the setup, you can bring it into FileWave as you would any other mobile device through the Admin.

DEP Notify - How to provide progress visibility during ADE activation (macOS)

New to the Automated Device Enrollment (ADE) process? Do you have a crate full of macOS devices that need to be prepared and issued to end users? Did this need to happen yesterday? The world of ADE device provisioning has been a great help and has improved the speed at which devices can be issued to end users.
Gone are the days of monolithic imaging! Long live ADE! But what is happening when a macOS device is going through the Setup Assistant process? Want some visibility on what is being installed during device activation?

Traditionally, when a device goes through the ADE assistant, any number of applications can be deployed to the device. The problem with this approach is that there is no indication given to the end user as to what is happening during this time interval. To an end user, it could appear that there is a problem with the device, and they may create support tickets to your Help Desk on the subject. To avoid that, we need to provide some visual indication of what is happening behind the scenes during this setup time. To do so, we will leverage two separate open source projects in use in the Mac community, namely InstallApplications and DEPNotify.

FileWave, by default, will provision an ADE device, enroll it into the MDM server, then deploy the custom macOS client to the device. The process looks something like this:

We need to instruct the FileWave server to deploy the open source package InstallApplications first, so that we can set up the DEPNotify package and get feedback with all the great logging information that FileWave gives via its client log. The modified process looks something like this:

Step-by-step guide

Create, configure, and deploy the InstallApplications package

Create bootstrap.json
1. Visit Erik Gomez's blog to get a practical example of configuring InstallApplications as well as some history and background on the project.
2. Visit Erik Gomez's github site and download the latest code. For the purposes of this document, I have used version 1.1.
3. Follow the instructions on the above site to configure your bootstrap.json file. Also, see the section below "Generating your bootstrap.json" for a simple example to get started with.
To make troubleshooting easier, configure one or two packages in your bootstrap.json and ensure your packages are downloading correctly and your InstallApplications launch agent and launch daemon work successfully. If you have too many packages defined, it may be more difficult to determine where your configuration problem lies.

Generate your bootstrap.json with the generatejson.py script on Erik's site, which automatically generates the SHA256 hashes for you. Once you have the bootstrap.json file generated (below is a sample bootstrap.json), you will need to host it somewhere (like your FileWave server) in order for the macOS client to download it during DEP activation.

bootstrap.json

    {
      "preflight": [],
      "setupassistant": [
        {
          "file": "/some_path/DEPNotify_installer.pkg",
          "url": "https://:20443/some_folder/DEPNotify_installer.pkg",
          "packageid": "com.package.depnotify",
          "version": "1.0",
          "hash": "some_long_hash",
          "name": "DEPNotify",
          "type": "package"
        },
        {
          "file": "/some_path/FileWave_installer.pkg",
          "url": "https://:20443/some_folder/filewave_installer.pkg",
          "packageid": "com.package.filewaveinstaller",
          "version": "1.0",
          "hash": "some_long_hash",
          "name": "FileWave Client",
          "type": "package"
        }
      ],
      "userland": [
        {
          "file": "/some_path/EnergySaver.py",
          "url": "https://:20443/some_folder/EnergySaver.py",
          "hash": "some_long_hash",
          "name": "Energy Saver Profile",
          "type": "rootscript"
        }
      ]
    }

Note: In the above bootstrap.json, the preflight stage is required, even if it is empty. If you don't have it defined, the script will error out (01/20/2018).

Hosting and Serving your packages via the FileWave Server (Linux)

To serve packages from FileWave, we will need to modify the httpd_custom.conf file for Apache.
To do this:
1. On the FileWave server, open "/usr/local/filewave/apache/conf/httpd_custom.conf" and add the following:

    Alias /custompkg /usr/local/filewave/custompkg
    <Directory /usr/local/filewave/custompkg>
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

2. Restart Apache with "fwcontrol apache restart".
3. Create the folder "custompkg" within /usr/local/filewave/. This will be the storage location for all of the packages that you defined in your bootstrap.json file.

Testing the InstallApplications workflow outside of the ADE activation process

Testing the InstallApplications workflow outside of the ADE workflow will save you time. To do this, execute installapplications.py using the following command line on any macOS test device, such as a VM:

Launching installapplications.py manually

    sudo python /Library/Application\ Support/installapplications/installapplications.py --jsonurl https://:20443/bootstrap.json

There is also an option to skip the validation of the bootstrap.json file. Use this option to include the bootstrap.json in the installapplications package rather than download it via URL.

    sudo python /Library/Application\ Support/installapplications/installapplications.py --jsonurl https://:20443/bootstrap.json --skip-validation

It turns out that installapplications.py really doesn't like URLs that redirect. So, if you want to use a file hosting site like Dropbox, etc., think again. You may choose to host all the files on github and then convert them to raw links using rawgit.com; these links do not seem to redirect and worked fine for downloading installer packages via installapplications.py. Alternatively, you can choose to serve these files directly from your FileWave server.
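Before hosting a bootstrap.json, it is worth checking it the way installapplications.py will read it. The script below is an added example (not code from this article or from the InstallApplications project): it enforces the structural rules described above (the preflight stage must exist even if empty; each staged item carries file, url, hash, name and type; packages also carry packageid and version) and recomputes the SHA256 of every staged file, so a stale or tampered package is caught before it is served to devices during ADE activation. The hostname and file contents are constructed placeholders.

```python
"""Validate an InstallApplications bootstrap.json before hosting it.

Added example, not code from the original article or the InstallApplications
project. Hostnames and file contents are constructed placeholders.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

REQUIRED_STAGES = ("preflight", "setupassistant", "userland")
COMMON_KEYS = {"file", "url", "hash", "name", "type"}
PACKAGE_KEYS = COMMON_KEYS | {"packageid", "version"}
KNOWN_TYPES = {"package", "rootscript"}  # the two item types the article uses


def sha256_of_file(path: str) -> str:
    """Hex SHA256 of a file, read in chunks so large .pkg files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def validate_bootstrap(bootstrap: Dict, check_files: bool = True) -> List[str]:
    """Return a list of problems; an empty list means the manifest is usable."""
    problems: List[str] = []
    for stage in REQUIRED_STAGES:
        if stage not in bootstrap:
            problems.append(f"missing stage '{stage}' (required even if empty)")
    for stage in REQUIRED_STAGES:
        for idx, item in enumerate(bootstrap.get(stage, [])):
            where = f"{stage}[{idx}]"
            needed = PACKAGE_KEYS if item.get("type") == "package" else COMMON_KEYS
            missing = needed - set(item)
            if missing:
                problems.append(f"{where}: missing keys {sorted(missing)}")
                continue
            if item["type"] not in KNOWN_TYPES:
                problems.append(f"{where}: unknown type '{item['type']}'")
            # The script downloads every file; insist on TLS for the transport.
            if not item["url"].lower().startswith("https://"):
                problems.append(f"{where}: url is not https")
            if not check_files:
                continue
            if not os.path.isfile(item["file"]):
                problems.append(f"{where}: file not found: {item['file']}")
            elif sha256_of_file(item["file"]) != item["hash"].lower():
                problems.append(f"{where}: SHA256 mismatch for '{item['name']}'")
    return problems


def build_demo_manifest() -> Dict:
    """Constructed sample: one correct package, one stale hash, one plain-http URL."""
    workdir = tempfile.mkdtemp(prefix="bootstrap-demo-")
    staged = os.path.join(workdir, "DEPNotify_installer.pkg")
    with open(staged, "wb") as fh:
        fh.write(b"constructed placeholder bytes, not a real installer package\n")
    base = "https://filewave.example.invalid:20443/custompkg/"  # placeholder host
    return {
        "preflight": [],
        "setupassistant": [
            {"file": staged, "url": base + "DEPNotify_installer.pkg",
             "packageid": "com.package.depnotify", "version": "1.0",
             "hash": sha256_of_file(staged), "name": "DEPNotify", "type": "package"},
            {"file": staged, "url": base + "filewave_installer.pkg",
             "packageid": "com.package.filewaveinstaller", "version": "1.0",
             "hash": "0" * 64, "name": "FileWave Client", "type": "package"},
        ],
        "userland": [
            {"file": staged, "url": base.replace("https://", "http://") + "EnergySaver.py",
             "hash": sha256_of_file(staged), "name": "Energy Saver Profile",
             "type": "rootscript"},
        ],
    }


if __name__ == "__main__":
    for problem in validate_bootstrap(build_demo_manifest()) or ["manifest OK"]:
        print(problem)
```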
Configure the InstallApplications LaunchDaemon and LaunchAgent

LaunchDaemon: Edit payload/Library/LaunchDaemons/com.erikng.installapplications.plist

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.erikng.installapplications</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/bin/python</string>
            <string>/Library/Application Support/installapplications/installapplications.py</string>
            <string>--jsonurl</string>
            <string>https://:20443/custompkg/bootstrap.json</string>
            <string>--depnotify</string>
            <string>DEPNotifySkipStatus</string>
            <string>Command: WindowTitle: Welcome to your Mac!</string>
            <string>Command: NotificationOn:</string>
            <string>Command: Quit: Thanks for your patience while we setup your new mac.</string>
            <string>Command: WindowStyle: ActivateOnStep</string>
            <string>DEPNotifyPath: /Applications/Utilities/DEPNotify.app</string>
            <string>DEPNotifyArguments: -filewave</string>
            <string>--skip-validation</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>StandardOutPath</key>
        <string>/var/log/installapplications.log</string>
        <key>StandardErrorPath</key>
        <string>/var/log/installapplications.log</string>
    </dict>
    </plist>

In the above example, I left the reboot and fullscreen options disabled, but feel free to adjust this according to your needs.

LaunchAgent: There was no need to adjust this, but if you wish to customize the InstallApplications bundle ID, you will have to edit this file.

Signing your InstallApplications package

Prerequisite: Membership in Apple's Developer Program

Use a package creation utility to generate the .pkg for installapplications. One tool to use is Apple's command line pkgbuild, for example:

    pkgbuild --identifier com.erikng.installapplications --root InstallApplications.pkg

Only distribution style packages are supported, so to convert from a flat package to a distribution package:

    productbuild --package InstallApplications.pkg InstallApplicationsDistr.pkg

To sign the distribution package:

    /usr/bin/productsign --sign "Developer ID Installer: (XXXXXXXX)" InstallApplicationsDistr.pkg FileWaveClientInstaller.pkg

To check your signing, you can issue:

    pkgutil --check-signature FileWaveClientInstaller.pkg

The above command should return "Status: signed by a certificate trusted by Mac OS X". Test the "InstallApplications.pkg" thoroughly on a test Mac before attempting to deploy it via the ADE Setup Assistant.
Steps for deploying your signed InstallApplications.pkg using FileWave

Instead of deploying the macOS custom pkg, you will be deploying the InstallApplications.pkg. If you are currently deploying the custom FileWave client in your ADE workflow as the starting point, I highly recommend testing this workflow on a test server before deploying to production. The deployment scenario below assumes that we are running FileWave on the Linux appliance and have NEVER previously deployed the custom FileWave client before using the InstallApplications ADE workflow.

1. Open an ssh connection to your FileWave server:

    $ ssh root@

2. Run a complete backup of your FileWave server.
3. Back up the current ADE macOS installer package:

    $ cd /usr/local/filewave/fwcld
    $ mv FileWaveClient.pkg FWClient_old.pkg

4. Copy your signed InstallApplications.pkg from your Mac to the /usr/local/filewave/fwcld folder on your FileWave server, renaming it at the same time:

    $ scp /InstallApplications.pkg root@yourfilewaveserver.com:/usr/local/filewave/fwcld/FileWaveClient.pkg

5. Remove the MD5 hash of the old FileWave macOS custom pkg from the database. The query below should affect one row only.

    $ /usr/local/filewave/postgresql/bin/psql mdm django -c "DELETE from ios_preferences WHERE key = 'dep_osx_package_md5';"

6. Set the MD5 checksum and version of the "FileWaveClient.pkg" (really now the InstallApplications package disguised as the FileWave client package).
macOS FileWave Server:

    # sudo /usr/local/filewave/python/bin/python /usr/local/filewave/django/manage.pyc shell
    >>> from ios.fwcld_utility import get_package_sha256; get_package_sha256(force=True)
    >>> from ios.preferences_manager import PreferencesManager; PreferencesManager.set_dep_osx_package_version("14.0.3")
    >>> exit()
    # fwcontrol server stop
    # fwcontrol server start

Linux FileWave Server:

    # sudo /usr/local/filewave/python/bin/python /usr/local/filewave/django/manage.pyc shell
    >>> from ios.fwcld_utility import get_package_sha256; get_package_sha256(force=True)
    >>> from ios.preferences_manager import PreferencesManager; PreferencesManager.set_dep_osx_package_version("14.0.3")
    >>> exit()
    # fwcontrol server stop
    # fwcontrol server start

Command to execute to generate the new MD5 for the "fake" Custom Client (InstallApplications.pkg):

    >>> from ios.fwcld_utility import get_package_md5; get_package_md5(force=True)

This will generate a result like:

    ['70c829ddd9bd2aeafbe07fdd35f91c03']

Command to set the new "version" of the package:

    >>> from ios.preferences_manager import PreferencesManager; PreferencesManager.set_dep_osx_package_version("12.7.1")

Exit the psql shell with "\q". Restart the FileWave server:

    fwcontrol server restart

Result

During Setup Assistant, you will no longer get the custom FileWave client delivered first. The FileWave client will be installed by the InstallApplications script, along with any other crucial application or setup file that is needed (such as the Energy Saver) during ADE provisioning. Once the FileWave client is on the device, all other associated Filesets can be deployed according to the needs of the end user.

Minimum OS version for enrolling Apple devices via ADE

What

MDM servers have the ability to enforce a minimum operating system version on enrolling devices when using Automated Device Enrollment (ADE). This feature was added in FileWave version 15.1.0 for macOS 14.0 Sonoma and iOS/iPadOS 17.0.
Apple does not support this feature on older versions of macOS or iOS/iPadOS.

When/Why

The minimum OS version setting ensures that devices are on the necessary OS version before being put into production. The MDM sends a JSON 403 response when the device requests the enrollment profile. If the minimum operating system version is required, the user is guided through a process of updating the device. Restarts are performed automatically. Once completed, the device returns to Setup Assistant and the user can finish the enrollment and setup process.

How

Support for minimum OS version was added with FileWave 15.1.0. To specify minimum OS versions, open the DEP profile and go to Options → Requirements. There are separate fields for the macOS and iOS/iPadOS minimum OS versions. Supplemental version identifiers can be specified in addition to the standard MAJOR.MINOR.PATCH format (for example "17.1 (a)").

What is displayed on the device?

When the MDM server requests a minimum OS version, a specific dialog appears on the device.

For macOS:

For iPadOS:

If a macOS device cannot install the requested OS version, the following dialog appears:

On iPadOS there is no specific dialog in this case; the "Next" button is simply greyed out and cannot be passed.

Related Content
- Automated Device Enrollment (ADE)

Digging Deeper

MachineInfo from the device is parsed on the server side during DEP profile handling. If it contains the MDM_CAN_REQUEST_SOFTWARE_UPDATE flag and it is True, the minimum OS version specified in the DEP profile is compared with OS_VERSION from MachineInfo according to the device type (macOS or iOS/iPadOS). A software update request is sent to the device by the MDM server in two cases:
- the current OS version is less than the minimum OS version;
- the current OS version equals the minimum OS version, but the current supplemental version identifier is less than the required supplemental version identifier.
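The comparison above is easy to get wrong at the supplemental-identifier boundary, so here is the decision modelled in code. This is an added example, not FileWave's server code: OS_VERSION and MDM_CAN_REQUEST_SOFTWARE_UPDATE are the MachineInfo keys the article names, while the key carrying the supplemental identifier (SUPPLEMENTAL_OS_VERSION_EXTRA), the platform argument and filling the 403 body's OSVersion with the required minimum are assumptions; the sample devices are constructed.

```python
"""Minimum-OS check for an ADE enrolment request, modelled on the server-side
logic described in the article. Added example; not FileWave's code.

Versions use MAJOR.MINOR.PATCH with an optional supplemental identifier in
parentheses, e.g. "17.1 (a)". Sample MachineInfo dictionaries are constructed.
"""
import json
import re
from typing import Dict, Optional, Tuple

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:\(\s*([A-Za-z0-9]+)\s*\))?\s*$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """'17.1 (a)' -> ((17, 1, 0), 'a'); short versions are padded to 3 parts."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unparseable OS version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]), (match.group(2) or "").lower()


def needs_software_update(current: str, minimum: str) -> bool:
    """The two cases from the article: the base version is lower, or the base
    version is equal and the supplemental identifier is lower ('' < 'a')."""
    cur_base, cur_supp = parse_version(current)
    min_base, min_supp = parse_version(minimum)
    if cur_base < min_base:
        return True
    return cur_base == min_base and cur_supp < min_supp


def enrollment_response(machine_info: Dict, minimums: Dict[str, str],
                        platform: str) -> Optional[Dict]:
    """Return the 403 JSON body to send, or None to let enrolment continue.

    minimums maps 'macos' / 'ios' to the DEP profile's Options -> Requirements
    values; platform is the device type derived from MachineInfo (assumed to be
    passed in by the caller).
    """
    required = minimums.get(platform)
    if not required:
        return None  # no minimum configured for this device type
    if not machine_info.get("MDM_CAN_REQUEST_SOFTWARE_UPDATE", False):
        return None  # older OS: Apple does not support the update request
    current = machine_info["OS_VERSION"]
    extra = machine_info.get("SUPPLEMENTAL_OS_VERSION_EXTRA", "")  # assumed key name
    if extra:
        current = f"{current} ({extra.strip('() ')})"
    if not needs_software_update(current, required):
        return None
    # OSVersion is assumed to carry the required minimum; the article elides it.
    return {"code": "com.apple.softwareupdate.required",
            "details": {"OSVersion": required}}


if __name__ == "__main__":
    # Constructed sample: an iPad on 17.0.3 against a profile requiring 17.1 (a).
    sample = {"OS_VERSION": "17.0.3", "MDM_CAN_REQUEST_SOFTWARE_UPDATE": True}
    print(json.dumps(enrollment_response(sample, {"ios": "17.1 (a)"}, "ios")))
```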
The software update request from the server is a 403 response with the following JSON body:

    {
      "code": "com.apple.softwareupdate.required",
      "details": {"OSVersion": }
    }

In this case enrollment is interrupted by the dialogs mentioned above.

Test macOS ADE (DEP) Enrolments with a Virtual Machine

Description

Testing macOS device enrolments can be very time consuming, since a device must be erased and the OS reinstalled on each attempt. A Virtual Machine (VM) may be used to substantially reduce the amount of testing time. Although VMware has been used in this example, other virtualisation software could be used, e.g. Parallels.

Requirements
- Copy of VMware Fusion
- macOS installer, e.g. Install macOS High Sierra.app, or VMware Fusion installed on a relevant macOS device
- A registered macOS device serial number and optionally a Model Identifier, e.g. MacBookPro15,1

Obtain a serial number for a device that is registered in ABM or ASM. Any one serial number should only occur once in FileWave. Therefore, if there is an old or broken device which is registered in ABM/ASM, consider using the serial number from this device; otherwise a serial number from a usable, physical device will need to be taken, meaning that physical device cannot otherwise be used within FileWave. Mactracker may be used to show the Model Identifier of devices, since ASM/ABM only provides the Model Name.

Directions
- Use VMware Fusion to create a new image from disc and use the macOS installer app, or choose to create an image from the recovery partition.
- Once completed, do not hit Play. Instead, locate the virtual machine in Finder. If the VM starts, shut it down before continuing.
- From the Virtual Machine Library, right-click and choose Show in Finder.
- From Finder, right-click the highlighted VM and choose 'Show Package Contents', or use Terminal to navigate inside this VM.
- Locate the file with a .vmx extension and choose an editor to edit this .vmx file.
- Two lines need to be added as below.
Replace Serial Number and Model Identifier as appropriate (remove the brackets, but keep the quotes):

    serialNumber = "[Serial Number]"
    hw.model = "[Model Identifier]"

- Now Play the VM.
- Select the language and, once the option to re-install the operating system is shown, choose Utilities and then Terminal.
- Type the following line to confirm that the VM has the appropriate serial number:

    ioreg -l | grep "IOPlatformSerialNumber"

- Quit Terminal and choose to re-install the operating system.
- Have a cup of tea!
- Disable network settings at the earliest allowable moment, before the device comes back up and finalises the installation.
- Snapshot the VM when the Choose Language prompt is shown.

A device receives an associated ADE profile before the option to select the language appears after installing the operating system. Once in place, the device will maintain this profile across reboots. If the network is not disabled before receiving the Enrolment profile, then subsequent changes to the associated Enrolment profile, or assigning a new ADE profile, will have zero impact on a fresh Enrolment; the original Enrolment settings will continue to apply. By disabling the network before the Enrolment profile is in place and then taking the snapshot, multiple Enrolment profiles or changes may be tested with each restore of the snapshot. On each restore, the network will need to be enabled again.

Tested on VMware Fusion 10, 11 and 12.

ADE Troubleshooting

Apple Automated Device Enrollment (ADE), formerly known as DEP, is a service provided by Apple that allows organizations to easily deploy and manage iOS, iPadOS, macOS, and tvOS devices. It streamlines the initial setup and configuration process for large-scale device deployments, making it easier for businesses, educational institutions, and other organizations to integrate Apple devices into their workflows.
Correct ADE Workflow

Figure 1.1 - ADE Workflow

1. Device activates to Apple (see ports: Default TCP and UDP Port Usage)
   - Device is not in ADE - Apple responds with done - Setup Assistant skips enrollment
   - Device is in ADE - Apple responds with enrollment ownership info
2. Apple sends the ADE profile to the device (See: Working with Apple's Automated Device Enrollment (ADE))
3. Device installs the ADE profile, which makes it reach out to the FileWave MDM server
4. Device MDM enrolls
5. (if macOS) Device then installs the macOS PKG

Things to Test

Check the connectivity
- Check the Default TCP and UDP Port Usage KB article for the needed ports. You can download a FileWave port testing tool from https://supportresources.filewave.com/
- Get a device (like a laptop) onto the same Wi-Fi that the devices enroll with.
- Try enrolling iOS/iPadOS devices with ethernet or a mobile hotspot to see if network restrictions are blocking traffic. You can get devices to join ethernet by building an adapter using:
  - Apple's "Lightning to USB 3 Camera Adapter" (the one with a female USB and another lightning port)
  - Apple's "Apple USB Ethernet Adapter"
  - A USB charger supplying 2+ amps of power
  Plug in the device and make sure you get a link light.

Check the profile

Because these profiles are stored with Apple for the devices, when new options become available in ADE profiles FileWave can't just auto-update existing ones. If you have upgraded your FileWave instance recently, you might want to create a new one and change your auto assignment rules (Automatically Assign ADE profiles). Do not duplicate an existing profile.

DEP/ADE Forbidden Error

Description

On creating an ADE (formerly known as DEP) Association, or from any other ADE synchronisation action, the following error may be observed:

    DEP error: Forbidden

The most likely causes are:
- Server SSL certificate change. Check Preferences > Mobile tab to ensure the server SSL certificate is not revoked or expired.
- A change to the external IP address of the FileWave Server. Apple stores the external IP of the FileWave Server from the last successful contact. If this differs at the time of a synchronisation, the action will fail and the ADE Server Token will need to be replaced. The stored IP may be observed from the relevant ADE account (Apple Business Manager or Apple School Manager): the Last Date and IP Connected may be seen from the Settings view; select the MDM Server and choose Edit.

Requirements
- FileWave MDM
- ADE Certificate

Resolution

A Forbidden error requires the token to be replaced, not updated.

1. From FileWave Admin > Preferences > VPP & ADE: choose 'Download certificate' (requires fwadmin password) to save the certificate.
2. From the relevant Apple ADE account (Apple Business Manager or Apple School Manager):
   - Select 'Settings'
   - Highlight the MDM server from the list and choose Edit
   - Select 'Upload New...' and select the saved downloaded file from above
   - When prompted, select to download the ADE Server Token
3. From FileWave Admin > Preferences > VPP & ADE:
   - Click 'Configure Accounts' (requires fwadmin password)
   - Select the Forbidden token and use the '-' button to remove that token
   - Select the '+' button to select the ADE Server Token downloaded from Apple
4. Run an ADE Synchronisation Full Sync (hold down ALT (macOS), Option (Windows), then select to synchronise; the name of the button will change).

At this stage synchronisation should now be successful.

If the ADE Server Token is currently configured in the Education tab of Preferences, this association will need to be removed prior to removing the ADE token, but may be re-added afterwards.

Volume Purchase Program (VPP)

Apple's Volume Purchase Plan and License Management

What is VPP?

VPP, or more formally, Apple's Volume Purchase Program, is a mechanism by which an organization or institution can purchase macOS and iOS applications and books in bulk and provide these to their end users.
The process revolves around creating a VPP administrator account, creating one or more VPP facilitator accounts, enrolling devices into the MDM (mobile device management) system, and assigning applications and books to the end users. More details on Apple's requirements and capabilities with VPP are available at the following two URLs:

http://help.apple.com/deployment/ios/
https://help.apple.com/deployment/macos/

VPP is supported in FileWave for both iOS and macOS. There are two mechanisms for assigning applications and books to clients: redeemable codes and managed distribution licenses. Redeemable codes provide a set of codes to be used for content distribution, but once given out, the content legally belongs to the owner of the Apple ID that redeemed the code. Managed Distribution provides licenses that can be associated and revoked, so the purchasing authority retains ownership of the license (with the exception of books, which are always owned by the person to whose Apple ID the license was distributed). This allows you to assign institutionally purchased applications to end users as needed, then revoke the licenses for those apps at a specific time, returning the licenses to your control.

Differences between redeemable codes and managed distribution licenses

The original model for mass deployment of content used redeemable codes. The VPP administrator purchased applications from the Apple VPP site. Apple provided a set of codes in a spreadsheet that could be downloaded. Those codes were then used to create an application Fileset for installation on managed devices, or were provided to the end user to redeem. Once a code has been redeemed, it cannot be reclaimed by the MDM administrator. VPP redeemable codes are available for applications and books.

Note: With the current VPP system, free apps and books cannot be obtained with redeemable codes, only with managed licenses.
It is also possible to have all of your redeemable codes exchanged for Managed Distribution licenses. This Apple Support article describes the process: https://support.apple.com/en-us/HT202863

Apple's newer model for application license management allows you to assign licenses to users and revoke those licenses at a future date. This mechanism is called Managed Distribution, and it applies to VPP purchases of any free content, applications, and books. When a license is assigned to a user, that user sees the item in their Purchases list, as well as in FileWave's Kiosk. When the application is no longer needed, or the user is no longer associated with the institution, the MDM administrator can revoke or remove the license. FileWave regains that license for distribution to another user.

Note: This process is only valid for applications, since Apple requires all book distributions to be permanently assigned to personal Apple IDs.

Managed Distribution - user versus device assignment

Initially, Managed Distribution required association to a unique Apple ID for any deployed content. With the release of iOS 9 and OS X 10.11, VPP managed distribution licenses gained the ability to assign applications directly to a device, provided the developer allows it. This method opens up a huge benefit in layered deployment models. Now an institution can assign core applications directly to devices in carts, labs, or even in 1:1 deployments.

How FileWave works with VPP

There are several approaches to using FileWave with VPP. The deployment workflows relate to the overall control of the application(s) to be deployed. The actual workflows are covered in detail later in this chapter.

Redeemable Codes - A Fileset is created that links to the App Store and provides a redeemable code for each device that is associated with that Fileset. When the user accepts the installation, the code is redeemed against that user's Apple ID.
The code, once redeemed, belongs to the end user and cannot be retrieved by the FileWave administrator. If the user refuses the installation, the code is reserved against that device for the next 24 hours, then returned to the pool for that Fileset.

Note: Under OS X, all application associations must be done as Kiosk items.

Managed Distribution licenses - For the managed distribution method, FileWave doesn't manage users directly, but associates users with specific devices. All of this is done through the linkage of an Apple ID and the FileWave MDM. Whether you use individual Apple IDs, in the case of a BYOD or full 1:1 deployment, or institutional Apple IDs, in the case of a managed lab or cart, the application licenses remain under your control. If you assign the licenses to devices, there is no longer a requirement to match an Apple ID with the device. You can, for example, use a generic LDAP or fixed MDM authentication account to enroll the device(s), then just configure your Filesets to be assigned to the device.

When you assign or associate App Store content through a Fileset to a user's Apple ID, the end user will see that content in their Purchases in the App Store. For iOS devices, you could use Apple Configurator to prepare, and possibly supervise, the device, then turn it over to an end user to add their own content using their personal Apple ID. You could use VPP direct device association to place the applications onto the device, then let the user add items as they see fit. With this model, you, as the FileWave administrator, would be responsible for maintaining the institutional content and software, while the end users would be responsible for any applications and content they install.

Setting up your FileWave server for VPP

In order to provide your users with content from VPP, you need to establish an institutional VPP account and link that account with your FileWave server.
If you are an educational institution, follow the steps provided by Apple on setting up VPP for Education: http://www.apple.com/education/it/vpp/ . If you are a business or enterprise customer, use the VPP for Business instructions: http://www.apple.com/business/vpp/ . Once you have your VPP account, you are ready to configure FileWave for VPP support.

Important - Ensure you do not have another VPP system, such as Apple's Profile Manager or Apple Configurator, active with your VPP token when you set up FileWave for VPP. This will cause problems with your ability to manage VPP user accounts.

Set the VPP token(s)

When you signed up for your VPP account, you were provided a coded token that allows you to configure FileWave for VPP. Use the instructions in Chapter 2 to configure your FileWave Admin Preferences for VPP.

Synchronize data with the VPP server

Once your token(s) are active, the FileWave Server will automatically synchronize with Apple's VPP service. Depending on how many items you have in your purchase list, this process may take a while. When you have synchronized your VPP data with your FileWave Server, you should see any VPP Managed Distribution purchases listed in the License Management section of FileWave Admin. The first time after you set up VPP, you can force a full synchronization by holding down the Option key and clicking the Synchronize button. You should see entries in the License Management view that match your purchase history.

Note: Only VPP Managed Distribution licenses are displayed here. The older VPP Redeemable Codes, if you have any, are still located in the "VPP Code Management" assistant in FileWave Admin. When you purchase redeemable codes, you must download the spreadsheet and import it into FileWave using this assistant.

Adding licensed applications to your FileWave Server

The process of adding content for VPP code redemption or managed distribution is extremely simple.
When you purchase any content in the VPP Store, the items will appear in your License Management pane after the next VPP sync with your FileWave server.

1. Make your purchase in the VPP Store.
2. Once you receive confirmation that the purchase is complete, force a VPP sync in your Preferences, or wait for the overnight sync.
3. In FileWave Admin, go to the License Management pane and click the Refresh button in the toolbar. A dialog tells you that your purchase information has been loaded into FileWave, but there is no corresponding Fileset.
4. Click Yes, then update the Model to refresh the database.
5. You will be taken to the Filesets pane, where your new VPP application Fileset will be waiting. Back in the License Management view, the new license is displayed.

At this point, you can begin associating the new content with your enrolled devices.

VPP and iBooks

If you purchase managed distribution licenses, you have control over the assignment of those licenses to end users, regardless of the deployment model. The one exception to this is books. Free books can only be provided with managed distribution licenses, yet the item becomes the permanent property of the assigned user. Paid books do allow the use of redemption codes, but the same rules apply: books cannot be revoked or reassigned. Books must also be assigned to personal Apple IDs; per Apple's legal guidelines they may not be assigned to institutional Apple IDs, nor can they be assigned to devices.

Manually creating Filesets from VPP managed distribution content

By default, your VPP managed distribution license purchases should automatically show up in License Management, and upon a Refresh of the pane you should get a dialog asking you to create a Fileset for your purchases.
If, however, you have items displayed in the License Management pane that do not have a corresponding Fileset, you can correct that problem manually.

Create a mobile Fileset for a managed content item

All VPP purchases now appear in License Management as soon as the FileWave server syncs with the Apple VPP site. The first time you access this area after setting up your FileWave Server, you will get a dialog box telling you that a Fileset can be created for each of the licenses. You can also right-click on any purchase and create a Fileset.

Redeemable codes

For redeemable codes, you will need to download the code spreadsheets. Log into your VPP account online and select your Purchase History. For any content that you purchased using redeemable codes, you will see that you are able to download the codes in the form of an .xls spreadsheet.

Note: This spreadsheet is always kept up to date on the VPP site. As you, or your users, redeem codes, the online spreadsheet is updated to show the remaining codes.

Once you have downloaded the spreadsheet(s) as needed, go to Assistants / VPP Code Management. This pane is used only for linking redeemable codes to Filesets. You have two methods for bringing codes into FileWave Admin: importing the spreadsheet, or manually entering the code information.

The Import Spreadsheet… method is quite simple. Select the Fileset (if there are multiple Filesets for a purchased item, just pick one), then click the Import Spreadsheet… button, locate your downloaded VPP .xls file, and import it. The dialog box tells you to verify that the codes you are uploading into FileWave Admin match the item you want to link them to. You will get errors if you try to match codes to the wrong content, or try to import an older spreadsheet into the set once you have begun redeeming codes. Once you have imported codes, you will see them listed next to your selected Fileset.
The Import Manually… button lets you import a custom text file you create. Each line is either the URL as you would see it on the App Store or in the VPP spreadsheet, or just the redeemable code. For example, the file custom_codes.txt could look like this:

https://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/freeProductCodeWizard?code=Y6XJ69TFXDEJ
Y4XJ69HYTFEB

A benefit of using FileWave for working with redeemable codes is that you don't need to break down your spreadsheets into separate sections to match the different sets of the same content you plan to deploy. You can just select the number of codes you want to assign to a specific Fileset and drag those codes onto that Fileset. For example, one code can be dragged from the main Fileset for Digits onto the Fileset meant for the testing team.

Managed Distribution Licenses

The managed distribution content licenses are treated as part of a pool. When you look at each Fileset's details, you can see the status of your licenses. You are required to track the usage of your licenses to avoid exceeding your allowed limit. If you distribute more copies of an item than you have licenses for, you will get installation errors.

VPP Managed Distribution User Management

The most complex portion of the VPP Managed Distribution system is the interaction between the end user and the VPP license architecture. The process is as follows:

1. The user agrees to link their Apple ID with your VPP MDM server.
2. The MDM server associates managed distribution content licenses with the linked user.
3. The user sees all assigned content in their own Apple ID-based purchases in the iTunes/App Store.
4. If the user has auto-install enabled, the content automatically appears on the user's device(s).
5. If/when the MDM systems administrator revokes a license, the end user may be allowed up to 30 days to continue using that application while the MDM systems administrator regains use of the license for another distribution.
That timeframe is entirely up to the application developer. It is not a value that you can set or change. You would need to check with the specific app developer to get their assigned revocation timeframe. If the user purchases the revoked application within the developer-allotted timeframe, they keep all of their sandboxed content. If not, the application and content are deleted (iOS only).

Note: Never use your VPP account Apple ID for personal purchases.

Creating users for your devices

Apple's VPP manages licenses that are either assigned to a device or assigned to a specific user's Apple ID. In the Assistants / VPP User Management pane, you can see all of your enrolled devices and a list of VPP users. In the upper left is the list of enrolled devices. In the upper right is the list of VPP users you need to create. The lower portion of the window displays the devices and users that are associated with each other for management purposes.

Note - You do not need to do this process manually for a population of several thousand users. FileWave provides the ability to link your LDAP directory and your enrolled devices together automatically. The option exists to have a VPP user created automatically as each device enrolls. When doing batch rollouts of iOS devices, this may be your best option.

Note: If you use only VPP device assignment, and do not assign licenses to any unique users, you will not need to work with the VPP User Management pane. FileWave assigns a "ghost" VPP user account to each device to handle device assignments. You cannot see these accounts and will not need to manage them.

In the VPP User Management pane, we can manually assign a new VPP user for each device. This gives us a VPP user account with blank fields. The VPP Client User ID is a construct used by FileWave to facilitate the association of a device, which FileWave can manage, to an Apple ID, which belongs to a user.
The account is unique and has one of three states: registered, associated, or retired. Registered means that the account is assigned to your FileWave MDM by Apple. Associated means that the account is linked to an Apple ID through an iTunes ID hash and the user can have licenses assigned to them. Retired means that all licenses assigned to that VPP Client User ID are revoked and can be used again. An Apple ID can be associated with multiple VPP Client User IDs, but only one VPP Client User ID can be associated with an enrolled device. This also allows users with multiple iOS/macOS devices to have a single VPP Client User ID associated with those devices.

If you link your LDAP accounts to FileWave, then the directory service will have the users associated with a VPP account. This fills in those blanks and makes the next step easier. LDAP authentication is covered in Chapter 3.

Inviting users to the FileWave MDM VPP

Apple requires the end user to actively link their Apple ID to your FileWave MDM. You must send an email to each VPP user account after you have provided their email address. Click in the Email Address field for the VPP user account and enter a valid email address. This does not need to be the user's Apple ID email address, just an address where the user can receive a VPP MDM request. Once you have entered a valid email address, the button to send an invite to the user becomes active. The user will get an email asking them to activate the link to their "VPP organization", i.e., your FileWave MDM server. This email account does not need to be the one that person uses for their Apple ID. It can be an internal email address used within your organization/institution, or any common email address the user may provide. Once the user clicks the link to the iTunes Store, authenticates with his or her Apple ID, and gives permission, the user is notified that he/she can now be provided with content from your FileWave MDM.
This process links that user's Apple ID to your FileWave MDM so that you can assign applications and content to them. You will never see the user's Apple ID (unless they give you the email account they use for their Apple ID as their contact email). What you will see, as proof that this has occurred, is an iTunes ID hash in the VPP User Management window.

If you are doing this as part of a BYOD or 1:1 deployment, the process can be sped up by having the end users register themselves with FileWave. An enrolled iOS device will have the App Portal installed. When the user opens the App Portal, he/she is greeted with a dialog asking them to register their Apple ID. This is just like the above process; i.e., they authenticate to the iTunes Store and give permission for the linkage.

FileWave and macOS VPP users

The process for macOS computers and users is almost identical to that for iOS users. When you add a macOS computer as a FileWave Client, it will show up in the Manage VPP Users… window.

Note: Direct device assignment is still an "in-progress" thing with OS X. Full functionality from Apple will be available in a future release.

You still have to go through the user assignment process unless you automated that in the VPP preferences. The user email will have to be entered unless the user logged into the device with an LDAP account and that account had a valid email address attached. If so, you can have the FileWave server automatically send off an invitation to associate that user with the FileWave VPP. Whichever process you use, the end user will still have to agree to associate with your system. Once that is done, you will be able to assign applications and books to that user through Filesets linked to the VPP managed distribution system. After some Filesets are associated with the client, the assigned items appear in both the Kiosk and the App Store.

Retirement

Note: If you retire a VPP user account, it cannot be used again.
We suggest that you DO NOT test "retiring" VPP user accounts on actively enrolled users.

Where OS X VPP differs

One key difference between iOS and macOS VPP managed distribution is in the way the applications are installed. You will be asked on the client if you want to turn on automatic application installs, but this refers to apps downloaded onto other devices. What that means is that if the end user has a single device, apps will show up in their App Store / Purchases section but will not automatically install on the device. The user must do the installation manually. This also affects Kiosk operations. If an application is in the Kiosk, just selecting it and telling it to install may not result in it showing up in the user's Applications folder until they go to the App Store / Purchases list and install it from there.

Revoking licenses using FileWave MDM with VPP managed distribution

When a user is no longer part of an institution, or is no longer working on a project or class that requires a costly application for which you have a limited number of licenses, you can revoke the managed distribution license for that application and return it to FileWave's inventory. The process is the same as you may have already used to remove any other item assigned to a managed device with FileWave: you merely dis-associate the Fileset. Once the model has been updated, you will see the application licenses returned to your license management pool.

The behavior of the application on the client device depends on how the application developer designed the revocation settings into the app. A developer can set the app to continue to exist for up to 30 days on a user's device. This also means that the application will remain in the user's purchased list in iTunes.

Note: macOS computers may take several minutes before noticing that applications are no longer assigned to them.
In some cases, if the user has both an iOS and a macOS device associated with your VPP system, you may see notifications pop up on the iOS device before the macOS computer gets the word.

VPP App Configuration

Description
VPP Apps are all well and good, but what if you need to customise the experience in some way? Some App developers provide key/value pairs to do just that. Starting in FileWave 16.3.x, supported apps installed through DDM can also include configuration for application extensions. This is separate from classic managed app configuration for the main app itself, and support depends on what the app developer exposes.

Requirements
Nothing more than an Apple Business or School Manager account, configured with FileWave for VPP, and an App with support for configuration preferences.

Directions
Within the contents of a VPP Fileset, you will find a tab called 'Configuration'. In this example, the configuration is for the Microsoft Edge browser. Microsoft provides the details regarding the key/value pairs available: Microsoft Edge App Configuration.

Consider a list of URLs to block. It can be seen from the Microsoft KB that the key/value pair is:

Key: URLBlocklist
Value: Array of chosen URLs to block, each of which should be a string

When first opening a VPP Fileset > Configuration tab, the setting will be set to 'None'. Clicking on this, it can be set to 'Configuration'. Once set to Configuration, click 'Edit'. Imagine that the desired URL to block is the FileWave KB; the setting would then list that URL as an item of the array. Note that there are multiple 'Type' options for each key: as suggested, this key is an Array, and each item in the Array, for this example, should be a String. Add as many strings as required, one for each URL to block.

Once associated with a device, on receipt of the Fileset, not only will the App be installed, but attempts to access the blocked URL should fail.

Similar options exist for other browsers, e.g. Chrome.
For each chosen App to configure, refer to the relevant App developer for the necessary details.

Taking Chrome one step further, where Google Admin Console is in use, it is possible to generate a token for browser management. The Configuration tab can be used to push the token as part of the App Configuration. Using this method, it is then possible to manage the browser through the Google Admin Console, rather than supplying each desired key/value pair for the required management. More details can be found on Google's Cloud Management Enrolment pages: Enrol Google cloud-managed Chrome browsers.

Unfortunately, many Apps have no configuration options. That said, some everyday Apps, like those mentioned above, do indeed have options that are typically desired. It is possible to contact the developers of Apps if some configuration is felt to be a requirement; perhaps configuration would be added by request!

VPP Token Renewal

Description
VPP Tokens need to be renewed once a year. The FileWave dashboard will alert you when any VPP Token is about to expire by changing to yellow and stating the duration until expiry, then turning red once a VPP token expires. Use the steps below to renew VPP Tokens.

Requirements
- FileWave Central
- FileWave fwadmin credentials
- Access to Apple School or Business Manager: Apple School Manager (ASM) or Apple Business Manager (ABM)

The ID accessing School or Business Manager requires the appropriate permissions to access the VPP token mentioned below. This will likely be Content Managers or higher, e.g. Administrators. Apple recommends that Administrators do this where the management account has multiple VPP accounts split across an organisation, such that all may be renewed in unison.
Directions

1. Navigate to the appropriate Apple account, e.g. ASM.
2. In the ABM or ASM portal, navigate to the account name at the lower left, select "Preferences", then "Payments and Billing" (Apps and Books is usually the default tab), then navigate to "Content Tokens". "Content Tokens" contains the VPP token download option for each location.
3. Select the appropriate token to Download.
4. Log into the FileWave Admin console specifically as fwadmin, and from Preferences > VPP & DEP select "Configure tokens" and enter the 'fwadmin' password.
5. From the "Edit VPP service tokens" window, double-click the appropriate token to open the "VPP server token" window showing the current VPP token details.
6. Use the 'Import' feature to select the token downloaded in Step 3. Email is not required, but may be a good idea where multiple tokens are configured.

Note: You may also see a pop-up warning you how many Filesets the token is associated with. This is not an error; click Yes to continue.

On saving, a prompt will appear indicating that synchronization may take a while. This window will automatically close at completion. During any synchronization, an additional prompt may appear if there are new VPP App licenses that do not yet have Filesets. Allow creation if desired.

Congratulations, the VPP token is now configured for another year!

VPP App Updates for macOS / iOS / tvOS devices

Description
As standard, VPP Apps on devices should update automatically, regardless of how they were installed, e.g. Kiosk or Standard Deployment. There may also be occasion to block VPP updates without locking the entire device.

Information
By default, with no defined customisation, FileWave will trigger automatic updates of VPP Apps installed on devices. At certain times, the FileWave Server requests the list of installed applications.
The MDM commands sent to a device may be observed in the 'Command History' tab of the device's information. At minimum, this occurs on every Automatic Verify (usually every 24 hours), assuming devices are online, but other actions also trigger these events, for example:

- Manual Verify
- Model Update
- Smart Group changes
- Opening Client Info for a device

If an installed App has an update, that App is flagged. Where an App has an update flag, a new command to install the application is queued for the device. This is true for all Apps that have an update, one entry per App. On receipt of the request, the device communicates with the App Store and acknowledges the update request back to the FileWave Server.

By default, when a device honours a normal VPP update request, it updates to the latest compatible version currently on the App Store. Starting in FileWave 16.3.x, supported apps installed through DDM can also be controlled per Fileset from the Application update (DDM) setting in the Details tab. Options include Follow Store Settings, Always On, Always Off, and Pin specific version. This means FileWave can now leave a DDM-managed app on its current version, force normal updating, or target a specific App Store version instead of always taking the latest compatible release.

Included in FileWave Anywhere is the option to determine when VPP App upgrades may take place. Please view the following KB on this topic: https://kb.filewave.com/books/apple-school-business-manager/page/vpp-application-upgrade-timing

Managing Updates

There have been instances where disabling auto updates of VPP Apps has been required due to unexpected behaviour from the App Store. In such cases, it can be desirable to either block updates completely or block updates per App. Beyond the timing controls above, you may still need to block updates completely or hold back specific versions.
Starting in FileWave 16.3.x, supported DDM-installed apps can do this per Fileset in the UI. The custom settings below remain useful for broader server-side behaviour and older workflows.

Overriding this behaviour may be done by adding options to the custom settings file:

# macOS/Linux
/usr/local/filewave/django/filewave/settings_custom.py

Options available are:

Key: SELF_HEAL_APPS_BY_VERSION
Description: Enables/disables all VPP App updates

Key: IGNORE_PREINSTALLED_APPS_SELF_HEAL
Description: Blocks all update attempts for a defined App by Bundle ID (unmanaged Apps only)

Key: IGNORE_ITUNES_VERSION
Description: Blocks updates for a defined App Bundle ID, but only for defined version numbers

Directions
Each example below involves editing settings_custom.py. Any changes require Apache to be restarted. Where the App Bundle ID or version is required, this may be observed in a device's Installed App list.

SELF_HEAL_APPS_BY_VERSION
Adding the following line will block all updates of all Apps:

SELF_HEAL_APPS_BY_VERSION = False

To revert this behaviour, either set this to True or remove the entire line.

IGNORE_PREINSTALLED_APPS_SELF_HEAL
This option will only prevent erroneous attempts to update unmanaged Apps, where the device reports an incorrect Bundle ID. As an unmanaged App, it may not be updated by MDM anyway, but installation errors would be seen in the Command History. Obtain the Bundle ID of the App, then add the following option. For example, to block iMovie, Pages and Keynote:

settings.IGNORE_PREINSTALLED_APPS_SELF_HEAL = ("com.apple.iMovie", "com.apple.Pages", "com.apple.Keynote")

This is a comma-separated list. Add each Bundle ID per App to be blocked for updates. To revert this behaviour, either remove the Bundle ID no longer required for blocking or remove the entire line.

IGNORE_ITUNES_VERSION
Obtain the Bundle ID and version of the App to be blocked.
The settings are set out as:

'Bundle ID': [(version to block, version currently installed)]

The example below will:
- Keynote - Block version 3.0 from the iTunes Store if the device has version 2.7 installed
- iMovie - Block version 10.1.14 from the iTunes Store if the device has version 10.1.13 installed
- Pages - Block version 8.2 from the iTunes Store if the device has version 8.2 installed

settings.IGNORE_ITUNES_VERSION = {
    'com.apple.Keynote': [('3.0', '2.7'),],
    'com.apple.iMovie': [('10.1.14', '10.1.13'),],
    'com.apple.Pages': [('8.2', '8.2'),],
}

The Pages example prevents an App from continually attempting to update where the version on the iTunes Store matches that on the device, yet the device is still reporting that an update is required. Add or remove entries per item to be blocked.

Taking this one step further, consider the above Keynote example. The device has 2.7 installed, but version 3.0 is set to be ignored. If version 3.1 were released and were the latest version available on the App Store, the device would upgrade to 3.1 after receiving a new InstallApplication command, because only 3.0 is ignored.

To revert the behaviour, either remove the Bundle ID and versions no longer required for blocking, or remove this entire code entry.

White Space
Note: there should be no white space (spaces, tabs, etc.) before the added key. Doing so will result in the server becoming non-responsive.

Apache should then be restarted:

# macOS/Linux
/usr/local/filewave/apache/bin/apachectl graceful

Redeeming VPP/Gift Codes

Description
For those that can't use VPP, Redeemable Codes provide a way to assign licences to iTunes Store IDs in order to deploy Apps to devices. Who has used the licence, and how manageable are they? This article gives an overview of how to find out, manage, and troubleshoot this process.
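Returning to the update-blocking settings above: as an added example (not FileWave's own code), this Python models the documented behaviour of SELF_HEAL_APPS_BY_VERSION, IGNORE_PREINSTALLED_APPS_SELF_HEAL and IGNORE_ITUNES_VERSION against a constructed Installed App list, and compiles a settings_custom.py draft to catch the leading white space error before Apache is restarted. The InstalledApp fields, the managed flag, the sample inventory and the order of the checks are assumptions of this example.

```python
"""Added illustration, not FileWave's own code: models the documented behaviour of
the three settings_custom.py update-blocking keys and lints a settings file before
the Apache restart. InstalledApp, the 'managed' flag, the sample inventory and the
check order are constructed assumptions, not a statement of the server's logic."""

from typing import Dict, List, NamedTuple, Optional, Sequence, Tuple

# The three keys, using the sample values documented on this page.
SELF_HEAL_APPS_BY_VERSION = True
IGNORE_PREINSTALLED_APPS_SELF_HEAL: Tuple[str, ...] = (
    "com.apple.iMovie", "com.apple.Pages", "com.apple.Keynote")
IGNORE_ITUNES_VERSION: Dict[str, List[Tuple[str, str]]] = {
    "com.apple.Keynote": [("3.0", "2.7")],
    "com.apple.iMovie": [("10.1.14", "10.1.13")],
    "com.apple.Pages": [("8.2", "8.2")],
}


class InstalledApp(NamedTuple):
    """One row of a device's Installed App list (constructed shape).

    installed_version: what the device reports as installed.
    store_version: latest compatible version on the App Store at check time.
    managed: installed via MDM; unmanaged apps cannot be updated by MDM anyway.
    flagged: the device reported that an update is available.
    """
    bundle_id: str
    installed_version: str
    store_version: str
    managed: bool
    flagged: bool


def should_queue_install(
    app: InstalledApp,
    self_heal: bool = SELF_HEAL_APPS_BY_VERSION,
    ignore_preinstalled: Sequence[str] = IGNORE_PREINSTALLED_APPS_SELF_HEAL,
    ignore_versions: Dict[str, List[Tuple[str, str]]] = IGNORE_ITUNES_VERSION,
) -> Tuple[bool, str]:
    """Return (queue, reason): would an InstallApplication command be queued?"""
    if not app.flagged:
        return False, "device did not flag an update"
    if not self_heal:
        return False, "SELF_HEAL_APPS_BY_VERSION = False blocks all VPP updates"
    # Documented as applying to unmanaged apps only (device reports a wrong
    # Bundle ID and the update attempt would just error in Command History).
    if not app.managed and app.bundle_id in ignore_preinstalled:
        return False, "bundle listed in IGNORE_PREINSTALLED_APPS_SELF_HEAL"
    # Pair semantics from the page: (version to block, version currently installed).
    for blocked_store, blocked_installed in ignore_versions.get(app.bundle_id, []):
        if (blocked_store, blocked_installed) == (app.store_version, app.installed_version):
            return False, (f"IGNORE_ITUNES_VERSION blocks {blocked_store} "
                           f"while {blocked_installed} is installed")
    return True, f"InstallApplication {app.bundle_id} -> {app.store_version}"


def plan_updates(apps: Sequence[InstalledApp], **settings) -> List[str]:
    """One queued command per flagged, non-blocked app ('one entry per App')."""
    commands = []
    for app in apps:
        queue, reason = should_queue_install(app, **settings)
        if queue:
            commands.append(reason)
    return commands


def validate_settings_source(source: str) -> Optional[str]:
    """Return None if the settings text compiles, otherwise the error.

    Leading white space before a top-level key is an IndentationError in
    Python, which is why the page warns it leaves the server non-responsive.
    Run this on settings_custom.py before 'apachectl graceful'; the text is
    only compiled, never executed.
    """
    try:
        compile(source, "settings_custom.py", "exec")
    except SyntaxError as exc:  # IndentationError is a SyntaxError subclass
        return f"line {exc.lineno}: {exc.msg}"
    return None


# Constructed sample inventory covering each documented case.
SAMPLE_APPS = [
    InstalledApp("com.apple.Keynote", "2.7", "3.0", True, True),          # blocked pair
    InstalledApp("com.apple.Keynote", "2.7", "3.1", True, True),          # 3.1 not ignored
    InstalledApp("com.apple.Pages", "8.2", "8.2", True, True),            # phantom update
    InstalledApp("com.apple.iMovie", "10.1.12", "10.1.14", False, True),  # unmanaged
    InstalledApp("com.apple.iMovie", "10.1.12", "10.1.14", True, True),   # managed
    InstalledApp("com.apple.Numbers", "11.0", "11.0", True, False),       # nothing flagged
]

if __name__ == "__main__":
    for command in plan_updates(SAMPLE_APPS):
        print(command)
    print(validate_settings_source(" SELF_HEAL_APPS_BY_VERSION = False\n"))
```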
Information

After the codes have been added via the FileWave VPP Codes assistant (available from Assistants > "Manage VPP Codes"), you should see:

- The file they were imported from, along with the name of the App
- Each licence listed
- How many codes are still available for redemption
- The date the codes were added to the FileWave server

Automatic Assignment

Any licences available here may be redeemed automatically by the user of the device, with the following process:

1. Associate the Fileset
2. Update the Model
3. When the device checks in, the user will be prompted to accept the installation with their Apple ID
4. If the user accepts the installation, the code will no longer be available for use and the App will belong to that Apple ID
5. The code used will automatically disappear from the VPP Codes found in the uploaded file
6. Instead, the code will now show in the redeemed list, along with which device was used when the code was redeemed

Unfortunately, Apple does not allow visibility of which user accepted the licence.

Has a code been used?

In rare circumstances a device may show a code as "Redeemed Automatically", but the code was not actually redeemed and could be re-assigned. If you suspect this to be the case, the codes in question can be re-imported from a CSV. For efficiency, we recommend only re-importing suspected unused codes where possible. For VPP codes, downloading the file again from Apple will provide a new file with just the unredeemed codes. Gift codes, though, cannot be re-downloaded in this way.

A clue could be a device showing more than once with differing codes. You could try re-adding the first code that had been redeemed via this device, by date, from a new CSV import. If a code re-imported from CSV has indeed been redeemed, the next redemption attempt for this code will fail, the code will be removed from the list and an attempt will be made with the next code in the list.
You may experience this when several users use the same device, or if the code was automatically associated but redemption by the user was not finalised.

Manual Assignment

You may also choose to allow the user to manually install the application. In this case, you would:

1. Highlight the relevant code(s)
2. Choose Redeem. The code will now show in the redeemed window (this will not automatically prompt the user)
3. Send the code to the user, so that they can choose to redeem the code themselves

Any codes configured to be manually redeemed that have not been redeemed may be pulled back to the pool of licences (unredeemed), so that they could be automatically associated instead.

Warning

If a code has been provided to a previous user, e.g. by email, that was not redeemed, and you 'Unredeem' the currently unused code, this code could still be used by the original user as they have the code details. The first Apple ID to use the code will own that App and the code will no longer be usable.

VPP Application Upgrade Timing

What

As a FileWave administrator, I want more control over when VPP applications receive updates, so that they happen after work or school hours. In the past, this was not possible.

When/Why

You can pick Never, Always or Scheduled for the VPP application update setting in FileWave 14.6+.

How

As shown in the image below, in the Web Admin go to Sources and change the VPP update setting to Never, Scheduled or Always. If you pick Scheduled, you then have the option of Weekend, Non-Business Hours, or Non-Business Hours and Weekend. The days and times shown are in the client's time zone.

Starting in FileWave 16.3.x, supported DDM-installed apps can also be controlled per Fileset from the Application update (DDM) setting in the app Fileset Details tab. When that setting is left on Follow Store Settings, the timing configured here still applies.
If it is set to Always On, Always Off, or Pin specific version, that app follows the per-Fileset DDM behaviour instead.

VPP User Assignment for iBooks with Managed Apple IDs

Description

The Managed Apple IDs and Licenses guide covers setting up VPP User assignment for deployment of iBooks with Managed Apple IDs. It also makes use of functionality introduced in FileWave 12.7 for silent invites for VPP. If you are not using Managed Apple IDs, you will need to use the steps in Apple's Volume Purchase Plan (VPP) and License Management under "VPP Managed Distribution User Management".

Silent invite

While most apps now support Device Based assignment, a few apps still require user-based licenses. All iBooks, for instance, require VPP User assignment and cannot be assigned based on Device. Managed Apple IDs can be associated to VPP User assignment apps, and have to be associated to a VPP user for the corresponding VPP token so that the token's organization can assign licenses to the Apple ID.

To ease Managed Apple ID and VPP user management, Apple introduced a change in VPP to automatically and silently link a VPP user and a Managed Apple ID. This makes an organization's life easier, as it no longer has to rely on human interaction to link each Apple ID with every organization using the Apple App Store on each device. With a VPP user associated to the user's Managed Apple ID, user-based licenses, including those for books, can be deployed without the need to manually join the organization.

Everything involved must belong to the same organization: you can only assign a Managed Apple ID from "Organization A" to an ASM VPP account from "Organization A". A Managed Apple ID can't be associated to a VPP user from a Legacy token, for instance, or from another organization.

Steps

1. Assign a user in the Classroom tab to the student device.
   This will need to be the user assigned to the Managed Apple ID that will be logged into the iOS device.
2. Sign in on the device with the Managed Apple ID that is assigned to the user associated in step 1.
3. Create a VPP User for the device for the VPP token you want to assign iBooks or User VPP apps to. This window is found in FileWave Admin under Assistants > VPP User Management. This token must be an ASM account token.
4. Associate the VPP Fileset for the iBook or VPP Application to the iOS device. The Application must be purchased from the same ASM VPP Token that you assigned the device to in step 3.
5. Update the Model.
6. You are done; the Apple ID on the device will automatically be associated to the VPP License you are deploying, without input from the user.

Unremovable VPP Applications

What

There is a new option for VPP apps, namely preventing the user from removing them (iOS/iPadOS 14+ required).

When/Why

We may want to prevent users from removing a VPP licensed, MDM delivered application if it is essential for their day-to-day use. Previously a user could remove any deployed application (although it would be reinstalled by FileWave on the next verify).

How

There is nothing special you must do to enable this attribute. By default, deletion is disabled and you should see the below in each of your VPP Filesets. Note the wording of this dialog: not checked means the app is NOT removable; checked means the user can remove the app in question.
What we should discuss, though, is how this setting behaves, so that it is understood:

- This setting is NOT retroactive: if you have already deployed an app, like iTunes Remote shown above, the user of that device can still remove it
- But if a new device is enrolled and receives this payload, its user will not be able to remove the app
- Or, if someone who had it does remove it and FileWave re-pushes it (on verify), then the newly installed app will NOT be removable
- This checkbox does NOT affect Kiosk-based app distribution, regardless of its setting. Any App installed by the user through the Kiosk can be removed by them as well (the setting is effectively ignored)
- The checkbox defaults to unchecked, so if you have something deployed as a push but want people to be able to uninstall it, you should modify that Fileset accordingly

VPP Notifications (Apple VPP API v2)

What

Starting from FileWave version 14.6.0 we added support for a new Apple API for App and Book Management within the Apple Volume Purchase Program. With FileWave 15.1.0 this API became the default. The main difference compared to the previous version is that the new API is asynchronous: when we send a request to create/update/retire users or associate/disassociate assets, we get a unique event identifier in response, which we use in a scheduler task to retrieve the status of the asynchronous event. There are no visual changes in your environment, except that the new API is more reliable and expandable.

When/Why

In short, the new VPP 2.0 protocol is better, but out of an abundance of caution it was not enabled by default on FileWave versions 14.6.0 through 15.0.1. With FileWave 15.1.0 it became the default.

How

The new implementation was not turned on by default until FileWave 15.1.0. To turn it on for prior releases, add the following line to /usr/local/filewave/django/filewave/settings_custom.py and then restart the server.
If you are a hosted customer, it has been enabled since your server was upgraded to 15.1.0 or beyond.

    VPP_V2 = True

For troubleshooting it can be set to VPP_V2 = False to go back to the VPP v1 API.

Starting in FileWave 16.3.x, VPP Notifications no longer use a manual checkbox. FileWave now checks whether Apple can reach the notification URL and automatically turns notifications on or off. The current VPP & ADE preferences pane shows the notification state directly. When notifications are on, FileWave can act as soon as Apple confirms the license. When notifications are off, FileWave uses the configured Minimum delay (in minutes) between license assignment and Install Application.

Pre-16.3 behaviour: older FileWave releases exposed an Enable VPP Notifications checkbox. In FileWave 16.3.x that checkbox is gone, and FileWave decides automatically whether notification-based behaviour should be used.

Digging Deeper

Logging

On FileWave 15.1.0 and newer, you can check filewave_django.log. Lines containing "Sync VPP v2" confirm the VPP v2 workflow is active. On FileWave 16.3.x, the same log can help confirm whether VPP notification-based behaviour was automatically enabled.

Email Address

One important change in the new API is that when we create a user we need to specify an email address. For BYOD devices we use the Managed Apple ID; for DEP devices, the Device Assigner Email (not available when the option 'Create VPP users for newly enrolled devices' is checked); if neither is available, we use the Organization Email Address; and as a last resort, 'email.not.set@'.

Reachable by Apple

By default, FileWave uses the endpoint shown below. This endpoint needs to be reachable and valid from Apple services. You need to make sure that the TLS certificate is trusted by Apple and that Apple services are not blocked by any networking rule.
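As an added illustration (not FileWave code), the following Python derives the URL Apple will be asked to call, either the default endpoint built from the Mobile Preferences host and port (the https://{server_host}:{server_port}/api/vppv2/notification form given below) or a VPP_NOTIFICATIONS_CUSTOM_URL override, rejects values Apple could not post to (non-https, no host, unparsable port), and resolves the VPP user email in the fallback order listed under Email Address above. The function names and the sample host names are this example's own assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PATH = "/api/vppv2/notification"
PLACEHOLDER_EMAIL = "email.not.set@"   # last-resort value named in the section above


def notification_url(server_host, server_port, custom_url=None):
    """URL Apple is given for VPP notifications: the default built from Mobile
    Preferences, or settings.VPP_NOTIFICATIONS_CUSTOM_URL when that is set.
    Raises ValueError for anything Apple could not use."""
    url = custom_url or f"https://{server_host}:{server_port}{DEFAULT_PATH}"
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"notification URL must be https with a host name: {url!r}")
    parts.port  # raises ValueError if the port part is not a number
    return url


def vpp_user_email(*, managed_apple_id=None, device_assigner_email=None,
                   create_vpp_users_for_new_devices=False, organization_email=None):
    """Email FileWave supplies when creating a VPP v2 user, in the order the
    section lists: Managed Apple ID (BYOD), Device Assigner Email (DEP, but not
    when 'Create VPP users for newly enrolled devices' is checked), Organization
    Email Address, then the placeholder."""
    if managed_apple_id:
        return managed_apple_id
    if device_assigner_email and not create_vpp_users_for_new_devices:
        return device_assigner_email
    if organization_email:
        return organization_email
    return PLACEHOLDER_EMAIL


if __name__ == "__main__":
    # Sample values are constructed for this example.
    print(notification_url("fw.example.org", 20443))
    print(notification_url("fw.example.org", 20443, "https://vpp.example.org/fw/vppv2"))
    print(vpp_user_email(device_assigner_email="it@school.example",
                         create_vpp_users_for_new_devices=True,
                         organization_email="org@school.example"))
```

Whatever `notification_url` returns still has to be tested from outside your network with a TLS chain Apple trusts; the function only catches values that could never work.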
Server Port refers to the port configured in Mobile Preferences, which is likely either 20445 or 20443:

    https://{server_host}:{server_port}/api/vppv2/notification

If the FileWave Server is not accessible by Apple on the defined port, FileWave 16.3.x will keep VPP Notifications turned off and fall back to delay-based behaviour. On older releases, this was the situation in which administrators would leave the checkbox disabled.

If, for security reasons or due to your network configuration, your FileWave server can't be reached by Apple services directly, it is possible to define a different URL to be used by Apple. This can be done by editing the /usr/local/filewave/django/filewave/settings_custom.py file, adding the line below, and then restarting the server. For hosted customers, support will need to set this for you.

    settings.VPP_NOTIFICATIONS_CUSTOM_URL = "https://server:port/url"

You then need to make sure requests to this endpoint are forwarded to your FileWave instance.

Migration to VPP Location Based Tokens

With Apple School Manager you can:

- Transfer licenses: transfer licenses from one location to another
- Share licenses: share licenses between purchasers that have been assigned, and have access, to the same location
- Simplified purchasing of Apps & Books: search and browse content directly in the "Apps and Books" section of Apple School Manager. You will also be able to manage all your Volume Purchase Program (VPP) credit and update billing information from within Apple School Manager (ASM)

To take advantage of these new features in Apple School Manager (ASM), you will first need to transition your institution from the legacy VPP token system to ASM. Below are some key steps to follow to help you understand and plan, to ensure a successful transition.

You must read and follow the steps below to ensure a successful migration to VPP Location-based tokens!
If you're unclear about any of the steps, please contact your Apple or FileWave representative before proceeding. Not following the steps below can lead to:

- Being unable to deploy apps due to lack of licenses
- Apps being removed
- Loss of app data

Migration

If you still have codes

How do I know if I have codes?

To see if you have any codes in your account before migration, log in and go to "View Purchase History". If any previous purchases have "Download Codes" in the last column, you will need to request that those be migrated to managed distribution.

How do I migrate codes to Managed Distribution?

Visit https://www.apple.com/support/itunes/vpp/ and for "What do you need help with?" select "Other". Use the same institution name (and ideally the same email) as shown in your Account Summary section. Describe your issue and a representative should be in touch.

Invite VPP Purchasers

If you have purchasers with existing VPP accounts that aren't in Apple School Manager or Apple Business Manager, invite them to join your organization before you migrate to Apps and Books.

One Purchaser per location

For the best migration experience, migrate only one purchaser per unique location. You can do this in one of the following ways:

- By restricting account access in Apple School Manager or Apple Business Manager to the appropriate location for each purchaser
- By directing each user to the specific location that they should choose

If each purchaser migrates to a unique location, all licenses, assigned and unassigned, will move to Apps and Books.

Initial migration

All licenses that move during migration will be associated with the new location token to which they move. Any assigned licenses that don't move during migration remain associated with the purchaser's legacy token. All tokens that have associated licenses must be uploaded to MDM.

Location-based tokens

Apps and Books use location-based tokens.
All licenses purchased for or transferred to a location are associated with that location's token.* Legacy tokens from the VPP portal are account-based tokens. Purchasers can access tokens for all of their locations in the Apps and Books section of Apple School Manager's Settings or Apple Business Manager's Settings. Only one person needs to upload location tokens to MDM. Legacy tokens aren't needed after all licenses are moved to a location.

When you create a location, the location is in an "untouched" state, which allows Apple to transfer all licenses, including licenses currently in use, from a legacy token. As soon as anything is done with this location (buying apps, transferring a token, changing permissions, ...), the location is no longer "untouched", and therefore only unused licenses are transferred. So it is critical NOT to do anything with a location before migration happens.

Migrate all VPP purchasers

When you're ready to migrate to Apps and Books in Apple School Manager or Apple Business Manager, all purchasers should migrate at the same time. Each purchaser must migrate their account. Migrate by clicking Get Started in the Apps and Books section of Apple School Manager or Apple Business Manager, then selecting the appropriate migration location. After all purchasers migrate, you can take full advantage of the new features. If your organization decides not to use Apps and Books, VPP purchasers can continue to use the legacy VPP portal at vpp.itunes.apple.com until December 1, 2019. Assigned book licenses can't be moved and remain assigned to a user.

If assigned licenses don't transfer

Only unassigned licenses will move to a location if any of the following scenarios occur:

- Licenses are purchased or transferred to a location before a purchaser migrates to the new location
- Someone downloads the location's token before the first user migrates to it
- A new Content Manager is created in a location after another user opts into Apps and Books
- Multiple purchasers migrate to the same location

If assigned licenses don't transfer, they remain associated with the purchaser's legacy tokens, which should remain uploaded to MDM alongside the location token. After you unassign an app from the legacy token, you can transfer the licenses to a location in Settings > Apps and Books in Apple School Manager or Apple Business Manager.

Updating Token in FileWave Admin Preferences

Once you have successfully migrated to the location-based tokens, you're ready to update the legacy token(s) in FileWave! You will need to download your new location-based VPP token(s) and follow the directions below to update your VPP token in the FileWave Preferences.

Downloading new token(s):

1. Log into your ASM/ABM instance
2. Click "Settings" on the lower left
3. Click "Apps and Books" in the center column
4. Scroll down on the right to find the Locations table
5. Click "Download" next to each location needing to be updated in FileWave

Updating in FileWave:

1. Connect with FileWave Admin and open the Preferences
2. Click on the VPP & DEP tab
3. Click on "Configure tokens"
4. Double-click on the VPP token you need to update
5. Click the "Import" button and select your new location-based VPP token

VPP Token Revoked Error

Problem

A "VPP token is Revoked" error is displayed in the FileWave Admin Dashboard, or when trying to run a manual VPP sync in the "VPP and DEP" tab of the FileWave Admin preferences. This can be caused by entering the same VPP token in Apple Configurator: a token is only valid in one MDM at a time.

Solution

The solution for this error is to renew your VPP token in FileWave. For renewing your VPP token, see the Knowledge Base article Renew Your VPP Token.

VPP Kiosk Error Details

When you associate VPP assets via user association, there can be messages in the Kiosk. Here is what these messages can mean:

- "unavailable for this application's organization": the total available count of licenses is 0.
  Meaning you have no purchased licenses for this application.
- "unavailable for this application": the available count of licenses is 0, meaning you have run out of licenses for this VPP item.
- "application is not device assignable": the developer of this application has not allowed their application to be assigned to devices.
- "acquired (but your VPP account was retired)": as stated, your invitation to the organization's VPP program has been retired.
- "available": all is well.
- "available (but your VPP account is not)": the application is assigned as User in Admin, but there is no VPP user account tied to the device.
- "acquired": the device has a license for this VPP item.

VPP Device Assignment

About Device Assignment

With the release of FileWave version 10 and iOS 9 came a new, simpler way to assign licenses for apps purchased through Apple's Volume Purchase Program (VPP). Unlike VPP's previous options, which employed codes or user assignments, you no longer need CSV uploads or registered Apple IDs on the devices. The new process for VPP allows you to send out and pull back licenses to Apple devices regardless of whether an Apple ID is present. The steps below walk you through the VPP device-assignment process of app deployment. Before completing the guide, make sure the following requirements are met.

Requirements

- iOS 9+ (FileWave version 10.0+)
- OS X 10.11.1+ (FileWave version 10.1+)
- OS X devices MDM enrolled (DEP or Profile Enrollment)
- VPP Token in FileWave (Section 3.12 in the FW manual)
- Device-assignable Apps (see the "Purchase Apps" section below)

Restrictions

All apps in the VPP Store are opt-in only for device assignment. This means not all apps can be assigned to devices, so check compatibility before purchase (see the "Purchase Apps" section later in this document for details). User assignment, not device assignment, must be used for books purchased through VPP, requiring every Apple device to have a separate Apple ID.
Alternatively, PDFs, ePubs, or iBooks can be deployed to iOS 8 or above devices directly with the "Document (iOS 8+)" Fileset option under New Model Filesets.

Steps

Prepare FileWave

Go to the VPP & DEP tab in the FileWave Admin Preferences and click on the "Configure tokens" button. Then sign in with your superuser credentials (by default, this is "fwadmin / filewave"; that default password should have been changed at installation and must not remain in use). At the bottom of the new "Edit VPP service tokens" window, you'll find the "Create VPP users for newly enrolled device" pane. Be sure the box is unchecked and then close the window.

Note: With this option unchecked, if you still want to employ user assignment for VPP books, non-device-assignable apps, and devices not on iOS 9 or OS X 10.11.1 or above, you'll need to create these VPP users manually in the VPP User Management window under the Assistants menu.

Back in the FileWave Admin Preferences window under VPP & DEP, you'll see a line that reads "Preferred license distribution model to use for new associations." Use the drop-down menu to select Assign to Device. This makes device assignment the default for any new VPP Fileset associations. Then click OK at the bottom right to save and close the preferences.

Purchase Apps

To purchase the apps, go to Apple School Manager or Apple Business Manager. There you'll be asked to choose Education or Business and sign into your VPP account. Use the search field on the top left to locate the app you want to purchase licenses for. After you select the app, you'll be directed to the Purchase and App Details screen. From there, you'll determine whether the app is device-assignable: the Compatibility section of the app details should read "Device-Assignable". If it doesn't, user assignment needs to be used (requiring an Apple ID for each device). After confirming that an app is device-assignable, you can complete the purchase. Put the quantity of licenses in the Purchase Details section at the top, click Review Order, and click Place Order.
Note: Make sure you purchase enough licenses. If you associate the app with 100 devices but you've purchased only 50 licenses, only 50 devices will be able to download the app. This goes for Kiosk associations as well. Associate apps only to a number of devices less than or equal to the number of licenses purchased and reserved.

Import Apps into FileWave and Deploy Them

After purchasing the licenses, you'll get a confirmation email from Apple noting that the licenses are ready. You can wait for VPP to sync with FileWave automatically, or you can expedite the process by forcing a sync in the VPP & DEP section of the FileWave preferences by clicking Synchronize.

Proceed to the License Management section of FileWave in order to locate the new licenses. Click the Refresh button at the top. A prompt will pop up, reading: "FileWave has detected unused VPP licenses. Would you like to create X new Fileset(s) for these licenses now? Note that you will have to do a Model Update to be able to use them in associations." If you click Yes, FileWave will auto-create the Filesets and place them in the Filesets section of FileWave. If you click No, you can manually select the new licenses from the list and click Create Fileset at the top.

To double-check how many licenses have been reserved, double-click on the Fileset and look at the Volume Purchase Program - Licenses pane at the bottom. The number of reserved licenses displayed shows how many associated devices can download the app. (Note: If devices have redeemed a license for this app in FileWave, you cannot change the associated token until the licenses are retrieved by disassociating the app from the device.)

Continue the process by associating the app with the device, or group of devices, in the Associations tab. In the bottom pane, where the associations are located, you'll notice an extra column called License Assignment. New associations will automatically be assign-to-device associations.
If you already created assign-to-user associations, these can easily be converted if the app is device-assignable. To convert, simply double-click the association, navigate to the License Distribution tab, and click the Assign License to Device radio button; the license will change after the device syncs. If the app is not device-assignable, the second radio button will be greyed out. Note that the app does not have to reinstall when the license is changed from user to device.

Now update the Model to save and propagate all changes. If VPP Notifications are on, FileWave can install the app as soon as Apple confirms the license. If notifications are off, FileWave waits for the configured minimum delay between license assignment and Install Application before the app installs on the device. Note: The default delay is 3 minutes, but you can change it in the VPP & DEP section of the FileWave preferences.

Device Assignable Query Check

To build a query that lists the VPP assets which are not device-assignable (and so still need user assignment), use the following criteria and fields:

- Criteria: VPP Asset / Device assignable flag - does not equal - true
- Fields: VPP Asset / Product Name

VPP Licensing Reservations (v14+)

The History

Prior to version 14 of FileWave, license reservations for VPP applications could be problematic when purchasing additional licenses. If you look below, we purchased 25 licenses of this app initially, and the Fileset (payload) that was then auto-created had a reservation for exactly 25 licenses.

The inefficiency of this model would show itself whenever we purchased more licenses for this app. For instance, assume that we purchased 10 additional licenses: the Fileset shown above would not change from the original 25, so we could effectively run out of licenses even though we had 10 more available. This necessitated a manual change to the original Fileset, which was not efficient.
The Change

Starting with v14, reservation of licenses for VPP Filesets (payloads) has been made optional, in order to offer more convenience when purchasing additional licenses. You can think of the licenses now more as a dynamic quota than as a restriction. Here is how it works:

- Existing Filesets will not be affected by this change (any previously defined reservations will persist, but can be turned off simply by unchecking the checkbox). See below:
- New application licenses that you purchase will now result in a payload (Fileset) with a dynamic quota (reservation checkbox unchecked), as shown below for both native and Web Admin.

With dynamic quotas:

- The total number of licenses for a particular asset (app/book) is treated as a pool shared between all Filesets
- For all Filesets that do have the reservation option activated, the reserved number of licenses is deducted from the total quota first
- When a license is required for a Fileset that has licenses reserved, the number of assignments through that Fileset is checked against the reserved licenses
- For all Filesets that do not have the reservation option activated, the remaining number of licenses is shared and available on demand
- When a license is required, the number of already assigned licenses is checked against this dynamic quota
- If there are no free licenses available, the installation will not proceed
- When you purchase more licenses, they are automatically added to the dynamic quota

Examples

If you purchased 100 licenses for a new app (Firefox):

- When the Fileset (payload) for the app is created, the reserve license option will be deactivated
- As there are no other payloads with reserved licenses, all 100 licenses will be available through the dynamic quota
- You associate the payload to 20 clients: the dynamic quota is reduced to 80
- You now duplicate the payload. In the new payload's properties you specify that 25 licenses should be reserved for this Fileset.
  The dynamic quota is now reduced to 55
- You associate this second payload to 20 clients. The quota for that payload will now be 5, while the dynamic quota remains 55
- You create yet another copy of the payload, with no license reservation. The dynamic quota remains 55
- You associate this 3rd copy to 25 clients. The dynamic quota is now reduced to 30
- Purchasing 100 more licenses at this point brings the dynamic quota up to 130

Some more complex examples, building on the above:

- You associate the second Fileset above to 10 more clients: five of the clients will get a license, while the other 5 won't (because we had a reservation of 25 and had already assigned 20 of them)
- You increase the reserved license count of this Fileset to 35 (from 25). The dynamic quota will now be reduced to 120
- You associate the third Fileset to 150 more clients. The dynamic quota will only allow 120 of those to get a license
- Current state: Fileset 1 uses 20; Fileset 2 has 35 licenses reserved, but uses 30; Fileset 3 uses 145. Thus a total of 195 out of 200 licenses are in use, with 5 still held in reserve
- You purchase an additional 50 licenses for the app: after a VPP sync and Model Update, they are added to the dynamic quota. All clients associated to Fileset 3 will now have a license assigned (-30), and the dynamic quota will settle at 20 licenses available

VPP Apps Not Updating

Description

As described in the KB on VPP App updates, these should occur automatically, within 24 hours of the new App release. However, there are times they may not happen.

Information

From device check-in, the FileWave Server receives information on installed applications and, where an update exists, a new command is queued for the device. Once received, the device pulls the updated version from the App Store. Consider the elements involved when assessing why one or more Apps may not update.
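The reservation and dynamic-quota rules in the VPP Licensing Reservations section above are easier to reason about as a small simulation. The following Python is an added example, not FileWave code; it assumes licenses are handed out at Model Update in the order the rules list (reserved Filesets draw only from their own reservation, unreserved Filesets share what remains, earliest Fileset first, and nothing already assigned is taken back). With those assumptions it replays the Firefox walkthrough and reproduces every dynamic quota value quoted there.

```python
from typing import Optional


class Fileset:
    """One VPP payload: an optional reservation, how many clients are associated,
    and how many licenses it has actually been granted."""

    def __init__(self, name: str, reserved: Optional[int] = None):
        self.name = name
        self.reserved = reserved   # None = unreserved, draws from the dynamic quota
        self.demand = 0            # clients associated to this Fileset
        self.assigned = 0          # licenses actually handed out through it


class LicensePool:
    """All licenses for one asset (app/book), shared by its Filesets."""

    def __init__(self, purchased: int):
        self.purchased = purchased
        self.filesets: list[Fileset] = []

    def new_fileset(self, name: str, reserved: Optional[int] = None) -> Fileset:
        fs = Fileset(name, reserved)
        self.filesets.append(fs)
        return fs

    def dynamic_quota(self) -> int:
        """Licenses left for unreserved Filesets: total, minus every reservation
        (used or not), minus what unreserved Filesets already hold."""
        reserved = sum(f.reserved for f in self.filesets if f.reserved is not None)
        held = sum(f.assigned for f in self.filesets if f.reserved is None)
        return self.purchased - reserved - held

    def update_model(self) -> int:
        """Hand out licenses (assumed order, see lead-in) and return the dynamic quota."""
        for f in self.filesets:
            if f.reserved is not None:
                f.assigned = min(f.demand, f.reserved)       # never more than reserved
        for f in self.filesets:
            if f.reserved is None:
                free = max(0, self.dynamic_quota())
                f.assigned += min(f.demand - f.assigned, free)  # installs stop when free == 0
        return self.dynamic_quota()

    def waiting(self) -> dict:
        """Clients associated but still without a license, per Fileset."""
        return {f.name: f.demand - f.assigned for f in self.filesets if f.demand > f.assigned}


def firefox_walkthrough():
    """Replay the worked example; returns the dynamic quota after each step and the pool."""
    pool = LicensePool(100)
    quotas = []
    fs1 = pool.new_fileset("Firefox")
    fs1.demand += 20
    quotas.append(pool.update_model())          # 80
    fs2 = pool.new_fileset("Firefox (reserved)", reserved=25)
    quotas.append(pool.update_model())          # 55
    fs2.demand += 20
    quotas.append(pool.update_model())          # 55, fs2 has 5 of its 25 left
    fs3 = pool.new_fileset("Firefox (copy)")
    quotas.append(pool.update_model())          # 55
    fs3.demand += 25
    quotas.append(pool.update_model())          # 30
    pool.purchased += 100
    quotas.append(pool.update_model())          # 130
    fs2.demand += 10
    quotas.append(pool.update_model())          # 130, but 5 fs2 clients wait
    fs2.reserved = 35
    quotas.append(pool.update_model())          # 120, fs2 now holds 30
    fs3.demand += 150
    quotas.append(pool.update_model())          # 0, fs3 holds 145 and 30 clients wait
    pool.purchased += 50
    quotas.append(pool.update_model())          # 20, fs3 holds 175
    return quotas, pool


if __name__ == "__main__":
    q, p = firefox_walkthrough()
    print(q, [(f.name, f.assigned) for f in p.filesets], p.waiting())
```

The useful operational reading of the model: a reservation is a floor for one Fileset and a ceiling on everyone else, so raising a reservation shrinks the shared quota immediately even if the reserved Fileset never uses it.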
These include:

- Server SSL certificate
- VPP token
- APNs token
- Apple T&Cs
- App identification

Directions

The certificates and tokens are relatively straightforward. If expired, they should be updated; whilst expired, VPP installations will be impacted until resolved.

- VPP Token Renewal
- APNs Token Renewal
- SSL Certificate Renewals

It is not unusual for Apple to update the T&Cs. Administrators of School or Business Manager accounts should receive an email from Apple indicating these have changed and asking them to log into their Apple manager account and accept the new terms.

On rare occasions, it may be found that updating a token which appears to still be valid resolves issues with App installations and updates. Since there is no restriction on frequency of renewal, tokens can be updated in advance of expiry; there is no harm in trying this.

The last item in the list, though, is one that more often catches Administrators out.

App Identification

Analysis

Each App has a unique bundle identifier. This information is stored within the Info.plist of any App, amongst other places. For this example, consider Apple Numbers for macOS:

    % /usr/libexec/PlistBuddy -c "Print CFBundleIdentifier" '/Applications/Numbers.app/Contents/Info.plist'
    com.apple.iWork.Numbers

Since Numbers used to be part of the iWork suite, its bundle identifier reflects this. We see the same with Keynote:

    % /usr/libexec/PlistBuddy -c "Print CFBundleIdentifier" '/Applications/Keynote.app/Contents/Info.plist'
    com.apple.iWork.Keynote

FileWave needs to reference these Apps in the App Store, which is handled by the unique App Store ID. This can be observed as part of the App Store URL. For the above version of Numbers, the URL is:

    https://apps.apple.com/gb/app/numbers-14-5/id409203825?mt=12&uo=4

making the store ID number 409203825.

Apple has a developer article indicating how to perform store lookups:
App Store API Lookups
Not all items need necessarily be included, but the lookup could take the form:
    "https://itunes.apple.com/lookup?id=${apple_id}${country_id}${language}"
Using the Numbers example, simplistically, the lookup could be:
    % curl -s "https://itunes.apple.com/lookup?id=409203825"
Amongst the information returned from this query is the identifier and version string:
    "bundleId":"com.apple.iWork.Numbers"
    "version":"14.5"
Where this is installed on a device, FileWave will report the relevant information. This information is supplied by the device. Hence, the device knows what is installed and which version is installed, and inventory will cause the server to trigger an update where appropriate.
What happens, though, if the information were to change? Why would it change?

Incorrect Identity
Before we get into incorrect identifiers, compare this with the mobile version of Numbers. It has an alternate bundle identifier and hence a different App Store identifying number.
    % curl -s "https://itunes.apple.com/lookup?id=361304891"
This time the command returned:
    "bundleId":"com.apple.Numbers"
    "version":"15.1"
Apple has spent time working on Universal Apps: those that work on both macOS and iOS-type devices. To achieve this, only one App Store App is required, but clearly there can't be one App with one URL for two different versions and bundle identifiers. This poses an issue for the developer of the application, and that has a knock-on effect on MDM servers and devices.
To simplify the change to universal, Apple chose to keep the app identity used on mobile devices for the new universal App. The outcome is that iOS devices running Numbers won't notice any difference and will update to the newer released version. However, macOS will not. As far as the macOS device is concerned, it doesn't have this software installed, and there are no more updates for the Numbers.app installed at that time.
The consequence is a requirement to change the association of the original Numbers App to the Universal App Store entry. The original Numbers.app for macOS is now deprecated, but should still show in purchased Apps and be deployable to relevant devices. Indeed, the same can be seen for Keynote and Pages, for example.
Although not recommended by Apple, it is indeed possible to have both versions installed simultaneously, since in reality they are effectively two different Apps. Unix systems can't have two items with the same name in the same directory, though. Looking at additional information from the App Store query, another point of interest is:
    "releaseNotes":"Numbers is now part of Apple Creator Studio..."
Using the Get Info option on the newly installed version does indeed show the name of the App as Numbers Creator Studio.
Using that information, running a query against the Info.plist file for that App highlights that it is the same as the version installed on mobile devices:
    % /usr/libexec/PlistBuddy -c "Print CFBundleIdentifier" '/Applications/Numbers Creator Studio.app/Contents/Info.plist'
    com.apple.Numbers
Changing over will likely involve a new 'Purchase' of the App in the Apple School or Business Manager account, or an increase in licence quantity if already used for mobile devices.
Like iLife and iWork, Apple Creator Studio is a suite of applications. Apple has provided details regarding this suite, purchases and deployment in Apple's Education Forum: Apple Creator Studio Deployment Considerations.
As such, the issue of VPP Apps not updating can be about certificates and communication, but sometimes the App isn't there anymore in its original form. The same has been seen from other developers, and it is entirely likely more of these will show, particularly with the transition from dedicated apps to universal apps.
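The lookup and identity comparison described in the two sections above, as an added Python example rather than anything from FileWave or Apple: it reads the bundle identifier the way PlistBuddy does (via plistlib), builds the lookup URL from the page's template, parses the lookup response and then classifies the device's inventory against the store entry. The two lookup responses and the Info.plist are constructed samples trimmed to the fields the page quotes; the `country` and `lang` query parameter names are an assumption (the page leaves those parts of the template as placeholders).

```python
import json
import plistlib
from typing import Dict

# Constructed, trimmed lookup responses: the real API returns many more
# fields per result, but these are the ones the page relies on.
MAC_NUMBERS_LOOKUP = json.dumps({
    "resultCount": 1,
    "results": [{"trackId": 409203825, "bundleId": "com.apple.iWork.Numbers", "version": "14.5"}],
})
UNIVERSAL_NUMBERS_LOOKUP = json.dumps({
    "resultCount": 1,
    "results": [{"trackId": 361304891, "bundleId": "com.apple.Numbers", "version": "15.1"}],
})

# Constructed Info.plist standing in for /Applications/Numbers.app/Contents/Info.plist
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.apple.iWork.Numbers</string>
<key>CFBundleShortVersionString</key><string>14.5</string>
</dict></plist>"""


def build_lookup_url(apple_id: int, country: str = "", language: str = "") -> str:
    """Fill the page's template lookup?id=${apple_id}${country_id}${language}.

    Assumption: 'country' and 'lang' are the parameter names; the page shows
    only placeholders for those two parts.
    """
    url = f"https://itunes.apple.com/lookup?id={apple_id}"
    if country:
        url += f"&country={country}"
    if language:
        url += f"&lang={language}"
    return url


def installed_identity(info_plist: bytes) -> Dict[str, str]:
    """Same answer as PlistBuddy's 'Print CFBundleIdentifier', for XML or binary plists."""
    plist = plistlib.loads(info_plist)
    return {"bundle_id": plist["CFBundleIdentifier"],
            "version": plist["CFBundleShortVersionString"]}


def parse_lookup(body: str) -> Dict[str, str]:
    """Extract store id, bundleId and version; refuse empty or ambiguous answers."""
    data = json.loads(body)
    results = data.get("results") or []
    if data.get("resultCount") != 1 or len(results) != 1:
        raise ValueError("expected exactly one App Store result")
    r = results[0]
    return {"store_id": str(r["trackId"]), "bundle_id": r["bundleId"], "version": r["version"]}


def _version_key(v: str):
    # Dotted versions compare component-wise; any non-numeric component sorts as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def assess(installed: Dict[str, str], store: Dict[str, str]) -> str:
    """What the inventory plus the store entry allow an MDM to conclude.

    'identity-mismatch' is the situation the page describes: the store entry
    now carries a different bundle id (the universal com.apple.Numbers), so a
    macOS device holding com.apple.iWork.Numbers sees no further updates.
    """
    if installed["bundle_id"] != store["bundle_id"]:
        return "identity-mismatch"
    if _version_key(store["version"]) > _version_key(installed["version"]):
        return "update-available"
    return "up-to-date"


if __name__ == "__main__":
    device = installed_identity(SAMPLE_INFO_PLIST)
    print(build_lookup_url(409203825, country="gb"))
    print("old store entry:", assess(device, parse_lookup(MAC_NUMBERS_LOOKUP)))
    print("universal entry:", assess(device, parse_lookup(UNIVERSAL_NUMBERS_LOOKUP)))
```

Running the check against the old macOS store entry reports the device as up to date, while the universal entry reports an identity mismatch: that mismatch, not a certificate or token problem, is the signal that the App Store entry the MDM references no longer describes the app the device has installed.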
Migrating Apple Devices to FileWave from Another MDM using ASM/ABM

What
Apple School Manager (ASM) and Apple Business Manager (ABM) now include a device assignment feature that allows you to move DEP/ADE devices from one MDM server to another without requiring physical device access or a factory reset. FileWave can serve as the receiving MDM server in this migration process, making it possible to transition devices from competing MDM solutions with minimal disruption. Note that this forced-move functionality is new in the '26 versions of Apple's operating systems.

When/Why
Use this feature when you're switching to FileWave as your primary MDM and want to migrate existing DEP/ADE enrolled devices without losing enrollment or forcing users through complex re-enrollment processes. This is especially valuable when:
- You have an established fleet on another MDM and want to consolidate to FileWave
- You want to avoid factory resets or complex manual re-enrollment workflows
- You need to preserve device configurations and user experience during the transition
- You're testing FileWave's MDM capabilities before committing to a full migration

How
Prerequisites
- FileWave instance registered as an MDM server in your ASM/ABM account (follow standard MDM setup)
- Your existing MDM server still registered in ASM/ABM
- At least one test device to validate the process

Step-by-Step Process

1. Assign Device Management in ASM/ABM
- Log in to Apple School Manager or Apple Business Manager
- Navigate to your device list and select a test device (start with 1–2 devices, not your entire fleet)
- Click the ... (three-dot) menu in the top right corner
- Select Assign Device Management
- Choose FileWave as the destination MDM server
- Click + Add Deadline to set when the migration occurs; choose the soonest available time if you want the device to move immediately
- Confirm the assignment

2. Synchronize with FileWave
- On your FileWave server, navigate to Assistants → ADE Association Management
- Click Synchronize to pull the latest device list from Apple
- The moved device should appear in the ADE device list within a few moments
- If the device doesn't appear:
  - Hold Option (⌥) while clicking the Synchronize button
  - The button text will change to "Full Sync"
  - Click it to perform a complete sync; the device should now appear

3. Assign Enrollment Profile
- Locate the newly migrated device in your FileWave ADE device list
- Verify an enrollment profile is assigned to it
- If no profile is assigned, select an appropriate enrollment profile and assign it
- Click Sync with Apple to confirm the assignment

4. User Migration Prompt
Once Apple detects the enrollment profile is assigned:
- The device will automatically receive a prompt to migrate MDM servers
- For the user, the process is straightforward: they simply accept the on-device prompts
- Users do not need to understand or interact with MDM details; the migration is transparent to them

Platform / Device Type: iOS/iPadOS, macOS
Note: This process applies to all Apple platforms enrolled via DEP/ADE.

Related Content
- FileWave MDM Server Setup in Apple Business Manager
- ADE Association Management Best Practices
- VPP App Assignment in FileWave
- Device Enrollment Profiles in FileWave

Digging Deeper
VPP Apps and Migration
One critical consideration during migration is app continuity.
If your devices were using VPP (Volume Purchase Program) apps assigned via the previous MDM:
- Apps won't automatically transfer to FileWave
- After migration, you must configure VPP app assignments in FileWave to ensure users retain app access
- Apps may be removed from devices if they're no longer available through the new MDM during the transition
- Test this scenario on your pilot devices to understand timing and user impact
Recommendation: Audit which VPP apps are currently assigned on your test devices, then set up the same apps in FileWave before migration to minimize disruption.

Testing Strategy
Migrating devices in small batches is essential:
- Test batch (1–2 devices): Verify that the assignment, sync, and enrollment profile assignment work as expected
- Observe user experience: Confirm users receive prompts and can migrate without assistance
- Check app availability: Ensure critical apps (especially VPP) are available on FileWave post-migration
- Check configurations: Verify that any device configurations or restrictions are re-applied properly
- Rollout in waves: Once validated, migrate in small groups (10–50 devices) rather than all at once
This phased approach prevents fleet-wide issues and gives you time to address any unexpected problems.

Timing and Deadlines
- If you don't add a deadline in ASM/ABM, the device assignment will remain pending
- The deadline determines when Apple will initiate the migration prompt on the device
- Devices don't migrate instantaneously; allow time for Apple's systems to process and push the prompt
- Monitor ADE Association Management sync logs to see when devices are enrolled with FileWave

If Migration Stalls
If a device doesn't complete migration:
- Verify the enrollment profile is still assigned in FileWave
- Check that the device has network connectivity
- Perform another Full Sync (Option + Synchronize) in ADE Association Management
- Check device logs on the client to see if there's a prompt pending user action
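The pre-migration audit recommended above (which VPP apps the pilot devices depend on, and whether FileWave already has them with enough free licences) is the part of this procedure that can be scripted. The following is an added Python example, not a FileWave tool or API: both inputs are constructed stand-ins for an export from the previous MDM and for the VPP apps already set up in FileWave, with placeholder serials and bundle identifiers, since neither MDM's export format is described on the page.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed export from the previous MDM: device serial -> bundle ids of the
# VPP apps it had assigned to that device. Serials and app ids are placeholders.
PREVIOUS_MDM_ASSIGNMENTS: Dict[str, List[str]] = {
    "PILOT-SERIAL-001": ["com.apple.Numbers", "com.example.lms", "com.example.reader"],
    "PILOT-SERIAL-002": ["com.apple.Numbers", "com.example.lms"],
}

# Constructed view of the VPP apps already set up in FileWave, with the licence
# position of each: bought in ASM/ABM, and already handed out to other devices.
FILEWAVE_VPP_CATALOGUE: Dict[str, Dict[str, int]] = {
    "com.apple.Numbers": {"purchased": 3, "in_use": 2},
    "com.example.lms": {"purchased": 10, "in_use": 0},
}


def audit_vpp_gap(assignments: Dict[str, List[str]],
                  catalogue: Dict[str, Dict[str, int]]) -> Dict[str, object]:
    """Classify every app the pilot batch depends on before the batch is moved.

    missing: app not set up in FileWave at all -> which serials would lose it
    short:   app exists but free licences < devices needing it -> licences lacking
    ready:   app exists with enough free licences for the whole batch
    """
    needed_by: Dict[str, List[str]] = defaultdict(list)
    for serial, bundles in assignments.items():
        for bundle in bundles:
            needed_by[bundle].append(serial)

    report: Dict[str, object] = {"missing": {}, "short": {}, "ready": []}
    for bundle in sorted(needed_by):
        devices = sorted(needed_by[bundle])
        if bundle not in catalogue:
            report["missing"][bundle] = devices
            continue
        free = catalogue[bundle]["purchased"] - catalogue[bundle]["in_use"]
        if free < len(devices):
            report["short"][bundle] = len(devices) - free
        else:
            report["ready"].append(bundle)
    return report


def batch_is_safe(report: Dict[str, object]) -> bool:
    """True only when every app the batch uses exists in FileWave with enough free licences."""
    return not report["missing"] and not report["short"]


if __name__ == "__main__":
    result = audit_vpp_gap(PREVIOUS_MDM_ASSIGNMENTS, FILEWAVE_VPP_CATALOGUE)
    for key in ("missing", "short", "ready"):
        print(f"{key:8s} {result[key]}")
    print("safe to migrate this batch:", batch_is_safe(result))
```

Run against the constructed data, the audit flags com.example.reader as not set up in FileWave at all (PILOT-SERIAL-001 would lose it) and com.apple.Numbers as one licence short for the two pilot devices, so the batch should not be moved until those are fixed; re-running after adding the missing app and buying the extra licence returns a clean report.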