2. Client Pre-Requisites

• Android Client Pre-Requisites
• Apple Client Pre-Requisites
• Chromebook Client Pre-Requisites
• Windows Client Pre-Requisites

Android Client Pre-Requisites

Obtaining JSON File

Android EMM (Enterprise Mobility Management) is built into FileWave as of version 13.1.  This feature requires activation. Activation may be generated from the following link:

https://amapi.filewave.com/

Add the FileWave Server Activation Code in the Customer ID box and select Generate Key.  On doing so, the required JSON file will need to be downloaded and saved.

This process cannot be repeated.  If you have an issue with activation, please contact support.

Setup

Requirements

• Server and Admin running FileWave Version 13.1.0 +
• Android 8 or newer Device(s) as of FileWave 15.3.0 (Requirements may change, confirm with latest release notes)
• Generated JSON key (see above)
• Network Port 443 inbound and outbound between FileWave server and Google (See Default TCP and UDP Port Usage for full list and topology)
• A standard Google account or G-Suite account
• Perform the changes in FileWave as the fwadmin user specifically because some steps will not be able to be accomplished without doing so

A Google account may only be registered to a single EMM instance:
Unlike standard Google or Gmail accounts, a G Suite administrator manages all accounts associated with each of these editions. G Suite provides access to a core set of apps that include Gmail, Calendar, Drive, Docs, Sheets, Slides, Forms, Google+, Hangouts Meet, Hangouts Chat, Sites, and Groups.

You are not required to setup Google Cloud Messaging (GCM/Firebase) for Android EMM to work. Any references to it are for Chromebooks.

Configure Service Account

Open FileWave Admin 'Preferences' > 'Google' tab and click 'Configure Enterprise' under the EMM Configuration section.  If the Google tab is not yet apparent, the FileWave server service will require a restart after requesting the JSON.

1. Proceed by selecting the 'Choose File' button in the 'Set Up an Android Management Enterprise' window
2. Select service account file, then press 'Upload'
3. When requested, enter a display name for your enterprise and 'Sign Up'. This is merely an internal identifier but will be visible on devices.
4. Press 'Click here' link to finalize the setup. The link opens a browser, navigating to Google Play website.  Finalize enterprise creation using the chosen Google account.
5. On registration completion, the browser should redirect to the FileWave server website informing success. 'Enterprise "[display name]" successfully created.'

The FileWave Admin should now display the successfully configured Android EMM account:

Enrolling Android Devices

You are now set to enroll Android devices as described here: Android Enrollment

Apple Client Pre-Requisites

Now that we have the FileWave basics taken care of, let us start integrating the Apple services into FileWave. This section will cover creating an APNS certificate and syncing FileWave with Apple's DEP and VPP.

Apple Push Notification Service (APNS) Certificate

The Apple Push Notification Service Certificate or "APNS Cert" is what allows FileWave to send out Push Notifications to Apple devices including macOS, iOS, and tvOS. This step is absolutely critical for any Apple management within FileWave.

To create and upload an APNS certificate follow the instructions at one of the following links depending on your platform macOS or Windows. If you have a macOS machine available, the process is usually found to be easier on the Mac versus a Windows machine since macOS includes the built-in Keychain Assistant.

Since the APNS certificate must be renewed annually, we recommend you create calendar reminders 45, 30, and 15 days before the expiration. The FileWave Admin's Dashboard can also be configured to give you an alert of expiration via email.

When renewing your APNS certificate, be sure to use the same Apple ID that was used to originally create it. Creating a new certificate, or creating a certificate with a different Apple ID, rather than renewing the existing one used by FileWave, will break MDM communication with your mobile devices and require un-enrollment and re-enrollment. Take the following precaution to prevent this.

Apple Device Enrollment Program (DEP)

Now that we have the APNS created and imported, let us leverage Apple's Device Enrollment Program to automate the enrollment of our macOS, iOS, and tvOS devices.

Add new MDM Server to Apple

1. Log into Apple School Manager (ASM) or Apple Business Manager (ABM) using your organization's Administrator account.

2. Navigate to "Settings" in the lower left-hand corner.

3. Select "Device Management Settings" from the middle pane.

4. Click "Add MDM Server" from the right pane.

5. Change the "MDM Server Name" to "FileWave" or something distinguishable.

6. Navigate to "FileWave Admin > Preferences > VPP & DEP", click "Download Certificate" from the bottom "Device Enrollment Program" section, and authenticate.

7. Navigate back to ASM/ABM and "Choose File" to select the recently downloaded "FileWave DEP.pem".

8. Click "Save".

Sync Apple DEP within FileWave

1. After creating new MDM Server, select the new server from the list.

2. Click "Download Token" and accept the warning message.

3. Navigate to "FileWave Admin > Preferences > VPP & DEP", click "Configure accounts" from the bottom "Device Enrollment Program" section, and authenticate.

4. Click the "[+]" button in the lower left-hand corner and select the recently downloaded "FileWave_Token_XXXX-XX-XXTXX-XX-XXZ_smime.p7m" token file.

5. If data is populated in all of the columns of the "DEP Accounts" window, the token import was successful.

Assign devices from ASM/ABM to FileWave MDM Server

1. Select "Devices" from the left-hand pane within ASM/ABM.

2. Search for devices by Serial Number (comma separated) or use the Filter icon to choose all "Unassigned" devices.

3. With the device(s) selected, click "Edit Device Management" and select the newly created FileWave MDM Server.

4. Navigate to "FileWave Admin > Assistants > DEP Association Management"

5. Hold down the Option or Alt key on your keyboard and click the "Synchronize (full sync)" button in the lower right-hand corner.

6. You should now see all devices assigned in Step 3 within FileWave's DEP Associations window.

Create DEP Profile and enroll Apple Devices

• These workflows will be covered in the DEP Enrollment section.

Apple Volume Purchase Program (VPP)

The Apple Volume Purchase Program (VPP) is integrated into Apple School Manager and Apple Business Manager and allows you to purchase and deploy applications from the App Store. When purchasing (free or paid) VPP licenses you will need to assign the licenses to a "Location" within ASM/ABM and each "Location" within ASM/ABM corresponds with a VPP Token. You will import each VPP Token into FileWave to sync the licenses assigned to the particular "Location".

If you are just starting out with ASM/ABM, you'll most likely just have one "Location" and therefore one VPP Token. If you are currently using a VPP Token in another MDM it is recommended to create a new "Location" for the evaluation of FileWave. This is recommended because importing a VPP Token that is used in another MDM will result in the automatic revoking of any deployed VPP licenses from that MDM. If you are not concerned with the licenses being revoked, please feel free to continue to import the existing VPP Token.

This section will not cover creating a new "Location" in ASM/ABM but more information can be found here from Apple School Manager User Guide or found here from Apple Business Manager User Guide.

Download VPP Token from ASM/ABM

1. Log into Apple School Manager (ASM) or Apple Business Manager (ABM) using your organization's Administrator account.
2. Navigate to "Preferences" in the lower left-hand corner.
3. Select "Payments and Billing" from the middle pane.
4. Find the desired "Location" name from the "My Server Tokens" section.
5. Click "Download".

Import VPP Token into FileWave Admin

1. Navigate to "FileWave Admin > Preferences > VPP & DEP", click "Configure tokens" from the top "Volume Purchase Program" section, and authenticate.

2. Click the "[+]" button and name the Token. This name is only used to distinguish the VPP Tokens within FileWave.

3. Optionally, fill out the "Department", "Owner", and "Owner Email" fields.

4. Click "Import" button and select the recently download VPP Token "sToken_for_XXXX.vpptoken".

5. The VPP Token should now be visible in the "Edit Apps and Books server tokens" window and ready for use.

VPP Token Permission

If you do not see the added VPP Token this is because your FileWave Admin account has not been granted permission to the VPP Token. Please consult the "Allow new users to access existing VPP Tokens" section to grant permission to the VPP Token.

VPP Ownership

If you receive a message about the VPP Token being owned by another VPP tool, please inform your FileWave SE and they can assist in taking ownership of the VPP Token. Taking ownership of the VPP Token will result in the revoking of any previously deployed VPP licenses from another MDM so please proceed with caution. If you want to avoid licenses being revoked, please create a new "Location" within ASM/ABM and purchase new license or assign existing license to the new "Location".

Purchase VPP Licenses from ASM/ABM

Please consult Apple School Manager User Guide or Apple Business Manager User Guide for more in-depth information regarding purchasing Apps and Books.

1. Log into Apple School Manager (ASM) or Apple Business Manager (ABM) using your organization's Administrator or Content Manager account.
2. Select "Apps and Books" from the left pane.
3. Search for the application name you wish to purchase and verify its intended platform (iOS App vs. macOS App).
4. Select the desired "Location" from the "Assign to" drop-down menu.
5. Specify the quantity of licenses you'd like to purchase.
   1. Please enter a reasonable amount of licenses to cover your future device population but not too many (100,000+) as it may slow down the VPP sync process.
6. Click "Get" button to complete your purchase.
7. Licenses will usually be available within 5 minutes of purchase and you will be emailed by Apple when your licenses are available.

Sync VPP Licenses into FileWave

Now that we have at least one VPP Token imported into FileWave and licenses purchased, we can sync VPP within FileWave and automatically create Filesets for each VPP application.

1. Open FileWave Admin and navigate to "License Management" from the left pane.
2. Click the "Synchronize VPP" button in the black menu bar.
   • FileWave syncs with VPP automatically every 5 minutes but this will force a VPP synchronization and "Refreshes" the view.
3. You should receive a pop up message asking if you'd like to automatically create Filesets for your VPP applications. Click "OK".
4. You should now see the VPP License information in the "License Management" section and a new Fileset in the "Filesets" section.
   • If you'd like to change where the VPP Filesets are imported to, please refer to this section of "Software Group Structure".

Enrollment Credentials

If you choose, you can prompt the user to authenticate the enrollment with a generic account name and password or with your AD/Okta/Google Credentials. You can also turn off authentication completely if you want a more streamlined process.

• Okta Credentials:IdP Setup: Okta
• Google Credentials:IdP Setup: Google
• Microsoft Entra AD: IdP Setup: Microsoft Entra ID
• LDAP Credentials: Using LDAP to enroll macOS/iOS/Android devices

Generic Username/Password:

1. From the server type one of the following, depending on your enrollment strategy: 
   Manual Enrollment(OTA)

   sudo fwcontrol mdm adduser [name]

   Device Enrollment Program (DEP):

   sudo fwcontrol mdm adddepuser [name]

   Where [name] is the name of the account

2. Enter your server’s root password

3. Enter a password for this account

No Authentication:

1. From the server type the following:

   cp /usr/local/filewave/apache/conf/mdm_auth.conf.example_no_auth /usr/local/filewave/apache/conf/mdm_auth.conf

2. When asked to overwrite the original, enter 'y' for yes

3. Restart the apache service to put the new configuration into place

   /usr/local/filewave/apache/bin/apachectl graceful

Chromebook Client Pre-Requisites

Before beginning the setup of the Chromebooks, we must first provide you with a temporary Activation Code to license the amount Chromebooks you currently have under management in Google Admin Console. Please email the total number of "Provisioned" Chromebooks to your FileWave Account Executive or FileWave Systems Engineer, and we will send the Activation Code to you as soon as possible.

If you are unsure whether or not you are able to use Chromebooks with FileWave, please click to see the resources below.

List of countries where Chrome OS Management licenses are sold directly by Google to end customers:
Go to https://eduproducts.withgoogle.com/ , click 'contact sales', and then look at the drop-down menu 'Country' - if the country is in the list, it's supported.

Even if the country is not listed under the link above, a local google partner might be able to help :
https://www.google.com/a/partnersearch 

Chromebook features

• Location Tracking

• Disable / Deprovision device

• Historical user login activity

• FileWave and Google Custom Fields

• Google OU creation, renaming, and move device

• Full hardware and software (extensions) Inventory reporting

• Powerwash & Wipe Users
• Reboot

Setup

Required Items

• Google Domain

  • Admin rights within the Google Domain

  • At least one Chromebook

  • Chromebooks Enterprise enrolled

  • Pre-existing Google Organizational Unit structure (RECOMMENDED)

• Running FileWave Server

• Enough FileWave Chromebook licenses to cover every Chromebook in the Google OU

• FileWave Server must use a root trusted SSL certificate and not a self-signed one

Google Cloud Messaging / Firebase Setup

First, you’ll need to configure Google Cloud Messaging (GCM/Firebase) so that FileWave can send push notifications to your Chromebook devices. The following steps will help you get your FileWave server setup with Google Cloud Messaging which is required for Android and Chromebook support.

1. Go to console.firebase.google.com in your web browser

2. Sign into your Google Account

3. Accept the user agreement (if necessary)

4. Select "Get started with a Firebase Project"

Enter name for the project and Agree to Terms – then click Create Project. Note below the fwx.io is the organization. Make sure the right organization is there or click on it and you can select the organization. Some types of accounts may not offer to let you pick an organization.

Choose to Disable Google Analytics for this project and then let it create the project.

Once the project creation has been completed, select Continue and you'll be on to the next steps.

Configuring Google Chromebooks to Sync with FileWave

The following processes and steps will walk you through setting up your FileWave server to manage Chromebooks. Current functionality will allow you to pull/query inventory data and utilize our location tracking feature in FileWave.

Enable Access to APIs

1. Go to the below address to start the process: https://console.developers.google.com/flows/enableapi?apiid=admin,calendar,classroom,drive,driveactivity.googleapis.com,gmail,groupssettings,licensing,plus,contacts,firebase.googleapis.com,fcm.googleapis.com If you just completed the Google Cloud Messaging / Firebase Setup, the project will already be selected and will use the project created during the GCM setup (this MUST be set up to continue). If it's not automatically selected, select the drop-down at the top of the screen and choose the correct project. You can also create a new one if you'd like. My Project is called 'FileWave Chromebooks'. 2. Confirm the Project and Enable the APIs for the project

Creating a Service Account and Credentials

Adding a Delegated User

OAuth Client ID & Authorizing API Scopes

Sync Google with FileWave

1. Be sure you have already set up Google Cloud Messaging / Firebase Setup 2. Open your FileWave Admin Preferences and select the Google Tab 3. Once there, click the Configure OAuth token button at the top, you will be prompted for your credentials 4. After authenticating simply type in the Google Account you associated with the service account 5. The last step will be to import the .json file you saved at the beginning of this document 6. After you press OK FileWave will sync automatically with Google

Now if you go into the Clients section in FileWave you will see a Chromebooks group with the same structure and devices you have in your Google Admin. This may take some time.

Deploying FileWave Inventory Extension to Chromebooks

Changing check-in frequency

If you want to change the frequency of check-in, you can modify the following attribute in the JSON to reflect check-in frequency (in minutes).  The default is 1440, or once per day.

"UpdateIntervalInMinutes": {
"Value": 1440
}

Location Tracking Permissions

If you're wanting to use Location Tracking, you will need to "Allow sites to detect Users' geolocation" in Google Admin. You will find this option in Devices > Chrome > Settings, on the page that loads it will be under Security > Geolocation. For this setting, you want to ensure that you set it at the level in the organization that it should apply. In the image below we only enabled it for Foundry Chromebooks but did not set it for all. If you would like to enable Geolocation for all devices then make sure you set it at the domain level and also make sure that none of your OUs are set to ignore the inheritance of this setting. Simply check the setting on each OU and you will see what it is set to. 

Just like with the Extensions, it is important that the OUs that you enable this on either be all of them or, at a minimum, you need to enable it for both the User and Device OUs that you will be using with FileWave.

Congratulations, you can now manage your Chromebooks with FileWave!

Troubleshooting

If for any reason you experience issues seeing your ChromeOS devices in FileWave or issues with reporting then see the notes in our Chrome Troubleshooting Guide

Windows Client Pre-Requisites

All you need to do to enroll a Windows Client is to deploy a customized FileWave Client MSI to your machines. We typically recommend using an existing tool capable of deploying a MSI such as Group Policy. This customized MSI can also be "baked" into a Windows image that can be deployed via FileWave's Imaging Virtual Server (IVS) so that freshly imaged Windows machines will automatically enroll into FileWave. Lastly, the FileWave Client MSI can be manually distributed and installed on any Windows machine that has local Administrator privileges. 

If your organization uses Microsoft Entra ID and your users authenticate using Microsoft Entra ID credentials into their Windows machines, please consider enrolling your Windows machines into FileWave via Microsoft Entra ID. This will also allow for Windows MDM management within FileWave. Learn more on our Windows MDM article.

Generating a custom FileWave Client MSI

1. Open the FileWave Customer Installer Builder for Windows.
2. Fill out the settings accordingly.
3. Click the "Build" button and wait for the automatic download.
4. Extract ZIP and install the customized FileWave Client MSI.

Note: The default Server Port setting above is 20015. However, SSL is now required, and the system will automatically use port 20017 instead when 20015 is entered. Do not manually set the port to 20017. Always enter 20015, and the system will handle the SSL port change for you.

Deploying the FileWave Client with Group Policy (Startup Script)

If you have no other way to easily deploy the FileWave Client to Windows sytems, but they are all tied to an Active Directory then leveraging Group Policy (GPO) can allow you to rapidly deploy the client with very little effort. 

<#
.SYNOPSIS
    Deploys the FileWave agent via a Group Policy startup script, always logging output.
.DESCRIPTION
    Checks whether the FileWave process is running; if not, copies the MSI from the network share
    to a persistent local directory and installs it in silent mode. All verbose, warning, and error output
    is logged to C:\temp\Deploy-FileWave.log, trimmed to the last 100 KB at each run.
.NOTES
    - Verbose output is forced by setting $VerbosePreference = 'Continue'.
#>

# Force verbose output so all Write-Verbose messages appear in transcript
$VerbosePreference = 'Continue'

# Define directories and log files
$logDir = 'C:\temp'
$logFile = Join-Path -Path $logDir -ChildPath 'Deploy-FileWave.log'
$maxBytes = 100KB

# Persistent MSI cache location
$cacheDir = 'C:\ProgramData\FileWave\MSICache'
$msiName = 'FileWaveCustom.msi'
$installerLocalPath = Join-Path -Path $cacheDir -ChildPath $msiName
$installerSharePath = '\\server\share\FileWaveCustom.msi'  # Update to your actual UNC path

# Ensure the log directory exists
if (-not (Test-Path -Path $logDir)) {
    try {
        New-Item -Path $logDir -ItemType Directory -Force | Out-Null
    } catch {
        Write-Error "Failed to create log directory '$logDir': $_"
        Exit 1
    }
}

# Trim existing log to last 100 KB
if (Test-Path -Path $logFile) {
    try {
        $fs = [System.IO.File]::Open($logFile, 'Open', 'ReadWrite')
        if ($fs.Length -gt $maxBytes) {
            $buffer = New-Object byte[] $maxBytes
            $fs.Seek(-$maxBytes, 'End') | Out-Null
            $fs.Read($buffer, 0, $maxBytes) | Out-Null
            $fs.SetLength(0)
            $fs.Write($buffer, 0, $maxBytes)
        }
        $fs.Close()
    } catch {
        Write-Warning "Failed to trim log file: $_"
    }
}

# Start transcript logging
Start-Transcript -Path $logFile -Append
Write-Verbose "Transcript started at '$logFile'."

# Check if FileWave agent is already running
$ProcessName = 'fwcld'
Write-Verbose "Checking for process '$ProcessName'..."
try {
    Get-Process -Name $ProcessName -ErrorAction Stop | Out-Null
    Write-Verbose "Process '$ProcessName' is currently running."
    $isRunning = $true
} catch {
    Write-Verbose "Process '$ProcessName' not found. Proceeding with installation."
    $isRunning = $false
}

if (-not $isRunning) {
    Write-Verbose "Deploying FileWave agent..."

    # Ensure the MSI cache directory exists
    if (-not (Test-Path -Path $cacheDir)) {
        try {
            New-Item -Path $cacheDir -ItemType Directory -Force | Out-Null
            Write-Verbose "Created MSI cache directory: $cacheDir"
        } catch {
            Write-Error "Failed to create MSI cache directory '$cacheDir': $_"
            Stop-Transcript
            Exit 1
        }
    }

    # Copy MSI from network share if not already present
    if (-not (Test-Path -Path $installerLocalPath)) {
        Write-Verbose "Copying MSI from '$installerSharePath' to '$installerLocalPath'..."
        try {
            Copy-Item -Path $installerSharePath -Destination $installerLocalPath -Force
            Write-Verbose "Successfully copied MSI to local cache."
        } catch {
            Write-Error "Failed to copy installer: $_"
            Stop-Transcript
            Exit 1
        }
    } else {
        Write-Verbose "MSI already cached locally at '$installerLocalPath'."
    }

    # Install MSI silently and log output
    $installLog = Join-Path -Path $env:TEMP -ChildPath 'FileWaveInstall.log'
    $msiArgs = "/i `"$installerLocalPath`" /qn /norestart /l*vx `"$installLog`""

    Write-Verbose "Starting MSI installation. Command: msiexec.exe $msiArgs"
    $process = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    if ($process.ExitCode -eq 0) {
        Write-Verbose "Installation completed successfully (exit code 0). Log: '$installLog'."
    } else {
        Write-Error "MSI installation failed (exit code $($process.ExitCode)). See '$installLog'."
        Stop-Transcript
        Exit $process.ExitCode
    }

    Write-Verbose 'FileWave installation process finished.'
} else {
    Write-Verbose "Skipping deployment; '$ProcessName' already running."
}

# Stop transcript logging
Stop-Transcript
Write-Verbose "Transcript stopped. Log written to '$logFile'."