3. Client Enrollment
Please follow each section that corresponds with the device types you want to enroll in FileWave.
You will notice that some device types, such as iOS and macOS, contain new information, while Windows and Chromebooks redirect to a previous section.
- Android Enrollment
- Apple ADE Enrollment
- Apple Manual Enrollment
- Using LDAP to enroll macOS/iOS/Android devices
- Chromebook Enrollment
- Windows Enrollment
Android Enrollment
Enrolling Android devices to FileWave
If you haven't already, please consult the Client Pre-Requisites > Android section to learn how to enroll Android EMM devices into FileWave.
There are several ways to enroll Android devices.
Devices in Safe Mode may not be enrolled.
QR Code or afw#setup Enrollment
First, create an enrollment token from the menu item 'Assistants' > 'Enroll Android Device...'.
Multiple tokens may be created, but one token may be configured for multi-use with an expiration of 30 days (recommended).
Make sure the device is fully wiped to factory settings and is not yet activated. Most modern Android versions can commence the process by either:
- Tapping the screen seven times (in the same spot), or
- Entering afw#setup in place of a Google account.
Enter the Wi-Fi code and scan the QR code. A few minutes later, accept the prompt to Install Work Apps. This will install the FileWave Client.
On completion a summary will appear. Click Setup.
Where auto-enrollment is configured in New Client > Enrolled Mobile Devices, the device should appear within a few minutes. Otherwise, use the New Client window to accept the device and then Update Model.
Android BYOD (EMM)
Android BYOD (Bring Your Own Device) Enrollment, also known as Android Enterprise Work Profile, is a method of enrolling personal Android devices in an Enterprise Mobility Management (EMM) system. This allows organizations to manage and secure corporate data and apps on employees' personal devices, while maintaining user privacy and keeping personal data separate from work data.
In this enrollment method, a work profile is created on the user's personal device, which acts as a separate container for work-related apps and data. This ensures that the organization can only manage and access the work profile, without interfering with the user's personal data and apps.
Android BYOD Enrollment offers several benefits, such as:
- Increased flexibility: Employees can use their personal devices for work, reducing the need for organizations to provide dedicated work devices.
- Enhanced security: Corporate data is secured within the work profile, preventing unauthorized access and data leakage.
- Improved privacy: Users maintain control over their personal data and apps, as the organization can only manage the work profile.
- Simplified management: EMM administrators can easily manage and configure work profiles, apply policies, and distribute apps to enrolled devices.
To implement Android BYOD Enrollment, organizations need an EMM solution that supports Android Enterprise, such as FileWave. The EMM solution will guide users through the enrollment process and help administrators manage and configure work profiles on enrolled devices.
Getting Started with BYOD (EMM)
The very first step before getting started with BYOD (EMM) is to set up Android EMM using the start of this article.
After going through the EMM setup, continue with the next steps.
- Download the Android Device Policy app (https://play.google.com/store/apps/details?id=com.google.android.apps.work.clouddpc&hl=en_US)
- From the app, scan the Enrollment QR code
- Add the devices to admin as normal
- (Observe) you will have a "Play Store" app and a "Work Play Store"
The devices will have the same icon in admin.
If the Inventory field "Is User-Owned" is True, the device is a BYOD.
I would add this as a column in the client view to more easily identify.
Enrollment Workflow (EMM)
If you have a Google Policy Fileset with Network information in it, you can select it when you generate a QR code. This inserts the information onto the device for easy enrollment.
Figure 1.1 - WiFi selected in enrollment QR
The QR code that is generated contains the WiFi password in plain text.
DO NOT leave the QR code just sitting around.
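The check below is an added example, not FileWave's code. It assumes the QR text follows the standard Android Enterprise JSON provisioning format (the page does not show FileWave's exact payload) and that the enrollment token should be treated as a secret alongside the Wi-Fi password. It lists the secret-bearing fields in a decoded QR payload and returns a redacted copy that can be pasted into tickets or documentation. The sample payload and all of its values are constructed.

```python
import copy
import json

# Standard Android Enterprise provisioning extras (assumed to match FileWave's QR).
WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID"
WIFI_PASSWORD = "android.app.extra.PROVISIONING_WIFI_PASSWORD"
ADMIN_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
ENROLLMENT_TOKEN = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"
SECRET_KEYS = {WIFI_PASSWORD, ENROLLMENT_TOKEN}

# Constructed sample: text decoded from an enrollment QR code; all values are made up.
SAMPLE_QR_TEXT = json.dumps({
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
        "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    WIFI_SSID: "Corp-Onboarding",
    "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE": "WPA",
    WIFI_PASSWORD: "example-psk-123",
    ADMIN_EXTRAS: {ENROLLMENT_TOKEN: "EXAMPLETOKEN0000"},
})


def audit_qr_payload(qr_text):
    """Return (findings, redacted) where findings lists the secret-bearing fields."""
    try:
        payload = json.loads(qr_text)
    except json.JSONDecodeError as exc:
        raise ValueError("QR text is not a JSON provisioning payload") from exc
    if not isinstance(payload, dict):
        raise ValueError("provisioning payload must be a JSON object")
    redacted = copy.deepcopy(payload)
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if isinstance(value, dict):
                walk(value, path + [key])  # e.g. the admin extras bundle
            elif key in SECRET_KEYS and value:
                findings.append(" > ".join(path + [key]))
                node[key] = "<redacted>"  # replace the value in the copy only

    walk(redacted, [])
    return findings, redacted


if __name__ == "__main__":
    found, safe = audit_qr_payload(SAMPLE_QR_TEXT)
    for field in found:
        print("plaintext secret in QR:", field)
    print(json.dumps(safe, indent=2))
```

Any finding means a photo or printout of that QR code is equivalent to handing out the credential, so treat the image like a password and prefer a short-lived token and a dedicated onboarding network.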
Android EMM Location Tracking
Android EMM devices need to install a FileWave "companion" application onto the device that will send us location data. Reference Force Location for EMM Android Devices for details.
Apple ADE Enrollment
Benefits of ADE Enrollment
iOS, tvOS, and macOS can all take advantage of Apple ADE enrollment. ADE enrollments will force a specific set of preferences on the device and force enrollment to FileWave any time the device is Factory Reset. Another huge benefit is that ADE is the only enrollment option that prevents the end-user from removing the MDM Profile and unenrolling the device. These two aspects can be very helpful in device recovery situations: if the device is wiped after being lost or stolen, it will automatically enroll back into FileWave, where you can lock down the device and collect Location Tracking information to report to the authorities.
If you have not already created your Apple Push Notification Service Certificate (APNS) or configured ADE to sync with FileWave, please review the Platform Integrations > Apple Integration section before continuing.
Creating ADE Profiles
The first step to enrolling your Apple devices via ADE is to create an ADE Profile. The ADE Profile determines the initial settings applied during enrollment and applies across Apple platforms. Unless you need explicit separation of the initial enrollment settings, one ADE Profile can often cover all of your devices. This is partly possible because FileWave Custom Fields can be used to uniquely name devices.
- Open FileWave Admin and navigate to "Assistants > ADE Association Management".
- Click the "[+]" button on the right-hand side under "Profiles".
- Fill out each tab according to your management preferences.
Starting in FileWave 16.3.x, ADE profiles also support do_not_use_profile_from_backup. As described in Apple's deployment guidance, this tells a restored device to ignore the ADE profile embedded in the backup and fetch the current ADE assignment from Apple Business Manager or Apple School Manager instead, so the correct ADE configuration can be applied after restore.
FileWave 16.3.x also adds the Age Based Safety Settings skip key in ADE profiles and Setup Assistant. Apple's documentation is not yet fully consistent on whether this fully replaces AdditionalPrivacySettings, so FileWave keeps support for both keys for now.
The screenshots above show the general ADE profile tabs, but they are not a complete inventory of every current field. Newer ADE options added in later FileWave releases may not be visible in those older screenshots.
Assigning ADE Profiles
Assigning ADE Profiles is very easy within FileWave, especially if you only have one ADE Profile, since you can set a Default ADE Profile. With a Default ADE Profile configured, any time you assign a new device to the FileWave MDM Server from within Apple School Manager or Apple Business Manager, the ADE Profile will automatically apply and the device will be ready for ADE enrollment. However, if you have multiple ADE Profiles, FileWave also lets you create Rule-based ADE Profile assignments, or you can drag-n-drop an ADE Profile onto a single device or multiple devices onto an ADE Profile.
The "Profile Status" field in the "Devices" pane tells you the current status of the ADE profile on the client device.
- Empty - no ADE Profile assigned
- Assigned - ADE Profile has been assigned but ADE enrollment has not occurred
- Pushed - Setup Assistant setting has run and settings have been enforced on client device
- Removed - ADE profile has been unassigned from device, will be changed to "Empty" after ADE sync
Setting Default ADE Profile
- Open FileWave Admin and navigate to "Assistants > ADE Association Management".
- Click "Edit Assignment Rules".
- Select your recently created ADE Profile from the "Default ADE Profile" dropdown menu.
- Click "OK".
- Click "Apply Assignment Rules" to save the changes.
- Hold the Option or Alt key on your keyboard and click "Synchronize (full sync)" button in lower right-hand corner.
- You should now see that all of your devices have been "Assigned" to your ADE Profile.
Rule-based ADE Profile Assignment
- Open FileWave Admin and navigate to "Assistants > ADE Association Management".
- Click "Edit Assignment Rules".
- Click "[+]".
- Select the ADE Profile you'd like to assign based on rules.
- Drag-n-drop the Inventory data point the devices must meet to be assigned to the ADE Profile into the "Criteria" section.
- Verify the criteria is correct by viewing the returned devices in the "Fields" section.
- "Save" the query and "OK" to save rule definition.
- Click "Apply Assignment Rules" to save the changes.
- Hold the Option or Alt key on your keyboard and click "Synchronize (full sync)" button in lower right-hand corner.
- You should now see that your selected devices have been "Assigned" to your ADE Profile.
As noted in the Screenshot, the first matching rule (top to bottom) will be honoured; automated rules will override a Default Profile. Hence, the Default Profile, if set, is the fallback when no rules are met.
Manually assign ADE Profile
- Open FileWave Admin and navigate to "Assistants > ADE Association Management".
- Select one or more devices from the left pane and drag-n-drop them onto an ADE Profile.
- or...
- Select one ADE Profile from the right pane and drag-n-drop it onto one device.
Generate custom FileWave Client for macOS ADE enrollments
During an ADE enrollment, your macOS devices will automatically download and install the FileWave Client. Before enrolling a macOS device via ADE, we must first upload a customized FileWave Client PKG to the FileWave Server.
Generate a custom FileWave Client PKG
- Visit FileWave Custom Installer Builder
- Change the following settings to match your FileWave Server.
- Click "Build" and wait for automatic download of ZIP.
- Extract ZIP.
- Mandatory Settings
- Product Version = Your FileWave Server Version
- Sync Computer Name = macOS Hostname will be FileWave Client Name (recommended)
- Server Name = Fully Qualified Domain Name of your FileWave Server
- Server Port = 20015 (do not modify this as it will automatically go to the proper SSL port if you put in 20015)
- Client Password = Password used to change individual Client Preferences and to start screen-sharing session
- Optional Settings
- Is Tracking = Is Location Tracking Enabled for macOS Clients
- Monitor Port = Port used for FileWave Client Monitor (do not modify)
- Overwrite Configuration = Overwrite any existing FileWave Client configuration with settings entered here (recommended)
- Remotecontrol Enabled = Screen-sharing enabled for Windows Clients
- Remotecontrol Prompting = Whether or not to Prompt the end-user before starting screen-sharing session
- Server Certificate = Only upload a certificate if using a Self-Signed Certificate; not required for a CA-signed certificate
- Server Publish Port = 20005 (do not modify)
- Tickle Interval = Idle time for Windows Clients before checking for new Model Update (do not modify)
- Vnc Relay Port = 20030 (do not modify)
- Vnc Server Port = 20031 (do not modify)
- Booster Settings
- Do not configure unless instructed by FileWave SE
Upload custom FileWave Client PKG to FileWave
Enrolling Apple devices via ADE
Now that your devices have been "Assigned" to an ADE Profile, they can either be Factory Reset if already configured or taken fresh out of the box from Apple, and they will automatically enroll into FileWave.
If getting authentication required during enrollment, please review this section to learn how to disable ADE enrollment authentication.
Finalizing adding of clients
FileWave Clients communicating to the FileWave server will not be able to connect until you add them to the model. We will now allow our new client to join the FileWave server.
- Open FileWave Central.
- Click on the “New Client” button in the toolbar.
- Select either "Desktop Clients" or "Enrolled Mobile Devices" from the dialog box depending on whether it is a macOS device or an iPad.
- Select your new client from the list presented.
- Click the “Add Clients” button in the lower right.
Once you have selected “Add Clients”, you will be taken to the Clients view in FileWave Admin. By adding a client to the server, we have made changes to the model. In order for those changes to take effect, we need to perform a model update.
You can also decide to automatically add new clients to skip the step of adding devices. This is discussed here: Conflict Resolution
Making Changes to the Model
Remember that you will need to update the model anytime that you want to apply changes you have made. You can update the model after a single change or multiple changes (adding multiple clients, creating groups, etc.)
Congratulations! Your FileWave environment is now up and running! From here you can continue to add clients, build and deploy Filesets!
Apple Manual Enrollment
Not able to use DEP?
Apple's Device Enrollment Program is great, but you may find that all or some of your devices aren't showing in Apple School Manager or Apple Business Manager. Devices are usually excluded because they were not purchased directly from Apple or an Authorized Reseller. iOS devices capable of running iOS 11+ can be manually added to your ASM/ABM account, but unfortunately this is not yet an option for macOS. This section covers several manual enrollment methods and why you might need to leverage them.
Add iOS devices to ASM/ABM using Apple Configurator 2
If you have an iOS 11+ or tvOS 11+ device that was not originally purchased from Apple or an Apple Authorized Reseller, you can manually add the device to ASM/ABM using Apple Configurator 2. Please first review Apple's documentation here followed by FileWave Knowledge Base article here for more FileWave-specific processes. Once the device has been added to ASM/ABM you can take advantage of DEP for any future enrollments of this device.
MDM enroll iOS or macOS using URL Enrollment
If you are unable to enroll devices using DEP, you can still MDM enroll an iOS or macOS device using FileWave's URL Enrollment method. This method is commonly used to allow an end-user to MDM enroll a previously configured device without the need for a Factory Reset. The one downside to this enrollment method is that the end-user will have the ability to remove the MDM Profile and unenroll their device from the FileWave MDM. This process also requires the macOS users to have Administrator privileges in order to install the MDM Profile.
If getting authentication required during enrollment, please review this section to learn how to disable URL enrollment authentication.