3. Client Enrollment
Please follow each section that corresponds with the device types you want to enroll in FileWave.
You will notice that some device types, such as iOS and macOS, contain new information, while Windows and Chromebooks redirect to a previous section.
- Android Enrollment
- Apple DEP Enrollment
- Apple Manual Enrollment
- Using LDAP to enroll macOS/iOS/Android devices
- Chromebook Enrollment
- Windows Enrollment
Android Enrollment
How to enroll Android devices into FileWave
If you haven't already, please consult the Platform Integrations > Android section to learn how to enroll Android EMM devices into FileWave.
Apple DEP Enrollment
Benefits of DEP Enrollment
iOS, tvOS, and macOS can all take advantage of Apple DEP enrollment. DEP enrollments will force a specific set of preferences on the device and force enrollment to FileWave any time the device is Factory Reset. Another huge benefit of DEP is that DEP is the only enrollment option that prevents the end-user from removing the MDM Profile and unenrolling the device. These two aspects can be very helpful in device recovery situations: if the device is wiped after being lost or stolen, the device will automatically enroll back into FileWave, where you can lock down the device and collect Location Tracking information to report to the authorities.
If you have not already created your Apple Push Notification Service Certificate (APNS) or configured DEP to sync with FileWave, please review the Platform Integrations > Apple Integration section before continuing.
Creating DEP Profiles
The first step to enrolling your Apple devices via DEP is to create a DEP Profile. The DEP Profile is what will determine the initial settings applied to the device during enrollment and applies to all Apple platforms. Unless you need explicit separation of the initial enrollment settings, one DEP Profile can suffice for all of your devices. This is partly possible since we can use FileWave Custom Fields to uniquely name the devices.
- Open FileWave Admin and navigate to "Assistants > DEP Association Management".
- Click the "[+]" button on the right-hand side under "Profiles".
- Fill out each tab according to your management preferences.
Assigning DEP Profiles
Assigning DEP Profiles is very easy within FileWave, especially if you only have one DEP Profile since you can set a Default DEP Profile. With a Default DEP Profile configured, anytime you assign a new device to the FileWave MDM Server from within Apple School Manager or Apple Business Manager, the DEP Profile will automatically apply and the device will be ready for DEP enrollment. However, if you have multiple DEP Profiles, FileWave will also enable you to create Rule-based DEP Profile assignments or you can always just drag-n-drop a DEP Profile onto a single device or multiple devices onto a DEP Profile.
The "Profile Status" field in the "Devices" pane tells you the current status of the DEP profile on the client device.
- Empty - no DEP Profile assigned
- Assigned - DEP Profile has been assigned but DEP enrollment has not occurred
- Pushed - Setup Assistant setting has run and settings have been enforced on client device
- Removed - DEP profile has been unassigned from device, will be changed to "Empty" after DEP sync
Setting Default DEP Profile
- Open FileWave Admin and navigate to "Assistants > DEP Association Management".
- Click "Edit Assignment Rules".
- Select your recently created DEP Profile from the "Default DEP Profile" dropdown menu.
- Click "OK".
- Click "Apply Assignment Rules" to save the changes.
- Hold the Option or Alt key on your keyboard and click the "Synchronize (full sync)" button in the lower right-hand corner.
- You should now see that all of your devices have been "Assigned" to your DEP Profile.
Rule-based DEP Profile Assignment
- Open FileWave Admin and navigate to "Assistants > DEP Association Management".
- Click "Edit Assignment Rules".
- Click "[+]".
- Select the DEP Profile you'd like to assign based on rules.
- Drag-n-drop the Inventory data point the devices must meet to be assigned to the DEP Profile into the "Criteria" section.
- Verify the criteria is correct by viewing the returned devices in the "Fields" section.
- "Save" the query and "OK" to save rule definition.
- Click "Apply Assignment Rules" to save the changes.
- Hold the Option or Alt key on your keyboard and click the "Synchronize (full sync)" button in the lower right-hand corner.
- You should now see that your selected devices have been "Assigned" to your DEP Profile.
As noted in the Screenshot, the first matching rule (top to bottom) will be honoured; automated rules will override a Default Profile. Hence, Default Profile, if set, is considered the fallback if no rules are met.
Manually assign DEP Profile
- Open FileWave Admin and navigate to "Assistants > DEP Association Management".
- Select one or more devices from left pane and drag-n-drop onto a DEP Profile.
- or...
- Select one DEP Profile from the right pane and drag-n-drop it onto one device.
Generate custom FileWave Client for macOS DEP enrollments
During a DEP enrollment, your macOS devices will automatically download and install the FileWave Client. Before enrolling a macOS device via DEP we must first upload a customized FileWave Client PKG to the FileWave Server.
Generate a custom FileWave Client PKG
- Visit FileWave Custom Installer Builder
- Change the following settings to match your FileWave Server.
- Click "Build" and wait for automatic download of ZIP.
- Extract ZIP.
- Mandatory Settings
- Product Version = Your FileWave Server Version
- Sync Computer Name = macOS Hostname will be FileWave Client Name (recommended)
- Server Name = Fully Qualified Domain Name of your FileWave Server
- Server Port = 20015 (do not modify this as it will automatically go to the proper SSL port if you put in 20015)
- Client Password = Password used to change individual Client Preferences and to start screen-sharing session
- Optional Settings
- Is Tracking = Is Location Tracking Enabled for macOS Clients
- Monitor Port = Port used for FileWave Client Monitor (do not modify)
- Overwrite Configuration = Overwrite any existing FileWave Client configuration with settings entered here (recommended)
- Remotecontrol Enabled = Screen-sharing enabled for Windows Clients
- Remotecontrol Prompting = Whether or not to Prompt the end-user before starting screen-sharing session
- Server Certificate = Only upload a certificate if using a Self-Signed Certificate; not required for a CA-signed certificate
- Server Publish Port = 20005 (do not modify)
- Tickle Interval = Idle time for Windows Clients before checking for new Model Update (do not modify)
- Vnc Relay Port = 20030 (do not modify)
- Vnc Server Port = 20031 (do not modify)
- Booster Settings
- Do not configure unless instructed by FileWave SE
Upload custom FileWave Client PKG to FileWave
Enrolling Apple devices via DEP
Now that your devices have been "Assigned" to a DEP Profile, they can either be Factory Reset if already configured or taken fresh out of the box from Apple and they will automatically enroll into FileWave.
If you are prompted for authentication during enrollment, please review this section to learn how to disable DEP enrollment authentication.
Finalizing adding of clients
FileWave Clients communicating to the FileWave server will not be able to connect until you add them to the model. We will now allow our new client to join the FileWave server.
- Open FileWave Central.
- Click on the "New Client" button in the toolbar.
- Select either "Desktop Clients" or "Enrolled Mobile Devices" from the dialog box, depending on whether it is a macOS device or an iPad.
- Select your new client from the list presented.
- Click the “Add Clients” button in the lower right.
Once you have selected “Add Clients”, you will be taken to the Clients view in FileWave Admin. By adding a client to the server, we have made changes to the model. In order for those changes to take effect, we need to perform a model update.
You can also decide to automatically add new clients to skip the step of adding devices. This is discussed here: Conflict Resolution
Making Changes to the Model
Remember that you will need to update the model anytime that you want to apply changes you have made. You can update the model after a single change or multiple changes (adding multiple clients, creating groups, etc.)
Congratulations! Your FileWave environment is now up and running! From here you can continue to add clients, build and deploy Filesets!
Apple Manual Enrollment
Not able to use DEP?
Apple's Device Enrollment Program is great, but you may find that all or some of your devices aren't showing in Apple School Manager or Apple Business Manager. Devices are usually excluded because they were not purchased directly from Apple or an Authorized Reseller. iOS devices capable of running iOS 11+ can be manually added to your ASM/ABM account, but unfortunately this is not yet an option for macOS. This section covers several manual enrollment methods and why you might need to leverage them.
Add iOS devices to ASM/ABM using Apple Configurator 2
If you have an iOS 11+ or tvOS 11+ device that was not originally purchased from Apple or an Apple Authorized Reseller, you can manually add the device to ASM/ABM using Apple Configurator 2. Please first review Apple's documentation here followed by FileWave Knowledge Base article here for more FileWave-specific processes. Once the device has been added to ASM/ABM you can take advantage of DEP for any future enrollments of this device.
MDM enroll iOS or macOS using URL Enrollment
If you are unable to enroll devices using DEP, you can still MDM enroll an iOS or macOS device using FileWave's URL Enrollment method. This method is commonly used to allow an end-user to MDM enroll a previously configured device without the need for a Factory Reset. The one downside to this enrollment method is that the end-user will have the ability to remove the MDM Profile and unenroll their device from the FileWave MDM. This process also requires the macOS users to have Administrator privileges in order to install the MDM Profile.
If you are prompted for authentication during enrollment, please review this section to learn how to disable URL enrollment authentication.
macOS URL Enrollment
iOS URL Enrollment
iOS User Enrollment (BYOD)
Starting with iOS 13, FileWave allows your end-users to enroll using User Enrollment. This is a new form of BYOD enrollment that allows your organization to deploy VPP applications to the devices while keeping other end-user data private from the MDM. This method also requires the use of Managed Apple IDs configured in either Apple School Manager or Apple Business Manager.
For more in-depth information and setup of iOS User Enrollment, please consult the following FileWave Knowledge Base article: iOS BYOD User Enrollment. This article contains a video walkthrough of the enrollment process along with the limitations of iOS User Enrollment.
Enroll non-MDM macOS Client
Enrolling a macOS device outside of the MDM is possible, although it is not recommended. To enroll a non-MDM macOS device into FileWave, simply install the FileWave Client PKG using a macOS Administrator account.
Features unavailable with non-MDM macOS enrollment
Features available with non-MDM macOS enrollment
Generate a custom FileWave Client PKG
- Open the FileWave Custom Installer Builder for macOS.
- Fill out the settings accordingly.
- Click the "Build" button and wait for the automatic download.
- Extract ZIP and install the customized FileWave Client PKG.
- Mandatory Settings
- Product Version = Your FileWave Server Version
- Sync Computer Name = macOS Hostname will be FileWave Client Name (recommended)
- Server Name = Fully Qualified Domain Name of your FileWave Server
- Server Port = 20015 (do not modify)
- Client Password = Password used to change individual Client Preferences
Note: The default port setting for Server Port above is 20015. However, SSL is now required, and the system will automatically use port 20017 instead when 20015 is entered. Do not manually set the port to 20017. Always enter 20015, and the system will handle the SSL port change for you.
- Optional Settings
- Is Tracking = Is Location Tracking Enabled for macOS Clients
- Monitor Port = Port used for FileWave Client Monitor (do not modify)
- Overwrite Configuration = Overwrite any existing FileWave Client configuration with settings entered here (recommended)
- Remotecontrol Enabled = Screen-sharing enabled for macOS Clients
- Remotecontrol Prompting = Whether or not to Prompt the end-user before starting screen-sharing session
- Server Certificate = Only upload a certificate if using a Self-Signed Certificate; not required for a CA-signed certificate
- Server Publish Port = 20005 (do not modify)
- Tickle Interval = Idle time for macOS Clients before checking for new Model Update (do not modify)
- Vnc Relay Port = 20030 (do not modify)
- Vnc Server Port = 20031 (do not modify)
- Booster Settings
- Initially you may want to make an installer that does not include Boosters. Read more about them here: Boosters
Finalizing adding of clients
FileWave Clients communicating to the FileWave server will not be able to connect until you add them to the model. We will now allow our new client to join the FileWave server.
- Open FileWave Central.
- Click on the "New Client" button in the toolbar.
- Select either "Desktop Clients" or "Enrolled Mobile Devices" from the dialog box, depending on whether it is a macOS device or an iPad.
- Select your new client from the list presented.
- Click the “Add Clients” button in the lower right.
Once you have selected “Add Clients”, you will be taken to the Clients view in FileWave Admin. By adding a client to the server, we have made changes to the model. In order for those changes to take effect, we need to perform a model update.
You can also decide to automatically add new clients to skip the step of adding devices. This is discussed here: Conflict Resolution
Making Changes to the Model
Remember that you will need to update the model anytime that you want to apply changes you have made. You can update the model after a single change or multiple changes (adding multiple clients, creating groups, etc.)
Congratulations! Your FileWave environment is now up and running! From here you can continue to add clients, build and deploy Filesets!
Using LDAP to enroll macOS/iOS/Android devices
Use this document if you want to point device enrollment at your directory service (Active Directory, Open Directory, eDirectory or OpenLDAP). This applies to Android devices as well as iOS and macOS devices enrolling OTA (over the air), and to Apple's DEP (Device Enrollment Program) enrollment for both iOS and macOS devices.
This process consists of:
1- Backing up the current config
2- Editing a new config file to properly read the LDAP structure
3- Restarting the Apache Process so it reads the new config file
Getting the files ready
Open a Terminal Window or use SSH to get into the computer running FileWave Server
Gain root credentials
sudo -s
Enter your login password
Change to the Apache configuration directory:
Windows: C:\Program Files (x86)\FileWave\apache\conf
OS X / Linux: cd /usr/local/filewave/apache/conf/
Backup your current mdm_auth.conf by making a copy
cp mdm_auth.conf mdm_auth.conf.bac
Make a copy of the LDAP example and rename it
cp mdm_auth.conf.example_ldap_auth mdm_auth.conf
Making the changes
Open it up using your preferred text editor (nano mdm_auth.conf or vi mdm_auth.conf).
It will look like this:
<Location /ios/enroll>
# This is an example of ldap based user auth
AuthType Basic
AuthBasicProvider ldap
AuthName "Enroll IOS Device"
AuthLDAPURL "ldap://10.1.10.25:389/cn=Users,dc=saturn,dc=filewave,dc=us?uid"
Require valid-user
# If you need to bind to the ldap server, use these lines
# AuthLDAPBindDN "cn=Admin,o=myorg"
# AuthLDAPBindPassword "secret1"
LDAPReferrals Off
</Location>
<Location /ios/dep_enrollment_profile>
# This is an example of ldap based user auth
AuthType Basic
AuthBasicProvider ldap
AuthName "Enroll IOS Device"
AuthLDAPURL "ldap://10.1.10.25:389/cn=Users,dc=saturn,dc=filewave,dc=us?uid"
Require valid-user
ErrorDocument 401 "Enrollment credentials are needed."
# If you need to bind to the ldap server, use these lines
# AuthLDAPBindDN "cn=Admin,o=myorg"
# AuthLDAPBindPassword "secret1"
LDAPReferrals Off
</Location>
<Location /android/enroll>
# This is an example of ldap based user auth
AuthType Basic
AuthBasicProvider ldap
AuthName "Enroll Android Device"
AuthLDAPURL "ldap://10.1.10.25:389/cn=Users,dc=saturn,dc=filewave,dc=us?uid"
Require valid-user
# If you need to bind to the ldap server, use these lines
# AuthLDAPBindDN "cn=Admin,o=myorg"
# AuthLDAPBindPassword "secret1"
LDAPReferrals Off
</Location>
<Location /android/project_number>
# This is an example of ldap based user auth
AuthType Basic
AuthBasicProvider ldap
AuthName "Google Cloud Messaging configuration"
AuthLDAPURL "ldap://10.1.10.25:389/cn=Users,dc=saturn,dc=filewave,dc=us?uid"
Require valid-user
# If you need to bind to the ldap server, use these lines
# AuthLDAPBindDN "cn=Admin,o=myorg"
# AuthLDAPBindPassword "secret1"
LDAPReferrals Off
</Location>
The different sections correspond with the different enrollment URLs.
For example, if my server's hostname was server.filewave.com:
URL | Use
https://server.filewave.com:20443/ios/enroll | Over-the-air enrollment portal
https://server.filewave.com:20443/ios/dep_enrollment_profile | URL that iOS or macOS devices request when a DEP device is enrolling. This URL is not accessible from a normal browser.
https://server.filewave.com:20443/android/enroll | Downloading the FileWave Client APK
https://server.filewave.com:20443/android/project_number | Used by the FileWave Android client to talk to the server
Open Directory & eDirectory
OD (by default) does not require a user to authenticate to read the structure.
You will not need to uncomment the bind options.
AuthName - The title of the login window
AuthLDAPURL - Where to look up users and which groups are allowed to log in and therefore enroll. The example above would allow anyone in the 'Users' group to enroll a device.
Make the appropriate changes and then save the .conf
Active Directory
AD (by default) requires you to bind to the directory before you can read it. Many people create a read-only directory account for this purpose.
AuthName - The title of the login window
AuthLDAPURL - Where to look up users and which groups are allowed to log in and therefore enroll. The example above would allow anyone in the 'Users' group to enroll a device.
AuthLDAPBindDN - Written from most specific to most general: the username, the group it is in, the group (or organizational unit) that group is in, and the server. The example above would allow the user 'TestDir Reader' who is in the group 'User' who is in the Org Unit 'IT' on the Active Directory server of ad-ldap.filewave.com to bind.
AuthLDAPBindPassword - Password for user account being used to bind to AD.
Make the appropriate changes and then save the .conf
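A sanity check over the edited mdm_auth.conf, run before Apache is restarted, catches the mistakes this section describes: a mistyped AuthBasicProvider, an AuthLDAPURL without the ?attribute or ?sub suffix, missing bind credentials for Active Directory, a stray AuthzLDAPAuthoritative, and the plaintext ldap:// scheme. This is an added Python example, not FileWave's own tooling; the sample configuration, hostnames and credentials are constructed.

```python
"""Lint the <Location> blocks of a FileWave mdm_auth.conf before Apache is
restarted. Added example, not FileWave's own tooling; the sample config is
constructed and carries deliberate mistakes for the checks to find."""
import re

# Constructed sample: one correct AD-style block and one broken block
# (provider typo, URL without ?attribute or ?sub, stray AuthzLDAPAuthoritative).
SAMPLE_CONF = """
<Location /ios/enroll>
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Enroll IOS Device"
    AuthLDAPURL "ldap://ldap.example.test:389/OU=student,dc=example,dc=test?sAMAccountName?sub"
    AuthLDAPBindDN "cn=BindUserName,dc=example,dc=test"
    AuthLDAPBindPassword "YourBindPassword"
    Require valid-user
    LDAPReferrals Off
</Location>
<Location /android/project_number>
    AuthType Basic
    AuthBasicProvider lda4
    AuthName "Google Cloud Messaging configuration"
    AuthLDAPURL "ldap://ldap.example.test:389/cn=Users,dc=example,dc=test"
    AuthzLDAPAuthoritative off
    Require valid-user
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S)
ALIAS_RE = re.compile(r"<AuthnProviderAlias\s+ldap\s+(\S+)>")
# A directive name starts with a letter, so '#' comment lines never match.
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s+(.*?)\s*$", re.M)

def parse_conf(conf):
    """Return (alias names, {location path: {directive: value}})."""
    aliases = set(ALIAS_RE.findall(conf))
    locations = {}
    for path, body in LOCATION_RE.findall(conf):
        locations[path] = {n: v.strip('"') for n, v in DIRECTIVE_RE.findall(body)}
    return aliases, locations

def lint(conf, directory="ad"):
    """Return a list of (location, finding). directory='ad' enforces the bind
    credentials Active Directory needs; 'od' (Open Directory/eDirectory) does not."""
    aliases, locations = parse_conf(conf)
    findings = []
    for path, d in locations.items():
        for provider in d.get("AuthBasicProvider", "").split():
            if provider != "ldap" and provider not in aliases:
                findings.append((path, f"unknown AuthBasicProvider '{provider}'"))
        url = d.get("AuthLDAPURL", "")
        if url:  # ldap://host:port/basedn?attribute?scope?filter
            parts = url.split("?")
            if len(parts) < 2 or not parts[1]:
                findings.append((path, "AuthLDAPURL has no ?attribute (uid or sAMAccountName)"))
            if len(parts) < 3 or parts[2] != "sub":
                findings.append((path, "AuthLDAPURL lacks ?sub; users in sub-OUs will not be found"))
            if url.startswith("ldap://"):
                findings.append((path, "plaintext ldap:// sends user and bind passwords unencrypted"))
            if directory == "ad" and not (d.get("AuthLDAPBindDN") and d.get("AuthLDAPBindPassword")):
                findings.append((path, "Active Directory needs AuthLDAPBindDN and AuthLDAPBindPassword"))
        if "AuthzLDAPAuthoritative" in d:
            findings.append((path, "AuthzLDAPAuthoritative should not be present"))
        if d.get("Require") != "valid-user":
            findings.append((path, "missing 'Require valid-user'"))
    return findings

if __name__ == "__main__":
    for location, finding in lint(SAMPLE_CONF):
        print(f"{location}: {finding}")
```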
Restarting Apache
Once saved, restart the FileWave Apache process/service
OS X / Linux: /usr/local/filewave/apache/bin/apachectl graceful
Now, when a device attempts to enroll (by pressing the Enroll Device option on the site), the user will be prompted to enter their username and password from the directory server.
Using several authentication sources for the same enrollment type
When we want to use several authentication sources (not nested locations), we need to use AuthnProviderAlias sections to define those sources. The same format for binding to a single source (see above) applies to each AuthnProviderAlias section, as in the following example.
At the start of the file we define an alias by using:
<AuthnProviderAlias ldap ALIAS_NAME0>
AuthLDAPBindDN ""
AuthLDAPBindPassword ""
AuthLDAPURL ""
</AuthnProviderAlias>
Then below that you specify the location and call for the alias
<Location /ios/enroll>
AuthBasicProvider ALIAS_NAME0 ALIAS_NAME1 ALIAS_NAME2
AuthType Basic
AuthName "Enroll IOS Device"
Require valid-user
</Location>
A final mdm_auth.conf would look something like this:
<AuthnProviderAlias ldap Student>
AuthLDAPBindDN "cn=BindUserName,dc=filewave,dc=net"
AuthLDAPBindPassword "YourBindPassword"
AuthLDAPURL "ldap://ldap.filewave.net:389/OU=student,dc=filewave,dc=net?sAMAccountName"
</AuthnProviderAlias>
<AuthnProviderAlias ldap Faculty>
AuthLDAPBindDN "cn=BindUserName,dc=filewave,dc=net"
AuthLDAPBindPassword "YourBindPassword"
AuthLDAPURL "ldap://ldap.filewave.net:389/OU=staff,dc=filewave,dc=net?sAMAccountName"
</AuthnProviderAlias>
<Location /ios/enroll>
AuthBasicProvider Faculty Student
AuthType Basic
AuthName "Enroll IOS Device"
Require valid-user
</Location>
Troubleshooting tips
Take a look at the log files for apache:
OS X / Linux: /usr/local/filewave/apache/logs/error_log
Below are some sample errors and what they typically mean.
NOT Bound:
[Thu Feb 09 22:10:19 2012] [error] [client 192.168.1.109] user diradmin: authentication failure for "/ios/enroll": Password Mismatch, referer: https://192.168.1.95:20443/ios/
Bound but user entered info wrong OR ldap url pointed to wrong group:
[Thu Feb 09 22:29:16 2012] [error] [client 192.168.1.109] user diradmin: authentication failure for "/ios/enroll": Password Mismatch
Bound w/ Bad User
[Thu Feb 09 22:29:00 2012] [error] [client 192.168.1.109] user lkajshdg not found: /ios/enroll
Could be bound or not, but not filtering by the correct attribute (?uid or ?sAMAccountName) at the end of the URL (?uid is typical for OD or eDir; AD is typically ?sAMAccountName):
[Thu Feb 09 22:17:31 2012] [error] [client 192.168.1.109] user admin not found: /ios/enroll, referer: https://192.168.1.95:20443/ios/
Something is wrong in the mdm_auth.conf file, for example AuthzLDAPAuthoritative isn't off or shouldn't be there at all:
apache require directives present and no authoritative handler
Recursive issues
Does it appear that your server only looks at the one group/unit pointed to and not at sub-groups? Try adding ?sub at the end of your AuthLDAPURL lines:
AuthLDAPURL "ldap://ldap.filewave.net:389/OU=student,dc=filewave,dc=net?sAMAccountName?sub"
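The error_log lines above can be triaged automatically. This added Python example (not FileWave tooling) maps each [error] line to the probable cause listed in the tips and counts failures per user, so that many different users all being "not found" stands out as an AuthLDAPURL attribute problem rather than a user problem. The log excerpt, client addresses and hostname are constructed.

```python
"""Triage Apache error_log lines from failed LDAP-backed enrollments into
the probable causes listed in the troubleshooting tips. Added example, not
FileWave tooling; the log lines are constructed in the same format."""
import re
from collections import Counter

# Constructed sample error_log excerpt (addresses and hostnames are placeholders).
SAMPLE_LOG = """\
[Thu Feb 09 22:10:19 2012] [error] [client 192.0.2.10] user diradmin: authentication failure for "/ios/enroll": Password Mismatch, referer: https://mdm.example.test:20443/ios/
[Thu Feb 09 22:29:00 2012] [error] [client 192.0.2.10] user lkajshdg not found: /ios/enroll
[Thu Feb 09 22:17:31 2012] [error] [client 192.0.2.10] user admin not found: /ios/enroll, referer: https://mdm.example.test:20443/ios/
[Thu Feb 09 22:31:02 2012] [error] [client 192.0.2.11] user admin not found: /ios/enroll, referer: https://mdm.example.test:20443/ios/
[Thu Feb 09 22:35:40 2012] [error] [client 192.0.2.12] apache require directives present and no authoritative handler
[Thu Feb 09 22:36:00 2012] [notice] caught SIGTERM, shutting down
"""

# [timestamp] [level] [client addr] message  (the client field is optional)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\](?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
USER_RE = re.compile(r"\buser (\S+?)[:\s]")

def classify(msg):
    """Map one message to (category, probable cause) following the tips above."""
    if "Password Mismatch" in msg:
        return "credentials", "wrong password, bind not configured, or AuthLDAPURL points at the wrong group"
    if re.search(r"\buser \S+ not found", msg):
        return "lookup", "unknown user, or wrong ?attribute (uid vs sAMAccountName) / missing ?sub"
    if "no authoritative handler" in msg:
        return "config", "AuthzLDAPAuthoritative present or other mdm_auth.conf error"
    return "other", "not an enrollment authentication failure"

def triage(log_text):
    """Return one dict per [error] line: timestamp, client, user, category, cause."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "error":
            continue
        user = USER_RE.search(m["msg"])
        category, cause = classify(m["msg"])
        events.append({"ts": m["ts"], "client": m["client"],
                       "user": user.group(1) if user else None,
                       "category": category, "cause": cause})
    return events

def summarize(events):
    """Count failures per category and per user. Several distinct users all in
    the 'lookup' bucket points at the AuthLDAPURL attribute, not at the users."""
    by_category = Counter(e["category"] for e in events)
    by_user = Counter(e["user"] for e in events if e["user"])
    return by_category, by_user

if __name__ == "__main__":
    by_category, by_user = summarize(triage(SAMPLE_LOG))
    print(dict(by_category), dict(by_user))
```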
Always feel free to contact support for further assistance.
Chromebook Enrollment
How to enroll Chromebooks into FileWave
If you haven't already, please consult the Platform Integrations > Chromebooks section to learn how to sync Google Admin Console with FileWave. Once this sync has completed, all of your "Provisioned" Chromebooks will automatically appear in your FileWave Admin. No need for any additional enrollment process.
Provisioning Chromebooks
Fortunately, provisioning Chromebooks is somewhat simpler than the configuration.
Do not log into the Chromebook before enrolment. Doing so will require resetting the device and starting the process from scratch.
A configured Google Enrolment user will be required to enrol the device.
On power up, the device should present the Welcome page:
Click 'Let's go' and then select a Wi-Fi to join.
Once the device has joined a network, the device might show an Enterprise Enrolment page:
If not, select CTRL ALT E to enrol the device. Enter the Google Enrolment username and password.
The device will provide a bar showing enrolment is taking place. On completion a success page should be displayed:
At this point the device should show in the Google Admin Console as a Provisioned device. On the next FileWave Google OAuth synchronisation, the device should appear in the FileWave Client view.
Synchronisation may be triggered manually from the FileWave Central preferences:
Clicking 'Done' on the device should present the login page to the user:
Windows Enrollment
How to enroll Windows Clients into FileWave
If you haven't already, please consult the Platform Integrations > Windows section for guidance on how to install the Windows FileWave client. If your organization uses Microsoft Entra ID and your users authenticate using Microsoft Entra ID credentials into their Windows machines, please consider enrolling your Windows machines into FileWave via Microsoft Entra ID. This will also allow for Windows MDM management within FileWave. Learn more on our Windows MDM article.
FileWave Clients communicating to the FileWave server will not be able to connect until you add them to the model. We will now allow our new client to join the FileWave server.
- Open FileWave Central.
- Click on the "New Client" button in the toolbar.
- Select either "Desktop Clients" or "Enrolled Mobile Devices" from the dialog box, depending on whether it is a macOS device or an iPad.
- Select your new client from the list presented.
- Click the “Add Clients” button in the lower right.
Once you have selected “Add Clients”, you will be taken to the Clients view in FileWave Admin. By adding a client to the server, we have made changes to the model. In order for those changes to take effect, we need to perform a model update.
You can also decide to automatically add new clients to skip the step of adding devices. This is discussed here: Conflict Resolution
Making Changes to the Model
Remember that you will need to update the model anytime that you want to apply changes you have made. You can update the model after a single change or multiple changes (adding multiple clients, creating groups, etc.)
Congratulations! Your FileWave environment is now up and running! From here you can continue to add clients, build and deploy Filesets!