Apple Manual Enrollment

Not able to use DEP?

---

Apple's Device Enrollment Program is great but you may find that all or some of your devices aren't showing in Apple School Manager or Apple Business Manager. Devices are usually excluded because they were not purchased directly from Apple or an Authorized Reseller. iOS device capable of running iOS 11+ can be manually added to your ASM/ABM account but unfortunately this not yet an option for macOS. This section covers several manual enrollment methods and why you might need to leverage them.

Add iOS devices to ASM/ABM using Apple Configurator 2

---

If you have an iOS 11+ or tvOS 11+ device that was not originally purchased from Apple or an Apple Authorized Reseller, you can manually add the device to ASM/ABM using Apple Configurator 2. Please first review Apple's documentation here followed by FileWave Knowledge Base article here for more FileWave-specific processes. Once the device has been added to ASM/ABM you can take advantage of DEP for any future enrollments of this device.

MDM enroll iOS or macOS using URL Enrollment

---

If you are unable to enroll devices using DEP, you can still MDM enroll an iOS or macOS device using FileWave's URL Enrollment method. This method is commonly used to allow an end-user to MDM enroll a previously configured device without the need for a Factory Reset. The one downside to this enrollment method is that the end-user will have the ability to remove the MDM Profile and unenroll their device from the FileWave MDM. This process also requires the macOS users to have Administrator privileges in order to install the MDM Profile.

If getting authentication required during enrollment, please review this section to learn how to disable URL enrollment authentication. 

macOS URL Enrollment

1. Navigate to "https://yourfilewaveserver.domain.com:20443" using web browser of choice.
2. Click the large "Enroll Device" button to download the MDM Enrollment Profile.
   • If using a self-signed certificate, you will see an additional step to download certificate.
   • If enrollment authentication is enabled, please authenticate.
3. Located the downloaded MDM Enrollment Profile "enroll.mobileconfig".
4. Double-click on the "enroll.mobileconfig" file.
5. Open "System Preferences > Profiles" from your macOS menubar.
6. Click "Install" next to the "FileWave OTA Enrollment" Profile.
7. Click "Install" again at the next prompt and authenticate using your macOS Administrator credentials.
8. The MDM Enrollment Profile is now installed and the FileWave Client will be installed automatically.
   • If you have not imported your custom macOS FileWave Client, please review the Generate custom FileWave Client for macOS DEP enrollments section.

iOS URL Enrollment

1. Navigate to "https://yourfilewaveserver.domain.com:20443" using iOS Safari.

2. Click the large "Enroll Device" button to download the MDM Enrollment Profile.

   • If using a self-signed certificate, you will see an additional step to download certificate and manually trust.

   • If enrollment authentication is enabled, please authenticate.

3. "Allow" the Profile download, acknowledge the "Profile Downloaded" prompt, and navigate to "Settings".

4. Click the "Profile Downloaded" item from the "Settings" and click "Install".

5. Click "Install" again and "Trust" the "Remote Management" prompt.

6. Your iOS device is now MDM enrolled and you should see the "FileWave App Portal" on the Home Screen.

iOS User Enrollment (BYOD)

---

Starting with iOS 13, FileWave allows your end-users to enroll using User Enrollment. This is a new form of BYOD enrollment that allows your organization to deploy VPP applications to the devices while keeping other end-user data private from the MDM. This method also required the use of Managed Apple IDs configured in either Apple School Manager or Apple Business Manager.

For more in-depth information and setup of iOS User Enrollment, please consult the following FileWave Knowledge Base article iOS BYOD User Enrollment. This article contains a video walk though of the enrollment process along with the limitations of iOS User Enrollment.

Enroll non-MDM macOS Client

---

Enrolling a macOS device outside of the MDM is possible although it is unrecommended. To enroll a non-MDM macOS device into FileWave, you will need to simply install the FileWave Client PKG using a macOS Administrator account.

Features unavailable with non-MDM macOS enrollment VPP content deployment Profile Deployment (macOS Big Sur unsupported) Profile Restrictions (Security and Privacy) FileVault Disk Encryption with Key Escrow Remote Shutdown/Reboot Lock Device Activation Lock Bypass Firmware Password Management Software Updates via MDM (macOS Big Sur)

Features available with non-MDM macOS enrollment Location Tracking Fileset Deployment (PKG, .app, scripts) Limited Profile Restrictions Observe Client Remote Wipe Inventory w/ Custom Fields Legacy Software Updates

Generate a custom FileWave Client PKG

1. Open the FileWave Customer Installer Builder for macOS.
2. Fill out the settings accordingly.
3. Click the "Build" button and wait for the automatic download.
4. Extract ZIP and install the customized FileWave Client PKG.

Mandatory Settings

Product Version = Your FileWave Server Version

Sync Computer Name = macOS Hostname will be FileWave Client Name (recommended)

Server Name = Fully Qualified Domain Name of your FileWave Server

Server Port = 20015 (do not modify)

Client Password = Password used to change individual Client Preferences

Note: The default port setting for Server Port above is 20015. However, SSL is now required, and the system will automatically use port 20017 instead when 20015 is entered. Do not manually set the port to 20017. Always enter 20015, and the system will handle the SSL port change for you.

Optional Settings

Is Tracking = Is Location Tracking Enabled for macOS Clients

Monitor Port = Port used for FileWave Client Monitor (do not modify)

Overwrite Configuration = Overwrite any existing FileWave Client configuration with settings entered here (recommended)

Remotecontrol Enabled = Screen-sharing enabled for macOS Clients

Remotecontrol Prompting = Whether or not to Prompt the end-user before starting screen-sharing session

Server Certificate = Only upload certificate is using a Self-Signed Certificate; not required for CA-signed certificate

Server Publish Port = 20005 (do not modify)

Tickle Interval = Idle time for macOS Clients before checking for new Model Update (do not modify)

Vnc Relay Port = 20030 (do not modify)

Vnc Server Port = 20031 (do not modify)

Booster Settings

Initially you may want to make an installer that does not include Boosters. Read more about them here: Boosters

Finalizing adding of clients

FileWave Clients communicating to the FileWave server will not be able to connect until you add them to the model. We will now allow our new client to join the FileWave server.

Once you have selected “Add Clients”, you will be taken to the Clients view in FileWave Admin. By adding a client to the server, we have made changes to the model. In order for those changes to take effect, we need to perform a model update. 

You can also decide to automatically add new clients to skip the step of adding devices. This is discussed here: Conflict Resolution

Making Changes to the Model

Remember that you will need to update the model anytime that you want to apply changes you have made. You can update the model after a single change or multiple changes (adding multiple clients, creating groups, etc.)

Congratulations! Your FileWave environment is now up and running! From here you can continue to add clients, build and deploy Filesets!