VPP and DEP Preferences
FileWave supports both Apple's Volume Purchase Program (VPP) and Device Enrollment Program (DEP). In order to get these working within FileWave, you will need to configure certain preferences. This section just discusses the settings required in the Preferences.
Note: Instructions for joining and working with the Apple VPP and DEP programs from the Apple side are outlined in detail on these web sites:
https://help.apple.com/deployment/business/
https://help.apple.com/schoolmanager/
https://help.apple.com/deployment/ios/
https://help.apple.com/deployment/macos/
Warning: All of the configuration steps in this section must be done while signed in as fwadmin.
FileWave supports multiple tokens for the VPP service. This allows you to create multiple purchase authorities for your institution's App Store content. Content is automatically synchronized every 24 hours with the Apple VPP service. You may force a full synchronization when you are deploying a large number of App Store items, or any time that a delay may interfere with operational needs by holding down the Option key and clicking on the Synchronize button.
Volume Purchase Program preferences
This pane contains the information for your VPP account with Apple. In order to proceed, you will have to have created a VPP for Education or VPP for Business account with Apple. Once you have a VPP account, you can download your VPP token for inclusion into FileWave. You may add as many tokens as you have purchasing agents.
Configure VPP token(s)
Select the Configure Accounts button (1 in the graphic on the next page). You will have to authenticate as the primary FileWave Admin (fwadmin).
Adding a VPP service token
Click on the [+] button (2) and import your downloaded VPP token (3). When you import the token into this pane, you will see a long alphanumeric hash as shown. Continue these actions until you have added all of the VPP tokens you plan to use for content distribution.
Note: Make sure you are not using a given VPP token on more than one MDM server. Problems, such as loss of control of the token or automatic VPP user retirement, can result.
Once the token has been properly imported, you will see a dialog pop up telling you that everything is in order.
If you want more than the FileWave superuser/admin account (fwadmin) to be able to manage VPP applications later on, you will need to use the /Assistants/ Manage Administrators… pane to assign other administrators to manage the VPP token(s). This is covered at the end of this chapter.
Auto-create Filesets
The first time you set up VPP, you will get Filesets automatically created for each of your existing VPP purchases. You can assign those Filesets to a designated FileWave Group for management. The default is the (Root) Group.
VPP account protection (aka "Take ownership")
One of the new features in FileWave v10 is protection of the VPP accounts and tokens that you use with your server. The concept is very simple: an identifier (called "client context") is sent to Apple for a given VPP account. When an MDM server has to use a VPP account, it will query this identifier and compare with its own; if they match, everything is fine. If they don't match, the server should not use the token.
As long as you are the confirmed owner of the token, the Is Owner flag says Yes;. If you have changed servers, or let another process, such as Apple Configurator, use that VPP token, then you will get an alert stating that the token is owned by another server.
If you have a mismatch, your VPP token entry will turn red, and you will not be able to use that token. Your first indication of an issue may be an alert in your Dashboard:
In order to regain control of the token, you will need to select the token entry and click on the Take ownership button in the lower right corner of the VPP tokens pane. Once you have done that, you will get a confirmation dialog:
The key to this process is making sure you do not apply any of your VPP tokens to a different server, tool, or application. If you are running a test/beta FileWave server or Apple Configurator, you should create a unique VPP account and token for that purpose.
Create VPP users for newly enrolled devices
Back in the Volume Purchase Program pane, you can elect to Create VPP users for newly enrolled devices. VPP users are internally created accounts that link your enrolled device to the FileWave VPP management process. It's not an actual "user" account; but more of a placeholder for the assignment of VPP apps and books. Each VPP user account may contain a link to an actual end user's Apple ID.
If this checkbox is selected, then newly enrolled devices will automatically get a VPP user and that user account will be associated with the device. This can speed up mass deployments, as well as reduce the overhead on 1:1/BYOD deployments. Used in conjunction with settings in the VPP Assistant, your FileWave server can then automatically notify new user's to register their Apple ID with your FW MDM server. You can select a single VPP token to be the primary token related to those VPP users. Also, you can change which tokens are associated with specific VPP users as you need.
Note: If you are using VPP device assignment for application distribution (versus assignment by user - Apple ID), a "ghost" or invisible VPP user account is created. This account is not visible within the VPP User Management pane.
Synchronization
The VPP Synchronization setting lets you determine how often the FW MDM server will match data with your assigned VPP token account. You can push an incremental synchronization by clicking on the Synchronize button; and you can force a full synchronization by holding down the Option key while pressing the Synchronize now button.
Configuring VPP email invitation template
This template will be used by your FileWave server to send an invite to users enrolling in your MDM from iOS devices and macOS computers. If you have configured your setup to use LDAP authentication for enrollment, then your users will get an email addressed to the mail account in their LDAP record. It will contain a custom URL pointing them to the Apple App Store where they will authenticate with their Apple ID to register that ID with your FileWave MDM.
Minimum delay and Preferred Distribution
Starting with FileWave v10, you have the ability to establish a delay between the time you associate a VPP application with a license and when the application is made available to install at the client. This avoids issues during large scale deployments where clients are trying to install VPP applications; but haven't gotten their license assignment yet.
Preferred Distribution allows you to choose the method of deploying a VPP application. The original method has been to assign an application to a registered Apple ID (User). The license shows up in the user's Purchases, and the license can be managed by the FileWave MDM. The new method, supported in iOS 9+ and OS X v10.11+, allows you to assign VPP applications directly to an enrolled device (provided the app developer has coded the app to support this). This method applies only to VPP applications - iBooks are still required to be assigned to individual Apple IDs.
The default setting can be overwritten for a given association of a managed license Fileset.
Using LDAP synchronization allows you to link your LDAP users with VPP users, who can then be associated with their email addresses (if those exist in the LDAP directory). This allows you to have VPP/MDM emails automatically sent to those users. This process can be left off if you are going to use device assignment of all your distributed VPP applications.
Device Enrollment Program preferences
Apple's Device Enrollment Program is designed to support OTA (over the air - Wi-Fi) supervision of devices. FileWave supports iOS devices and macOS computers using DEP. Institutionally purchased devices are registered with Apple, and Apple provides a DEP token for you to link your FileWave MDM server to the DEP service. When a device comes up online, it is recognized by the Apple DEP service, matched to the downloaded token, and automatically configured for supervised management with your FileWave MDM. The preferences you set to get this process up and running are shown below.
Using the "Download certificate" button, download a special "FileWave DEP" certificate to your administrator machine. You will be required to authenticate with the fwadmin FileWave Admin account. Use that certificate to get a DEP token from the Apple DEP site (https://deploy.apple.com or https://school.apple.com).
Select the "Configure accounts" button, and authenticate using the primary fwadmin account. You'll be presented with the option of uploading new tokens. You can have a token for each of the DEP facilitators you have.
The Synchronize button works the same as the VPP synchronize button. DEP will synchronize between Apple and your FileWave Server once a day. You can hold the alt/option key down to force a full, immediate synchronization. Use that sparingly, since it may take a long time to synchronize with lots of devices in the system.