Troubleshooting

Apple Metadata Missing After Fileset Installation (macOS)

Description

In some instances Metadata is added to items to provide additional features, however, this Metadata may not be transferred when the App is delivered as a standard Fileset.  Where this occurs, the Metadata may be re-injected using a script.  An example of this is highlighted in our KB on Deploying Folders with Icons.  

Teamviewer is another example of this.  The Quick Support version of the App has the option to include customisation, as per their guidelines.  In fact, the Tool: FileWave QS App implements this to provide branding, user name and a personalised design.

When customisation is configured on this App, the App receives additional Metadata.  If the Metadata were not restored, the customisation would be lost and the App would appear as the basic, standard looking App.

Instructions

To ensure the Metadata is re-applied after installation as a standard Fileset, the following should be followed:

To read the Metadata, open Terminal and run the following command, editing the path to match the required location.  Using FileWave QS App as an example:

$ xattr -l ~Downloads/FileWave\ QS.app 
com.TeamViewer.ConfigurationId: idcr6bwpyh

A script may now be created to re-instate this Metadata, again changing the path if the App is installed somewhere other than Applications.

#!/bin/zsh

xattr -w com.TeamViewer.ConfigurationId idcr6bwpyh /Applications/FileWave\ QS.app

exit 0

If using an alternative customised Teamviewer QS App, change the name to match the created App and use the reported value from the query to set the matching ID.

Verification
To ensure the script is run again if Verification actions a repair or re-instatement of the App, a Verification Script will also be required with the same contents.

On installation, all applied customisation should appear as expected. This same process may be applied to any additional Metadata that may be lost during Fileset installation.

Example Fileset

This example Fileset includes:

FileWave TV QS Version 14.fileset.zip

When updated versions of Teamviewer FileWave QS are supplied, then the Fileset should be updated with this newer download, to replace the current application.

iOS 12 / macOS 10.14+ and self-signed certificates

Starting with iOS 12 and macOS 10.14, Apple rejected server certificates that use RSA keys smaller than 2048 bits. In FileWave environments, this most often affects older self-signed certificates, especially on servers originally set up before FileWave 9.0.

If your FileWave server uses a trusted CA-issued certificate, or a self-signed certificate generated by FileWave 9.0 or later, you are typically already meeting this specific 2048-bit key-size requirement.

How to check the certificate RSA key size

macOS, Linux:

openssl x509 -in /usr/local/filewave/certs/server.crt -text -noout | grep Public-Key

Windows:

C:\OpenSSL-Win64\bin\openssl.exe x509 -in C:\ProgramData\FileWave\FWServer\certs\server.crt -text -noout | FINDSTR Public-Key

Windows does not include OpenSSL by default, so you may need to install it first. One common source is Win32/Win64 OpenSSL.

The best long-term fix is to use a root-trusted certificate from a Certificate Authority. If you already have a wildcard certificate, you may be able to use that for your FileWave server. For more guidance, see Root Trusted SSL Certificate (Using and Renewing).

If you must stay self-signed

Renew the certificate with a 2048-bit RSA key or larger, then make sure devices trust the new certificate before you switch the server to it. The safest order is:

For the detailed renewal steps, see Renew FileWave Server Self-signed Certificate. If you are specifically working through iOS trust behavior for self-signed certificates, Renew MDM self signed SSL certificate with iOS devices is also useful.

If devices have already upgraded and no longer trust the old certificate, recovery may require manually installing and trusting the new certificate until normal communication is restored.

Newer Apple releases introduced additional certificate requirements beyond key size. If you are troubleshooting iOS 13, macOS 10.15, or later, also review SSL Server Certificates - iOS 13 and macOS 10.15.

M1 Silicon macOS and Recovery

Description

Apple silicon Mac computers use a different Recovery startup flow than Intel Mac computers, and Activation Lock can affect recovery after erase or restore workflows.

FileWave has seen cases where Apple silicon Mac computers were no longer accessible after the first reboot following Automated Device Enrollment. This appears to be related to the managed admin account never completing a login before that reboot.

Erasing M1 devices

Apple Configurator can revive or restore Apple silicon Mac computers. This requires a second Mac and the requirements listed in Apple's guide:

https://support.apple.com/en-gb/guide/apple-configurator-2/apdd5f3c75ad/mac

Follow Apple's restore or revive workflow for the affected Mac.

Activation Lock

If Activation Lock was enabled, the Mac may ask for an Apple ID and password after restore. For organization-owned devices, use Recovery Assistant to enter the MDM Activation Lock bypass code instead.

Activation Lock bypass codes are available from the FileWave Central Assistants menu:

Recovery Mode

On Apple silicon Mac computers, hold the power button until the screen shows 'Loading startup options' to enter Recovery.

https://support.apple.com/en-gb/guide/mac-help/mchl82829c17/mac

To enter the Activation Lock code:

https://support.apple.com/en-gb/guide/mdm/apd593fdd1c9/web

At this point the device should be accessible again and can be enrolled again if needed.

Failure to Personalize

Apple also documents this restore-related error:

Apple's article for this issue is here:

https://support.apple.com/en-us/HT211983

The previous startup keys combinations used for Intel macOS devices do not apply to M1 Silicon macOS devices:
https://support.apple.com/en-gb/HT201255