Manufacturer Specific Considerations
Apple Specific Considerations
FileWave loves Apple, and so do our customers. If you happen to be one of the organizations that have chosen to incorporate Apple devices into their infrastructure, from iPads to MacBooks, here are some crucial considerations for a successful refresh and (re)Enrollment:
The Apple Program Considerations
You no doubt already know about the various Apple Programs, such as ABM/ASM/VPP/DEP/MDM and even APNs. Each of these programs, explained below, plays a critical role during device enrollment. As with everything else in (re)enrollment, pre-work is good work, and each program has its own prerequisites (and sometimes lead time). You'll want to review the specifics of each below:
Apple Push Notification service (APNs)
The Apple Push Notification service (APNs) is the channel through which FileWave tells managed Apple devices to check in and fetch their MDM commands. Every FileWave server needs a valid APNs MDM push certificate, and that certificate must be renewed annually. Renew it using the same Apple ID that originally created it: a renewal keeps the push topic, whereas a brand-new certificate issued under a different Apple ID carries a different topic, and every currently enrolled device stops receiving pushes until it is re-enrolled. Before any major project, make sure your certificate has plenty of life left (you can renew early).
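The pre-flight check below is an added example, not part of FileWave's own tooling. It assumes you have exported the server's push certificate as a PEM file (the path and the 90-day warning window are placeholders) and relies only on openssl, so it behaves the same on a Mac and on a Linux server. Besides the expiry check, it extracts the push topic (the UID in the certificate subject) so you can confirm that a renewed certificate still carries the same topic as the one it replaces.

```shell
#!/bin/sh
# Added example (not FileWave code): pre-flight an APNs MDM push certificate.
# Assumptions: the certificate has been exported as PEM; paths are placeholders.
# openssl's -checkend is used instead of date arithmetic so the script works
# with both BSD date (macOS) and GNU date (Linux).

# cert_ok_for_days <cert.pem> <days>
# Returns 0 if the certificate is still valid <days> from now, non-zero otherwise.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_expiry <cert.pem>: the notAfter date, for the report line.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_topic <cert.pem>: the push topic, stored as the UID attribute of the
# subject (com.apple.mgmt.External.<uuid>). Handles both "UID=x/CN=y" and
# "UID = x, CN = y" subject formats printed by different openssl versions.
cert_topic() {
    openssl x509 -in "$1" -noout -subject | sed -n 's|.*UID *= *\([^,/]*\).*|\1|p'
}

# topics_match <old.pem> <new.pem>: 0 only if both carry the same, non-empty topic.
# A mismatch means enrolled devices will stop receiving pushes after the swap.
topics_match() {
    a="$(cert_topic "$1")"
    b="$(cert_topic "$2")"
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# apns_preflight <cert.pem> [warn_days]
# Prints a one-line verdict; returns 0 when healthy, 1 when action is needed.
apns_preflight() {
    cert="$1"
    warn="${2:-90}"   # assumption: warn when fewer than 90 days remain
    if ! cert_ok_for_days "$cert" 0; then
        echo "EXPIRED: $cert (notAfter $(cert_expiry "$cert"))"
        return 1
    fi
    if ! cert_ok_for_days "$cert" "$warn"; then
        echo "RENEW SOON: $cert expires $(cert_expiry "$cert") (< $warn days left)"
        return 1
    fi
    echo "OK: $cert topic $(cert_topic "$cert") valid beyond $warn days (expires $(cert_expiry "$cert"))"
    return 0
}
```

Usage: `apns_preflight /path/to/mdm-push.pem 120` before a large project, and `topics_match old.pem new.pem` when you are about to upload a renewed certificate; if the topics differ, you have created a new certificate rather than renewed the old one.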
Apple School Manager/Apple Business Manager Integration (ASM/ABM)
Apple School Manager (for educational institutions) and Apple Business Manager (for businesses) are central to the administration of Apple devices. When integrated with FileWave, these platforms provide granular control and enhanced capabilities. They allow you to:
- Purchase and distribute apps and books in volume: Ensuring the right apps are available for the right users at the right time.
- Create Managed Apple IDs for students and staff: Managed Apple IDs provide a suite of services, including iCloud, collaboration with iWork, and Classroom for student-teacher interaction.
- Configure and update device settings: You can set up device configurations, restrictions, and more, ensuring the devices align with the organization's security policies and operational needs.
But you can't use these programs if they aren't established and integrated with FileWave. So, particularly if you are setting up a new environment, give yourself plenty of time before your project to enroll in them and complete the integration.
Volume Purchase Program (VPP) and Device Enrollment Program (DEP)
VPP (the Volume Purchase Program, now "Apps and Books" within ABM/ASM) and DEP (the Device Enrollment Program, now "Automated Device Enrollment" within ABM/ASM; see Working with Apple's Device Enrollment Program) play a critical role in managing applications and automating device enrollment. Their integration with FileWave allows for:
- Pre-assignment of essential apps/licenses: Save time by pre-assigning devices with required software before they land in the user's hands.
- Automatic device enrollment: With DEP, devices are automatically enrolled into your management system when activated, ensuring they are immediately ready for use and remain under management.
VPP and DEP also require initial setup, and shouldn't be left to the last minute. DEP profiles control device configuration at setup time, and you'll want to make sure you procure all licenses through VPP well ahead of time to avoid last-minute congestion on Apple systems. (Remember you aren't the only organization enrolling 5,000 devices today).
Using FileWave's DEP profile assignment wizard is a great way to pre-configure your devices automatically, even before they leave the box.
Apple MDM Framework (and known issues)
Apple were very innovative with the creation of the MDM framework, and it allows for controlled management of endpoints through known, well-defined mechanisms. It is very structured, which means MDM vendors provide support in common and predictable ways. Knowing, for instance, that an InstallApplication command for app X sits queued on the server until a push notification reaches the device and the device checks in to fetch it plays directly into your capacity planning for (re)enrollment. So it is structured, but (like any other system) it isn't perfect, and there are some additional recommendations we'd make to ensure success:
- Work ahead as much as possible, especially with application licenses. During very large enrollments (particularly in schools in the early fall) there can be tremendous load on Apple services, slowing down throughput; if you licensed three days before you need them, you have no worries.
- Only purchase what you actually need
  - Many customers say "the license is free, so I'll buy 10,000 even though I need 100". Don't do that. Every license you purchase creates system load even if you never use it, and it can massively inflate VPP sync time, so less is more here.
- Eliminate antiquated applications
  - There have been reports of iPads, in particular, having an issue when applications are assigned to them that are no longer available in the App Store. In certain circumstances, attempted installation of these apps can make the MDM client on the device stop responding, requiring a reboot.
  - For best results, keep the list of applications in your environment as lean as you can; organizational standards and approval processes can be quite useful here.
  - Identify and remove "no longer available" applications from your device assignments.
- Keep a mindful eye
  - There have been reports (and we have witnessed it internally as well) of the macOS MDM client ceasing to respond over time. We believe Apple are working on addressing this issue, but in the meantime please see the articles below on working around it.
  - Work around some known OS update issues: Reported Issues with macOS Software Updates
  - We know that Apple MDM commands can stall: Address Stalled MDM Commands. Stalled commands slow you down and make systems harder to patch. Review that article for a workaround, but ideally open a ticket with Customer Technical Support and with Apple so that we can all push harder for a fix from Apple.
  - Nudge for macOS Software Updates (macOS Script) is one workaround that many people like for macOS patching.
  - S.U.P.E.R.M.A.N. for macOS Software Updates (macOS Script) is another workaround that is also really great.
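One way to hunt for the "no longer available" titles discussed above, added here as an example and not FileWave's own tooling: run your VPP app IDs (Adam IDs) through Apple's public App Store lookup endpoint and flag the ones that come back with zero results. The IDs and the JSON responses in the test are constructed; in practice you would export the ID list from your Apps and Books inventory. Two caveats: custom apps distributed privately through ABM/ASM never appear in the public catalog, so a miss is a "review" item rather than a "delete" item, and listings are per storefront, so query the country your VPP account belongs to.

```shell
#!/bin/sh
# Added example (not FileWave code): flag VPP Adam IDs that the public App Store
# lookup API no longer returns, as candidates for removal from assignments.
# Assumptions: IDs are supplied by the caller (constructed in tests); the lookup
# endpoint is https://itunes.apple.com/lookup?id=<adamId>&country=<cc>.
# Private/custom apps are not in the public catalog and will always be flagged.

# result_count <json>: pull "resultCount" out of a lookup response without jq.
# Prints nothing when the field is absent (e.g. an HTML error page).
result_count() {
    printf '%s' "$1" | tr -d ' \n' | sed -n 's/.*"resultCount":\([0-9]*\).*/\1/p'
}

# classify_app <adam_id> <json>: prints "<id> listed" or "<id> MISSING".
# A missing or non-numeric count is treated as MISSING (fail closed).
classify_app() {
    count="$(result_count "$2")"
    if [ -n "$count" ] && [ "$count" -gt 0 ]; then
        echo "$1 listed"
    else
        echo "$1 MISSING"
    fi
}

# lookup_app <adam_id> [country]: live query against the App Store (needs network).
lookup_app() {
    curl -fsS "https://itunes.apple.com/lookup?id=$1&country=${2:-us}"
}

# check_app_ids "<id1 id2 ...>" [country]: live check of a whitespace-separated list.
# A failed HTTP request is reported as MISSING so it shows up for review.
check_app_ids() {
    for id in $1; do
        classify_app "$id" "$(lookup_app "$id" "$2" 2>/dev/null || echo '{"resultCount":0}')"
    done
}
```

Usage: `check_app_ids "$(cat vpp-ids.txt)" us | grep MISSING` gives you the review list; cross-check each hit against your ABM/ASM custom apps before removing it from a device group.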
Non-VPP Apps
Everyone has some apps that aren't in VPP but still need to be pushed out. If filesets, fileset magic, .APP installs and custom filesets aren't quite enough options for you :), take a look at Installomator - The one installer script to rule them all (macOS Script) to easily push out over 450 different applications. Completely open source, and completely super!
Use the Kiosk
On all platforms, but particularly iOS/iPadOS, using the Kiosk to let your end users easily install pre-approved applications and profiles themselves will help you both:
- Maintain your sanity
- Mean that your customers can install any needed app, whenever they need it
Microsoft Specific Considerations
FileWave may love Apple, but we also love Microsoft Windows (in the same way that you don't have a favorite child).
Microsoft's Windows platform is widely used in various organizations due to its versatility and familiarity. For a successful device refresh or (re)Enrollment of Microsoft devices, these factors should be considered:
Windows Autopilot and MDM
Windows MDM (see Microsoft Windows MDM) offers an advanced set of capabilities that allow IT teams to pre-configure Windows devices for immediate deployment. With FileWave and Autopilot working in unison, you can:
- Preassign necessary apps and software, saving users from manually installing crucial business applications.
- Configure user-specific settings, offering a personalized experience from the first use.
- Enforce security protocols and settings to maintain a secure environment across all devices.
Imaging Systems when you can't get to MDM-only
Depending on your situation you may not be able to simply enroll devices in Windows MDM and let Filesets install and configure everything. If that's where you are at then take a look at:
- Network Imaging / IVS - Filewave's official supported solution to put images on bare metal.
- PSImage - Alternative Windows Imaging - If you want to learn how to use Microsoft's standard tools and build out an alternative workflow, take a look at this. It ties into FileWave, but was built as an alternative by Professional Services and is more of a DIY solution for those who like to customize everything in their workflow.
Client Deployment
If dealing with enrollment of an existing fleet of devices, but one not yet under FileWave's care, remember that you can create a custom FileWave Client installer at custom.filewave.com. This client installer is a standard MSI installer and can be distributed manually, through a GPO, or even through a legacy management system. It is very flexible, and when combined with the use of placeholders and custom fields, you can pre-assign all device content to deploy automatically on enrollment.
Active Directory Integration
It isn't unique to Microsoft devices, of course, but Active Directory (AD) or Azure AD (now Microsoft Entra ID) is usually an integral part of user management in the Microsoft ecosystem. By integrating AD with FileWave, you can enhance user and device management, including:
- Synchronization of user accounts and groups between AD and FileWave.
- Automation of device assignments based on AD group membership.
- Implementation of access control and device policies based on AD user roles.
- Integration of AD based data into FileWave for super-granular device and user-control
Updates and Patch Management
Microsoft regularly releases updates for Windows and its Office applications. An effective patch management strategy is crucial to maintain security and productivity. FileWave can:
- Schedule and manage updates at convenient times, reducing disruption to productivity.
- Automate the installation of critical security patches, keeping your device fleet secure.
- Provide alerts about outdated software, allowing for quick remediation.
For third-party applications, consider Microsoft's winget package manager alongside the Windows updates above to keep them patched.
Google Specific Considerations
FileWave supports two very distinct operating systems from Google: ChromeOS (Chromebooks) and Android. Each platform has its own specific considerations.
Chromebook Integration
Unlike the other supported platforms, FileWave's support for Chromebooks centers on gathering device information and OU management. It is a very effective tool for quickly finding devices and, in particular, moving them between OUs, which quickly changes their settings and extension assignments; location lookup is available as well.
But you can't manage them if they aren't enrolled. Thankfully, for Chromebooks the FileWave integration is all or nothing: you complete the one-time configuration, and you immediately have management of ALL Chromebooks in your organization without touching each device.
Chrome Education Upgrade/Chrome Enterprise Upgrade and Android Enterprise
These services provide advanced device management capabilities for education and enterprise customers. When integrated with FileWave, they offer:
- Access to device and user policies: This ensures consistent application of your organization's rules across all devices.
- Theft prevention with lost mode: In case a device is misplaced, you can lock it remotely, ensuring your data remains secure.
- Advanced device reporting and health checks: Regularly monitor the status of your devices and troubleshoot any issues swiftly.
Android: Google Play Store Management
With the vast library of apps available on the Google Play Store, effective app management can be challenging. FileWave's app management features allow you to:
- Manage app distribution and ensure compliance: Keep track of your app installations and report unauthorized installation.
- Customize app settings and access per user or user group: Personalize the user experience and maintain a secure environment.
Google as an IDP (Identity Provider)
Separately from both platforms above, FileWave itself can authenticate FileWave administrators through Google as an identity provider (IdP).
By considering these manufacturer-specific aspects and leveraging FileWave's integrations and capabilities, you can ensure a smooth and efficient device refresh or (re)Enrollment process.