Manufacturer Specific Considerations

• Apple Specific Considerations
• Microsoft Specific Considerations
• Google Specific Considerations

Apple Specific Considerations

FileWave loves Apple, and so do our customers.  If you happen to be one of the organizations that have chosen to incorporate Apple devices into their infrastructure, from iPads to MacBooks, here are some crucial considerations for a successful refresh and (re)Enrollment:

The Apple Program Considerations

You no doubt already know about the various Apple Programs, such as ABM/ASM/VPP/DEP/MDM and even APN.  Each of these programs, explained below, provide critical roles during device enrollment.  As with everything else (re)enrollment, pre-work is good work, and each program has it's own pre-requisites (and sometimes lead-time).  You'll want to review the specifics of each below:

Apple Push Notification (APN)

Apple Push Notifications are the method by which FileWave initiates communication with your devices through the Apple MDM framework.  Every FileWave server must have a valid APN token assigned, and it must be refreshed annually.  Before any major project, you should make sure your APN has plenty of life left (and you can renew early).

Apple School Manager/Apple Business Manager Integration (ASM/ABM)

Apple School Manager (for educational institutions) and Apple Business Manager (for businesses) are central to the administration of Apple devices. When integrated with FileWave, these platforms provide granular control and enhanced capabilities. They allow you to:

• Purchase and distribute apps and books in volume: Ensuring the right apps are available for the right users at the right time.
• Create Managed Apple IDs for students and staff: Managed Apple IDs provide a suite of services, including iCloud, collaboration with iWork, and Classroom for student-teacher interaction.
• Configure and update device settings: You can set up device configurations, restrictions, and more, ensuring the devices align with the organization's security policies and operational needs.

But, you can't use these programs if they aren't established and integrated with FileWave.  So, in particular if you are setting up a new environment, you'll want to give yourself plenty of time before your project to enroll.

Volume Purchase Program (VPP) and Device Enrollment Program (DEP)

The VPP ( Volume Purchase Program ) and DEP ( Working with Apple’s Device Enrollment Program ) play a critical role in managing applications and automating device enrollments. Their integration with FileWave allows for:

• Pre-assignment of essential apps/licenses: Save time by pre-assigning devices with required software before they land in the user's hands.
• Automatic device enrollment: With DEP, devices are automatically enrolled into your management system when activated, ensuring they are immediately ready for use, and remain under management
  

VPP and DEP also require initial setup, and shouldn't be left to the last minute.  DEP profiles control device configuration at setup time, and you'll want to make sure you procure all licenses through VPP well ahead of time to avoid last-minute congestion on Apple systems.  (Remember you aren't the only organization enrolling 5,000 devices today).

Using FileWave's DEP profile assignment wizard is a great way to pre-configure your devices automatically, even before they leave the box.

Apple MDM Framework (and known issues)

Apple were very innovative with the creation of the MDM framework, and it allows for controlled management of endpoints through known, controlled mechanisms.  It is very structured, and means that MDM vendors provide support in very common and defined manners.  Knowing for instance that an MDM command to InstallApplication X won't be able to run until the push notification is able to be sent to the device plays into your capacity planning for (re)enrollment.  So, it is structured, but it (like any other system) isn't perfect and there are some additional recommendations we'd make to ensure success:

• Work ahead as much as possible, especially with application licenses...during times of very larger enrollments (particularly in schools in the early fall) there can be tremendous load on Apple services, slowing down throughput...but if you licensed 3 days before you need them, you have no worries
  
• Only purchase what you actually need
  • Many customers say "the license is free, so I'll buy 10,000 even though I need 100".  Don't do that.  Every license you purchase does create system load, even if you don't end up using it.  It can massively impact VPP sync time, so less is more here.
• Eliminate Antiquated applications
  • There have been reports of iPads, in particular, having an issue when applications are assigned to them that are no longer available in the App store.  In certain circumstances, attempted installation of these apps can make the mdm client stop responding on the device, and a reboot required.
  • For best results, try to keep your list of applications in the environment as lean as you can...organization standards and approval processes here can be quite useful
  • Identify and remove "no longer available" applications from your device assignments
• Keep a mindful eye
  • There have been reports (and we have witnessed it internally as well) of macOS mdm clients dying over time.  We believe Apple are working on addressing this issue, but in the meantime, please see the below articles on working around this particular issue
• Work around some known OS Update issues: Reported Issues with macOS Software Updates
  • We know that Apple MDM can get stalled: Address Stalled MDM Commands which can cause a slowdown for you and make it harder to patch systems. Review that article for a workaround, but ideally open a ticket with Customer Technical Support and with Apple so that we can all push harder for a fix from Apple.
  • Nudge for macOS Software Updates (macOS Script) is one workaround that many people like for macOS patching.
  • S.U.P.E.R.M.A.N. for macOS Software Updates (macOS Script) is another workaround that is also really great. 

Non-VPP Apps

Everyone has  some apps that aren't in VPP that they need to push out.  If filesets, fileset magic, .APP installs and custom filesets aren't quite enough options for you :), take a look at Installomator - The one installer script to rule them all (macOS Script) to easily push out over 450 different applications. Completely opensource, and completely super!

Use the Kiosk

With all platforms, but particularly iOS/iPadOS, using the Kiosk ( Kiosk ) to allow your customers to easily and effectively install pre-approved applications and profiles will help you both:

• Maintain your sanity
• Mean that your customers can install any needed app, whenever they need it

Microsoft Specific Considerations

FileWave may love Apple, but we also love Microsoft Windows.  (In the same way that you don't have a favorite child)

Microsoft's Windows platform is widely used in various organizations due to its versatility and familiarity. For a successful device refresh or (re)Enrollment of Microsoft devices, these factors should be considered:

Windows Autopilot and MDM

Windows MDM ( Microsoft Windows MDM ) offers an advanced set of capabilities that allow IT teams to pre-configure Windows devices for immediate deployment. With FileWave and Autopilot working in unison, you can:

• Preassign necessary apps and software, saving users from manually installing crucial business applications.
• Configure user-specific settings, offering a personalized experience from the first use.
• Enforce security protocols and settings to maintain a secure environment across all devices.

Imaging Systems when you can't get to MDM-only

Depending on your situation you may not be able to simply enroll devices in Windows MDM and let Filesets install and configure everything. If that's where you are at then take a look at:

• Network Imaging / IVS - Filewave's official supported solution to put images on bare metal. 
• PSImage - Alternative Windows Imaging - If you want to learn how to use Microsoft standard tools and build out an alternative workflow then take a look at this. It ties in to FileWave, but was built as an alternative by Professional Services and is more of a DIY solution for those who like to customize everything in their workflow. 

Client Deployment

If dealing with enrollment of an existing fleet of devices, but one not yet under FileWave's care, remember that you can create a custom FileWave Client installer at custom.filewave.com.  This client installer is a standard MSI installer and can be distributed manually, through a GPO, or even through a legacy management system.  It is very flexible, and when combined with the use of placeholders and custom fields, you can pre-assign all device content to deploy automatically on enrollment.

Active Directory Integration

It isn't isolated to only MSFT of course, but Active Directory (AD) or AzureAD are usually an integral part of user management in the Microsoft ecosystem. By integrating AD with FileWave, you can enhance user and device management, including:

• Synchronization of user accounts and groups between AD and FileWave.
• Automation of device assignments based on AD group membership.
• Implementation of access control and device policies based on AD user roles.
• Integration of AD based data into FileWave for super-granular device and user-control

Updates and Patch Management

Microsoft consistently releases updates for Windows OS and their suite of office applications. An effective patch management strategy is crucial to maintain security and productivity. FileWave can:

• Schedule and manage updates at convenient times, reducing disruption to productivity.
• Automate the installation of critical security patches, keeping your device fleet secure.
• Provide alerts about outdated software, allowing for quick remediation.

By considering these manufacturer-specific aspects and leveraging FileWave's integrations and capabilities, you can ensure a smooth and efficient device refresh or (re)Enrollment process.

Utilize solutions like Microsoft winget to patch 3rd party applications. 

Google Specific Considerations

FileWave supports two distinct Google device platforms, Chromebooks and Android devices. Each platform has its own setup and management considerations.

Chromebook Integration

FileWave support for Chromebooks is primarily focused on device visibility and organizational unit (OU) management. That makes it useful for finding devices quickly, checking where they belong, and moving them between OUs so the correct settings and extensions are applied.

Chromebooks still need to be enrolled before FileWave can manage them. The Google integration is configured once at the organization level, so after that setup is complete, FileWave can work with the Chromebooks in your environment without touching each device individually.

Chrome Education Upgrade / Chrome Enterprise Upgrade and Android Enterprise

These services extend device management for education and enterprise environments. When they are integrated with FileWave, they can provide:

• Access to device and user policies, which helps keep settings consistent across devices.
• Theft prevention with lost mode, so a misplaced device can be locked remotely.
• Advanced device reporting and health checks for ongoing visibility and troubleshooting.

Android and Google Play management

Google Play's large app catalog can be difficult to manage manually. FileWave can help you:

• Manage app distribution and monitor compliance, including unauthorized installations.
• Customize app settings and access for individual users or user groups.

Google as an identity provider

FileWave admins can also authenticate through Google's identity provider services.

Keeping these Google-specific considerations in mind can make device refresh and re-enrollment projects go more smoothly.