# Profiles (Apple)

Apple Configuration Profiles files contain settings and restrictions to manage and configure Apple devices. These profiles are created and distributed by administrators or IT departments to enforce specific configurations, policies, and restrictions on iOS, iPadOS, macOS, and tvOS devices. Configuration Profile management is broad, including: network configurations, security policies, app restrictions, email, VPN and more. These profiles can be deployed over-the-air (OTA) or installed manually on devices, allowing organizations to maintain consistent settings and efficient management. Providing a centralised and flexible custom management, Configuration Profiles support various deployment scenarios.

# Background Login Items Notification Suppression (macOS Ventura+)

## What

macOS 13 Ventura includes new functionality in the new **System Settings** app to control services like LaunchAgents and LaunchDaemons — Apple is (confusingly) calling this **Login Items** (found in **Settings->General**). By default, Apple has chosen to display notifications to the user when these items are installed.

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-05/scaled-1680-/RmV4a6hR918CxIoL-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-05/RmV4a6hR918CxIoL-image.png)

## When/Why

As a system administrator, you may not want these to display for your users. The example profile from this article will suppress notifications like this.

## How

Download the attached Fileset and assign it to your MDM-enrolled macOS Ventura devices.

[Download Fileset](https://kb.filewave.com/attachments/2)

## Related Content

- [Managing "Login Items" for macOS Ventura](https://hammen.medium.com/managing-login-items-for-macos-ventura-e78d627f88b6) - Credit to Robert Hammen for documenting this.

# Application Bundle IDs in Apple Profiles

## What

Some profile types require an Application Bundle Identifier to be supplied to the Profile. In some instances this may be added automatically. Examples of Profiles that require Application Bundle IDs are:

- Notifications
- Home Screen Layout

## When/Why

Perhaps it would be desirable to create a Profile to preset Notification options for Teams or maybe choose where in the Home Screen Teams is located.

## How

### Search & Create Payload

Taking Notifications as an example, choosing to create a Notifications Payload, a Search box pops up:

FileWave Central | FileWave Anywhere

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-09/scaled-1680-/oBkPgmcZik7IX2C6-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-09/oBkPgmcZik7IX2C6-image.png)[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-09/scaled-1680-/dkacmlqpWuWaVWdC-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-09/dkacmlqpWuWaVWdC-image.png)
Using Microsoft Teams as an example, the search may provide the following output:
[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-09/scaled-1680-/XcsrqBqh27AhI4EM-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-09/XcsrqBqh27AhI4EM-image.png)[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-09/scaled-1680-/L06S9miJZMT1rKxE-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-09/L06S9miJZMT1rKxE-image.png)

On selecting the Store App for Microsoft Teams from the list, the following is shown:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-09/scaled-1680-/F3qobcGN6QcACChj-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-09/F3qobcGN6QcACChj-image.png)

However, in the background FileWave has lifted the Bundle ID from the App Store query and inserted this into the underlying profile:

```
NotificationSettings = Array {
    Dict {
        BadgesEnabled = false
        ShowInCarPlay = false
        ShowInLockScreen = true
        AlertType = 1
        GroupingType = 0
        CriticalAlertEnabled = false
        SoundsEnabled = true
        BundleIdentifier = com.microsoft.skype.teams
        PreviewType = 0
        NotificationsEnabled = true
        ShowInNotificationCenter = true
    }
}
```

Note, this is the Bundle ID of the iOS Application for Microsoft Teams; the macOS Bundle ID is: `com.microsoft.teams`

Therefore, to manage Teams for macOS in one of these Payloads would require manually entering the Bundle ID into the Search box, since there is no App Store version to be found.

FileWave Central | FileWave Anywhere

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-09/scaled-1680-/KSf7e6rmCZX4AIgK-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-09/KSf7e6rmCZX4AIgK-image.png) [![image.png](https://kb.filewave.com/uploads/images/gallery/2023-09/scaled-1680-/afEpt3taM1ESCUJM-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-09/afEpt3taM1ESCUJM-image.png)
Upon entering the Bundle ID into the search box, select the one listed as the Bundle Identifier and accept this.

Re-opening the Payload in the future may show the Bundle ID instead of the App name, where App Store items were previously accepted.

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-09/scaled-1680-/MUCM0AYraIrpR9ED-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-09/MUCM0AYraIrpR9ED-image.png)

Home Screen Layout is another Payload example which requires a Bundle ID, and the search should behave in the same manner: if found, the App Store version may be selected; otherwise the Application Bundle ID must be added manually into the search box to be selected:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-09/scaled-1680-/aCdnWeZqG1AjwmKE-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-09/aCdnWeZqG1AjwmKE-image.png)[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-09/scaled-1680-/lxLSa1IuteRmcwos-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-09/lxLSa1IuteRmcwos-image.png)

### Obtaining the Bundle Identifier

Since the Bundle Identifier is required, it must be discovered. If the Application exists on a managed device, then an Inventory Query may be built to obtain the Application Bundle ID:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-09/scaled-1680-/WQYjOBAevprqoQLI-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-09/WQYjOBAevprqoQLI-image.png) [![image.png](https://kb.filewave.com/uploads/images/gallery/2023-09/scaled-1680-/kXUYiVvEn5vufzEy-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-09/kXUYiVvEn5vufzEy-image.png)

## Related Content

- [Profile Editor Details for Apple](https://kb.filewave.com/books/profiles-apple/page/profile-editor-details-for-apple)

# Create TCC Privacy Policy Control Payloads

### Description

There is no way to escape the need to identify which services are being requested and require approval through the Privacy section of the Security & Privacy Preference Pane. Indeed there is an [in-depth KB](https://kb.filewave.com/books/profiles-apple/page/macos-privacy-preferences-payload-in-mojave-1014 "macOS Privacy Preferences Payload in Mojave 10.14+") to assist this recognition. When an action triggers this process, there should also be an addition to the relevant Service, which may be seen from the Security & Privacy Preference Pane.

Once these details have been established, the profile then needs to be built. This relies on commands being run in a Terminal shell to obtain certain information, e.g. BundleID and Code Signature.

To simplify this process, a Finder service has been built, which may:

- Create new Privacy Profiles
- Allow and Deny service rules and add Additional Apple Events
- Edit an already created Privacy Profile to update or add additional items

### Requirements

- The following service
- Ironically, the Finder Service in its own right requires some privacy allowance

↓ macOS
[![placeholder-medium-zip.png](https://kb.filewave.com/uploads/images/gallery/2023-07/6ySDc0dBg5a0v09E-placeholder-medium-zip.png)](https://kb.filewave.com/attachments/163)

### Directions

- Unzip the service
- Double click to install the service
- When the service is first run, there will be a prompt to allow the service access rights; click OK

Now that the Service has the allowance to run, Privacy Profiles may be built with this Service.

#### Hidden Apps and Binaries

The service relies on selecting items with Finder; some though are hidden from Finder view. An example is the FileWave Client. To build Privacy Payloads for the FileWave Client for example, the selection should be:

- /usr/local/sbin/FileWave.app

To access these items, users may use Terminal to open the containing folder in Finder. For example:

```bash
open /usr/local/sbin/
```

#### Example

Consider the requirement to grant Terminal Full Disk Access

- Select Terminal.app in Finder
- Right-click and select 'Create TCC Profile'
- Note: On macOS Monterey, you will right click then choose Quick Actions then Create TCC profile

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/0Fw1TPHJr7Zqqd1A-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/0Fw1TPHJr7Zqqd1A-image.png)

The first window will provide an option to create a new file or add to an existing file.

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/Am3coesNGuLjLFuM-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/Am3coesNGuLjLFuM-image.png)

Select 'No'. You will then be presented with a Window of items to 'Allow'.

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/mtvXZHFzvtATFDkD-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/mtvXZHFzvtATFDkD-image.png)

Select 'All Files'.

The next two windows give the option to select items to 'Deny' and Add Apple Events; skip both of these and additionally select 'No' to 'Add other Apple Event'.

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/7Wa8Sf2mpYKFAPTW-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/7Wa8Sf2mpYKFAPTW-image.png)

Save the file and Finder will become active with the created file highlighted, ready to drag into FileWave.

#### Adding to an existing file

When choosing to add to an existing file, any additional item selected will have its services added from those newly selected. If an App, Bundle or Binary selected is one that already exists in the file, it will be reset and each service selected will replace those in the file; other Apps, Bundles, or Binaries that live inside the file will be left intact.

### Delete: Cancel

When choosing to amend an already existing file, if the 'Delete: Cancel' option is selected, the original file will be left as it was, with no amendments. Choosing Save, however, will overwrite the original file.

#### Selecting Items

When selecting services, the interface is a standard Finder interface. As such you can use the Shift key to select a group of services or Command (⌘) click to select multiple items individually.

#### FileWave Client Binary

Managed allowance of services must be delivered through MDM to a device that has UAMDM; the FileWave Client, therefore, will not have any additional access granted when installed. Since each customer will have their own security requirements, there should be careful consideration when choosing which services to allow. Examples could include:

- Accessibility
- System Post Events
- Full Disk Access
- Apple Events:
  - System Events
  - Osascript
  - SystemUIServer
  - Finder

Below is an example, which includes each of the items mentioned in the list. However, this should be edited to meet your own requirements.

↓ macOS
[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/rsgkgiuJbMWWMKDC-image.png)](https://kb.filewave.com/attachments/164)

# Alternate Browser Configuration on iOS/iPadOS

## What

It can be desirable to use browsers other than Safari. Apple now provide two such methods for i(Pad)OS.

- Web Clip URLs sent to devices to open particular pages
- Changing the default browser i(Pad)OS 18+

## When/Why

Internal policy may suggest a different browser is used for compatibility. Perhaps, though, it is better to allow users to choose their preferred browser, while certain delivered Web Clips contain pages better suited to a different browser.

Where an alternate browser is targeted, that browser must already be installed on the device.

## How

### Web Clip URL

Page may need to be a non-secure or secure link, http or https respectively. Be sure to test the URL link before mass deployment.

Configuring a Web Clip Payload to use either http or https will cause the Web Clip to open in the user's chosen default browser. This will be Safari, if not changed. For example, on a non-configured device, meaning Safari is default, either of the following should open using Safari:

- `http://www.filewave.com`
- `https://www.filewave.com`

Each browser has an identifier which may be set to force the Web Clip to open in that browser, including:

| Browser | Browser URL Prefix | Browser URL Secure Prefix |
| --- | --- | --- |
| Google Chrome | `googlechrome://` | `googlechromes://` |
| Firefox | `firefox://open-url?url=http://` | `firefox://open-url?url=https://` |
| Microsoft Edge | `microsoft-edge-http://` | `microsoft-edge-https://` |

#### Example

Imagine the Google Chrome web browser is the chosen target application for the Web Clip; either of the following should open using the Google Chrome browser:

- `googlechrome://www.filewave.com`
- `googlechromes://www.filewave.com`

Using the latter example, this is how this should look in the URL of the Profile Payload:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/AnVDO2ukFadqeroL-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/AnVDO2ukFadqeroL-image.png)

### Force Default Browser

As of FileWave 16, it is now possible to leverage the newly added Apple feature to force a different default browser on i(Pad)OS 18.2+. This is a command sent to devices:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2025-04/scaled-1680-/etw3yVRSyReD3Mk7-image.png)](https://kb.filewave.com/uploads/images/gallery/2025-04/etw3yVRSyReD3Mk7-image.png)

In this instance, it should be the Bundle ID of the Application, e.g.

| Browser | Bundle ID |
| --- | --- |
| Safari | `com.apple.mobilesafari` |
| Firefox | `org.mozilla.ios.Firefox` |
| Opera | `com.opera.OperaTouch` |
| Microsoft Edge | `com.microsoft.msedge` |
| Google Chrome | `com.google.chrome.ios` |
| Brave | `com.brave.ios.browser` |

As a Command, it does allow users to overrule the chosen Browser, but as with other commands, the policies are re-pushed every 24 hours. However, it is possible to prevent users from altering the default browser with a restrictions profile:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2025-04/scaled-1680-/TJ8pBU1IKQBC2Xcu-image.png)](https://kb.filewave.com/uploads/images/gallery/2025-04/TJ8pBU1IKQBC2Xcu-image.png)

As per Apple's documentation, this restriction does not prevent the MDM command from setting an alternate browser:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2025-04/scaled-1680-/FNTRHEKRYgAo6Uf1-image.png)](https://kb.filewave.com/uploads/images/gallery/2025-04/FNTRHEKRYgAo6Uf1-image.png)

## Related Content

- [Managing Web Clips on iOS / iPadOS](https://kb.filewave.com/books/profiles-apple/page/managing-web-clips-on-ios-ipados "Managing Web Clips on iOS / iPadOS")

# eSIM Management for Apple devices

Apple devices may be using LTE connectivity and may be equipped with an eSIM instead of a physical SIM chip: [https://support.apple.com/en-us/HT209044](https://support.apple.com/en-us/HT209044)

FileWave and Apple offer options to manage these eSIM devices.

### **Restrict access to eSIM settings:**

Deploying an iOS restrictions profile allows you to restrict access to eSIM settings, to make sure the device user is not changing the carrier:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/UbJL9WmVaA8Ivc4I-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/UbJL9WmVaA8Ivc4I-image.png)

### **Configure eSIM:**

While eSIMs can be configured manually, it is possible to use FileWave to update eSIM configurations remotely for your devices. Carriers should provide you a *cellular plan url* which will be used by the device to get the Carrier configuration.

To have your devices refresh the cellular plan:

1. Create a new profile
2. Select "Command Policy" in the *iOS and macOS 10.10+* section
   [![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/2q1RcxLKC2sturHW-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/2q1RcxLKC2sturHW-image.png)
3. In the profile definition, enter the url provided by your carrier in the *Refresh Cellular Plan* section
   [![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/VUEfciOxIlmMIWC7-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/VUEfciOxIlmMIWC7-image.png)
4. Deploy the profile to the corresponding devices

The command will be sent to the device at each verify; you may want to remove devices from corresponding groups once they have been configured properly to avoid re-sending the command too frequently.

Prior to iPadOS 13.4, the eSIM restriction would impact the ability to refresh the Cellular Plan via your MDM. If you have devices earlier than 13.4, then it is required to remove the restriction before deploying the Command Policy profile updating the plan. Upgrading your iPadOS device to 13.4.1 solves this issue.

The following options are also available in the iOS restriction payload to allow you to configure access to cellular settings:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/NglJ1YAMad4YvS4t-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/NglJ1YAMad4YvS4t-image.png)

### Automatic configuration of new devices

If you buy a large number of eSIM capable devices, you may want to automate the process of configuring the eSIM during enrollment. This can be achieved with:

- a *Profile* Fileset, with a "Command Policy" which will define the *Refresh Cellular Plan* url provided by your carrier
- a smart group with the following criteria:
  - All involved devices (see notes below on identifying devices)
  - Empty phone number

When enrolling a new device, it will be a member of our defined smart group and we'll assign the *Refresh Cellular* command to configure the eSIM to the group as well. Once that command is completed, the device will then report having a phone number and will thus be excluded from the Smart Group in future.

Currently, iOS devices do not report if they are eSIM capable or not, so it's not possible to create a Smart Group based on a built-in inventory field.
However, there are a couple of ways this can be worked around:

- Use a specific DEP server in ASM/ABM, add all matching devices and use the DEP account field in the Smart Group (this would be a manual operation in ASM/ABM)
- Slightly easier, you can add your devices as placeholders, and create a specific [Custom Field](https://kb.filewave.com/wiki/spaces/KB/pages/4718852/8.9.++Custom+Fields) to flag matching devices and use the Custom Field in the Smart Group
- Filter devices by model as only some models are eSIM capable. Apple lists them here: [https://www.apple.com/ipad/cellular/](https://www.apple.com/ipad/cellular/); [Mactracker](https://apps.apple.com/fapp/mactracker/id430255202), a free macOS app, can also be used to get information about device capabilities.

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/t4QSGg7zRuiES4eP-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/t4QSGg7zRuiES4eP-image.png)

# macOS Privacy Preferences Payload in Mojave 10.14+

### Description

With macOS 10.14, Apple has introduced another new payload that requires [User Approved MDM](https://kb.filewave.com/books/filewave-client/page/user-approved-mdm-enrollment-macos "User Approved MDM Enrollment (macOS)"). The [Privacy Preferences payload](https://kb.filewave.com/books/profiles-apple/page/privacy-preferences-policy-control-tcc "Privacy Preferences Policy Control (TCC)") controls the settings that are displayed in the "Privacy" tab of the "Security & Privacy" pane in System Preferences. This forms part of Apple's security framework: Transparency Consent and Control (TCC).

### Ingredients

- FileWave 13+
- macOS 10.14+
- macOS UAMDM enrolled device

### FileWave Supported Version

Although FileWave 13 has initial support for Privacy Payloads, approval for the FileWave Client to access services in macOS 10.15 relies upon FileWave 13.2.2 or higher.

### BundleID or Path

When building TCC Privacy Payloads there are two choices:

- BundleID
- Path

Items within bundles (.app or .bundle) must refer to the bundle and not the path. Otherwise, 'Path' should be selected.

### Directions

1. Create a New Profile Fileset
2. Choose Payload
3. Select 'Privacy & Security' in the sidebar
4. Select the Privacy tab
5. Provide either the App Path or Bundle ID as required and click on the '+'
   [![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/sPXK8PUY4kXC7TkR-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/sPXK8PUY4kXC7TkR-image.png)
6. Choose the necessary Service type
7. Add the Code Requirement
   [![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/MinOMaUuADTntyYn-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/MinOMaUuADTntyYn-image.png)

   **Code Required**

   To obtain the required code, the 'codesign' command displayed in the window will need to be run, pointing to the path of either the binary or Application. See below: Requesting Application.
8. Set other settings appropriately.
9. Save, Associate, and Update Model

### System Preferences

When a payload is set to configure a service on a macOS device, the System Preferences view will not reflect this setting, despite it being managed.

#### Identifying Accessing Service

Run a 'log stream' command on the destination device and then attempt to push the Fileset.
Using the following command, the requesting App may be identified:

```bash
$ /usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
Filtering the log data using "subsystem == "com.apple.TCC" AND composedMessage BEGINSWITH "AttributionChain""
Timestamp Thread Type Activity PID TTL
2019-04-04 09:17:22.668813+0100 0x14c8f Info 0x2a2c2 209 0 tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.filewave.fwcld, PID[8318], auid: 0, euid: 0, responsible path: '/usr/local/sbin/FileWave.app/Contents/MacOS/fwcld', binary path: '/usr/local/sbin/FileWave.app/Contents/MacOS/fwcld'}, ACC:{ID: com.apple.ls, PID[8691], auid: 0, euid: 0, binary path: '/bin/ls'}, REQ:{ID: com.apple.sandboxd, PID[7499], auid: 0, euid: 0, binary path: '/usr/libexec/sandboxd'}
```

This has shown both the bundle ID and the path to the requesting agent:

```bash
# log show --info -last 15m --predicate 'subsystem == "com.apple.TCC" AND eventMessage contains "service="'
Filtering the log data using "subsystem == "com.apple.TCC" AND composedMessage CONTAINS "service=""
Skipping debug messages, pass --debug to include.
Timestamp Thread Type Activity PID TTL
2019-04-04 09:17:22.665903+0100 0x14c8f Info 0x2a2c2 209 0 tccd: [com.apple.TCC:access] tccd[209](0): handling request from PID[7499](-1): { service="kTCCServiceSystemPolicyAllFiles" function="TCCAccessRequest" preflight=false target_token={pid:8691, auid:-1, euid:0} background_session=false }
```

### Profile Services

Apple's list of manageable services:

- [Apple MDM Support Privacy Preferences Policy Control List](https://support.apple.com/en-gb/guide/mdm/mdm38df53c2a/1/web/1)
- [Apple Developer Privacy Preferences Policy Control List](https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services)

In FileWave 13 (up to 13.1.5), Protected Files refers to System Policy All Files.

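The two tccd log lines above can be correlated mechanically to decide what a Privacy payload entry must name. The following is an added example, not FileWave's code or the Finder service: it parses the page's AttributionChain and `service=` lines, applies the page's BundleID-or-Path rule and its deny-only list, and emits a `com.apple.TCC.configuration-profile-policy` payload as a plist. The function names, the `com.example.tcc` identifier prefix and the RESP-before-ACC choice are assumptions of this sketch; the FileWave Client Bundle ID and Code Requirement are the values listed on this page.

```python
"""Added example: tccd log lines -> Privacy Preferences (TCC) payload entry."""
import plistlib
import re
import uuid

# Log lines copied from this page's `log stream` / `log show` output.
ATTRIBUTION_LINE = (
    "tccd: [com.apple.TCC:access] AttributionChain: "
    "RESP:{ID: com.filewave.fwcld, PID[8318], auid: 0, euid: 0, "
    "responsible path: '/usr/local/sbin/FileWave.app/Contents/MacOS/fwcld', "
    "binary path: '/usr/local/sbin/FileWave.app/Contents/MacOS/fwcld'}, "
    "ACC:{ID: com.apple.ls, PID[8691], auid: 0, euid: 0, binary path: '/bin/ls'}, "
    "REQ:{ID: com.apple.sandboxd, PID[7499], auid: 0, euid: 0, "
    "binary path: '/usr/libexec/sandboxd'}"
)
REQUEST_LINE = (
    'tccd[209](0): handling request from PID[7499](-1): { '
    'service="kTCCServiceSystemPolicyAllFiles" function="TCCAccessRequest" '
    'preflight=false target_token={pid:8691, auid:-1, euid:0} '
    'background_session=false }'
)
# FileWave Client values as listed on this page.
FW_BUNDLE_ID = "com.filewave.client"
FW_CODE_REQ = (
    'identifier "com.filewave.fwcld.pkg" and anchor apple generic and '
    'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
    'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
    'certificate leaf[subject.OU] = "83S2TRZ3CS"'
)

ROLE_RE = re.compile(
    r"(RESP|ACC|REQ):\{ID: ([^,]+), PID\[(\d+)\],[^}]*?binary path: '([^']*)'\}"
)
# Payload service keys handled here (services this page names; Apple Events
# is left out because its entries need extra receiver fields).
SERVICE_KEYS = {"SystemPolicyAllFiles", "Accessibility", "PostEvent",
                "Camera", "Microphone", "ScreenCapture"}
DENY_ONLY = {"Camera", "Microphone", "ScreenCapture"}  # only the user can allow


def parse_chain(line):
    """Return {role: {"id", "pid", "path"}} for RESP/ACC/REQ in the line."""
    return {role: {"id": ident, "pid": int(pid), "path": path}
            for role, ident, pid, path in ROLE_RE.findall(line)}


def parse_request(line):
    """Return (payload service key, target pid) from a 'service=' line."""
    service = re.search(r'service="kTCCService(\w+)"', line)
    target = re.search(r"target_token=\{pid:(\d+)", line)
    if not service or not target:
        raise ValueError("not a TCC access request line")
    return service.group(1), int(target.group(1))


def grant_subject(chain, target_pid):
    """Assumption: the grant names the responsible process (RESP) when tccd
    reports one, otherwise the accessing process (ACC). In this page's output
    the request's target_token pid equals the ACC PID, which is checked."""
    if chain.get("ACC", {}).get("pid") != target_pid:
        raise ValueError("attribution chain does not match the request")
    return chain.get("RESP") or chain["ACC"]


def identifier_type(path):
    """Page rule: items inside a .app or .bundle use the bundle, else the path."""
    return "bundleID" if re.search(r"\.(app|bundle)(/|$)", path) else "path"


def build_payload(service, identifier, id_type, code_requirement, allowed):
    if service not in SERVICE_KEYS:
        raise ValueError(f"unhandled service: {service}")
    if allowed and service in DENY_ONLY:
        raise ValueError(f"{service} can only be denied by a profile")
    if not code_requirement.strip():
        raise ValueError("a code requirement is mandatory")
    payload_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": f"com.example.tcc.{payload_uuid}",  # constructed
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
        "Services": {service: [{
            "Identifier": identifier,
            "IdentifierType": id_type,
            "CodeRequirement": code_requirement,
            "Allowed": allowed,
        }]},
    }


def payload_from_logs(attribution_line, request_line, bundle_id, code_req):
    """Correlate both lines; bundle_id is used only when the subject is bundled."""
    service, target_pid = parse_request(request_line)
    subject = grant_subject(parse_chain(attribution_line), target_pid)
    id_type = identifier_type(subject["path"])
    ident = bundle_id if id_type == "bundleID" else subject["path"]
    return subject, build_payload(service, ident, id_type, code_req, True)


if __name__ == "__main__":
    subject, payload = payload_from_logs(
        ATTRIBUTION_LINE, REQUEST_LINE, FW_BUNDLE_ID, FW_CODE_REQ)
    print("grant is for:", subject["path"])
    print(plistlib.dumps(payload).decode())
```

Here `/bin/ls` triggered the Full Disk Access check, but the entry is written for the FileWave Client that launched it, pinned by its Code Requirement rather than by path alone.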
#### Denied Only

Some items only have the option to be denied; allowance is only possible by the user. Examples include:

- Camera (macOS 10.14+)
- Microphone (macOS 10.14+)
- Screen Capture (macOS 10.15+)

### macOS 10.5+

Default behaviour of some services is different between macOS 10.14 and 10.15+. The below example is a demonstration of this experience. Testing of each major version of macOS, from 10.14 up, is advised.

### Example

Configure FileWave to use Apple's Screen Sharing Application and allow the Apple Screen Sharing Agent.

### macOS 10.15+

As of macOS 10.15+ Screen Sharing has been included as a separate service, which may only be denied. Only Users can allow Screen Sharing. However, devices that are UAMDM enrolled may have Apple's Screen Sharing service enabled, and FileWave may be configured to use this service as suggested in the next section along with the following Privacy Payload.

It should be noted that there are two options when logging in with 10.15+ if the user authenticating Screen Sharing differs from the user currently logged in:

- Log in as yourself (the user name that was used to authenticate the screen sharing)
- Ask for permissions to view the display (user must accept the prompt that will appear on their screen)

It is not possible to configure macOS 10.15+ with permission for Screen Sharing control of a user's environment, without the user accepting the request, where a user is logged in that differs from the authenticated Screen Sharing user. However, this method offers the option to prompt the user to accept the request; prompting will occur on every new Screen Sharing attempt. This method with 10.15+ provides both Observation and Control.

#### Reconfigure FileWave for Apple's Screen Sharing Application

By default, FileWave has its own built-in Screen Sharing Agent.
To adapt this, follow the details laid out in [Apple's Screen Sharing Application](https://kb.filewave.com/wiki/spaces/KB/pages/4328081/Apple+Screen+Sharing+Resolution)

Prior to macOS 10.14+ this would allow full control of the macOS device. Due to the new TCC Privacy Framework, macOS 10.14+ will only allow observation when using this method and a privacy payload is required.

#### Privacy Payload to Allow Apple's Screen Sharing Agent

Apple have provided details to allow the [Apple Screen Sharing Agent](https://support.apple.com/en-us/HT209161), which provides the necessary information to build the profile. If these details were not provided though, they may be obtained (see 'Requesting Application' below).

For simplicity, use this provided Fileset: [Profile - TCC - Screen Sharing.fileset.zip](https://kb.filewave.com/attachments/162)

#### Deployment

Associate both the Fileset to configure FileWave to leverage Apple's Screen Sharing and the Fileset to allow the Apple's Screen Sharing Agent, Update Model and test client observation.

### Requesting Application

Details of the requesting Application can be viewed if need be. On a test client device, run the following command in Terminal:

```bash
$ /usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
```

This will give a live output of events requesting access.

Configure a device to use Apple's Screen Sharing App from above and attempt to run the required Application (in this case use 'Observe Client' from the Admin console) to the test client.
The following should be observed on the client:

```bash
$ /usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
Filtering the log data using "subsystem == "com.apple.TCC" AND composedMessage BEGINSWITH "AttributionChain""
Timestamp Thread Type Activity PID TTL
2018-10-12 07:54:39.013089+0100 0xa1b1 Info 0x21eb3 209 0 tccd: [com.apple.TCC:access] AttributionChain: ACC:{ID: com.apple.screensharing.agent, PID[1125], auid: 501, euid: 501, binary path: '/System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent'}, REQ:{ID: com.apple.WindowServer, PID[176], auid: 88, euid: 88, binary path: '/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer'}
```

This has shown both the bundle ID and the path to the requesting agent:

- `com.apple.screensharing.agent`
- `/System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent`

Using the agent path, the Code Requirement can be retrieved.

```bash
$ codesign -dr - /System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent
Executable=/System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent
designated => identifier "com.apple.screensharing.agent" and anchor apple
```

In this case, the Code Requirement is:

- `identifier "com.apple.screensharing.agent" and anchor apple`

These details may now be used to create a Privacy payload.

#### Identify Accessing Service

The 'log show' command may be used to observe actions that have previously occurred. In this example

```bash
# log show --info -last 15m --predicate 'subsystem == "com.apple.TCC" AND eventMessage contains "service="'
Filtering the log data using "subsystem == "com.apple.TCC" AND composedMessage CONTAINS "service=""
Skipping debug messages, pass --debug to include.
Timestamp Thread Type Activity PID TTL
2019-04-04 09:17:22.665903+0100 0x14c8f Info 0x2a2c2 209 0 tccd: [com.apple.TCC:access] tccd[209](0): handling request from PID[7499](-1): { service="kTCCServiceSystemPolicyAllFiles" function="TCCAccessRequest" preflight=false target_token={pid:8691, auid:-1, euid:0} background_session=false }
```

#### FileWave Client

Providing access to services to the FileWave Client requires:

- App path or Bundle ID: `com.filewave.client`
- Code Requirement: `identifier "com.filewave.fwcld.pkg" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "83S2TRZ3CS"`

# Managing Web Clips on iOS / iPadOS

## Description

It can be desirable to manage Apps, e.g. Home Screen Layout, Restrict App Usage, but how can Web Clips be managed in this same way?

## Ingredients

- iOS 11.3+
- Supervised devices
- Web Clip(s)

## Directions

### Creating a Web Clip

The Web Clip payload can be found in the FileWave Profile Editor and may be created by:

1. Naming the Profile
2. Label the Web Clip (name displayed on the device)
3. Add the URL
4. Add an icon. An icon is not a requirement, but will make it easier for users of devices to identify the Web Clip.

**URL Scheme**

The URL must contain an appropriate scheme, e.g. http:// or https://

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/TKxluhFHUyx3Oz7h-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/TKxluhFHUyx3Oz7h-image.png)

### Creating a Home Screen Layout

The Home Screen Layout payload can also be found in the FileWave Profile Editor. When managing items in Home Screen Layout, the Bundle ID is usually referenced; however, all Web Clips have the same bundle ID. Therefore, when including a Web Clip in a Home Screen Layout, the URL from the Web Clip should be copied to this payload to match exactly.
Again, the URL must contain the same appropriate scheme, e.g. http:// or https://

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/jxdPdO7R06C8iIoc-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/jxdPdO7R06C8iIoc-image.png)

To move the Web Clip version of the App Portal please view our KB on this topic: [Moving the App Portal Web Clip using the Home Screen Layout Payload](https://kb.filewave.com/books/profiles-apple/page/moving-the-app-portal-web-clip-using-the-home-screen-layout-payload "Moving the App Portal Web Clip using the Home Screen Layout Payload")

### App Restrictions

Where Application Restrictions are applied, Web Clips will need to be allowed if required. This involves referencing the Bundle ID: `com.apple.webapp`

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/WB0x0OLlz94CLcIG-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/WB0x0OLlz94CLcIG-image.png)

**Bundle ID:** Since the Bundle ID is the same for all Web Clips, restrictions will either allow or deny all Web Clips. Associations should be used for granular control.

**User Created Web Clips:** When App Restrictions are in place which deny 'Allow Removing Apps', users may create their own Web Clips, but will not be able to remove them.
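The exact-match rule for Web Clip URLs in a Home Screen Layout can be checked before deployment. The following is an added example, not FileWave code: it assumes the payloads have already been parsed into dictionaries using Apple's Web Clip (`com.apple.webClip.managed`) and Home Screen Layout (`com.apple.homescreenlayout`) key names, and every URL in it is constructed.

```python
from urllib.parse import urlsplit

# Payload type and key names follow Apple's Web Clip and Home Screen Layout
# payload definitions; every value below is constructed for illustration.
WEB_CLIP_TYPE = "com.apple.webClip.managed"
LAYOUT_TYPE = "com.apple.homescreenlayout"


def iter_icon_items(layout):
    """Yield every icon item in Dock and Pages, descending into folders."""
    queue = list(layout.get("Dock", []))
    for page in layout.get("Pages", []):
        queue.extend(page)
    while queue:
        item = queue.pop(0)
        yield item
        if item.get("Type") == "Folder":
            for page in item.get("Pages", []):
                queue.extend(page)


def explain_mismatch(url, clip_urls):
    """Say why a layout URL fails to match any deployed Web Clip URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "missing http:// or https:// scheme"
    for clip in clip_urls:
        cp = urlsplit(clip)
        same_target = (cp.netloc, cp.path, cp.query) == (
            parts.netloc, parts.path, parts.query)
        if same_target and cp.scheme != parts.scheme:
            return "scheme differs from the Web Clip payload"
        if clip.rstrip("/").lower() == url.rstrip("/").lower():
            return "differs only by case or trailing slash"
    return "no Web Clip payload uses this URL"


def check_web_clip_layout(payloads):
    """Return (url, reason) for each layout Web Clip without an exact URL match."""
    clip_urls = {p.get("URL") for p in payloads
                 if p.get("PayloadType") == WEB_CLIP_TYPE and p.get("URL")}
    problems = []
    for layout in (p for p in payloads if p.get("PayloadType") == LAYOUT_TYPE):
        for item in iter_icon_items(layout):
            if item.get("Type") != "WebClip":
                continue
            url = item.get("URL", "")
            if url not in clip_urls:
                problems.append((url, explain_mismatch(url, clip_urls)))
    return problems


# Constructed sample: one Web Clip and a layout that references it four ways.
CLIP_URL = "https://intranet.example.invalid/portal"
SAMPLE_PAYLOADS = [
    {"PayloadType": WEB_CLIP_TYPE, "Label": "Portal", "URL": CLIP_URL},
    {
        "PayloadType": LAYOUT_TYPE,
        "Dock": [{"Type": "WebClip", "URL": CLIP_URL}],  # exact match
        "Pages": [[
            {"Type": "Application", "BundleID": "com.apple.mobilesafari"},
            {"Type": "WebClip", "URL": "http://intranet.example.invalid/portal"},
            {"Type": "Folder", "DisplayName": "Links", "Pages": [[
                {"Type": "WebClip", "URL": CLIP_URL + "/"},
                {"Type": "WebClip", "URL": "intranet.example.invalid/portal"},
            ]]},
        ]],
    },
]

if __name__ == "__main__":
    for url, reason in check_web_clip_layout(SAMPLE_PAYLOADS):
        print(f"{url!r}: {reason}")
```
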

# FileWave Apple Profile Editor Explained

## Description

Configuration of Apple devices largely relies upon Profiles. Profiles contain Payloads: settings defined to control aspects of the Operating System and user experience. FileWave has a built-in editor allowing the building of Profiles. This editor is designed to ensure Profiles only contain Payload keys that meet Apple's definitions, which in turn provides peace of mind that Profiles will install on devices when associated.

## Apple Definitions

Apple's developer pages list definitions of all payloads and, as such, which keys are available within each payload, including, amongst other things, whether keys are required or optional. Below is the link to Apple's definition for the Lock Screen Message Payload and example content:
**Example: Lock Screen Message**

https://developer.apple.com/documentation/devicemanagement/lockscreenmessage

```
Dict {
    PayloadDisplayName = Lock Screen Message
    PayloadScope = System
    PayloadType = Configuration
    PayloadRemovalDisallowed = false
    PayloadContent = Array {
        Dict {
            PayloadVersion = 1
            PayloadDisplayName = Lock Screen Message
            PayloadType = com.apple.shareddeviceconfiguration
            IfLostReturnToMessage = FileWave IT
            LockScreenFootnote = %custom_field.asset_tag%
            AssetTagInformation = %custom_field.asset_tag%
            PayloadEnabled = true
            PayloadIdentifier = ML1063.local.93367c30-cfe5-4c58-a2a0-83190666231b.com.apple.shareddeviceconfiguration.1b7de9ad-fc3d-4f97-9338-a26d7811f974
            PayloadUUID = 1b7de9ad-fc3d-4f97-9338-a26d7811f974
        }
    }
    ConsentText = Dict {
        default =
    }
    PayloadIdentifier = ML1063.local.93367c30-cfe5-4c58-a2a0-83190666231b.Configuration.93367c30-cfe5-4c58-a2a0-83190666231b
    PayloadVersion = 1
    PayloadUUID = 93367c30-cfe5-4c58-a2a0-83190666231b
}
```

For the keen eyed, the values provided for two of the possible keys contain parameters from inventory. This allows far more flexibility than fixed details.

Apple's guide shows there are 3 possible keys and their value types:

- AssetTagInformation -- String
- IfLostReturnToMessage -- String
- LockScreenFootnote -- String

## FileWave Mechanics

When creating a Profile in FileWave, any Payload included will automatically have **ALL** default values set within the Payload. The editor is then used to customise chosen values.

macOS will react to all missing Payload Keys by applying default values.

Below is an example for managing Finder:
**Finder Payload for Desktop**

Looking at the FileWave Profile Editor > Finder > Preferences Payload details, for Desktop, FileWave lists 3 items enabled by default:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-11/scaled-1680-/FoVy6A9hH7ET7lub-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-11/FoVy6A9hH7ET7lub-image.png)

It can be seen that this is a direct representation of the default values defined in Apple's documentation: [https://developer.apple.com/documentation/devicemanagement/finder](https://developer.apple.com/documentation/devicemanagement/finder)
**ShowExternalHardDrivesOnDesktop --** boolean If false, the system doesn’t show external hard drives on the Desktop. **Default**: true
**ShowRemovableMediaOnDesktop --** boolean If false, the system doesn’t show removable media items on the Desktop. **Default**: true
**WarnOnEmptyTrash --** boolean If false, the system doesn’t warn the user before emptying the trash. **Default**: true
All other desktop values have a default of 'false'

Building Profiles in FileWave should ensure you always have correctly configured Payloads.

## Custom Settings

Prior to Profile Payloads, Apple had a mechanism known as Managed Preferences (MCX). These were either controlled using Apple Server or, as with Profiles, could be installed locally on devices. In many ways, they are essentially the same thing: an XML-structured file containing configuration. Despite Profiles taking over from MCX many years ago, MCX management still exists today in the latest macOS. The FileWave Profile Editor is able to leverage these and they are managed with the Custom Settings Payload. This means that not only can the OS be managed, but there is also a mechanism for controlling 3rd party Applications whose configuration is defined by this same implementation.
**Example: Google Chrome Custom Settings**

Custom Settings define the Preference Domain (this is the name of the plist file which controls those settings) and then the Property List Values to be controlled:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-11/scaled-1680-/8UuFeINfk5aQHbQ5-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-11/8UuFeINfk5aQHbQ5-image.png)

Custom Settings have a slightly different format than Profiles. It is not possible to directly import a Profile into a Custom Settings Payload.

## Importing Profiles

It is possible to find keys that are not defined by Apple, yet may still seem to function. As such, it would seem, at face value, reasonable to add such keys to the Payload. Yet FileWave only includes those that are defined by Apple, so how could this be possible? One method would be the use of Custom Settings; however, it is also possible to use FileWave to import any Profile, whether from another FileWave Server, built using an Editor or from another tool. There are, though, some important considerations when importing from other tools.

### FileWave Definitions

As noted above, FileWave definitions are built from Apple's definitions. Additionally, FileWave will always configure **ALL** key/value pairs to default if not already defined. However, the flip side of this is that FileWave will also **REMOVE** any keys that are not part of the definition.

### Importing Undefined Keys

If the Profile being imported contains keys that are not part of the definition, the Profile should never be altered or saved within FileWave.

To avoid the need to save the Profile to be imported, drag and drop the Profile into FileWave Central Filesets view or use FileWave Anywhere to upload the Profile. Avoid duplication, as noted below.

The Profile, if opened, will not display unknown keys and if the payload only contains unknown definitions, it will appear as if it doesn't even exist within the Profile.
**Example: Xcreds Payload**

The only item that appears to exist in the Payload is General:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-11/scaled-1680-/oApPMyboNgrHBo1R-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-11/oApPMyboNgrHBo1R-image.png)

Exporting the Profile though and looking at its contents, it can be seen that there is more to this Profile than can be shown using the FileWave Editor:

```
Dict {
    PayloadVersion = 1
    PayloadDisplayName = Xcreds Azure
    PayloadScope = System
    PayloadType = Configuration
    PayloadRemovalDisallowed = false
    PayloadContent = Array {
        Dict {
            PayloadVersion = 1
            PayloadDisplayName = XCreds
            PayloadUUID = 216961FC-A8FE-4E1B-8253-747D3A4A184B
            PayloadType = com.twocanoes.xcreds
            discoveryURL = https://login.microsoftonline.com/xxx/.well-known/openid-configuration
            loginWindowBackgroundImageURL = file:///Users/Shared/random.heic
            scopes = profile openid offline_access
            PayloadIdentifier = ml1063.lan.4301329C-0440-4BB7-B8E8-B498DDE2448C.com.twocanoes.xcreds.216961FC-A8FE-4E1B-8253-747D3A4A184B
            clientID = xxx
            PayloadOrganization =
        }
    }
    ConsentText = Dict {
        default =
    }
    PayloadIdentifier = ml1063.lan.e558df3f-4f17-4d48-919e-56c2fc8636d3.Configuration.e558df3f-4f17-4d48-919e-56c2fc8636d3
    PayloadOrganization = FileWave
    PayloadUUID = e558df3f-4f17-4d48-919e-56c2fc8636d3
}
```
#### Importing Existing Profiles

Each Profile has a Unique Identifier. If, at the time of importing, a Profile with the same Identifier already exists within FileWave, a prompt will be shown, asking if this should be newly created or if it should overwrite the current Profile.

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-11/scaled-1680-/3mI9YuoYbHsSSQOZ-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-11/3mI9YuoYbHsSSQOZ-image.png)

This action will, as with all save actions with Profiles, cause all missing, but defined keys, to be added with default values, **whilst all undefined keys will be removed.**
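The key removal described above can be audited before a profile is imported and confirmed after it is exported again. The following is an added example, not FileWave code: it assumes an unsigned XML or binary plist profile, and `DEFINED_KEYS` is a hypothetical stand-in for an editor's definition table holding only the three Lock Screen Message keys listed earlier. The sample profile and its UUIDs are constructed.

```python
import plistlib

# Keys that Apple defines as common to every payload dictionary.
COMMON_PAYLOAD_KEYS = frozenset({
    "PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID",
    "PayloadDisplayName", "PayloadDescription", "PayloadOrganization",
})

# ASSUMPTION: hypothetical definition table, keyed by PayloadType.
DEFINED_KEYS = {
    "com.apple.shareddeviceconfiguration": frozenset({
        "AssetTagInformation", "IfLostReturnToMessage", "LockScreenFootnote",
    }),
}


def payloads(profile_bytes):
    """Return the payload dictionaries inside a configuration profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", []) if isinstance(p, dict)]


def audit_before_import(profile_bytes, defined=DEFINED_KEYS):
    """List, per payload, the keys a definition-driven save would strip."""
    findings = []
    for payload in payloads(profile_bytes):
        ptype = payload.get("PayloadType", "")
        allowed = COMMON_PAYLOAD_KEYS | defined.get(ptype, frozenset())
        at_risk = sorted(k for k in payload if k not in allowed)
        if at_risk:
            findings.append({
                "type": ptype,
                "uuid": payload.get("PayloadUUID"),
                "type_defined": ptype in defined,  # False: editor shows nothing
                "at_risk": at_risk,
            })
    return findings


def keys_lost_on_roundtrip(original_bytes, exported_bytes):
    """Compare an exported profile with the original, matched by PayloadUUID."""
    exported = {p.get("PayloadUUID"): p for p in payloads(exported_bytes)}
    lost = {}
    for payload in payloads(original_bytes):
        uuid = payload.get("PayloadUUID")
        missing = sorted(set(payload) - set(exported.get(uuid, {})))
        if missing:
            lost[uuid] = missing
    return lost


def sample_profile(simulate_save=False):
    """Constructed profile; simulate_save models the key removal on save."""
    content = [
        {"PayloadType": "com.twocanoes.xcreds", "PayloadVersion": 1,
         "PayloadUUID": "00000000-0000-0000-0000-000000000001",
         "PayloadIdentifier": "example.xcreds", "PayloadDisplayName": "XCreds",
         "discoveryURL": "https://login.example.invalid/openid-configuration",
         "clientID": "xxx", "scopes": "profile openid offline_access"},
        {"PayloadType": "com.apple.shareddeviceconfiguration",
         "PayloadVersion": 1,
         "PayloadUUID": "00000000-0000-0000-0000-000000000002",
         "PayloadIdentifier": "example.lockscreen",
         "IfLostReturnToMessage": "FileWave IT",
         "ExampleUndefinedKey": True},
    ]
    if simulate_save:
        content = [
            {k: v for k, v in p.items()
             if k in COMMON_PAYLOAD_KEYS
             | DEFINED_KEYS.get(p["PayloadType"], frozenset())}
            for p in content
        ]
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",
        "PayloadIdentifier": "example.profile", "PayloadContent": content,
    })


if __name__ == "__main__":
    for finding in audit_before_import(sample_profile()):
        print(finding)
    print(keys_lost_on_roundtrip(sample_profile(), sample_profile(True)))
```

An empty result from `keys_lost_on_roundtrip` on a real export confirms the imported profile was not re-saved in the editor.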

## macOS GUI

The macOS GUI does not always necessarily display the setting that is defined. In some instances, it may even look like it allows the user to alter the value; however, to the user it will appear not to work, since in reality it is managed.

## Undefined Keys

Looking into plist files or binaries of applications, additional, undefined keys can sometimes be found. What's more, it may be possible to use these keys, either within an imported Payload or Custom Settings, with the desired effect. However, since they are undefined, it cannot be guaranteed that these settings will work on all versions of macOS.
**Example: Apple Undefined Key**

Looking at the macOS Restrictions Payload, one of the services available for control is AirDrop:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-11/scaled-1680-/GAM0hiQDZCpZ8AMn-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-11/GAM0hiQDZCpZ8AMn-image.png)
**allowAirDrop --** boolean If false, the system disables AirDrop. Requires a supervised device. Available in iOS 7 and later, and macOS 10.13 and later. **Default**: true
When using AirDrop there are options for discovery:

- No One
- Contacts Only (Requires iCloud login)
- Everyone

Looking at a user's plist file, the key defining their setting may be seen:

```
% defaults read ~/Library/Preferences/com.apple.sharingd.plist DiscoverableMode
Off
```

Taking that into a Custom Settings Payload:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-11/scaled-1680-/pO9ORATOAlVG1wje-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-11/pO9ORATOAlVG1wje-image.png)

Applying to the same device whose AirDrop discovery is set as 'Off':

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-11/scaled-1680-/lNHKmuFbUljvKWPJ-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-11/lNHKmuFbUljvKWPJ-image.png)

For the user, it is configured as 'Off', yet the Payload is defining this to be 'Everyone' and this is reflected in the user experience.

Remember, this is an undefined key and may not function as desired with all macOS versions.

## Missing Keys

At times, Apple add/remove keys from Payload definitions. If a key is considered to be missing from FileWave, but is clearly defined in Apple's developer documentation, then consider creating a ticket through [FileWave Support](https://support.filewave.com).

## Conflicting Keys

Conflicting Payloads are also worth noting in this topic. If two payloads were overlapping in content, but with different settings, what should be the outcome? As per Apple's documentation: [https://support.apple.com/en-gb/guide/deployment/dep9a318a393/web](https://support.apple.com/en-gb/guide/deployment/dep9a318a393/web)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-11/scaled-1680-/wxbXTyV6cwSuWQS6-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-11/wxbXTyV6cwSuWQS6-image.png)

## Conclusion

FileWave Profile Editor protects against malformed Payloads, ensuring they meet Apple's requirements. If a key is required that is not defined by Apple, consider using a Custom Settings Payload to deliver that key/value pair. If importing an undefined key within a non-Custom Settings Payload, do not edit the Profile, so that it remains untouched.

# Apple Profile: Apple Intelligence

## What

Apple has introduced new controls that allow Mobile Device Management (MDM) solutions to manage and restrict the use of **Apple Intelligence** features on managed devices. Starting with **FileWave 15.5.0**, administrators can configure these settings within the **Restrictions** payload in profiles. This enhancement provides organizations with the ability to enable or disable specific AI-powered features across their device fleets, offering greater control over how these functionalities are utilized within the enterprise.

## When/Why

Organizations may have concerns about the use of AI features on company devices, particularly regarding data privacy and the potential for confidential information to be inadvertently shared or processed.
By controlling Apple Intelligence features, IT administrators can:

- **Ensure Data Security**: Prevent sensitive data from being processed by AI features that might store or transmit information in ways that are not aligned with company policies.
- **Maintain Compliance**: Adhere to industry regulations and organizational policies that restrict the use of certain technologies.
- **Manage Feature Adoption**: Delay or control the rollout of new AI features until they have been thoroughly evaluated and approved by the organization.
- **Standardize User Experience**: Provide a consistent set of features across all managed devices, reducing potential confusion or support issues.

## How

To configure Apple Intelligence restrictions in **FileWave 15.5.0** and above:

1. **Access the Profile Editor**:
   - Open **FileWave Central** or login to **FileWave Anywhere**.
   - Create a **Profile** Fileset.
   - Add the Restrictions payload for macOS or iOS.
   - In the profile editor, add the **Restrictions** payload to your profile by picking one of them and clicking **Configure...**

   [![image.png](https://kb.filewave.com/uploads/images/gallery/2024-10/scaled-1680-/fkdIHw66vEJcgmVe-image.png)](https://kb.filewave.com/uploads/images/gallery/2024-10/fkdIHw66vEJcgmVe-image.png)

2. **Configure Apple Intelligence Restrictions**:
   - Within the Restrictions payload, locate the new settings related to Apple Intelligence features.
   - **Available Restrictions**:
     - **Allow Genmoji** (allowGenmoji): Controls the use of personalized emoji generation.
     - **Allow Image Playground** (allowImagePlayground): Manages access to interactive image editing features.
     - **Allow Image Wand** (allowImageWand): Enables or disables AI-powered image manipulation tools.
     - **Allow Personalized Handwriting Results** (allowPersonalizedHandwritingResults): Manages personalized handwriting recognition.
     - **Allow Writing Tools** (allowWritingTools): Enables or disables AI-assisted writing features.
   - **Disable Specific Features**:
     - For each feature you wish to restrict, uncheck the corresponding box to set the option to **Disabled**.
     - Keep in mind that all options in a Restrictions profile are applied, so review the profile to ensure everything is the way you want, or consider whether you already have a Profile on which you simply want to edit these options.

3. **Save and Deploy the Profile**:
   - Save your changes to the profile. Remember you may need one for iPads/iPhones and another for macOS.
   - Ensure the profile you are distributing targets the appropriate devices (macOS, iOS, iPadOS).
   - Deploy the profile to the target devices.

## Related Content

- [FileWave Version 15.5.0](https://kb.filewave.com/books/downloads/page/filewave-version-1550-unsupported "FileWave Version 15.5.0")
- [Profile Editor details for Apple](https://kb.filewave.com/books/profiles-apple/page/profile-editor-details-for-apple "Profile Editor details for Apple")

## Digging Deeper

As artificial intelligence continues to integrate into everyday device functionalities, organizations face the challenge of balancing innovation with security and compliance. Apple Intelligence features offer powerful tools that can enhance productivity and user experience, such as AI-driven image editing, personalized handwriting recognition, and advanced writing assistance. However, these features may raise concerns about data privacy, as they often process personal or sensitive information.

By utilizing the new restrictions in **FileWave 15.5.0**, administrators can proactively manage these features, ensuring that only approved AI functionalities are accessible on company devices.

**Key Considerations**:

- **Data Privacy**: Disabling certain AI features can prevent the potential leakage of confidential or protected information, aligning with the principle that the best way to protect data is not to collect it unnecessarily.
- **Regulatory Compliance**: Organizations subject to strict data protection regulations may need to disable specific features to remain compliant.
- **User Training**: Educate users about the AI features available on their devices and the reasons why certain features may be restricted.

**Staying Informed**:

- **Monitor Updates**: Keep abreast of Apple’s announcements regarding new AI features and corresponding MDM controls.
- **Participate in Beta Programs**: Consider enrolling in Apple’s AppleSeed for IT program to test upcoming releases in your work environment and prepare for future changes.
- **Regular Policy Reviews**: Reassess your organization’s device management policies regularly to accommodate new technologies and evolving security landscapes.

By effectively managing Apple Intelligence features through FileWave’s MDM solution, organizations can enjoy the benefits of Apple’s latest innovations while maintaining control over their data and compliance obligations.

# Microsoft Office 365 OAuth and Exchange Profile

## What

Basic Authentication has been deprecated as of December 2022. Now only a Modern Authentication method (using OAuth) will work. This KB article explains how to set up and get connected with FileWave's Exchange Profile. Requirements are:

- FileWave Central
- Administrative access to your Microsoft Azure for the URL and Tenant ID

## When/Why

Microsoft has introduced a new Modern Authentication method (using OAuth), and FileWave’s Exchange Profile can be configured to use it to connect to your Exchange services. If you have Users set up within Microsoft Azure directories, you may want to use variables that can be extracted and populated for users or email addresses. For more information and other variables that can be used in iOS/macOS Profiles please review: [Using variables in iOS/macOS Profiles](https://kb.filewave.com/books/profiles-apple/page/using-parameters-in-apple-iosmacos-profiles "Using variables in Apple iOS/macOS Profiles").
## How

Now let’s create the Exchange Profile. You will want to open FileWave Admin and create a new Profile by selecting Filesets > Create New Desktop > Profile.

1. Choose the Exchange Payload and then configure the following:
   1. Account Name - Name of your choice
   2. Connection Type - Choose iOS or macOS
   3. User - You may use the variable for the username or for email to populate in the user’s account; %username% or %email%
   4. Email Address - You may use the variable for email to populate in the email address; %email%
   5. Check the box ‘Use OAuth for authentication’ to enable the OAuth method
   6. OAuth Sign in URL - `https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/authorize`; be sure the Tenant ID matches the one from your Microsoft Azure account
   7. OAuth Token Request URL - `https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/token`; be sure the Tenant ID matches the one from your Microsoft Azure account
   8. Exchange Active Host URL - `outlook.office365.com`
   9. Optional settings - you may check based on your desired settings for the mail account

Below is an example screen shot:

![](https://kb.filewave.com/uploads/images/gallery/2023-07/XTIsQCU5Ltewu1mj-embedded-image-hvwxr1vc.png)

![](https://kb.filewave.com/uploads/images/gallery/2023-07/7ProIZtUuE6UCedY-embedded-image-sdvrrkss.png)

## Related Content

- [Deprecation of Basic authentication in Exchange Online | Microsoft Learn](https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online)
- Be sure to review Microsoft Office documentation on setting up [Exchange Online | Microsoft Learn](https://learn.microsoft.com/en-us/exchange/exchange-online)

# Moving the App Portal Web Clip using the Home Screen Layout Payload

FileWave no longer deploys a Web Clip version of the FileWave App Portal. The new version 2 Kiosk App's Bundle ID is: **com.filewave.ios.app.kiosk2**

[![image.png](https://kb.filewave.com/uploads/images/gallery/2025-02/scaled-1680-/NmhtJGOVN2fg8eFe-image.png)](https://kb.filewave.com/uploads/images/gallery/2025-02/NmhtJGOVN2fg8eFe-image.png) For the new App, it may be referenced in a Home Screen Layout Payload by this Bundle ID: [![image.png](https://kb.filewave.com/uploads/images/gallery/2025-02/scaled-1680-/Oe9eYTAl96mzGc80-image.png)](https://kb.filewave.com/uploads/images/gallery/2025-02/Oe9eYTAl96mzGc80-image.png)

The below method for the Web Clip App Portal is legacy and will be removed from our KB at a later date.

To move the App Portal Web Clip using the Home Screen Layout Payload, locate the URL of the web clip from any iOS device settings:

- Settings App > General > Device Management > FileWave MDM > More Details "Web Clip" as seen below:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/MaC6Lwm07yy15nJM-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/MaC6Lwm07yy15nJM-image.png)

The Web Clip address shown should be injected into the Home Screen Layout Payload, replacing the long string of characters and numbers at the end with %device\_id%. In this example:

```bash
https://demo.filewave.ch:20445/ios/recommended_apps/6a43efb044bb2e8bd19488cc47cfa62a39cdd04
```

becomes:

```bash
https://demo.filewave.ch:20445/ios/recommended_apps/%device_id%
```

Inject this into the home screen layout payload you are deploying, instead of an app name, and the App portal will be moved into that folder.

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/FLuMssbcS2BLJg9i-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/FLuMssbcS2BLJg9i-image.png)

# Privacy Preferences Policy Control (TCC)

### Description

Apple's TCC payload was introduced in FileWave 13 and controls the Privacy section of the Security & Privacy Preference. Since it was controlling the Security & Privacy tab, it was included in one single Security & Privacy Payload, when creating the Fileset. This, however, reduces flexibility of Privacy Payload distribution. FileWave 13.1 has addressed this.
### Information

FileWave 13.1 separates the Privacy TCC payload from the Security & Privacy Preference in our Profile Editor, providing two Security & Privacy Payloads.

##### Security & Privacy - iOS and macOS (10.7+)

Including the tabs: General (macOS only), FileVault (macOS only), Firewall and Privacy

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/rQxKc9CNimap9GXo-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/rQxKc9CNimap9GXo-image.png)

##### Security & Privacy - macOS (10.14+)

Only includes the additional TCC Payload from within Privacy

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/O6uvgizyCc0WxUXM-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/O6uvgizyCc0WxUXM-image.png)

### Upgrading to FileWave 13.1

For any existing payloads, created in 13.0.x, that included TCC Privacy Payloads, during migration to FileWave 13.1+ the Profile will be converted and will now show both Security & Privacy Payloads. It is highly recommended that two separate Profiles are created instead; one containing the General, FileVault and Firewall and the other containing the Privacy TCC Payload. With a separate TCC Privacy Payload, it is then possible to deliver multiple Privacy Payloads, providing greater granular control.

# Apple Profile: ACME Certificate

## What

The **ACME Certificate** profile is a new Apple Profile component introduced in **FileWave 15.5.0** and above. This feature allows administrators to configure and manage ACME (Automatic Certificate Management Environment) certificates on Apple devices directly through FileWave. With this profile, devices can automatically obtain and renew digital certificates from an ACME server, streamlining certificate management and enhancing security across your organization’s Apple devices.
## When/Why

Use the ACME Certificate profile when you want to automate the deployment and renewal of digital certificates on managed Apple devices using **FileWave 15.5.0** or later. This is particularly useful for securing communications for services like HTTPS, Wi-Fi authentication, VPN connections, and email encryption. By leveraging ACME certificates through FileWave, you reduce administrative overhead, minimize the risk of service disruptions due to expired certificates, and ensure consistent security practices across all devices.

## How

To configure the ACME Certificate profile in **FileWave 15.5.0** and above:

1. **Access the Profile Editor**:
   - Open the Profile Editor within the FileWave Central or Anywhere interface.
2. **Create a New Profile**:
   - Select the option to add a new profile.
   - Choose the **ACME Certificate** payload from the list of available Apple Profile components.
3. **Configure ACME Settings**:
   - **Directory URL**: Enter the URL of your ACME server (e.g., Let’s Encrypt).
   - **Client Identifier:** A unique string identifying a specific device (e.g., %udid%).
   - **Subject**: Specify the desired subject name for the certificate (e.g., O=Company Name/CN=Foo).
   - **Additional Options**: Configure settings like key usage, extended key usage, and subject alternative names as required.

   [![image.png](https://kb.filewave.com/uploads/images/gallery/2024-10/scaled-1680-/HzEdZvtfcjq3savt-image.png)](https://kb.filewave.com/uploads/images/gallery/2024-10/HzEdZvtfcjq3savt-image.png)

4. **Reference ACME Payload in Other Profiles**:
   - Other payloads, such as the **Network** payload, can reference the ACME Certificate payload, similar to how they would reference SCEP payloads.
   - This allows services like Wi-Fi configurations within the Network payload to utilize the ACME-issued certificates seamlessly for authentication.
   [![image.png](https://kb.filewave.com/uploads/images/gallery/2024-10/scaled-1680-/06EWmVBdfz8Wsc2y-image.png)](https://kb.filewave.com/uploads/images/gallery/2024-10/06EWmVBdfz8Wsc2y-image.png)

5. **Save and Deploy**:
   - Ensure all required fields are completed correctly.
   - Save the profile and deploy it to the target Apple devices managed by **FileWave 15.5.0** or later.

**Note**: The ACME Certificate profile is supported on devices running macOS 10.15 and later, iOS 14 and later, and iPadOS 14 and later. All profiles are signed according to the latest Apple requirements to ensure integrity and authenticity.

## Related Content

- [ACME Certificate Profile Documentation](https://support.apple.com/guide/deployment/automated-certificate-management-environment-depb95c66a07/1/web/1.0)

## Digging Deeper

With the introduction of the ACME Certificate profile in **FileWave 15.5.0** and above, administrators can now integrate automated certificate management into their Apple device management workflows more efficiently. The ACME protocol automates interactions with certificate authorities (CAs), such as Let’s Encrypt, to provision certificates without manual intervention.

A significant advantage of the ACME Certificate profile is its ability to be used alongside the **Network** payload within an Apple Profile. This means you can configure Wi-Fi or Ethernet settings in the Network payload and reference the ACME Certificate for authentication purposes. By doing so, devices can automatically obtain the necessary certificates for secure network access, streamlining the onboarding process for network services.

By allowing other configuration profiles to reference ACME payloads similarly to SCEP payloads within FileWave, you create a cohesive and efficient system for managing certificates across various services. This approach ensures that all network services relying on digital certificates have access to valid, up-to-date certificates, enhancing both security and user experience.
Implementing ACME certificates through FileWave 15.5.0 also contributes to cost savings by utilizing free certificate services like Let’s Encrypt, eliminating the need for purchasing certificates from traditional CAs. Additionally, the automatic renewal feature reduces the administrative burden on IT staff and mitigates the risk of service outages due to expired certificates.

As security threats continue to evolve, automating certificate management with ACME profiles in **FileWave 15.5.0** is a proactive step toward safeguarding your organization’s data and communications. Regularly reviewing and updating your certificate policies in line with industry standards will further strengthen your security posture.

# Profile Editor Command Policy

## What

The Command Policy in the Profile Editor is unique; the contents of a Command Policy are not a profile payload, but MDM commands.

## When/Why

Some commands are available from the right click context menu, e.g. Wipe Device…. However, some commands would be unwieldy in this manner, e.g. iOS Wallpaper. Imagine having hundreds or thousands of devices, or wanting different Wallpaper based upon location, department, etc. To provide this flexible working, some commands have been placed inside the Profile Editor and all these commands exist within the Command Policy view. This method allows the association of such commands based upon Smart Groups, for example, and allows easy association across many devices.

Since these are commands and not Profile Payloads:

- No request type of ‘InstallProfile’ will be listed in the Command History.
- These will not be listed in the ‘Installed Profiles’ view.
- There will be no Fileset Report for these Command Policies.
- The Fileset Status will remain grey and only ever report Associated.

However, any commands sent should be seen in the Command History view with a request type of ‘Settings’.

#### Additional Consideration

Some command options allow for enabling or disabling a setting, for example Remote Desktop. In this instance, if a currently associated Command Policy included a setting to enable this feature, a disassociation event should automatically send a command to disable the setting.

Some commands are resent periodically, e.g. Wallpaper. This command will be resent in case the user has changed the Wallpaper, but only resent every 24 hours by default, to alleviate undue load on the server. Other commands may be resent with a manual Verify.

## How

- Open the Profile Editor
- Select Command Policy
- Edit as desired
- Associate to test device(s) first before deploying across many devices

Example Command History view for a setting to alter the Wallpaper:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/78Ddjnw8Yd3TZ9hs-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/78Ddjnw8Yd3TZ9hs-image.png)

# Apple Profile: System Logging

## What

The System Logging Profile is a new feature added to the Profile Editor in the web interface, mirroring the functionality available in Central Admin. This profile empowers administrators to configure system logging settings on macOS devices, including enabling private data logging and managing subsystem logging configurations. It provides granular control over what system events are logged, facilitating better monitoring and troubleshooting.

## When/Why

Utilize the System Logging Profile when you need detailed insights into system behaviors for diagnostics, security audits, or compliance purposes. It's especially beneficial for troubleshooting complex issues, monitoring system performance, and ensuring that logging practices meet organizational policies or regulatory requirements.

## How

Some details about the new macOS Profile for System Logging:

**Key Features:**

- **Enable Private Data Logging**: A checkbox to enable or disable private data logging for the entire system. Default is unchecked.
- **Subsystem Logging Configuration**: A table for configuring logging behavior for subsystems. You can add new configurations with unique identifiers and set logging categories, enabling, and persisting options.
- **Modal Configuration**: When adding or editing subsystem logging configurations, you can specify:
  - **Subsystem Identifier**: A required, unique identifier.
  - **Logging Categories**: Add and configure categories with enable and persist options.
  - **Additional Settings**: Configure key-value pairs for each item.
- **Validation**: The Save button is enabled only when all required fields are correctly filled. An empty profile cannot be saved. - **Editing**: Post-creation, you can edit the entire profile or individual subsystem logging configurations. The new System Logging Profile supports macOS 10.12 and later versions. All Apple profiles are signed as per the latest updates. [![image.png](https://kb.filewave.com/uploads/images/gallery/2024-10/scaled-1680-/MmggpY5eC5s7F1Jd-image.png)](https://kb.filewave.com/uploads/images/gallery/2024-10/MmggpY5eC5s7F1Jd-image.png) ## Related Content - For more details, refer to the Apple documentation on [System Logging](https://developer.apple.com/documentation/devicemanagement/systemlogging "https://developer.apple.com/documentation/devicemanagement/systemlogging") ## Digging Deeper The System Logging Profile provides a powerful tool for administrators to fine-tune logging practices on macOS devices. By customizing subsystem identifiers and logging categories, you can focus on capturing relevant data while minimizing unnecessary log noise. This is crucial for effective system monitoring and can significantly aid in proactive issue resolution. # Profile Editor details for Apple The primary management tool for client management / MDM on iOS and macOS X is the Profile Editor. It can be accessed through either the Desktop Fileset or Mobile Fileset tool. [![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/aI8S2C366Y4LEgN5-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/aI8S2C366Y4LEgN5-image.png) ## Search and Show only configured (FW 10+) Two features introduced in FileWave 10 are a search field to locate specific settings and the ability to display only the configured payloads in a profile. ## macOS, iOS and tvOS ### General The first item encountered in Profile Editor is the **General** settings. This is not a profile nor payload type; it's a header for any profile to be created. 
Best practice for profiles is to create a single payload setting within each profile, giving it a descriptive name in the General settings. The key settings to note are the **Name, Security** and **Automatically Remove Profile**. All other General settings are optional. You must give the Profile a name for tracking purposes. The **Security** setting lets you decide if the profile can be removed by the end user or not. Users on unsupervised iOS devices can remove profiles regardless of the settings here.

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/AOzOSpJfqibKTSa0-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/AOzOSpJfqibKTSa0-image.png)

**Note:** Due to changes in how profiles are installed on OS X 10.10+, if you install a profile with Security set to *Never,* FileWave will not be able to remove the profile and will ask for admin credentials on the client machines. The workaround is to use a password protected removal using the *With Authorization* option.

**Automatically Remove Profile** settings will disable the profile after a specific time interval or on a specific date. The recommendation is to leave this set to *Never* and use FileWave to remove the profile when necessary.

The **Description** and **Consent** fields are used to provide more detail for troubleshooting purposes, and to display a text block asking the user to agree to the content of the Consent text when installing this profile manually. If the profile is installed as part of a FileWave Fileset, the end user will not see this, however.

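
The following added example (not FileWave's or Apple's code) lints an exported `.mobileconfig` against the recommendations in the General section above and the private-data option in the System Logging section earlier on this page. The key names are Apple's profile keys; the mapping of the *Always* / *With Authorization* / *Never* choices to `PayloadRemovalDisallowed` and `HasRemovalPasscode`, the finding labels, and the sample profile are assumptions made for the example.

```python
import plistlib

LOGGING_TYPE = "com.apple.system.logging"             # Apple System Logging payload type
REMOVAL_PW_TYPE = "com.apple.profileRemovalPassword"  # payload that carries a removal password


def extract_plist(raw: bytes) -> dict:
    """Parse a profile. A signed profile is CMS-wrapped, so fall back to locating
    the embedded XML plist. Best effort: the signature is NOT verified here."""
    if raw.startswith(b"bplist00"):
        return plistlib.loads(raw)
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no property list found in input")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def removal_policy(profile: dict, payloads: list) -> str:
    """Map Apple's removal keys to the three Security choices (assumed mapping)."""
    if profile.get("PayloadRemovalDisallowed", False):
        return "never"
    has_password = profile.get("HasRemovalPasscode", False) or any(
        p.get("PayloadType") == REMOVAL_PW_TYPE for p in payloads)
    return "with-authorization" if has_password else "always"


def logging_findings(payload: dict) -> list:
    """Flag logging settings that widen what ends up in the unified log."""
    out = []
    system = payload.get("System")
    if isinstance(system, dict) and system.get("Enable-Private-Data") is True:
        out.append("private-data-logging:system")
    subsystems = payload.get("Subsystems")
    for subsystem, cfg in (subsystems.items() if isinstance(subsystems, dict) else []):
        for category, opts in (cfg.items() if isinstance(cfg, dict) else []):
            level = opts.get("Level") if isinstance(opts, dict) else None
            # Level values follow os_log(5): Inherit, Default, Info, Debug.
            if isinstance(level, dict) and str(level.get("Persist", "")).lower() == "debug":
                out.append(f"debug-persisted:{subsystem}/{category}")
    return out


def audit_profile(raw: bytes) -> list:
    """Return finding labels for one configuration profile."""
    profile = extract_plist(raw)
    content = profile.get("PayloadContent", [])
    payloads = [p for p in content if isinstance(p, dict)] if isinstance(content, list) else []
    settings = [p for p in payloads if p.get("PayloadType") != REMOVAL_PW_TYPE]
    findings = []
    if not str(profile.get("PayloadDisplayName", "")).strip():
        findings.append("unnamed-profile")          # a name is required for tracking
    if len(settings) > 1:
        findings.append(f"multiple-payloads:{len(settings)}")  # one payload per profile
    findings.append(f"removal:{removal_policy(profile, payloads)}")
    if "RemovalDate" in profile or "DurationUntilRemoval" in profile:
        findings.append("auto-remove-set")          # page recommends leaving this at Never
    for payload in settings:
        if payload.get("PayloadType") == LOGGING_TYPE:
            findings.extend(logging_findings(payload))
    return findings


def sample_profile() -> bytes:
    """Constructed sample: a two-payload profile inside fake CMS framing bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.logging",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadDisplayName": "Debug logging (test devices)",
        "PayloadRemovalDisallowed": True,
        "DurationUntilRemoval": 86400.0,
        "PayloadContent": [
            {"PayloadType": LOGGING_TYPE,
             "System": {"Enable-Private-Data": True},
             "Subsystems": {"com.example.app": {
                 "DEFAULT-OPTIONS": {"Level": {"Enable": "Debug", "Persist": "Debug"}},
                 "network": {"Level": {"Enable": "Info", "Persist": "Default"}}}}},
            {"PayloadType": "com.apple.dock"},
        ],
    }
    return b"\x30\x82\x0b\x0f" + plistlib.dumps(profile) + b"\x31\x82\x01\x00"


if __name__ == "__main__":
    for finding in audit_profile(sample_profile()):
        print(finding)
```

On a Mac, `security cms -D -i profile.mobileconfig` unwraps and checks a signed profile properly; the byte search in `extract_plist` is only a fallback for offline review.
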
### Network

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/Fo0jqIxOLF7717ui-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/Fo0jqIxOLF7717ui-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/GMOdLRPDcoqtqpZJ-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/GMOdLRPDcoqtqpZJ-image.png)

This payload allows you to preconfigure network settings for your devices. You can define Wi-Fi, Legacy Hotspot, Passpoint, or Ethernet (macOS only) settings, including Auto Join, Proxy, Wi-Fi Security, and 802.1x.

### Certificates

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/6q9R1fNoLKYjqnaG-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/6q9R1fNoLKYjqnaG-image.png)

The Certificates payload lets you designate PKCS1 or PKCS12 certificate data to be stored on managed devices. You can specify institutional certificates or any other certificates required for access to your network services.

### SCEP

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/qPCxoO3duHdWx2Zj-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/qPCxoO3duHdWx2Zj-image.png)

The SCEP, or Simple Certificate Enrollment Protocol, payload is used to define the X.500 information needed by an institution for a connected device. You may also import a certificate to provide all the needed settings.

## iOS and macOS (10.7+)

These settings are unified and can apply to any supported iOS device as well as any OS X device running 10.7 Lion or higher.

### Passcode

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/xRJTJIM233MZHlsR-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/xRJTJIM233MZHlsR-image.png)

Passcode allows you to establish a more complex passcode rule for end users, including requiring a minimum length, alphanumerics, and time limits.
A few of the key settings are:

- Maximum passcode age: requires user to change passcode within defined timeframe
- Auto-Lock: defines the amount of time the device can be idle before it locks
- Grace period for device lock: defines the amount of time after the device locks before a passcode is required

### Email

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/Hvnjz8JsFoLle57G-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/Hvnjz8JsFoLle57G-image.png)

Email settings allow the systems administrator to predefine key SMTP or IMAP settings for users, such as host server, requirement to use only a defined server for sending mail, use of S/MIME, and SSL. This is one of the profiles that can be configured for parameterized profile settings if the client device is associated with an LDAP directory.

### Exchange ActiveSync

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/aXHmHqD0n05Oud5C-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/aXHmHqD0n05Oud5C-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/ep23l4IpHKN5mDLv-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/ep23l4IpHKN5mDLv-image.png)

Exchange ActiveSync is a payload that lets you predefine settings for users' access to Microsoft Exchange services. New with FileWave 11's support for iOS 9.3 is an "Allow Mail Drop" option for the Exchange payload (Mail Drop lets you send large files like videos, presentations, and images through iCloud). For more info, see: [https://support.apple.com/en-us/HT203093](https://support.apple.com/en-us/HT203093).

### LDAP

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/x7eNWt1v9JvRq2jd-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/x7eNWt1v9JvRq2jd-image.png)

The LDAP payload provides the ability to link the device to an LDAP server for lookup and configuration access.
You can provide authentication for secure server access, or use just the hostname to gain anonymous access to the network directory. Some of the settings include SSL usage and search criteria. This is not a binding profile since iOS devices cannot be bound to a network directory. For macOS computers, use the Directory payload for binding.

### Contacts

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/2W2jKvTKUGIZ8DjR-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/2W2jKvTKUGIZ8DjR-image.png)

The Contacts payload provides settings to allow access to CardDAV servers. This payload supports parameterized profiles.

### CalDAV

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/Cv4fTegIUJimUXWM-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/Cv4fTegIUJimUXWM-image.png)

The CalDAV payload provides settings for access to CalDAV (Calendar) servers. This payload supports parameterized profiles.

### VPN

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/kMmXMv0JqxWACJns-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/kMmXMv0JqxWACJns-image.png)

Use the VPN payload to establish settings for a device to connect to a virtual private network. Settings include the user and machine authentication methods (including shared secret or certificate), proxy settings, and ability to force all network traffic through VPN.

### Web Clip

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/XD9fC9MlSWtyhaqK-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/XD9fC9MlSWtyhaqK-image.png)

The Web Clip payload lets you assign URLs as 'miniApps' to a managed device. Settings include the URL for the clip, an icon for the item, and the ability to force the clip to open as a full screen application. The Web Clip is deployed as a regular application on iOS and as a Dock item on macOS.

### Security & Privacy

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/x1iens7vIum6CgAx-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/x1iens7vIum6CgAx-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/462BNRhareFLCsHy-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/462BNRhareFLCsHy-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/15BEG8PUpbRVpzbn-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/15BEG8PUpbRVpzbn-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/HgQaSr3gmc3pjOLB-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/HgQaSr3gmc3pjOLB-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/RE2l9qJ3ZngxBen5-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/RE2l9qJ3ZngxBen5-image.png)

The Security & Privacy payload allows managed devices to be configured with access to specific sources for application downloads (Gatekeeper, macOS only) and Firewall settings, and lets you specify whether diagnostic information will be sent to Apple. FileVault 2 settings can be configured using the **Disk Encryption** payload.

### Font

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/wATxUgJiJxjJA74W-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/wATxUgJiJxjJA74W-image.png)

The Font payload allows you to send a specific font set to a device. This capability is very handy for ensuring an iOS device has the same font installed for a document that is also being worked on with macOS computers.

## iOS and macOS (10.10+)

This payload is for iOS and macOS.

### AirPlay Mirroring

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/nEYK0p8AQ1SL21bA-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/nEYK0p8AQ1SL21bA-image.png)

AirPlay Mirroring payloads are for assignment of specific AirPlay devices to designated Apple TVs. A Group of iOS devices can be assigned to a certain Apple TV with the password embedded in the profile. Other devices would not be able to connect to that Apple TV. You can also provide a set of whitelisted Apple TVs that the managed device can use for AirPlay.

### Command Policy

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/0ytGNm1hbIiI9D0c-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/0ytGNm1hbIiI9D0c-image.png)

These settings determine the voice and data roaming, Wallpaper, Lock Screen Grace Period, or Bluetooth. The commands are sent at each *Verify* from FileWave.

## iOS and tvOS

### Global HTTP Proxy

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/9D6SmBOQBHYXzQ4R-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/9D6SmBOQBHYXzQ4R-image.png)

Global HTTP Proxy payload settings allow supervised iOS devices to be linked to a master network proxy for web content.

## iOS

These payloads apply to all supported iOS devices.

### Restrictions

Restrictions allow for the establishment of tight controls over institutional iOS devices, and can be used for managing BYOD/1:1 devices. These settings include controlling access to the camera, Siri, iTunes, and iCloud. This payload also contains 'Manage open in' and GameCenter controls, as well as content management by age appropriate settings. Note that many of the settings require the device to be supervised. That means the device must be institutionally purchased and configured with either DEP, or with Apple Configurator.

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/jJAmR765XyBt1Qcc-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/jJAmR765XyBt1Qcc-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/YgKkf2ettnPweRnt-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/YgKkf2ettnPweRnt-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/rbyNNjsb8HnBjZ7p-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/rbyNNjsb8HnBjZ7p-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/QsTjOzLCfZrtzfvp-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/QsTjOzLCfZrtzfvp-image.png)

New with FileWave 11's support for iOS 9.3 are the following restrictions, which apply to supervised devices:

- *Allow Apple Music* — If set to false, Music service is disabled and Music app reverts to classic mode. Defaults to true.
- *Allow Radio* — If set to false, iTunes Radio is disabled. Defaults to true.
- *Restrict App Usage*:
  - Allow All Apps
  - Allow Some Apps Only, where you can specify what apps are allowed
  - Don't Allow Some Apps, where you can specify what apps are not allowed

### Subscribed Calendars

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/ecQ0sro2OX8a1IeH-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/ecQ0sro2OX8a1IeH-image.png)

The Subscribed Calendars payload lets you provide predefined shared calendar information for your end users on managed devices. The settings work with parameterized profiles.

### APN

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/MLU5OtFRXVAzX1ZL-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/MLU5OtFRXVAzX1ZL-image.png)

The APN payload allows systems administrators the ability to manage Carrier Access Point Name configuration for iOS devices with cellular services enabled.

### Single App Mode

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/PWJzEIibyefXsm3F-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/PWJzEIibyefXsm3F-image.png)

The Single App Mode payload is designed to allow you to configure supervised iOS devices so that they open into a single application. If a user turns the device off, when restarted, it will reopen into the designated app as long as the profile is active on the device. This payload is best used in testing or kiosk environments. Setup requires the use of Apple Configurator to force the device into supervised mode. The payload also allows you to deactivate several other options, such as Auto Lock, Device Rotation, and Volume buttons. You select the app from the list of iOS apps added to Filesets. The iOS app Fileset must also be associated with the device in order for this process to work.

## iOS 7+ settings

Payloads for iOS devices running iOS 7 and higher.

### AirPrint

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/5MSmR1F9oVQ6fegC-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/5MSmR1F9oVQ6fegC-image.png)

Use the AirPrint payload to designate AirPrint capable printers for managed iOS devices. The settings can be manually entered IP addresses or discoverable (Bonjour) devices.

### Web Content Filter (supervised only)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/DHBNh0BQXSrnF1qT-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/DHBNh0BQXSrnF1qT-image.png)

The Web Content Filter payload supports whitelists and blacklists for web access, as well as setting a basic content filter to control access to adult content.

### Single Sign-On

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/JAu7bauBj5PhEcLg-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/JAu7bauBj5PhEcLg-image.png)

The Single Sign-On (SSO) payload allows you to configure Kerberos access for your managed device to specific services and applications.

## iOS 8+

These settings are for iOS 8 or higher only.

### Managed Domains

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/PE9chjJBNP6yCwqf-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/PE9chjJBNP6yCwqf-image.png)

Managed domains can be set for mail and web sites. For mail, you specify "safe" email domains, e.g. [filewave.com](http://filewave.com/), and any mail coming from, or being sent to, another domain will be highlighted. On the web side, documents from approved domains will be considered as managed. This will allow a Web Clip from an approved domain to function while a PDF from an unapproved domain won't be allowed to open in any managed application. New with FileWave 11 and iOS 9.3 is the ability to specify the URL patterns for which passwords can be saved for supervised devices.

### macOS Server Accounts

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/ixKcdpV0idKIzG0A-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/ixKcdpV0idKIzG0A-image.png)

These settings allow you to pre-configure macOS file servers for access by managed users.

### Network Usage Rules

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/dCuxoS577iT2s7S7-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/dCuxoS577iT2s7S7-image.png)

These settings specify how managed apps use cellular data networks.

### Cellular

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/fC1u5WoYb1rJ0eRR-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/fC1u5WoYb1rJ0eRR-image.png)

Use this payload for cellular settings. In iOS 7 or later, the APN payload is deprecated in favor of the Cellular payload.

## iOS 9.3+

These settings apply to iOS devices running iOS 9.3 or higher.

### Home Screen Layout (supervised only)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/wZ7pHd8igNqggvoi-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/wZ7pHd8igNqggvoi-image.png)

With supervised devices, you can specify the home screen layout including which apps are in the Dock and which apps appear where on different pages of the home screen.

### Lock Screen Message

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/SfeHRXZiQnuIilof-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/SfeHRXZiQnuIilof-image.png)

This allows you to specify the text to be displayed in the login window and on the lock screen. Devices do not have to be supervised to use this payload type.

### Google Account

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/gInXBchtGnxEL7mZ-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/gInXBchtGnxEL7mZ-image.png)

This payload type is used to configure Google accounts. The user will be prompted to sign in to the configured account(s).

### Notifications

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/YPqr3FCHNgp3BpSm-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/YPqr3FCHNgp3BpSm-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/lw7JdM7KARMvZd06-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/lw7JdM7KARMvZd06-image.png)

This payload type is used to enforce notification settings for each app. These settings only affect supervised devices.

## iOS 11.0+

### DNS Proxy (supervised only)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/XKo9A7fuAcpD1DVr-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/XKo9A7fuAcpD1DVr-image.png)

Use this section to configure DNS proxy settings. These settings will only affect supervised devices.

## iOS 11.3+

### TV Remote (supervised only)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/51kn1d4rrjGFHRr3-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/51kn1d4rrjGFHRr3-image.png)

Use this section to configure the list of Apple TVs that can be controlled using the Remote app. These settings will only affect supervised devices.

## macOS (10.5+)

These settings are for macOS only. Settings applied to systems running OS X pre-Lion will be sent as Managed Client property lists (mcx.plists); settings sent to OS X 10.7 – 10.11 and macOS Sierra (10.12) will be sent as managed profiles.

**Note: In order to keep using mcx.plists, you must be using the 8.1.5 version of the FileWave client. Newer versions of the client do not convert profiles to mcx.plists.**

### Restrictions

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/o5ZbwGaZfRiqIjFD-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/o5ZbwGaZfRiqIjFD-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/nckFUyqW2YIgNjNv-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/nckFUyqW2YIgNjNv-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/F90QWIetgkaMnqDq-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/F90QWIetgkaMnqDq-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/TiLGQUZi92PWm3xf-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/TiLGQUZi92PWm3xf-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/gzPwlibZbYNvP1RV-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/gzPwlibZbYNvP1RV-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/AwpHIIqBVYkH3OGq-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/AwpHIIqBVYkH3OGq-image.png)

The restrictions payload contains settings to limit access to system preferences, applications, Widgets, media, and sharing services. Preferences now includes all System Preferences plus the 3rd party Preference panes that are installed on the FileWave Admin machine. If you want to control 3rd party Preference panes on client devices, you must have that same item installed on your administration machine in order to have it show up in the list for management. For application control, the best practice is to designate the 'safe' paths for applications, such as /Applications; then designate restricted paths to 'unsafe' areas.
Do not try to specify all 'allowed' applications because you will also have to locate all helper and sub-launched apps. Some of the settings include control over AirDrop and App Store app adoption. Other settings include the ability to manage access to media, such as external drives, USB flash drives, and Game Center, plus the ability to manage access to shared services such as Twitter and Facebook. Desktop settings allow control of the Desktop picture, Camera use, iCloud documents, data and passwords, and Spotlight suggestions.

### Login Window

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/ah3wwy0K1H6EWj69-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/ah3wwy0K1H6EWj69-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/9hsr83OKz6refUAT-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/9hsr83OKz6refUAT-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/p06okRWxJ3b51V9M-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/p06okRWxJ3b51V9M-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/1sAwx2LLEvFWYvgS-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/1sAwx2LLEvFWYvgS-image.png)

The Login Window payload lets you configure the login window with a message, designate the type of login display (name/pwd or list), allow local administrators to bypass management, allow the Guest account, configure a login window screen saver, limit device access to certain Groups, and embed login/logout scripts.

### Login Items

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/4f5ThW6MtkLhzPD4-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/4f5ThW6MtkLhzPD4-image.png)

Login Items is a payload that can contain specified applications and network sharepoints to be activated at user login.
The designated items will launch or mount after the user logs in and the Finder launches.

### Mobility

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/cVYYzrMztQknQFoi-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/cVYYzrMztQknQFoi-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/DddJOFSBwvohbBYL-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/DddJOFSBwvohbBYL-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/nqyH8ebAzr3Lh5xd-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/nqyH8ebAzr3Lh5xd-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/KKhFJwTiQ2AWdZ5h-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/KKhFJwTiQ2AWdZ5h-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/PANjviv0YHmNMe4p-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/PANjviv0YHmNMe4p-image.png)

Mobility allows you to create mobile accounts - network user accounts with portable home directories. Used in conjunction with the Login Window payload, you can specify support for the External account, which is a mobile account with an externally attached home directory. The idea is to have managed systems, bound to a network directory, where the user carries their home directory (USB/Thunderbolt drive) from device to device; but still logs in as a network directory account.

### Dock

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/ungKApSIcvl9mxLP-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/ungKApSIcvl9mxLP-image.png)

The Dock payload can be configured for shared computers that need to have a consistent look and feel regardless of user.

### Printing

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/DQcFRWo5loaRbWek-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/DQcFRWo5loaRbWek-image.png)

Printing payloads allow the assignment of network printers to managed computers, as well as the ability to force all print jobs to contain the identity of the managed computer.

### Parental Controls

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/LhqSX7Ihq3QxLFsI-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/LhqSX7Ihq3QxLFsI-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/GbV9uUpS7HqgpktY-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/GbV9uUpS7HqgpktY-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/VnbBsWcuR7dvgIT8-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/VnbBsWcuR7dvgIT8-image.png)

Parental Controls were designed to support 1:1's where policies required content filters for managed computers when they were away from the managed network, as well as being able to set curfews and usage time limits for younger users. The payload is also very useful in open labs where the ability to deny non-administrator access to systems past a certain time of day is recommended.

### Finder

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/4B71BMoHfZn00BZV-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/4B71BMoHfZn00BZV-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/GY8SmBARAJkZhpmd-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/GY8SmBARAJkZhpmd-image.png)

The Finder payload is designed to allow for limited access to external devices as well as hiding commands such as Shutdown or Go to Folder on common use / shared use systems.

### Universal Access

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/S2IQ7IfqiGcvaSmU-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/S2IQ7IfqiGcvaSmU-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/7xrbPSc50ef2UPcq-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/7xrbPSc50ef2UPcq-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/uRyLKDBSEABvbAlD-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/uRyLKDBSEABvbAlD-image.png)

Universal Access payload settings are not just for special needs, but also contain settings for open labs and users who need additional services, such as zoom. Examples are having screens flash at alerts versus beeping in an open lab, or configuring a Group of users' computers to support zoom with the trackpad.

### Custom Settings

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/mA9Tb8nyr7pGKBRH-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/mA9Tb8nyr7pGKBRH-image.png)

Custom Settings payloads allow you to greatly expand your ability to provide templates and special settings for managed computers. You configure the preferences for any application that supports property lists (.plist files), upload that configured .plist file, edit out the unneeded portions, and your managed systems will see that payload as a managed set of configuration settings to follow for that application.

### Directory

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/0LWKbwEB5WHoypKS-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/0LWKbwEB5WHoypKS-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/qWIOA4I81WmAK4oY-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/qWIOA4I81WmAK4oY-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/AcDVLTErbcrkmLTr-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/AcDVLTErbcrkmLTr-image.png)

The Directory payload allows you to configure **binding** to LDAP directories for your macOS systems. You can set up anonymous or authenticated bindings.

### Energy Saver

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/H0HoEXl2ciGpBlcz-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/H0HoEXl2ciGpBlcz-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/JzQGzGHQr9ipnruj-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/JzQGzGHQr9ipnruj-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/ytZWpZ1bJhWWRZCZ-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/ytZWpZ1bJhWWRZCZ-image.png)

Energy Saver payload settings allow you to preconfigure managed computers with the settings to optimize battery life in portables, as well as force desktop systems in a lab to sleep or wake when needed for online maintenance.

## macOS (10.7+) settings

These settings are for OS X v10.7 (Lion) or higher only.

### Identification

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/rZ3NKIm34V7EV0fH-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/rZ3NKIm34V7EV0fH-image.png)

The Identification payload, using parameterized profile settings, can allow you to preconfigure user identity information for multiple users in OS X. You can define just a user's name, or nothing at all other than a prompt text that tells the user what to do the first time they log in. This information would then be saved for use in any service that can take advantage of Apple's Identity framework.

### Messages

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/zYDAmCgzBHErk2rP-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/zYDAmCgzBHErk2rP-image.png)

Messages allows you to preload the settings for user access to Jabber or AIM chat services. It can use parameterized profile settings for this payload.

### AD Certificate

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/KI6qqhDx3Gz1qT7G-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/KI6qqhDx3Gz1qT7G-image.png)

Configuring the AD Certificate payload lets you set up other payloads, such as VPN or Network, more easily. This payload provides the authentication data that will validate access to other services dependent on Active Directory certificates.

### Time Machine

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/fYhewwavVsKvdoas-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/fYhewwavVsKvdoas-image.png)

For environments using Time Machine servers or Time Capsules, this payload lets you set up the access information for backup of managed devices.
### Xsan

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/zgD6jqLPGa6Tmxcy-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/zgD6jqLPGa6Tmxcy-image.png)

This section is used to configure Xsan; specifically the name of the Xsan network, the name of the FS Name Server, and the authentication secret, if one is used.

### Proxies

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/VdW9Cc1nZ2GW01MW-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/VdW9Cc1nZ2GW01MW-image.png)

This payload type is used to configure proxy settings, including exceptions for specified hosts and domains.

## macOS (10.9+)

### Disk Encryption

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/L6uUSj947WAXbITf-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/L6uUSj947WAXbITf-image.png)

Use this section to define settings for Disk Encryption (FileVault 2).

[You can find more information about FileVault 2 on FileWave's Knowledge Base](https://kb.filewave.com/wiki/spaces/KB/pages/4327598/FileVault+2)

## macOS (10.12+)

### Smart Card Settings

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/5B8fMsM6Xfm1Zako-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/5B8fMsM6Xfm1Zako-image.png)

Use this section to configure smart card security settings for macOS.

### System Migration Settings

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/6NGqiEFQ7728VZFJ-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/6NGqiEFQ7728VZFJ-image.png)

Use this section to configure system migration settings.

### Time Server

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/SbMoOzucDtyHw8Td-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/SbMoOzucDtyHw8Td-image.png)

Use this section to configure time server settings.

## macOS (10.13+)

### Extensions

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/roQsQB1rGEhKapP2-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/roQsQB1rGEhKapP2-image.png)

Use this section to configure allowed extensions on macOS.

## macOS (10.13.2+)

### Kernel Extension Policy

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/oEg7tMnWYJB7q8or-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/oEg7tMnWYJB7q8or-image.png)

Use this section to configure kernel extensions on macOS.

## macOS (10.13.3+)

### Content Caching

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/Gm8z6AnQRwwOZgoD-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/Gm8z6AnQRwwOZgoD-image.png)

Use this section to configure content caching settings on macOS.

## tvOS

### Restrictions

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/V2CNMAN9UXNzkNOs-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/V2CNMAN9UXNzkNOs-image.png)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/hPy0kATtslt6IZO4-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/hPy0kATtslt6IZO4-image.png)

Restrictions allows you to push three different restrictions to your Apple TV:

- Disable AirPlay (supervised only)
- Require passcode on first AirPlay pairing
- Disable control using Remote app (supervised only)

### Single App Mode

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/1thRIXaqT6nhCO0c-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/1thRIXaqT6nhCO0c-image.png)

Use this section to specify the app to which the device should be locked. These settings will only affect supervised devices.
### Conference Room Display (supervised only)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/ibQcdNaqw0meN5F5-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/ibQcdNaqw0meN5F5-image.png)

Use this section to put a supervised Apple TV into Conference Room Display mode.

### AirPlay Security

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/5y8I6rTUWPw7Ewr0-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/5y8I6rTUWPw7Ewr0-image.png)

Use this section to configure settings for AirPlay security.

### Home Screen Layout (supervised only)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/O2rPq6IJempd1AKU-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/O2rPq6IJempd1AKU-image.png)

Use this section to configure the tvOS home screen layout. These settings will only affect supervised devices.

### TV Remote (supervised only)

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/hNgcEDg5nxEnUXzy-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/hNgcEDg5nxEnUXzy-image.png)

Use this section to configure the list of iOS devices that can control the Apple TV(s). These settings will only affect supervised devices.

# Profiles in macOS 11 Big Sur and beyond must be installed via MDM

Prior to Big Sur, profiles could be installed on macOS devices in multiple ways, including:

- Opening a profile locally in System Preferences
- Command line tools
- Via MDM to devices that are MDM enrolled

FileWave had the ability to use either of the latter two options, defaulting to MDM if the device was MDM enrolled at the time of receiving the association.

As of Big Sur, Apple made a fundamental change, denying the ability to add profiles using command line tools; they may still be removed though. **This leaves MDM as the only manageable option in Big Sur onwards**.
FileWave was required to remember the method of profile installation: via the FileWave Client app or via MDM. Each of these methods uses a different channel to instal the profile; changing channel requires removing the profile and re-installing it. Note, though, that updating profiles alone could still be achieved and will use the same method of delivery without consequence where allowed.

Example:

- Associate a Dock profile to a non-MDM enrolled device and Update Model
- Profile will instal using the FileWave Client App
- Subsequently MDM enrol the device
- Update the Dock profile and Update Model
- The update of the profile will continue to be handled using the FileWave Client App
- Newly associated profiles would, though, be handled by MDM
- Remove the association of the Dock profile, Update Model
- Once removed, re-associate the Dock profile and Update Model
- Since the device is now MDM enrolled, the profile will be delivered using MDM, as will any updates to this profile

Note that not every type of change that a profile makes can be cleanly undone simply by removing the profile. For example, if you add a printer via a profile and then remove the profile, the printer will remain. Always test adding a setting, and take a look at what happens when it is removed.

### Impact

Consequences can therefore occur when devices are upgraded to macOS Big Sur or higher.

If devices rely upon profiles, for example for network connectivity, and the profile is removed to be re-installed, the network will be lost and the new profile will never be installed until the device is back online. As such, FileWave will not attempt to change the channel of delivery of these profiles, and careful consideration is needed before attempting this process manually. Other examples could include profiles containing certificates, VPN, etc.

#### Devices not MDM enrolled

Where devices are not MDM enrolled:

- Any associated profile would have been installed using the FileWave Client App prior to Big Sur
- After upgrading to Big Sur, profiles would remain installed
- Once on Big Sur, any attempt to make changes to the profile will result in a failure to deliver the update
- Once on Big Sur, any new profile associations will also fail
- Disassociation of a profile will remove the profile

#### Device MDM enrolled after profile installation

While a device is not MDM enrolled, the above still applies. However, once it is MDM enrolled:

- Any new association will instal via MDM
- Removing an association, allowing the device to remove the profile and then re-associating the profile will then instal the profile using MDM

This is the same impact even if not upgraded to Big Sur.

### Resolution

Management of profiles on Big Sur relies upon devices being MDM enrolled. If they are not, profiles may not be installed or updated. As such, devices must be MDM enrolled.

Where profiles were installed not using MDM, the only way for these profiles to become managed is by removing the association, allowing the device to remove the profile and then creating a new association.

As highlighted above, take great care in the choice of profile removal if you have network reliance on installed profiles. This will require some manual method of transition where this is the case.

### Additional Information

If the Client Info of a Device does not have a 'Command History' tab, it should imply that the device is not MDM enrolled. In this instance, only the FileWave Client App may instal Filesets of any type.

Note Apple's VPP also requires MDM.

# Restrictions Profile & Control Center

## What

Apple provides separate Restrictions profiles for iOS, macOS and tvOS. macOS Ventura has somewhat altered System Preferences, which is now System Settings, aligning it with iOS. This has implications.
## When/Why

To date, the Restrictions Payload provided the ability to control the System Preference Panes viewable on macOS. This was either a list of those denied or those allowed.

- EnabledPreferencePanes
- DisabledPreferencePanes

On release of Ventura, Apple added new options for controlling System Settings. However, the only option was to disable unwanted settings:

- DisabledSystemSettings

All of the above are now listed as deprecated:

- [https://developer.apple.com/documentation/devicemanagement/systempreferences](https://developer.apple.com/documentation/devicemanagement/systempreferences)

On making these changes, no allowance was included to ensure any of the Ventura Control Center options could be enabled. The upshot of this is the potential to block the Control Center without a method to enable it.

It is unlikely Apple will provide an update to the profile allowing enablement of Control Center.

## How

If a Restrictions Payload is created to set a list of panes to enable as per the below image:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-06/scaled-1680-/OqvFgqAB8SaD39as-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-06/OqvFgqAB8SaD39as-image.png)

All items selected will be enabled. Due to the above, there is no way to add the Control Center and its subcategories to the list of enabled items. As such, the Control Center will be blocked.

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-06/scaled-1680-/YMBcpBgU5f2Q3KYs-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-06/YMBcpBgU5f2Q3KYs-image.png)

Manually editing the file with an attempt to add them as 3rd party panes does not work.
[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-06/scaled-1680-/lBXyqtfyy9MWvn3x-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-06/lBXyqtfyy9MWvn3x-image.png)

The only option that continues to manage the available Preference Panes without restricting the Control Center requires a reversal of the logic: creating a list of panes to deny.

The payload will need to be altered as per the below image, swapping out the chosen panes by reversing the settings of each:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-06/scaled-1680-/FFj3wkMWF2J3SyzL-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-06/FFj3wkMWF2J3SyzL-image.png)

# Set Safari Homepage (macOS)

## Description

This profile changes the Safari Homepage for the currently logged in user.

This recipe was tested on 10.13.2 with Safari 11.0.2

## Ingredients

- FW Admin

## Directions

1. Create a New Desktop Fileset and select the **Profile** option
2. Name the profile in the **General** payload and fill out the **Custom Settings** payload with the following information, where the value can be whatever site you wish:
   - Preference Domain: com.apple.safari
   - Key: HomePage
   - Type: String
   - Value: [https://www.filewave.com](https://www.filewave.com/)

   ![RecipeSafairHomePage-CustomSettings.png](https://kb.filewave.com/uploads/images/gallery/2023-05/scaled-1680-/Jf12XMbkhzj4Lvhw-recipesafairhomepage-customsettings.png)
3. Close the **Profile Editor**
4. Double click on the newly created profile → select the settings tab → uncheck the box for "Users" under installation and check the box for "System" under installation.

   ![Screen Shot 2018-01-03 at 9.07.36 AM.png](https://kb.filewave.com/uploads/images/gallery/2023-05/scaled-1680-/9kSmidKEbDJOCVR4-screen-shot-2018-01-03-at-9-07-36-am.png)
5. Then deploy the profile out to your selected macOS devices.

### Notes

Some additional options that may require consideration:
**Additional keys**
```
Key: LastSafariVersionWithWelcomePage-v2
Type: String
Value: 9.0
(Description: Show Safari Welcome Page to new users. String set as last version of Safari welcome page was shown; may require changing with newer versions of Safari)

Key: NewWindowBehavior
Type: Number
Value: 0
(Description: Policy for new window contents. 0 = show homepage, 1 = show empty page, 2 = show same page as current window/tab, 3 = show bookmarks)

Key: NewTabBehavior
Type: Number
Value: 0
(Description: Policy for new tab contents. 0 = show homepage, 1 = show empty page, 2 = show same page as current window/tab, 3 = show bookmarks)
```

# Set the Lock / Home screen Wallpaper on iOS devices

## Description

In the Profile Editor, you can create a configuration profile that, when deployed to iOS devices, will configure the Home and/or Lock screens.

### Apple Documentation

Some details to consider:

"*This payload defines a layout of apps, folders, and web clips for the Home screen. **On iOS, this layout is locked and can't be modified by the user**.*"

"*If a home screen layout puts more than four items in the iPhone or iPod touch dock the location of the fifth and succeeding items may be undefined but they will not be omitted*."

## Step-by-step guide

1. In the Admin console, create a new Mobile Fileset > Profile
2. Configure the "General" payload to give the profile a name
3. Configure the "Command Policy" payload and select the relevant option in the "Wallpaper" combo box.
4. Click "Save" at the bottom left to save your profile.

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/by3HkM8MzXdM5iP6-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/by3HkM8MzXdM5iP6-image.png)

Deploy the Command Policy payload to a group of test devices, and after successful installation, deploy to your wider population of devices.

**Note**: It is best practice when creating your wallpaper to make the image file as small as possible to expedite the deployment process. Also, when deployed, this payload will execute as a command on a recurring basis (every day) to ensure that the wallpaper is re-applied correctly.

## Related articles

- [Customizing iOS Device Wallpaper with Dynamic Text](https://kb.filewave.com/books/ios-ipados/page/customizing-ios-device-wallpaper-with-dynamic-text "Customizing iOS Device Wallpaper with Dynamic Text")

# Setting Timezones on Apple Devices

## What

In FileWave 14.1+ you are able to make command policy profiles for iOS (14+ supervised) and tvOS (14+ supervised).

## When/Why

Setting the timezone can help a user with their localization settings.

## How
**Native Admin**

1. Filesets view
2. New Mobile (or Desktop) Fileset
3. Profile
4. Command Policy
5. Configure...
6. Find "Time Zone"

You can choose between:

- **Don't Change timezone** - (Default) Does nothing
- **Use FWAdmin time zone (X)** - Where X should be the time zone of the computer Admin is running on
  - This option is something like a quick-set value, so you don't have to wade through the long list of time zones
- **Select from the list of all time zones** - A second drop-down list of available time zones will be shown

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/IYffN6AsoVk9Rrm8-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/IYffN6AsoVk9Rrm8-image.png)

**Web Admin**

1. Payloads
2. Plus ![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/uYbepiVQ2BubyEcz-image.png)
3. Command Policy
4. Configure
5. Find "Time Zone"

You can choose between:

- **Don't Change timezone** - (Default) Does nothing
- **Use FWAdmin time zone (X)** - Where X should be the time zone of the computer Admin is running on. Known issue: the Web Admin does not reflect the proper local time zone (under development)
- **Select from the list of time zones** - A second drop-down list of available time zones will be shown

[![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/FMDJtF9xyw0sdhLU-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/FMDJtF9xyw0sdhLU-image.png)
Please remember, Command Policy profiles are not persistent: a user could change the setting at any time after the command has been received, although the command policy does re-apply periodically. So, it is not a "restriction" per se.

# Using Parameters in Apple iOS/macOS Profiles

Creating profiles with parameters means inserting string/bool/int/datetime parameters into a profile so that it can be used dynamically on many devices. The following will help you understand which fields can be used and what information will come from them.

Remember: The below options are for FileWave's built-in abilities. You can always create your own options by creating [**custom fields**](https://kb.filewave.com/books/custom-fields/page/custom-fields "Custom Fields") that are either mapped to LDAP attributes, custom scripts, or manually entered parameters. See [Custom Fields](https://kb.filewave.com/books/custom-fields/page/custom-fields "Custom Fields") for more information.

## What are my Options

## LDAP Parameters

FileWave version 6.1 allows you to use Directory based parameters in your profile payloads.
%first\_name% %last\_name% %full\_name% %short\_name% %email% %job\_title% %mobile\_phone% %guid%
Setting up a directory server for use with Parameterized Profiles is easy. Navigate to the FileWave Preferences Screen and fill out the appropriate information for your OpenDirectory, Active Directory or E-Directory. For issues and troubleshooting related to your LDAP preferences, please refer to the [LDAP section](https://kb.filewave.com/books/filewave-central-anywhere/page/ldap-preferences "LDAP Preferences"). You must also be using LDAP authentication for iOS device enrollment. Instructions for that setup are in the [Using LDAP to enroll macOS/iOS/Android devices](https://kb.filewave.com/books/evaluation-guide/page/using-ldap-to-enroll-macosiosandroid-devices "Using LDAP to enroll macOS/iOS/Android devices").

For the above user strings to work, you must be pointed to a Directory server and have it selected for authentication.

You can also map custom fields to LDAP parameters to extend the above list. See [Custom Fields](https://kb.filewave.com/books/custom-fields/page/custom-fields "Custom Fields") for more information.

## Inventory / Device Parameters

Starting in FileWave **6.1+** you can reference specific information about the device as well, directly from FileWave Inventory. Those fields are:
%OSVersion% %SerialNumber% %ProductName% %BuildVersion% %WIFIMAC% %ICCID% %IMEI%
## All Devices

| Common Device Parameters | Type | FileWave Version Introduced |
| --- | --- | --- |
| %archived% | datetime | 13.0.0 |
| %auth\_username% | string | 13.0.0 |
| %cpu\_count% | int | 13.0.0 |
| %cpu\_type% | string | 13.0.0 |
| %current\_ip\_address% | string | 13.0.0 |
| %last\_enterprise\_app\_validation\_date% | datetime | 13.0.0 |
| %last\_state\_change\_date% | datetime | 13.0.0 |
| %department% | string | 13.0.0 |
| %device\_id% | string | 13.0.0 |
| %device\_name% | string | 13.0.0 |
| %device\_product\_name% | string | 13.0.0 |
| %enroll\_date% | datetime | 13.0.0 |
| %filewave\_client\_name% | string | 13.0.0 |
| %filewave\_id% | string | 13.0.0 |
| %free\_disk\_space% | int | 13.0.0 |
| %is\_system\_integrity\_protection\_enabled% | bool | 13.0.0 |
| %is\_tracking\_enabled% | bool | 13.0.0 |
| %last\_check\_in% | datetime | 13.0.0 |
| %last\_ldap\_username% | string | 13.0.0 |
| %last\_logged\_in\_username% | string | 13.0.0 |
| %location% | string | 13.0.0 |
| %management\_mode% | int | 13.0.0 |
| %monitor\_id% | string | 13.0.0 |
| %ram\_size% | int | 13.0.0 |
| %serial\_number% | string | 13.0.0 |
| %state% | int | 13.0.0 |
| %total\_disk\_space% | int | 13.0.0 |
| %unenrolled% | bool | 13.0.0 |
| %is\_user\_enrollment% | bool | 13.2.0 |
| %is\_activation\_lock\_manageable% | bool | 13.2.0 |
| %remote\_desktop\_enabled% | bool | 13.2.0 |
| %external\_boot\_level% | bool | 13.2.0 |
## Desktop Specific (macOS & Windows)

| Desktop Device Parameters | Type | FileWave Version Introduced |
| --- | --- | --- |
| %device\_manufacturer% | string | 13.0.0 |
| %filewave\_client\_locked% | bool | 13.0.0 |
| %filewave\_client\_version% | string | 13.0.0 |
| %filewave\_model\_number% | int | 13.0.0 |
| %rom\_bios\_version% | string | 13.0.0 |
## iOS Specific

| iOS Device Parameters | Type | FileWave Version Introduced |
| --- | --- | --- |
| %battery\_level% | float (from 0 to 1) | 13.0.0 |
| %last\_cloud\_backup\_date% | datetime | 13.0.0 |
| %last\_wallpaper\_change\_date% | datetime | 13.0.0 |
| %apple\_device\_id% | string | 13.0.0 |
| %eas\_device\_identifier% | string | 13.0.0 |
| %is\_activation\_lock\_enabled% | bool | 13.0.0 |
| %is\_device\_locator\_service\_enabled% | bool | 13.0.0 |
| %is\_do\_not\_disturb\_in\_effect% | bool | 13.0.0 |
| %is\_cloud\_backup\_enabled% | bool | 13.0.0 |
| %is\_mdm\_lost\_mode\_enabled% | bool | 13.0.0 |
| %is\_supervised% | bool | 13.0.0 |
| %awaiting\_configuration% | bool | 13.0.0 |
| %is\_network\_tethered% | bool | 13.0.0 |
| %itunes\_store\_account\_is\_active% | bool | 13.0.0 |
| %itunes\_store\_account\_hash% | string | 13.0.0 |
| %languages% | string | 13.0.0 |
| %locales% | string | 13.0.0 |
| %maximum\_resident\_users% | int | 13.0.0 |
| %meid% | string | 13.0.0 |
| %model% | string | 13.0.0 |
| %organization\_info% | string | 13.0.0 |
| %product% | string | 13.0.0 |
| %product\_name% | string | 13.0.0 |

You can also map custom fields to script results to extend the above list. See [Custom Fields](https://kb.filewave.com/books/custom-fields/page/custom-fields "Custom Fields") for more information.

You can also look in the inventory query builder and it will tell you the internal name in the bottom left: ![](https://kb.filewave.com/uploads/images/gallery/2023-07/4F26Y4L3crRdGfmj-embedded-image-yph2mvxb.png)
## Using parameters in profiles

To add parameters to your profiles, simply replace the normal value with one from the list above. For instance, you might create an email profile with the account information. See the example here:

![Sample Profile](https://kb.filewave.com/uploads/images/gallery/2023-07/RPXWLT7uIa4Dofll-embedded-image-qz82u7gq.png)

## Appendix

Directory servers use their own values for common fields. Below is the mapping for each supported directory:

## E-Directory
| Profile Parameters | LDAP attribute name | Remarks |
| --- | --- | --- |
| short\_name | uid | |
| first\_name | givenName | |
| last\_name | sn | |
| full\_name | fullName | |
| email | mail | |
| job\_title | title | |
| mobile\_phone | mobile | |
| guid | GUID | A binary read-only attribute |
## Open Directory

| Profile Parameters | LDAP attribute name |
| --- | --- |
| email | mail |
| first\_name | givenName |
| full\_name | fullName |
| guid | apple-generateduid |
| job\_title | title |
| last\_name | sn |
| mobile\_phone | mobile |
| short\_name | uid |
## Active Directory

| Profile Parameters | LDAP attribute name |
| --- | --- |
| email | mail |
| first\_name | givenName |
| full\_name | fullName |
| guid | objectGUID |
| job\_title | title |
| last\_name | sn |
| mobile\_phone | mobile |
| short\_name | sAMAccountName |
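The substitution described under "Using parameters in profiles", combined with the Appendix mappings, as an added Python example (not FileWave's code or a description of its implementation): it fills `%parameter%` tokens in a parsed profile and reports any that cannot be resolved. The sample profile, directory entry, serial number and the `cost_centre` parameter are constructed; substituting on parsed plist values rather than raw XML is this example's own design choice, so directory data cannot break the profile's markup.

```python
import plistlib
import re

# LDAP attribute behind each profile parameter, copied from the Appendix tables.
_COMMON = {"email": "mail", "first_name": "givenName", "last_name": "sn",
           "full_name": "fullName", "job_title": "title", "mobile_phone": "mobile"}
LDAP_ATTRS = {
    "edirectory": {**_COMMON, "short_name": "uid", "guid": "GUID"},
    "open_directory": {**_COMMON, "short_name": "uid", "guid": "apple-generateduid"},
    "active_directory": {**_COMMON, "short_name": "sAMAccountName", "guid": "objectGUID"},
}

TOKEN = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")

# Constructed sample: an email profile trimmed to the keys that carry parameters.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Mail for %full_name% (%SerialNumber%)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>EmailAddress</key><string>%email%</string>
      <key>IncomingMailServerUsername</key><string>%short_name%</string>
      <key>EmailAccountDescription</key><string>%job_title% mailbox, cost centre %cost_centre%</string>
    </dict>
  </array>
</dict>
</plist>"""

# Constructed directory entry: markup characters in the name, an empty title.
SAMPLE_ENTRY = {"sAMAccountName": "aoneil", "mail": "a.oneil@example.com",
                "fullName": "O'Neil & Sons <Ana>", "title": ""}
SAMPLE_INVENTORY = {"SerialNumber": "C02CONSTRUCT1"}  # constructed value


def resolve_profile(profile_xml, directory, ldap_entry, inventory):
    """Return (resolved plist bytes, sorted names of unresolved parameters)."""
    attrs = LDAP_ATTRS[directory]
    unresolved = set()

    def lookup(match):
        name = match.group(1)
        if name in attrs and ldap_entry.get(attrs[name]):
            return str(ldap_entry[attrs[name]])
        if name in inventory:
            return str(inventory[name])
        unresolved.add(name)
        return match.group(0)  # leave the token visible instead of blanking it

    def walk(node):
        # Only string values are substituted; keys, numbers and data are untouched.
        if isinstance(node, str):
            return TOKEN.sub(lookup, node)
        if isinstance(node, dict):
            return {key: walk(value) for key, value in node.items()}
        if isinstance(node, list):
            return [walk(value) for value in node]
        return node

    resolved = walk(plistlib.loads(profile_xml))
    # plistlib escapes &, < and > on output, so substituted values stay inside <string>.
    return plistlib.dumps(resolved), sorted(unresolved)


def build_for_device(profile_xml, directory, ldap_entry, inventory):
    """Refuse to emit a profile that still contains unresolved parameters."""
    data, missing = resolve_profile(profile_xml, directory, ldap_entry, inventory)
    if missing:
        raise ValueError("unresolved profile parameters: " + ", ".join(missing))
    return data


if __name__ == "__main__":
    out, missing = resolve_profile(SAMPLE_PROFILE, "active_directory",
                                   SAMPLE_ENTRY, SAMPLE_INVENTORY)
    print(out.decode())
    print("unresolved:", missing)
```

With the sample data, the empty `title` attribute and the unmapped `cost_centre` parameter are both reported, which is the case to catch before a device receives a mail account described as a literal `%job_title%`.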
# Signed Apple Profiles

## What

With the release of FileWave 15.5, all configuration profiles deployed to Apple devices are now automatically signed. Profile signing enhances security by verifying the authenticity and integrity of the profiles, ensuring they haven’t been altered or tampered with during deployment. Additionally, FileWave allows you to export these signed profiles for use outside of the FileWave environment.

## When/Why

#### **When Does Profile Signing Occur?**

- **Automatic Signing Upon Deployment:** Starting from FileWave 15.5, any profile you deploy to Apple devices is signed by default. There’s no need to manually select or trigger the signing process.

#### **Why Is Profile Signing Important?**

- **Enhanced Security:** Automatic signing ensures that all profiles are trusted and have not been modified maliciously.
- **Integrity Assurance:** Guarantees that the profile content remains unchanged from the point of signing to installation.
- **Compliance Requirements:** Helps meet organizational security policies and industry compliance standards by providing proof of profile authenticity.
- **Flexible Use:** The ability to export signed profiles allows you to use them in other tools like Apple Configurator, ensuring consistency across different methods.

## How

#### **Deploying Signed Profiles**

Since profiles are automatically signed upon deployment in FileWave 15.5 and later, you don’t need to take any extra steps for signing during the deployment process.
[![image.png](https://kb.filewave.com/uploads/images/gallery/2024-10/scaled-1680-/Cdl3kJraRVYjWzk3-image.png)](https://kb.filewave.com/uploads/images/gallery/2024-10/Cdl3kJraRVYjWzk3-image.png)

#### **Exporting Signed Profiles**

If you need to use the signed profiles outside of FileWave, for example in Apple Configurator, you can export them as signed payloads by way of the Fileset Properties view, as shown below:

[![image.png](https://kb.filewave.com/uploads/images/gallery/2024-10/scaled-1680-/wOkQGRRMxlm65Nhv-image.png)](https://kb.filewave.com/uploads/images/gallery/2024-10/wOkQGRRMxlm65Nhv-image.png)

## Related Content

- [FileWave Version 15.5.0](https://kb.filewave.com/books/downloads/page/filewave-version-1550-unsupported "FileWave Version 15.5.0")