Skip to main content

Return to Service feature for tvOS

What

Even though devices can be erased remotely, getting them back into service is a manual process, as it requires someone to physically touch them and take them through Setup Assistant. Apple is removing the additional manual step with the introduction of Return to Service for tvOS.  This feature was added in FileWave version 15.5.0 for tvOS 18. For iOS/iPadOS this same feature was added in FileWave 15.1.0

When/Why

Return To Service is the following process. The MDM server sends an EraseDevice command to the device. The command includes additional information which allows the device to reset, securely erase all data, connect to Wi-Fi, enroll into MDM, and get back to the Home Screen, ready to be used.

How

With FileWave 15.5.0 support of Return To Service was added for tvOS. To use Return To Service open Remote Wipe dialog for tvOS device. Checkbox Return To Service allows to specify whether feature should be enabled or disabled. It can be checked only if Remove Activation Lock checkbox is checked as well. The feature can be used only if there is at least one configured Wi-Fi profile (fileset containing Network payload with Network Interface “Wi-Fi“). Available Wi-Fi profiles are displayed on combobox. This allows Wi-Fi only Apple TVsAppleTVs to have zero-touch wipe and re-enroll process.

If you use Ethernet for your AppleTV devices you can still use Return To Service, but you'll essentially send a WiFi profile to them that the device won't use since Ethernet is connected. 

image.png

What happens on the device?

If Return To Service is enabled on FileWave side and then Wipe Device button is pressed, the device will be wiped and then connected to the Wi-Fi network specified in selected Wi-Fi profile without asking password. Also MDM profile will remain on the device, there will be no need for it to re-enroll in MDM. You will want to make sure the DEP profile for the device has Auto Advance enabled so that you don't have to be present at the device to get it through the setup wizard. 

If you have an AppleTV that uses Ethernet then you could simply send a wipe to it and not need RTS since it will come back in to the server if it is enrolled via ADE/DEP. Just like for RTS you need to make sure Auto Advance is enabled in the enrollment profile or you would have to go to the device to move it through the re-enrollment. 

Troubleshooting

We have found that relateon the WiFi profile, setting Security to this'With content.Authorization' - even with the right password, will break Return to Service. What you will see is that the iPad will not be able to join the WiFi automatically when it boots up though you can manually join the WiFi. 

image.png

Digging Deeper

WantWhen Remote Wipe dialog is opened the list of configured Wi-Fi profiles is loaded in format:

[(<file_id>, <fileset_id>, <fileset_name>, <payload_display_name>, <payload_identifier>),(...)]

fileset_id and fileset_name are displayed on the UI, payload_display_name and payload_identifier are used for tool tip. file_id is used as internal data for combobox.

When Wipe Device button is pressed, on the backend side is generated MDM command EraseDevice with dictionary field ReturnToService and fields Enabled and WiFiProfileData according to providevalues specified on the UI, then command is added to command queue.

When command is grabbed from command queue and is being composed for sending to the device MDMProfileData is added to ReturnToService dictionary. This data matches the final payload that is provided by MDM server when /ios/profile URL is used for OTA enrollment. MDMProfileData is not added for DEP devices.

API Command

Sending the command to wipe via an API command requires the following data format.

'{
    "ids": [<integer>, <integer>],
    "command": "EraseDevice",
    "options": {
        "DisallowProximitySetup": false,
        "PIN": "",
        "PreserveDataPlan": false,
        "ReturnToService": {
            "Enabled": true,
            "WiFiProfileID": <integer>
        }
    }
}'
  • 'ids' is a comma separated list of the Device IDs to be targeted
  • 'WifiProfileID' is the File ID (this is not the Fileset ID)

To obtain the WifiProfileID, will require an additional query first.  A full list of all Wi-Fi Profiles can be returned with the following API:

curl -X GET "https://${server_dns}/filewave/api/apple/profiles/wifi" -k -H  "Content-Type: application/json" -H "authorization: ${auth}" | awk '{ gsub("\\]\\,\\[","\n"); gsub("\\]\\]",""); gsub("\\[\\[","");  print }'

Where:

  • ${server_dns} is the server name as seen in FileWave Central -> Preferences -> Mobile
  • ${auth} is the application token as shown in FileWave Central -> Manage Administrators (each user has one or more detailtokens)
  • or
other

The examples?returned Wantlist might look something like:

750959,669526,"Profile - HOME WIFI","HOME WIFI","ml1063.lan.4bf6fba8-9cfc-48b5-ad74-a251a65c8759.Configuration.4bf6fba8-9cfc-48b5-ad74-a251a65c8759"
780638,736322,"Profile - WLTC wifi","WLTC wifi","ml1063.local.7a00d6eb-9b4b-4e7e-b68b-7ee7e6414051.Configuration.7a00d6eb-9b4b-4e7e-b68b-7ee7e6414051"
504184,411265,"Profile - Wi-Fi BT 2.4GHz","Wi-Fi BT 2.4GHz","FW1063.local.e285dc3b-9c4b-4a7a-84a9-a3cd5169f92d.Configuration.e285dc3b-9c4b-4a7a-84a9-a3cd5169f92d"
504185,24571,"Profile - Wi-Fi BT 5GHZ","Wi-Fi BT 5GHZ","ML1063.local.02d6d9c3-5a7d-490c-afa8-f160ba9b4e40.Configuration.02d6d9c3-5a7d-490c-afa8-f160ba9b4e40"

The first number is the File ID, whilst the second is the Fileset ID.

Example

Considering the following 3 devices to waxbe poetic?wiped Dousing that'Return here,to Service':

Server FQDN from Preferencesdemo.filewave.ch
Authorisation Token

e2E1OTU4ZmYyLTg4ZTYtNDEzNC1iZjdhLWE0ZmJmMTViNmI5OH0=

"Profile - WLTC wifi" [File ID of Fileset: 'Profile - WLTC wifi']

780638

iPad001 [FileWave Device ID]

3425

iPad002 [FileWave Device ID]

4342

iPad003 [FileWave Device ID]

3312

The API data block might look like:

'{
    "ids": [3425, 4342, 3312],
    "command": "EraseDevice",
    "options": {
        "DisallowProximitySetup": false,
        "PIN": "",
        "PreserveDataPlan": false,
        "ReturnToService": {
            "Enabled": true,
            "WiFiProfileID": 780638
        }
    }
}'

and keep the topcommand:

of
curl these-X documentsPOST crisp"https://demo.filewave.ch/api/devices/v1/devices/mdm-command" and-k clean.-H  "Content-Type: application/json" -H "authorization: e2E1OTU4ZmYyLTg4ZTYtNDEzNC1iZjdhLWE0ZmJmMTViNmI5OH0=" -d  "<data block goes here>