Skip to main content

Return to Service feature for tvOS

What

Even though devices can be erased remotely, getting them back into service is a manual process, as it requires someone to physically touch them and take them through Setup Assistant. Apple is removing the additional manual step with the introduction of Return to Service for tvOS.   This feature was added in FileWave version 15.5.0  for tvOS 18.  For iOS/iPadOS this same feature was added in FileWave 15.1.0.  

When/Why

Return To Service is the following process. The MDM server sends an an EraseDevice command to the device. The command includes additional information which allows the device to reset, securely erase all data, connect to Wi-Fi, enroll into MDM, and get back to the Home Screen, ready to be used.

How

With FileWave 15.5.0 support of Return To Service was added for tvOS. To use Return To Service open Remote Wipe dialog for tvOS device. Checkbox Return To Service allows to specify whether feature should be enabled or disabled. It can be checked only if Remove Activation Lock checkbox is checked as well. The feature can be used only if there is at least one configured Wi-Fi profile (fileset containing Network payload with Network Interface “Wi-Fi“). Available Wi-Fi profiles are displayed on combobox. This allows Wi-Fi only AppleTVs to have zero-touch wipe and re-enroll process.

image.png

What happens on the device?

If Return To Service is enabled on FileWave side and then Wipe Device button is pressed, the device will be wiped and then connected to the Wi-Fi network specified within the selected Wi-Fi profile without password prompt. Also, the MDM profile will remain on the device, there will be no need for it to re-enroll in MDM. You will want to make sure the DEP profile for the device has Auto Advance enabled so that you don't have to be present at the device to get it through the setup wizard.  

If you have an AppleTV that uses Ethernet then you could simply send a wipe to it and not need RTS since it will come back in to the server if it is enrolled via ADE/DEP. Just like for RTS you need to make sure Auto Advance is enabled in the enrollment profile or you would have to go to the device to move it through the re-enrollment.  

Troubleshooting

We have found that setting Security to 'With Authorization' within the Wi-Fi Profile (even with the correct password) will break Return to Service. In this instance the AppleTV will not be able to join the WiFi automatically when it boots up, though you can manually join the WiFi.  

image.png

Digging Deeper

When Remote Wipe dialog is opened the list of configured Wi-Fi profiles is loaded, formatted as:

[(<file_id>, <fileset_id>, <fileset_name>, <payload_display_name>, <payload_identifier>),(...)]

fileset_id and  and fileset_name  are displayed on the UI,  payload_display_name and  and payload_identifier  are used for tool tip.  file_id  is used as internal data for combobox.

When Wipe Device button is pressed, in the backend, the MDM command EraseDevice is generated with dictionary field field ReturnToService  and fields fields Enabled and  and WiFiProfileData according to values specified in the UI; the command is added to the device's command queue.

On grabbing the command from the queue, during composition for delivery, the ReturnToService dictionary is updated with  MDMProfileData for non DEP enrolled devices.  The data added, matches the final payload that is provided by MDM server when /ios/profile URL is used for OTA enrollment.

API Command

Sending the command to wipe via an API command requires the following data format.

'{
    "ids": [<integer>, <integer>],
    "command": "EraseDevice",
    "options": {
        "DisallowProximitySetup": false,
        "PIN": "",
        "PreserveDataPlan": false,
        "ReturnToService": {
            "Enabled": true,
            "WiFiProfileID": <integer>
        }
    }
}'
  • 'ids' is a comma separated list of the Client IDs to be targeted
  • 'WifiProfileID' is the File ID (this is not the Fileset ID)

To obtain the WifiProfileID, will require an additional query first.  A full list of all Wi-Fi Profiles can be returned with the following API:

curl -X GET "https://${server_dns}/filewave/api/apple/profiles/wifi" -k -H  "Content-Type: application/json" -H "authorization: ${auth}" | awk '{ gsub("\\]\\,\\[","\n"); gsub("\\]\\]",""); gsub("\\[\\[","");  print }'

Where:

  • ${server_dns} is the server name as seen in FileWave Central -> Preferences -> Mobile
  • ${auth} is the application token as shown in FileWave Central -> Manage Administrators (each user has one or more tokens)

The returned list might look something like:

750959,669526,"Profile - HOME WIFI","HOME WIFI","ml1063.lan.4bf6fba8-9cfc-48b5-ad74-a251a65c8759.Configuration.4bf6fba8-9cfc-48b5-ad74-a251a65c8759"
780638,736322,"Profile - WLTC wifi","WLTC wifi","ml1063.local.7a00d6eb-9b4b-4e7e-b68b-7ee7e6414051.Configuration.7a00d6eb-9b4b-4e7e-b68b-7ee7e6414051"
504184,411265,"Profile - Wi-Fi BT 2.4GHz","Wi-Fi BT 2.4GHz","FW1063.local.e285dc3b-9c4b-4a7a-84a9-a3cd5169f92d.Configuration.e285dc3b-9c4b-4a7a-84a9-a3cd5169f92d"
504185,24571,"Profile - Wi-Fi BT 5GHZ","Wi-Fi BT 5GHZ","ML1063.local.02d6d9c3-5a7d-490c-afa8-f160ba9b4e40.Configuration.02d6d9c3-5a7d-490c-afa8-f160ba9b4e40"

The first number is the File ID, whilst the second is the Fileset ID.

Example

Considering the following 3 devices to be wiped using 'Return to Service':

Server FQDN from Preferences demo.filewave.ch
Authorisation Token

e2E1OTU4ZmYyLTg4ZTYtNDEzNC1iZjdhLWE0ZmJmMTViNmI5OH0=

"Profile - WLTC wifi" [File ID of Fileset: 'Profile - WLTC wifi']

780638

iPad001 [FileWave Client ID]

3425

iPad002 [FileWave Client ID]

4342

iPad003 [FileWave Client ID]

3312

The API data block might look like:

'{
    "ids": [3425, 4342, 3312],
    "command": "EraseDevice",
    "options": {
        "DisallowProximitySetup": false,
        "PIN": "",
        "PreserveDataPlan": false,
        "ReturnToService": {
            "Enabled": true,
            "WiFiProfileID": 780638
        }
    }
}'

and the command:

curl -X POST "https://demo.filewave.ch/api/devices/v1/devices/mdm-command" -k -H  "Content-Type: application/json" -H "authorization: e2E1OTU4ZmYyLTg4ZTYtNDEzNC1iZjdhLWE0ZmJmMTViNmI5OH0=" -d  "<data block goes here>