
Configuring FileWave Settings

  1. Launch the FileWave Admin console app from either the /Applications/FileWave folder or the FileWave program group in the Windows Start menu to log into the FileWave server.
  2. Enter the address for your FileWave server, enter "fwadmin" for the username and "filewave" for the password, and click the Connect button.
  3. Go to FileWave Admin > Preferences (Mac) or File > Preferences (Windows).
  4. In the Mobile tab enter your FileWave server's address in the Server Address field, check Generate new key on Save, wait for the dot to turn green, and click OK. The Shared Key should now be populated with a value rather than "No Key (Not Secure)".
  5. Pick Manage Administrators from the Assistants menu.
  6. Select the "fwadmin" account on the left, enter a password of your choosing into the Password and Verify Password fields on the right, and click OK. Use a password that you will not forget, and store it in a secure location. Note that you will be prompted for this new password for the "fwadmin" account in the future when making changes to FileWave that require superadmin credentials.
  7. As a security precaution we recommend that you go back to the Manage Administrators assistant and create an everyday local login account for management tasks.
    • Click the plus sign in the lower left corner of the Manage Administrators assistant and choose Local Account.
    • Enter a Login Name and specify your password in the User details tab.
    • In the Permissions tab, click Select All, Apply, and then OK.
    • Close the FileWave Admin console and log back in using your new local account to verify that it works.

MDM Certificate Configuration

The FileWave MDM Server requires two certificates - one to send push commands to Apple and another for mobile devices to communicate securely with the MDM Server. These certificates can be configured in the Mobile preferences tab.


APNS Certificate Setup

To create and upload an APNS certificate, follow the instructions at one of the following links depending on your platform (Mac, Windows) if you have not already done so. The Windows Certificate Wizard and Mac Certificate Assistant Script are available here to facilitate the creation of your APNS certificate. They will walk you through the same steps as the above guides.

Since the APNS certificate must be renewed annually, we recommend you create calendar reminders 45, 30, and 15 days before the expiration. When renewing your APNS certificate, be sure to use the same Apple ID that was used to originally create it. Creating a new certificate, or creating a certificate with a different Apple ID, rather than renewing the existing one used by FileWave, will break MDM communication with your mobile devices and require un-enrollment and re-enrollment. Take the following precautions to prevent this.

  1. Click the Info icon for your APNS certificate in your Apple Push Certificates Portal account and enter the DNS name for your server in the Notes field. This lets you know which server it is intended for.
  2. Verify that the topic for the APNS certificate you’re trying to renew matches the topic listed in the Mobile tab of the FileWave preferences. If they don’t match then you’re renewing the wrong APNS certificate. 


SSL Certificate Setup

Next you’ll need to upload an SSL certificate to secure MDM communication between FileWave and your mobile devices.  We recommend purchasing an SSL certificate from a commercial certificate authority (CA).  These can be obtained for as little as $10-20/year. If you already have a wildcard certificate that covers the top level domain the FileWave server will be hosted on then you can use it without needing to purchase another certificate. Apple tightened security beginning with iOS 10.3, and since then iOS no longer trusts self-signed certificates by default. During interactive MDM enrollments you must edit the iOS settings to explicitly trust the self-signed certificate from the FileWave server. You do not have to go through the process of explicitly trusting the self-signed certificate if the device is enrolled via Apple Configurator 2 (AC2) or the Device Enrollment Program (DEP).

  • Self-signed SSL certificate generated by FileWave server
    • Advantage - free
    • Disadvantage - requires extra step to explicitly trust it during interactive enrollment of iOS 10.3+ devices (does not affect AC2 and DEP enrollments)
  • Trusted certificate from commercial CA
    • Advantage - no extra step to explicitly trust certificate during interactive enrollments of iOS 10.3+ devices
    • Disadvantage - not free (cost possibly as low as $10-20/year)


Generating a Self-signed Certificate

If you are unable to acquire a commercial SSL certificate from a trusted CA, you can generate a self-signed certificate temporarily while you are testing FileWave MDM. However, we recommend replacing it with a trusted SSL certificate from a CA as soon as possible. Apple could at any time change iOS to no longer support self-signed certificates and instead require a commercial SSL cert that can be verified.

  1. To tell the FileWave server to generate a self-signed certificate, open a command-line session on the FileWave server and run the following commands, replacing "<FW_Server_FQDN>" with the actual DNS name for your FileWave server. For Windows, remember to open the CMD session with Run as administrator.

    sudo fwcontrol server generateSelfSignedCert --create --cn=<FW_Server_FQDN>
    sudo fwcontrol server generateSelfSignedCert --install
  2. The Common name field in the HTTPS Certificate Management section of the General preferences tab in the FileWave Admin console should now be populated with the DNS name for your FileWave server.


Installing a Commercial Cert from a Trusted Certificate Authority

  1. Follow the instructions here for creating a .p12 certificate file from the .crt file provided by your certificate vendor. To ensure that you receive your certificate as a .crt file pick Apache HTTP for the download format. The Windows Certificate Wizard and Mac Certificate Assistant Script are available here to facilitate the creation of your .p12 SSL certificate file. They will walk you through the same steps as the aforementioned instructions. You will need to merge your SSL .crt file, private key, and possibly any required intermediate certificates into a single .p12 file. SSL vendors often provide multiple intermediate certificates in .crt format. To determine which one is the correct one for your SSL certificate:
    • Go to the Intermediate Certificate Check page at https://tools.keycdn.com/ssl.
    • Paste the contents of your SSL .crt file from your SSL provider and follow it up with the contents of the desired intermediate .crt file right below it.
    • Click the Validate button.
    • You'll receive a response stating either "No chain issues detected" in green or "Chain issues detected" in brown. If there are chain issues, keep replacing the intermediate cert with another one until there are no chain issues.
  2. In the SSL Certificate Management section of the General preferences tab of the FileWave Admin console click the Upload PKCS12 Certificate button, authenticate, and select the .p12 certificate file generated from step 1. You'll also want to store a copy of this .p12 file in a safe place for disaster recovery purposes should your FileWave server suffer a catastrophic hardware failure.
  3. Click the OK button and then Update Model in the toolbar to commit your changes.
  4. Ensure that the DNS name assigned to the FileWave server is resolvable externally and that TCP port 20443 has been forwarded correctly if your server is hosted inside of your firewall with a private IP. Verify the certificate trust chain externally using one of the external SSL checkers below. Be sure to specify port 20443 when doing so. If there is no field for the port, append ":20443" to the end of the server's DNS address.

https://www.sslshopper.com/ssl-checker.html
https://www.digicert.com/help
https://www.geocerts.com/ssl_checker
https://www.rapidsslonline.com/ssl-tools/ssl-checker.php
https://certlogik.com/ssl-checker
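
A local counterpart to the intermediate check and .p12 merge described in step 1, given here as an added example that is not FileWave's own tooling: it tries each candidate intermediate with openssl verify, confirms the private key belongs to the certificate, and only then writes the .p12. The function names, the file arguments, ROOT_BUNDLE (a PEM file of trusted root certificates, whose location depends on the OS) and the P12_PASS environment variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not FileWave code). All names below are illustrative assumptions.

# key_matches_cert CERT KEY: succeeds only if KEY is the private key for CERT.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# pick_intermediate ROOT_BUNDLE CERT CANDIDATE...
# Prints the first candidate intermediate that completes the chain to a trusted root.
pick_intermediate() {
    roots=$1; leaf=$2; shift 2
    for cand in "$@"; do
        if openssl verify -CAfile "$roots" -untrusted "$cand" "$leaf" >/dev/null 2>&1; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    echo "chain issues: no candidate intermediate validates $leaf" >&2
    return 1
}

# build_p12 ROOT_BUNDLE CERT KEY OUT.p12 CANDIDATE...
# Packages certificate, key and the validated intermediate into one PKCS#12 file.
# The export passphrase is read from $P12_PASS so it never appears in the process list.
build_p12() {
    roots=$1; leaf=$2; key=$3; out=$4; shift 4
    [ -n "${P12_PASS:-}" ] || { echo "set P12_PASS first" >&2; return 1; }
    key_matches_cert "$leaf" "$key" || {
        echo "private key does not match $leaf" >&2; return 1; }
    inter=$(pick_intermediate "$roots" "$leaf" "$@") || return 1
    (
        umask 077   # the .p12 contains the private key; keep it owner-readable only
        openssl pkcs12 -export -in "$leaf" -inkey "$key" -certfile "$inter" \
            -out "$out" -passout env:P12_PASS
    )
}
```

Unlike the web checker, this keeps the whole check on the machine that already holds the private key, and a mismatched key or wrong intermediate stops the build before any .p12 is written.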

Similar to the APNS certificate, your SSL certificate must be renewed on a regular basis. Luckily SSL certificates can be purchased for terms of up to 3 years. We recommend you create calendar reminders 45, 30, and 15 days before your SSL certificate expires so you can renew it in a timely fashion.
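
The 45/30/15-day reminders recommended for both the APNS and SSL certificates can also be checked directly from the certificate files; the following is an added example, not part of FileWave. It assumes you keep PEM copies of the certificates, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not FileWave code): map a certificate's remaining lifetime
# onto the 45/30/15-day reminder windows recommended above.

# cert_reminder_tier CERT.pem
# Prints "ok" (more than 45 days left), "45", "30" or "15" (inside that window),
# "expired", or "unreadable". Returns 0 only for "ok".
cert_reminder_tier() {
    cert=$1
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 2; }
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo expired
        return 1
    fi
    tier=ok
    for days in 45 30 15; do
        # -checkend N exits non-zero when the certificate expires within N seconds
        if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
            tier=$days
        fi
    done
    echo "$tier"
    [ "$tier" = ok ]
}

# report_certs CERT...
# One tab-separated line per certificate: file, tier, notAfter date.
# Returns non-zero if any certificate needs attention (suitable for cron or monitoring).
report_certs() {
    rc=0
    for c in "$@"; do
        t=$(cert_reminder_tier "$c") || rc=1
        end=$(openssl x509 -in "$c" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%s\t%s\t%s\n' "$c" "$t" "${end:-unknown}"
    done
    return $rc
}
```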
