
Before you decide how your iOS devices will be enrolled in MDM management, you first need to decide who is allowed to enroll devices and how those users will be authenticated. Choose which authentication method(s) will permit a user to enroll a device:

  • No authentication
  • Generic username/password. You can create multiple accounts for different departments, schools, offices, etc. Note that a generic account is a shared secret: anyone who learns it can enroll a device, so treat it like any other shared credential.
  • Unique LDAP (AD, OD, eDirectory) authentication

You can also choose different authentication methods for different enrollment methods. For example, with DEP enrollments you might require no authentication, but for interactive web-based enrollments users must enter their AD credentials.

Linking your FileWave server to your LDAP server allows users to authenticate as themselves during MDM enrollment instead of using a generic user account. This links the user's identity and directory information to the device. As a result, their email address can be used in parameterized config profiles to populate user-specific profiles such as ActiveSync or email configuration profiles. Custom fields for user-based LDAP attributes, and smart groups based on those custom fields, can be created to automatically group devices by the enrolling user's LDAP data, such as group memberships. Note that connecting FileWave to your LDAP enables LDAP enrollment authentication by default unless you specifically decline it. The details on how to configure FileWave for LDAP enrollment are available at the links below.

Connecting FileWave to your LDAP

Enabling LDAP authentication for enrollment

For the purposes of iBooks Store book deployment, you can also enable automatic (a) VPP user association via the user's email address and (b) sending of VPP invitation emails. Automatic VPP email invitations require that the user's email attribute be populated in your LDAP directory. These options can be set in the DEP & VPP preferences tab.

In this evaluation guide we will only be configuring one or more generic user accounts for enrollment. The enrollment user account will be populated in the Auth Username or Authentication Username field. If you wish to disable authentication or have problems enabling LDAP enrollment, please contact your FileWave SE for assistance. To create a generic enrollment user account, open a command-line session on the FileWave server and run the appropriate command below. On Windows, open the CMD session with administrator privileges and omit "sudo" from the commands.

Interactive web-based enrollment: 

sudo fwcontrol mdm adduser <name> 

DEP enrollment:

sudo fwcontrol mdm adddepuser <name>

There are four ways to enroll mobile devices into MDM, depending on the device type:

  • Interactively via a web page on the FileWave server (iOS, Mac, Android)
  • Silently and automatically via DEP when an iOS/Mac device goes through the Apple Setup Assistant. This is the only enrollment method for iOS that allows you to protect the MDM enrollment profile from removal by the end user.
  • Via Apple Configurator 2 when preparing an iOS device
  • Manually installing the MDM enrollment profile (iOS and Mac) or APK (Android) attached to an email 

Interactive Web-based Enrollment

Users can interactively enroll their iOS and Android devices by going to https://<filewave_server_DNS>:20443. You can email the URL to users or link to it from your IT department's home page. When they open the enrollment URL on their mobile device, instructions are provided on how to enroll the device with your server. If your server is using a self-signed certificate, two steps will be listed.

Step 1 is to install the self-signed certificate. It will display as being signed by "<your_FileWave_server_DNS>" and "Not Verified".

On iOS 10.3+ devices you will also have to go into the iOS Settings and browse to General > About > Certificate Trust Settings. Under ENABLE FULL TRUST FOR ROOT CERTIFICATES, toggle the slider for the self-signed certificate from your FileWave server and tap Continue at the Root Certificate warning dialog. If you do not explicitly trust the self-signed certificate first, Step 2 will fail. Be aware that enabling full trust for a self-signed root makes the device trust anything signed with that certificate's key, not just the enrollment server, so keep this to evaluation use and install a certificate from a trusted CA for production. Tapping Step 2 installs the MDM enrollment profile that will enroll your iOS device in management. Enter the generic username/password you previously configured when prompted for credentials. Tap Install three times to confirm that you want to install the MDM enrollment profile.

If you have installed a commercial certificate from a trusted CA and its trust chain can be verified by the device, there will only be a single step, which installs the MDM enrollment profile. The MDM profile will display as Verified with a green checkmark. Enter the generic username/password you previously configured when prompted for credentials, then tap Install three times to confirm that you want to install the MDM enrollment profile.

DEP Enrollment

DEP is the recommended method for enrolling iOS devices, as it is the most convenient and provides significant benefits over the other enrollment methods. Make sure that DEP is configured and a DEP profile is assigned to your iOS device as described in the Device Enrollment Program section. Note that DEP is the ONLY way to protect the MDM enrollment profile from deletion by the end user. Reset your device (or power it on for the first time if it is new) to trigger the Apple Setup Assistant. The Setup Assistant will enforce the DEP profile and enroll the device. Enter your generic enrollment credentials when prompted to install the MDM enrollment profile.

Apple Configurator 2 (AC2) Enrollment

For devices that are not in DEP, AC2 provides a way to quickly prepare multiple iPads and supervise them at the same time. To enroll iOS devices you'll need to go to the Device Enrollment tab in the Enroll iOS Device Assistant and copy the MDM Server URL. When preparing device(s), select Manual configuration, choose New Server, paste the MDM Server URL into the Hostname or URL field, and check Supervise Devices. When prompted to configure the iOS Setup Assistant, make sure that Location Services is checked. The following KB article will walk you through the AC2 enrollment process. For additional help with AC2, please consult Apple's documentation.

Installing the MDM Enrollment Profile from an Email Attachment

Go to Assistants > Enroll iOS Device, pick the Mass Enrollment tab, click the Download MDM Enrollment Profile button, and save the MDM enrollment profile to your desktop. Email this enrollment profile to your end users. They can enroll their device by opening the email and tapping the attached enrollment profile on their iOS device. Before you send it out, it is worth confirming that the profile points at your own FileWave server over HTTPS and reviewing the management rights it grants, since that is what your users will be asked to trust.

Adding Mobile Clients

After mobile devices have been enrolled they must be added to FileWave before they can be managed.

  1. Open the FileWave Admin console, go to the Clients section on the left-hand nav pane, click New Group in the toolbar.
  2. Enter a name for the group, e.g. "All Mobile Devices", and click OK to add the group. If you want the group to show up at the top or bottom of the list then prefix its name with a space or some other character like ~.
  3. Click New Client in the toolbar and select Enrolled Mobile Devices to bring up the New Mobile Client From Server dialog.
  4. Highlight the clients to be added or click Select All to choose all devices, pick the "All Mobile Devices" group from the group pull-down, and click Add Clients. If you want to automatically add clients to this group in the future as they report into the FileWave server, then check the Automatically add all new clients to the selected group checkbox.
  5. Click Update Model in the toolbar. Your new device(s) should now appear in the "All Mobile Devices" group. 