
Before issuing a mobile device to end-users it’s a good idea to craft an acceptable use policy and end-user agreement (EUA) that informs users of what their responsibilities are and the possible management actions that may be taken on their mobile devices by the IT department. This is especially crucial if you plan on tracking, wiping, or bricking mobile devices that are reported as lost/stolen or not properly returned. Having an EUA in place that is signed by the end-user or their guardian protects not just the user but also your organization. It's in your best interest to not release the device to the end user until they or their guardian have signed and returned the EUA that includes your acceptable use policy.

Device Enrollment Program

Enabling DEP for an iOS device lets you maintain a sort of persistent management over the client device. You can block users from removing the MDM enrollment profile, which keeps the device under management, except by resetting the device. However, if they reset the device you can force it to automatically re-enroll in MDM management on the FileWave server again. More information on how to enable DEP for your iOS devices can be found in the Device Enrollment Program section. Enrolling an iOS device via DEP with supervision enabled will automatically escrow the activation lock bypass code so that you can unlock devices when someone leaves your organization and returns a device with Find My iPhone enabled.

Geolocation Tracking

Device geolocation tracking is provided by the App Portal iOS application. When a device is enrolled in FileWave MDM a fullscreen web clip labeled App Portal is automatically deployed to it. To be able to track a device you must replace this web clip with the actual .ipa application file for the App Portal. When deployed to an iOS client it automatically deletes the original web clip and the mobile app takes its place. If you do not plan on using device tracking there is no reason to deploy the App Portal enterprise .ipa.

You can distinguish the web clip from the .ipa mobile app by checking for a status bar at the top of the screen when the web clip or mobile app is launched. The mobile app is full screen and does not feature a status bar. If you see indicators for Wi-Fi signal strength, the current time, and battery life then it means you're in the web clip.

To deploy the App Portal .ipa to client iOS devices:

  1. Log into the web site and go to the download page for the version of FileWave you are evaluating.
  2. Scroll to the bottom of the page and find the static CDN URL for App Portal .ipa. Copy the URL for it.
  3. In the FileWave Admin console go to Filesets, click New Mobile Fileset in the toolbar, and pick Enterprise.
  4. Choose Use a remote file, paste in the URL for the App Portal .ipa and click the Import button.
  5. In the Associations area, assign your new fileset for the App Portal .ipa to a device group containing the devices that you want to use device tracking on.
  6. Update your model.
  7. Once the App Portal .ipa has been successfully deployed to client devices you'll need to launch it at least once and allow location services for it when prompted.

Location reporting is not enabled by default. If, for any reason, your organization does not desire location tracking to be enabled at any level, your FileWave license can be adjusted to disable the collection of personal data. See the article here for details.

By default, the devices in the Clients section show the State column as "Not Tracked", meaning geolocation tracking is disabled. In order to activate tracking manually, right-click on one or more clients and choose Client State > Normal.

  • Not tracked - Default state
  • Normal - Client reports location every 15 minutes by default
  • Missing - Client reports location every 1 minute. This interval cannot be altered. Used for missing or stolen devices.
  • Archive - State a client is put into when it is going offline for repairs, storage, or other reasons where you do not need inventory to be updated. Device does not consume a license.

Once you have changed the state of the device to Normal, you will get a dialog box asking you to confirm the setting. Update the model to make the changes effective. Response times from clients may vary depending on their network connectivity. Give the device between 15-30 minutes to report its first location.

When you activate tracking and update the model, every client getting the new setting will react differently, depending on the OS. iOS devices will prompt the user to allow location services for the App Portal application the first time tracking is enabled. For this reason it is a good idea to enable tracking temporarily on an iOS device before handing it over to the end-user so you can allow location services and thus allow tracking in advance. Be sure to disable tracking before issuing the device to the end-user. Android devices will not prompt the user for permission to enable tracking. They are warned by Android when they install the Android App Portal .apk that they are granting it the ability to use location services.

To view location data, select one or more clients or a client group, right click, and choose Show Location(s). The Location of Devices window opens with a map displaying location pins for each selected client, along with a slider bar on the right for zooming in/out. The location accuracy can vary greatly depending on whether the device is GPS enabled or on Wi-Fi. The accuracy of the Wi-Fi location tends to be much more accurate in more densely populated areas where there are a lot of Wi-Fi access points. If there is no data available, wait 15 minutes and check the location map again.

The device Client Info window also has a Position Map tab that displays the location of the current device. 

Lost Mode

Supervised iOS 9.3+ devices can be put into "Lost Mode" by changing the client state to "Missing". Missing devices are locked, displaying a message, phone number, and footnote. The number pad is also disabled so that you cannot authenticate to access the device. You can configure text that will be displayed on the device in the Organization Info tab of FileWave Admin Preferences. These strings are optional; however, we recommend that you specify a phone number or message. FileWave will display "Lost device" on an iOS device that is set to missing if nothing is provided in the settings. FileWave 12+ also allows you to play the lost mode sound on your devices in case you want to search for the device within a room. After you have set your device to missing, right click it and select Play Lost Mode Sound (iOS 10.3+). The only way to turn that off is to change the device state to something other than "Missing".

Supervised iOS devices do not need to have the App Portal .ipa installed on them for you to be able to track them with the "Missing" state. This is because the location data is not provided by the App Portal mobile app but by a separate iOS Lost Mode MDM API. You still need to have the App Portal .ipa installed if you want to track them with the "Normal" state since the location data for it is not provided by the iOS Lost Mode MDM API but by the App Portal mobile app.
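
The Lost Mode behaviour described above corresponds to the EnableLostMode, DeviceLocation and PlayLostModeSound commands of Apple's MDM protocol. The following is an added example, not FileWave's code, that checks the supervision and iOS version preconditions from this section and builds the command property lists; the device record fields and function names are hypothetical.

```python
import plistlib
import uuid

FALLBACK_MESSAGE = "Lost device"  # text the page says is shown when nothing is configured


def _version(text):
    """Turn '10.3.1' into (10, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def _command(request_type, **fields):
    """Wrap one MDM command in the plist envelope (Command + CommandUUID)."""
    body = {"RequestType": request_type}
    body.update({k: v for k, v in fields.items() if v})  # omit empty strings
    return plistlib.dumps({"Command": body, "CommandUUID": str(uuid.uuid4())})


def lost_mode_commands(device, message="", phone="", footnote="", play_sound=False):
    """Return the plist commands for a device set to Missing.

    `device` is a hypothetical inventory record:
    {"supervised": bool, "os_version": str}.
    """
    if not device["supervised"]:
        raise ValueError("Lost Mode requires a supervised device")
    if _version(device["os_version"]) < (9, 3):
        raise ValueError("Lost Mode requires iOS 9.3 or later")
    # EnableLostMode needs a message or a phone number; use the fallback otherwise.
    if not message and not phone:
        message = FALLBACK_MESSAGE
    queue = [
        _command("EnableLostMode", Message=message, PhoneNumber=phone, Footnote=footnote),
        _command("DeviceLocation"),  # location comes from MDM, not from App Portal
    ]
    if play_sound:
        if _version(device["os_version"]) < (10, 3):
            raise ValueError("Play Lost Mode Sound requires iOS 10.3 or later")
        queue.append(_command("PlayLostModeSound"))
    return queue


if __name__ == "__main__":
    # Constructed sample device and organization strings.
    sample = {"supervised": True, "os_version": "10.3.1"}
    for raw in lost_mode_commands(sample, phone="+1 555 0100", play_sound=True):
        print(plistlib.loads(raw)["Command"])
```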

Remote Wipe

Sometimes you may need to erase a mobile device remotely to protect confidential or proprietary data on a lost/stolen device. In other instances it may be because an employee did not return a device after leaving your organization. 

To wipe a mobile device:

  1. Double click a mobile device to get to its Client Info window and click the Remote Wipe button in the button bar.
  2. Authenticate and click OK in order to proceed with the device wipe.
  3. If the target is a supervised iOS device with Find My iPhone enabled, check Remove Activation Lock.
  4. Click Wipe device in the lower left corner of the Remote Wipe screen.

Activation Lock Management

If a user leaving your organization has enabled Find My iPhone on an iOS device and wiped it, activation lock will be enabled on the device. This prevents the Apple Setup Assistant from completing by not allowing you to activate the device. You must enter the Apple ID and password used to enable Find My iPhone to be able to use the device. Since the user has left your organization they are not very likely to help you in this regard. If the device is running iOS 7.1+ and is supervised, FileWave MDM can bypass the activation lock for you. If the device is a DEP device pointing to your FileWave server you can issue a remote wipe and enable the Remove Activation Lock option. If the device is not DEP enabled:

  1. Log into the FileWave Admin console using the "fwadmin" superadmin credentials.
  2. In the Clients area find your device and copy its serial number.
  3. Go to Assistants > Activation Lock Management, find the entry matching your device's serial number, and copy the bypass code. The Activation Lock Management menu item only shows up when you are logged in as "fwadmin".
  4. On the iOS device leave the Apple ID field blank and enter the bypass code in the password field to bypass the activation lock and complete the Setup Assistant.

Note that activation lock bypass codes are stored in the FileWave server, and remain even when the device has been un-enrolled. As a best practice, maintain the bypass codes for institutional devices, regardless of the device’s enrollment status, as a safety measure. If the device is no longer used, or taken offline, do NOT delete the device from your FileWave server but instead just archive it. Once the device has been deleted, the activation lock information is deleted also. Each time a device is reset it will generate a new activation lock bypass code. To avoid bricked devices due to activation lock, enable DEP for all your iOS devices, force mandatory MDM enrollment, and supervise them.
