The primary management tool for client management / MDM on iOS and macOS is the Profile Editor. It can be accessed through either the Desktop Fileset or Mobile Fileset tool.
Search and Show only configured (FW 10+)
Two features introduced in FileWave 10 are a search field to locate specific settings and the ability to display only the configured payloads in a profile.
macOS, iOS and tvOS
The first item encountered in Profile Editor is the General settings. This is not a profile nor payload type; it's a header for any profile to be created. Best practice for profiles is to create a single payload setting within each profile, giving it a descriptive name in the General settings. The key settings to note are the Name, Security and Automatically Remove Profile. All other General settings are optional. You must give the Profile a name for tracking purposes. The Security setting lets you decide if the profile can be removed by the end user or not. Users on unsupervised iOS devices can remove profiles regardless of the settings here.
Note: Due to changes in how profiles are installed on OS X 10.10+, if you install a profile with Security set to Never, FileWave will not be able to remove the profile and will ask for admin credentials on the client machines. The workaround is to use a password protected removal using the With Authorization option.
Automatically Remove Profile settings will disable the profile after a specific time interval or on a specific date. The recommendation is to leave this set to Never and use FileWave to remove the profile when necessary. The Description and Consent fields are used to provide more detail for troubleshooting purposes, and to display a text block asking the user to agree to the content of the Consent text when installing this profile manually. If the profile is installed as part of a FileWave Fileset, the end user will not see this, however.
This payload allows you to preconfigure network settings for your devices. You can define Wi-Fi, Legacy Hotspot, Passpoint, or Ethernet (macOS only) settings, including Auto Join, Proxy, Wi-Fi Security, and 802.1x.
The Certificates payload lets you designate PKCS1 or PKCS12 certificate data to be stored on managed devices. You can specify institutional certificates or any other certificates required for access to your network services.
The SCEP, or Simple Certificate Enrollment Protocol, payload is used to define the X.500 information needed by an institution for a connected device. You may also import a certificate to provide all the needed settings.
iOS and macOS (10.7+)
These settings are unified and can apply to any supported iOS device as well as any OS X device running 10.7 Lion or higher.
Passcode allows you to establish a more complex passcode rule for end users, including requiring a minimum length, alphanumerics, and time limits. A few of the key settings are:
- Maximum passcode age: requires user to change passcode within defined timeframe
- Auto-Lock: defines the amount of time the device can be idle before it locks
- Grace period for device lock: defines the amount of time after the device locks before a passcode is required
Email settings allow the systems administrator to predefine key SMTP or IMAP settings for users, such as host server, requirement to use only a defined server for sending mail, use of S/MIME, and SSL. This is one of the profiles that can be configured for parameterized profile settings if the client device is associated with an LDAP directory.
Exchange ActiveSync is a payload that lets you predefine settings for users' access to Microsoft Exchange services. New with FileWave 11's support for iOS 9.3 is an "Allow Mail Drop" option for the Exchange payload (Mail Drop lets you send large files like videos, presentations, and images through iCloud; for more info, see: https://support.apple.com/en-us/HT203093).
The LDAP payload provides the ability to link the device to an LDAP server for lookup and configuration access. You can provide authentication for secure server access, or use just the hostname to gain anonymous access to the network directory. Some of the settings include SSL usage and search criteria. This is not a binding profile since iOS devices cannot be bound to a network directory. For macOS computers, use the Directory payload for binding.
The Contacts payload provides settings to allow access to CardDAV servers. This payload supports parameterized profiles.
The CalDAV payload provides settings for access to CalDAV (Calendar) servers. This payload supports parameterized profiles.
Use the VPN payload to establish settings for a device to connect to a virtual private network. Settings include the user and machine authentication methods (including shared secret or certificate), proxy settings, and ability to force all network traffic through VPN.
The Web Clip payload lets you assign URLs as 'miniApps' to a managed device. Settings include the URL for the clip, an icon for the item, and the ability to force the clip to open as a full screen application. The Web Clip is deployed as a regular application on iOS and as a Dock item on macOS.
Security & Privacy
The Security & Privacy payload allows managed devices to be configured with access to specific sources for application downloads (macOS only Gatekeeper), Firewall settings, and specify if diagnostic information will be sent to Apple or not.
FileVault 2 settings can be configured using the Disk Encryption payload.
The Font payload allows you to send a specific font set to a device. This capability is very handy for ensuring an iOS device has the same font installed for a document that is also being worked on with macOS computers.
iOS and macOS (10.10+)
These payloads are for iOS and macOS.
AirPlay Mirroring payloads are for assignment of specific AirPlay devices to designated Apple TVs. A Group of iOS devices can be assigned to a certain Apple TV with the password embedded in the profile. Other devices would not be able to connect to that Apple TV. You can also provide a set of whitelisted Apple TVs that the managed device can use for AirPlay.
These settings determine the voice and data roaming, Wallpaper, Lock Screen Grace Period, or Bluetooth. The commands are sent at each Verify from FileWave.
iOS and tvOS
Global HTTP Proxy
Global HTTP Proxy payload settings allow supervised iOS devices to be linked to a master network proxy for web content.
These payloads apply to all supported iOS devices.
Restrictions allow for the establishment of tight controls over institutional iOS devices, and can be used for managing BYOD/1:1 devices. These settings include controlling access to the camera, Siri, iTunes, and iCloud. This payload also contains 'Manage open in' and GameCenter controls, as well as content management by age appropriate settings. Note that many of the settings require the device to be supervised. That means the device must be institutionally purchased and configured with either DEP, or with Apple Configurator.
New with FileWave 11's support for iOS 9.3 are the following restrictions, which apply to supervised devices:
- Allow Apple Music — If set to false, Music service is disabled and Music app reverts to classic mode. Defaults to true.
- Allow Radio — If set to false, iTunes Radio is disabled. Defaults to true.
- Restrict App Usage:
  - Allow All Apps
  - Allow Some Apps Only, where you can specify what apps are allowed
  - Don't Allow Some Apps, where you can specify what apps are not allowed
The Subscribed Calendars payload lets you provide predefined shared calendar information for your end users on managed devices. The settings work with parameterized profiles.
The APN payload allows systems administrators the ability to manage Carrier Access Point Name configuration for iOS devices with cellular services enabled.
Single App Mode
The Single App Mode payload is designed to allow you to configure supervised iOS devices so that they open into a single application. If a user turns the device off, when restarted, it will reopen into the designated app as long as the profile is active on the device. This payload is best used in testing or kiosk environments. Setup requires the use of Apple Configurator to force the device into supervised mode. The payload also allows you to deactivate several other options, such as Auto Lock, Device Rotation, and Volume buttons. You select the app from the list of iOS apps added to Filesets. The iOS app Fileset must also be associated with the device in order for this process to work.
iOS 7+ settings
Payloads for iOS devices running iOS 7 and higher.
Use the AirPrint payload to designate AirPrint capable printers for managed iOS devices. The settings can be manually entered IP addresses or discoverable (Bonjour) devices.
Web Content Filter (supervised only)
The Web Content Filter payload supports whitelists and blacklists for web access, as well as setting a basic content filter to control access to adult content.
The Single Sign-On (SSO) payload allows you to configure Kerberos access for your managed device to specific services and applications.
These settings are for iOS 8 or higher only.
Managed domains can be set for mail and web sites. For mail, you specify "safe" email domains (e.g. filewave.com), and any mail coming from, or being sent to, another domain will be highlighted. On the web side, documents from approved domains will be considered as managed. This will allow a Web Clip from an approved domain to function while a PDF from an unapproved domain won't be allowed to open in any managed application. New with FileWave 11 and iOS 9.3 is the ability to specify the URL patterns for which passwords can be saved for supervised devices.
macOS Server Accounts
These settings allow you to pre-configure macOS file servers for access by managed users.
Network Usage Rules
These settings specify how managed apps use cellular data networks.
Use this payload for cellular settings. In iOS 7 or later, the APN payload is deprecated in favor of the Cellular payload.
These settings apply to iOS devices running iOS 9.3 or higher.
Home Screen Layout (supervised only)
With supervised devices, you can specify the home screen layout including which apps are in the Dock and which apps appear where on different pages of the home screen.
Lock Screen Message
This allows you to specify the text to be displayed in the login window and on the lock screen. Devices do not have to be supervised to use this payload type.
This payload type is used to configure Google accounts. The user will be prompted to sign in to the configured account(s).
This payload type is used to enforce notification settings for each app. These settings only affect supervised devices.
DNS Proxy (supervised only)
Use this section to configure DNS proxy settings. These settings will only affect supervised devices.
TV Remote (supervised only)
Use this section to configure the list of Apple TVs that can be controlled using the Remote app. These settings will only affect supervised devices.
These settings are for macOS only. Settings applied to systems running OS X pre-Lion will be sent as Managed Client property lists (mcx.plists); settings sent to OS X 10.7 – 10.11 and macOS Sierra (10.12) will be sent as managed profiles.
Note: In order to keep using mcx.plists, you must be using the 8.1.5 version of the FileWave client. Newer versions of the client do not convert profiles to mcx.plists.
The restrictions payload contains settings to limit access to system preferences, applications, Widgets, media, and sharing services. Preferences now includes all System Preferences plus the 3rd party Preference panes that are installed on the FileWave Admin machine. If you want to control 3rd party Preference panes on client devices, you must have that same item installed on your administration machine in order to have it show up in the list for management.
For application control, the best practice is to designate the 'safe' paths for applications, such as /Applications; then designate restricted paths to 'unsafe' areas. Do not try to specify all 'allowed' applications because you will also have to locate all helper and sub-launched apps.
Some of the settings include control over AirDrop and App Store app adoption. Other settings include the ability to manage access to media, such as external drives, USB flash drives, and Game Center, plus the ability to manage access to shared services such as Twitter and Facebook. Desktop settings allow control of the Desktop picture, Camera use, iCloud documents, data and passwords, and Spotlight suggestions.
The Login Window payload lets you configure the login window with a message, designate the type of login display (name/pwd or list), allow local administrators to bypass management, allow the Guest account, configure a login window screen saver, limit device access to certain Groups, and embed login/logout scripts.
Login Items is a payload that can contain specified applications and network sharepoints to be activated at user login. The designated items will launch or mount after the user logs in and the Finder launches.
Mobility allows you to create mobile accounts - network user accounts with portable home directories. Used in conjunction with the Login Window payload, you can specify support for the External account, which is a mobile account with an externally attached home directory. The idea is to have managed systems, bound to a network directory, where the user carries their home directory (USB/Thunderbolt drive) from device to device; but still logs in as a network directory account.
The Dock payload can be configured for shared computers that need to have a consistent look and feel regardless of user.
Printing payloads allow the assignment of network printers to managed computers, as well as the ability to force all print jobs to contain the identity of the managed computer.
Parental Controls were designed to support 1:1's where policies required content filters for managed computers when they were away from the managed network, as well as being able to set curfews and usage time limits for younger users. The payload is also very useful in open labs where the ability to deny non-administrator access to systems past a certain time of day is recommended.
The Finder payload is designed to allow for limited access to external devices as well as hiding commands such as Shutdown or Go to Folder on common use / shared use systems.
Universal Access payload settings are not just for special needs; they also contain settings for open labs and users who need additional services, such as zoom. Examples are having screens flash at alerts versus beeping in an open lab, or configuring a Group of users' computers to support zoom with the trackpad.
Custom Settings payloads allow you to greatly expand your ability to provide templates and special settings for managed computers. You configure the preferences for any application that supports property lists (.plist files), upload that configured .plist file, edit out the unneeded portions (per-user state such as window positions or recent documents), and your managed systems will see that payload as a managed set of configuration settings to follow for that application.
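As an added example (not FileWave's code), the script below performs the "edit out the unneeded portions" step on an exported preference plist before upload: the sample plist, the hypothetical bundle name com.example.app and the set of keys treated as policy are all constructed assumptions, not values from the page.

```python
import plistlib

# Constructed sample: roughly what an exported preference file for a
# hypothetical app (com.example.app, a placeholder) looks like. Only some
# of these keys are policy; the rest is per-user state to be edited out.
EXPORTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutoUpdateEnabled</key><true/>
    <key>ProxyServer</key><string>proxy.example.internal</string>
    <key>ProxyPort</key><integer>8080</integer>
    <key>NSWindow Frame MainWindow</key><string>0 0 800 600 0 0 1440 877</string>
    <key>LastOpenedDocument</key><string>/Users/alice/report.pdf</string>
    <key>RecentSearches</key><array><string>budget</string></array>
</dict>
</plist>
"""

# Assumed allowlist: keys the administrator wants managed on every client.
# Anything not listed here (window frames, recent files) is dropped.
MANAGED_KEYS = {"AutoUpdateEnabled", "ProxyServer", "ProxyPort"}


def trim_plist(raw: bytes, keep: set) -> dict:
    """Parse an exported plist and keep only the keys in `keep`."""
    prefs = plistlib.loads(raw)
    if not isinstance(prefs, dict):
        raise ValueError("expected a dictionary at the top level of the plist")
    return {k: v for k, v in prefs.items() if k in keep}


def dropped_keys(raw: bytes, keep: set) -> list:
    """List the keys that were edited out, so the trim can be reviewed."""
    prefs = plistlib.loads(raw)
    return sorted(k for k in prefs if k not in keep)


def to_plist_xml(prefs: dict) -> bytes:
    """Serialise the trimmed dictionary as an XML plist ready for upload."""
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML, sort_keys=True)


if __name__ == "__main__":
    managed = trim_plist(EXPORTED_PLIST, MANAGED_KEYS)
    print("edited out:", dropped_keys(EXPORTED_PLIST, MANAGED_KEYS))
    print(to_plist_xml(managed).decode())
```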
The Directory payload allows you to configure binding to LDAP directories for your macOS systems. You can set up anonymous or authenticated bindings.
Energy Saver payload settings allow you to preconfigure managed computers with the settings to optimize battery life in portables, as well as force desktop systems in a lab to sleep or wake when needed for online maintenance.
macOS (10.7+) settings
These settings are for OS X v10.7 (Lion) or higher only.
The Identification payload, using parameterized profile settings, can allow you to preconfigure user identity information for multiple users in OS X. You can define just a user's name, or nothing at all other than a prompt text that tells the user what to do the first time they log in. This information would then be saved for use in any service that can take advantage of Apple's Identity framework.
Messages allows you to preload the settings for user access to Jabber or AIM chat services. It can use parameterized profile settings for this payload.
Configuring the AD Certificate payload lets you set up other payloads, such as VPN or Network, more easily. This payload provides the authentication data that will validate access to other services dependent on Active Directory certificates.
For environments using Time Machine servers or Time Capsules, this payload lets you set up the access information for backup of managed devices.
This section is used to configure Xsan; specifically the name of the Xsan network, the name of the FS Name Server, and the authentication secret, if one is used.
This payload type is used to configure proxy settings, including exception for specified hosts and domains.
Use this section to define settings for Disk Encryption (FileVault 2). You can find more information about FileVault 2 on FileWave's Knowledge Base.
Smart Card Settings
Use this section to configure smart card security settings for macOS.
System Migration Settings
Use this section to configure system migration settings.
Use this section to configure time server settings.
Use this section to configure allowed extensions on macOS.
Kernel Extension Policy
Use this section to configure kernel extensions on macOS.
Use this section to configure content caching settings on macOS.
Restrictions allows you to push three different restrictions to your Apple TV:
- Disable AirPlay (supervised only)
- Require passcode on first AirPlay pairing
- Disable control using Remote app (supervised only)
Single App Mode
Use this section to specify the app to which the device should be locked. These settings will only affect supervised devices.
Conference Room Display (supervised only)
Use this section to put a supervised Apple TV into Conference Room Display mode.
Use this section to configure settings for AirPlay security.
Home Screen Layout (supervised only)
Use this section to configure tvOS home screen layout. These settings will only affect supervised devices.
TV Remote (supervised only)
Use this section to configure the list of iOS devices that can control the Apple TV(s). These settings will only affect supervised devices.