Part 3) Win MDM Setup: The Portal App


The configuration of your Windows MDM integration is driven entirely by an application that you create yourself in the Microsoft Azure Portal.


This application is the linchpin that ties your devices (in AutoPilot), through your user accounts (the group associated with the app), into redirection to your FileWave MDM server. Detailed setup steps follow.


Add Azure AD account in FileWave

  1. Open your FileWave Web Admin page and navigate to Sources.
  2. Click the Microsoft tab.
  3. Click on New account and you should see the following form:

Keep this form open for completion in later steps.

Configuring Azure AD

Creating MDM application

In order to enable MDM enrollment, you first need to configure your Azure AD to recognize your FileWave server as your MDM.

  1. Go to your Azure AD portal.
  2. From the dashboard, navigate to Azure Active Directory → Mobility (MDM and MAM) and then click Add application.
  3. In the new application form, select On-premises MDM application, give it a name and a logo, and click Add.

Configuring your MDM application

  1. Go back to the list of MDM applications from step 2 above and open the application you have just created. You should see the following options:
    1. MDM user scope: This is where you indicate which users can enroll their devices using this MDM application. You can choose either:
      1. All: Force all users to use this MDM application. (Preferred)
      2. Some: Select the user groups that are allowed to use this MDM application to enroll their devices. If you use this, make sure you create a group to restrict it and add every user whose devices will be managed by MDM to that same group.

It is very important, if you have another solution such as Intune in place, that you do not have both Intune and FileWave enabled for the same users; otherwise you may get an error about not having permission to enroll devices. You can test this by disabling the Intune MDM (or another vendor's) in Azure by setting it to None, waiting 5 minutes, and then enrolling with FileWave, which should now succeed. Think about which MDM solution you want for the different users in your environment: a single device can only really be in a single MDM. You can, for instance, enroll in Intune for MDM and install the FileWave agent, but then you could only push Windows Profiles from Intune. Everything else would work just fine in FileWave for those devices.

Integrating FileWave and Azure

After configuring your MDM application, on the same page you will see a small link that reads On-premises MDM application settings. Click it to open your on-premises application settings. You should see the following page:

From here there are only a few steps left!

  1. Copy the Application ID and Tenant ID from this page and paste them into the Azure Account form in FileWave Web Admin (which you kept open from earlier).
  2. The Application ID URI value in your MDM app (in Azure AD) must match your FileWave server URL. To set it, go to "Expose an API" on the left side and edit the URL there. The URL should be like replacing that with your server's DNS name.
  3. Go back to the Azure account form in your FileWave Web Admin and download the FileWave certificate.
  4. Once you have the certificate, go back to the Azure AD portal, navigate to Certificates & secrets, and upload the certificate to your Azure MDM application there.
  5. Once the certificate is uploaded, wait a couple of seconds, then go back to FileWave Web Admin, in the still-open Azure account form, and click the Check Status button.
  6. As soon as you see the green light, save your Azure account.
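As an added example (not part of this article and not FileWave's own tooling), the following Python script checks offline the two things that steps 2 to 4 establish and that the Check Status button confirms: that an Application ID URI on the registration names the FileWave server over https, and that the certificate downloaded from FileWave is the one uploaded under Certificates & secrets and is not expired or about to expire. It assumes the registration has been exported as JSON (for example with `az ad app show --id <appId> -o json`) and that the `identifierUris` and `keyCredentials` field names follow the Microsoft Graph application object; because tools differ in how they show `customKeyIdentifier`, both 40-character hex and base64 of the raw thumbprint bytes are accepted. The server name `fwserver.example.com`, the all-zero app id, the fixed "now" and the certificate are constructed placeholders; the certificate is not a real X.509 object, only bytes in PEM armour, which is enough because a thumbprint is simply SHA-1 over the DER bytes.

```python
"""Offline consistency checks for an Azure AD on-premises MDM app registration (added example)."""
import base64
import hashlib
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import urlparse

# Hypothetical server name; replace with your FileWave server's DNS name.
FILEWAVE_SERVER_URL = "https://fwserver.example.com"
# Fixed "now" so the sample run is reproducible; pass None to use the real clock.
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

def pem_to_der(pem: str) -> bytes:
    """Decode the base64 body between the PEM armour lines into DER bytes."""
    body = "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)

def thumbprint(der: bytes) -> str:
    """Thumbprint as the Azure portal shows it: SHA-1 over the DER, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()

def credential_thumbprint(cred: dict) -> Optional[str]:
    """Normalise keyCredentials[].customKeyIdentifier to upper-case hex. Assumption: the value is
    either 40 hex chars or the 20 raw thumbprint bytes as base64; anything else is unknown."""
    raw = cred.get("customKeyIdentifier") or ""
    if len(raw) == 40 and all(c in "0123456789abcdefABCDEF" for c in raw):
        return raw.upper()
    try:
        decoded = base64.b64decode(raw, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    return decoded.hex().upper() if len(decoded) == 20 else None

def check_identifier_uri(app: dict, server_url: str) -> List[str]:
    """Step 2: an Application ID URI must name the FileWave server, over https."""
    want_host = (urlparse(server_url).hostname or "").lower()
    uris = app.get("identifierUris") or []
    if not uris:
        return ["Application ID URI is not set (identifierUris is empty)"]
    problems = []
    if not any(urlparse(u).scheme == "https"
               and (urlparse(u).hostname or "").lower() == want_host for u in uris):
        problems.append(f"no https Application ID URI points at {want_host}: {uris}")
    problems += [f"Application ID URI {u!r} is not https"
                 for u in uris if urlparse(u).scheme != "https"]
    return problems

def check_key_credential(app: dict, cert_der: bytes, now: datetime) -> List[str]:
    """Step 4: the certificate downloaded from FileWave must be among the app's
    keyCredentials and must not be expired or within 30 days of expiry."""
    want = thumbprint(cert_der)
    creds = app.get("keyCredentials") or []
    matching = [c for c in creds if credential_thumbprint(c) == want]
    if not matching:
        uploaded = [credential_thumbprint(c) for c in creds]
        return [f"no keyCredential with thumbprint {want}; uploaded: {uploaded}"]
    problems = []
    for c in matching:
        end = datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            problems.append(f"certificate {want} expired on {end.date()}")
        elif end - now < timedelta(days=30):
            problems.append(f"certificate {want} expires within 30 days ({end.date()})")
    return problems

def verify_mdm_app(app: dict, cert_pem: str, server_url: str,
                   now: Optional[datetime] = None) -> List[str]:
    """Run both checks; an empty list means Azure's side agrees with FileWave's."""
    now = now or datetime.now(timezone.utc)
    der = pem_to_der(cert_pem)
    return check_identifier_uri(app, server_url) + check_key_credential(app, der, now)

# Constructed sample certificate: NOT a real X.509 object, just bytes in PEM armour.
# The thumbprint computation is identical for a real certificate.
_FAKE_DER = b"constructed-fake-der-bytes-for-the-example"
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(_FAKE_DER).decode() + "\n-----END CERTIFICATE-----\n")

# Constructed sample registration; the appId is a placeholder, not a real application.
SAMPLE_APP = {
    "appId": "00000000-0000-0000-0000-000000000000",
    "identifierUris": ["https://fwserver.example.com"],
    "keyCredentials": [
        {  # the FileWave certificate, identifier stored as base64 of the raw thumbprint bytes
            "customKeyIdentifier": base64.b64encode(bytes.fromhex(thumbprint(_FAKE_DER))).decode(),
            "endDateTime": "2030-01-01T00:00:00Z", "type": "AsymmetricX509Cert",
        },
        {  # a stale credential left over from an earlier attempt, identifier in hex
            "customKeyIdentifier": "AA" * 20, "endDateTime": "2020-01-01T00:00:00Z",
        },
    ],
}

if __name__ == "__main__":
    for line in verify_mdm_app(SAMPLE_APP, SAMPLE_CERT_PEM, FILEWAVE_SERVER_URL, SAMPLE_NOW) or ["OK"]:
        print(line)
```

To run it against a real registration, replace `SAMPLE_APP` with the `json.load` of the exported JSON, `SAMPLE_CERT_PEM` with the contents of the certificate downloaded in step 3, and pass `None` for `now`. An empty result means the registration should pass Check Status; a non-empty one names the mismatch (wrong or non-https URI, certificate not uploaded, or a credential that will soon stop authenticating the server to Azure AD).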

You are now ready to enroll a device into Windows MDM.