Server-side Management Enrollment Process

1. Open the Files Advanced web interface.
2. Log in as an administrator.
3. Open the Mobile Access tab.
4. Open the Settings tab.
5. Select the desired device enrollment requirements

Enrollment Settings

Allow mobile clients restored to new devices to auto-enroll without PIN -

Use user principal name (UPN) for authentication to Gateway Servers - will use username@domain.com for authentication when enabled instead of domain/username.

Device Enrollment Mode

Files Advanced includes two device enrollment mode options. This mode is used for all client enrollments. You will need to select the option that fits your requirements:

• PIN number + Active Directory username and password - In order to activate their Files Advanced app and gain access to Files Advanced servers, a user is required to enter an expiring, one-time use PIN number and a valid Active Directory username and password. This option ensures that a user can only enroll one device, and only after receiving a PIN number issued by their IT administrator. This option is recommended when the enhanced security of two-factor device enrollment is required.
• Active Directory username and password only - A user can activate their Files Advanced app using only their Active Directory username and password. This option allows a user to enroll one or more devices at any point in the future. Users just need to be given the name of their Files Advanced server, or a URL pointing to their Files Advanced server, which can be posted on a web site or emailed, simplifying the rollout of Files Advanced to large numbers of users. This option is preferred in environments where two-factor enrollment is not required and many users may need access to Files Advanced at any time, such as student deployments.

Inviting a user to enroll

Users are typically invited to enroll with the Files Advanced Server with an email that is sent from an Files Advanced Administrator. If required by the server, this email contains a one-time use PIN number that is valid for a configurable number of days. The PIN number can be used to enroll the Mobile app on one device only. If a user has multiple devices, they will need to be sent one invitation email for each device that needs access. This email includes a link to the Mobile app in the App Store, in the case the app first needs to be installed. It also includes a second link that, when tapped while on the device, will open the Files Advanced mobile and auto-complete the client enrollment form with the Files Advanced Server's name, the unique enrollment PIN number, and the user's username. By using this link, a user simply enters their account password to complete client enrollment.

• Once an enrollment invitation is generated, the invited users are displayed on the Enrollment Invitations page. Each user's PIN number is listed, in the case that you need to communicate it by a means other than the automatic email.
• Once a user successfully enrolls their Files Advanced mobile using their one-time use PIN number, they will no longer appear in this list.
• To revoke a user's invitation PIN number, press delete to remove them from the list.

Using basic URL enrollment links when PIN numbers are not required

If your server is configured to not require PIN numbers for client enrollment, you can give your users a standard URL that will automatically start the enrollment process when tapped from the mobile device.

To determine the enrollment URL for your management server, open the Mobile Access tab and open the Enroll Users tab. The URL is displayed on this page.

Note: For more information on the two modes, visit the Settings section.

To generate a Files Advanced enrollment invitation:

1. Open the Mobile Access tab and open the Enroll Users tab
2. Press the Send Enrollment Invitation button.
3. Enter an Active Directory user name or group name and click Search. If a group is chosen, you can press Add to show each email address in that group in the Users to invite list. This will allow you to batch invite all members in a group. You can optionally remove one or more of those group members before sending the invitations. You can perform 'begins with' or 'contains' searches for Active Directory groups. Begins with search will complete much faster than contains searches.
4. Once you've added your first user or group, you can issue a new search and continue to add additional users or groups to the list.
5. Review the list of Users to invite. You can Delete any users you would like to remove them from the list.
6. If a user does not have an email address associated with their account, you will see No email address assigned - click here to edit in the Email Address column. You can click any of these entries to manually enter an alternate email address for that user. If a user is left with No email address assigned, a PIN number will still be generated for them, and will be visible on the Enroll Users page. You will need to convey this PIN number to the user by another means before they can enroll their Files Advanced mobile.

   Note: If you prefer to manually communicate enrollment PIN numbers to the users, you can uncheck the Send an enrollment invitation email to each user with a specified address option. Each PIN number will be visible on the Enrollment Invitations page.

7. Choose the number of days you'd like the invitation to be valid for in the Number of days until invitation expires field.
8. Choose the number of PINs you'd like to send to each user on the invitations list. This can be used in cases where a user may 2 or 3 devices. They will receive individual emails containing each unique one-time-use PIN.

   Note: Files Advanced licensing allows each licensed user to activate up to 3 devices, each additional device beyond 3 is counted as a new user for licensing purposes.

9. Choose the version or versions of the Files Advanced mobile that you would like your users to download and install on their device. You may choose iOS, Android, or Both. If you are using Files Advanced for Good Dynamics, you can select that option and your users will only be directed to download the Good Dynamics version of the Files Advanced mobile.
10. Press Send.

    Note: If you get an error message when sending, confirm that the SMTP settings in the SMTP tab under General Settings are correct. Also, if you're using Secure connection, verify that the certificate you are using matches the host name of your SMTP server.

Inviting users previously enrolled by mobilEcho 4.5 or earlier

mobilEcho 2.X did not require a PIN number to enroll a client in the Client Management system. There are two options for migrating mobilEcho 2.X clients to the Files Advanced management system. By default, mobilEcho servers that are upgraded from 2.X allow clients previously managed by the 2.X server to auto-enroll and appear in the Files Advanced Devices list without having to enter a PIN number. If you would like to ensure that all devices accessing the system have enrolled with a PIN number, you can disable this setting. In that case, if the user doesn't have User can remove Mobile Client from management privileges, the user will need to delete Files Advanced from their device and reinstall a new copy from the App Store before they can enroll using a PIN number.

Also note that when this auto-enroll setting is enabled, it will be possible to do an iTunes backup of a device running a managed version of mobilEcho 2.X or 3.0, restore that backup to a new device, and as long as the user has the active directory username and password for the associated account, that new device can be automatically enrolled in client management without a PIN number.

It is recommended that you disable the auto-enroll setting after your previously managed clients have all accessed the management server for the first time. They will appear in the Devices list when this happens.

To allow mobilEcho clients that were already enrolled in mobilEcho 2.X Client Management to automatically enroll after your mobilEcho Client Management server is upgraded to the Files Advanced Server, enable the Allow mobilEcho clients previously managed by 2.X servers and managed mobilEcho clients restored to new devices to auto-enroll without PIN setting.