Enrolling iOS Devices Using a SOTI MobiControl Certificate

Before you begin

Important: Install the Apple Push Notification Service (APNS) certificate before enrolling your Apple devices. The APNS certificate facilitates regular communication between the SOTI MobiControl deployment server and enrolled Apple devices.

About this task

In this procedure, you'll learn how to:
  • Define enrollment settings for iOS devices
  • Enroll iOS devices

Note: If you bound trusted third-party certificates to Deployment Server Extensions and Web Console and iOS Profile Signing in the SOTI MobiControl Administration Utility, and the Require Trust Profile During Enrollment setting is turned off, follow the steps at Enrolling iOS Devices Using a Third Party Certificate instead.

Procedure

Define enrollment settings for iOS devices
  1. In the SOTI MobiControl legacy console, go to Apple > Rules and right-click Add Devices. Select Create Add Devices Rule to launch the Create Add Devices Rule wizard.
    An add devices rule defines enrollment settings for your devices. You can create multiple add devices rules, each with different enrollment settings. However, you cannot use one add devices rule across multiple platforms.
    Location of right-click menu to create a new Apple add devices rule.
  2. Enter a name for the add devices rule. Make it brief, but descriptive, especially if you plan to create multiple add devices rules. Click Next.
  3. Enter an MDM Profile Description. This will appear to the device user.
  4. Select an enrollment type:
    • Device Enrollment: Use where you'll have full control over the device.
    • User Enrollment: Use in BYOD environments. Only supported on devices running iOS 13.1 or later.
    See iOS Enrollment Types for more information.
  5. Optional: For User Enrollment only: Select the type of Managed Apple IDs that will be authorized to enroll using this add devices rule.
    Accounts Federated by Microsoft Azure AD: Select to use a Microsoft Azure AD connection to authorize Managed Apple IDs.
    Local Accounts: Select to add local Managed Apple ID accounts. You can add up to 1000 accounts. Accounts must conform to a valid email address format, such as user@domain or user@domain.topleveldomain.
    Tip: Click Import to upload a .csv of Managed Apple IDs. The .csv should be a list of Managed Apple IDs, with no header.
  6. Choose the destination device groups:
    Manual: All devices enrolled with this rule will be placed in the same device group.

    On the next screen, select a device group from the list to enroll your devices into, then skip to the step for selecting a user authentication option.

    Based on User Group Membership: Devices will be placed into groups based on the membership of the user account assigned to the device. You'll be able to associate user groups with specific device groups later in the wizard.

    Click Next.

  7. Choose either LDAP Directory Service or Identity Provider and then select an identity management connection from the dropdown list. If you have not configured any connections yet, click Manage Directory Services / IdP Connections to configure a new connection; it will then appear in the dropdown list. See Identity Management for more information. Click Next.
    Important: If you chose User Enrollment and Accounts Federated by Microsoft Azure AD, you must select the Identity Provider option and use an IdP connection that is backed by the same Azure AD connection you selected on the previous Managed Apple IDs screen.
  8. Enter a user group (for example, administrators) that exists in your connection in the field and click Add. Once it appears under User Groups, choose a device group from the dropdown list. All members of the user group will be automatically added to the selected device group as soon as they enroll in SOTI MobiControl. If you'd like, add any terms and conditions documents. Click Next.
    User group mapping in add devices rule
  9. Select a user authentication option.
    Note: These options appear only if you chose Manual for mapping your device destinations.
    Utilize user groups to authenticate users during device enrollment: Use a directory service or an identity provider for user authentication.

    Select Directory Service to choose a directory service connection from the list, then search for a user group using that connection. If no directory service connection has been configured yet, select Manage Directory Services to open the directory service configuration, where you can create a new connection.

    Select Identity Provider to choose an identity provider connection from the list, then search for a user group using that connection. If no identity provider connection has been configured yet, select Manage IdP Connections to open the identity provider configuration, where you can create a new connection.

    Authenticate using the Identity Provider that federates your Managed Apple IDs: Use the same Identity Provider (IdP) you selected for your Managed Apple IDs to authenticate your devices. You can allow all authenticated users to enroll with this rule, or restrict enrollment by specifying which groups within the IdP connection can enroll.
    Note: This option is only available for User Enrollment add devices rules that use Accounts Federated by Microsoft Azure AD.
    Password required to verify device enrollment: Specify a single password for enrollment across all devices that enroll using this add devices rule.
    No password required to verify device enrollment: Allow devices to enroll without verification.
    Use static enrollment challenge: Use a static enrollment challenge. (For use with Apple Configurator.)
  10. Leave Internal SOTI MobiControl CA selected as the certificate authentication authority.
    If you want to enroll devices with a third-party certificate, follow the steps at Enrolling iOS Devices Using a Third Party Certificate instead.
  11. Optional: Set this add devices rule as an enrollment profile for Apple's Automated Device Enrollment (ADE). Select all the options you want to apply to this enrollment profile. If you have not already configured ADE with SOTI MobiControl, click Configure ADE. Click Next.
    Note: ADE is not supported on User Enrollment add devices rules.
  12. Optional: Enable the Terms and Conditions setting and select a terms and conditions document from the dropdown list. If you haven't uploaded a terms and conditions document yet, click Manage to add a new document. Click Next.
    Device users will be prompted to accept the terms and conditions upon enrollment.
  13. Specify a naming convention for your devices. Use a combination of text and macros to automatically and intelligently name your devices.
    For example, Ottawa Sales %AUTONUM% %ENROLLEDUSER_EMAIL% transforms into Ottawa Sales 001 sarah@organization.com, Ottawa Sales 002 saurabh@organization.com, and so on.
  14. Optional: Choose images for your devices' lock and home screens. Click the image icon to browse your computer for image files. Toggle between iPhone and iPad to use different images on different device types.
    iOS wallpaper picker
    Note: You cannot specify images for user enrollment add devices rules.
  15. Review your enrollment settings. Click Back to return to a previous screen and make changes or click Advanced to adjust the rule further.
  16. Once you're satisfied with your enrollment settings, click Finish to save your new add devices rule.
  17. Make a note of the Enrollment ID or Enrollment URL.
    Location of Enrollment ID and URL in add devices rule summary
Enroll iOS Devices
Note: On devices running iOS 10.3.3 or later, you will receive a warning prompt whenever the Enrollment Service requests access to the Settings app. Tap Allow to continue.
  1. On your iOS device, open the Safari web browser and enter the Enrollment URL in the address bar.
    If you receive a popup stating that the browser cannot verify the server identity, tap Continue to dismiss it and proceed to the iOS Enrollment Service web page.
  2. Enter the credentials you specified in the add devices rule.
  3. Tap Step 1 to begin downloading the SOTI MobiControl Trust Profile.
    This profile installs the SOTI MobiControl Root CA certificate on your iOS device. It is required to verify the SOTI MobiControl Device Enrollment Profile.
  4. Tap Install to initiate the download. On devices running iOS 12.2 or later, you'll need to navigate to Settings > General > Profiles and Device Management and tap Install to initiate the download. Once the Trust Profile has finished downloading, tap Install again to install the Trust Profile and continue with the enrollment process.
  5. Complete this step if the device is running iOS 10.3 or later: On your iOS device, navigate to Settings > General > About > Certificate Trust Settings and activate Enable Full Trust for Root Certificates for the certificate that was downloaded in the previous step. Return to Safari.
  6. Optional: If this device is enrolled with a user enrollment add devices rule, enter your Managed Apple ID and tap Enroll.
  7. Tap Step 2 to download the SOTI MobiControl Device Enrollment Profile. Tap Allow, then Install, and then Install again to install the SOTI MobiControl Device Enrollment Profile. On devices running iOS 12.2 or later, you'll need to navigate to Settings > General > Profiles and Device Management and install the device enrollment profile from there.
    When you tap Install, you will receive a warning message with a brief description of the purpose of the SOTI MobiControl Device Enrollment Profile. Tap Trust to continue.

    The installation process of the SOTI MobiControl Device Enrollment Profile includes several automatic steps that require no user interaction. Once the profile has finished installing on your device, tap Done.
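
Before installing the Trust Profile from steps 3 and 4, it is worth confirming that the root CA it carries is the one your administrator published (with the fingerprint obtained out of band, not from the enrollment page itself). The following is an added Python example, not SOTI's own code: it assumes an unsigned .mobileconfig (a signed profile is a CMS wrapper that must be unwrapped first), and the certificate bytes, identifiers and UUIDs are constructed placeholders.

```python
import hashlib
import plistlib


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def build_trust_profile(root_certs_der):
    """Constructed, unsigned .mobileconfig with one com.apple.security.root payload per cert."""
    payloads = []
    for i, der in enumerate(root_certs_der, start=1):
        payloads.append({
            "PayloadType": "com.apple.security.root",
            "PayloadVersion": 1,
            "PayloadIdentifier": f"example.trust-profile.root{i}",  # placeholder value
            "PayloadUUID": f"00000000-0000-0000-0000-{i:012d}",      # placeholder value
            "PayloadContent": der,  # DER certificate bytes, serialised as a <data> element
        })
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.trust-profile",            # placeholder value
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",   # placeholder value
        "PayloadDisplayName": "Trust Profile (constructed sample)",
        "PayloadContent": payloads,
    })


def root_ca_fingerprints(mobileconfig: bytes) -> list:
    """Fingerprints of every root CA payload in an unsigned profile; other payload types are ignored."""
    profile = plistlib.loads(mobileconfig)
    return [fingerprint(p["PayloadContent"])
            for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.security.root"]


def profile_matches_expected_roots(mobileconfig: bytes, expected_fingerprints: set) -> bool:
    """True only if the profile installs at least one root CA and none outside the expected set."""
    found = root_ca_fingerprints(mobileconfig)
    return bool(found) and set(found) <= expected_fingerprints


# Constructed stand-in for the SOTI MobiControl Root CA (not a real DER certificate).
FAKE_ROOT_CA_DER = b"\x30\x82\x01\x00CONSTRUCTED-ROOT-CA-DER"
SAMPLE_TRUST_PROFILE = build_trust_profile([FAKE_ROOT_CA_DER])
```

Compare the fingerprints returned by root_ca_fingerprints against the set the administrator published; a profile that installs any root outside that set should not be trusted.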

Results

You will be returned to the Safari browser where you can see if the enrollment was successful.