Creating an iOS Device Policy

Before you begin

Important: If you wish to enroll an iOS device using a third-party certificate, bind a trusted third-party certificate to Deployment Server Extensions and Web Console and iOS Profile Signing in the SOTI MobiControl Administration Utility and turn off the Require Trust Profile During Enrollment setting.

About this task

Use this procedure to create an Apple iOS Enrollment Policy.


  1. From the main menu, select Policies > Enrollment. The Enrollment Policies view is displayed.
  2. Click New Enrollment Policy. The Enrollment Policy wizard launches.
  3. Below the Apple icon, select the iOS platform. The General view is displayed.
  4. On the General view, enter a name and description for the policy. Make the name brief but descriptive, especially if you plan to create multiple enrollment policies. Click Next.
  5. On the Device Type view, choose an enrollment type:
    • Device: Use where you will have full control over the device.
    • User: Use in BYOD environments. Only supported on devices running iOS 13.1 or later.
    See iOS Enrollment Types for more information.
  6. Optional: For User enrollment only: Select the type of Managed Apple IDs that will be authorized to enroll using this policy.
    Federated Account: Select to use a Microsoft Azure AD connection to authorize Managed Apple IDs.
    Local Accounts: Select to add local Managed Apple ID accounts. You can add up to 1,000 accounts. Accounts must conform to a valid email address format, such as user@domain or user@domain.topleveldomain.
    Tip: Click Import to upload a .csv of Managed Apple IDs. The .csv should be a list of Managed Apple IDs, with no header.
  7. Click Next. On the Groups view, choose whether authentication is required for enrollment. No authentication means that devices are enrolled without user verification. If authentication is required, select one of the following options:
    Password: Type a single password for use across all devices that enroll with this policy. Once the password is set, select a device group destination.
    Directory: Click the Add button to add directory groups. Choose a directory service from the dropdown and use the Search Groups field to find a group. You can add a new directory service connection by clicking Manage Services. From the dropdown menu, choose Directory, Identity Provider, or SOTI Identity. See Identity Management for more information. Once the directory group is added, select a device group destination and applicable terms and conditions.

    Important: Multiple directory groups can be added to the enrollment policy; however, the authenticated device will be assigned to the first listed directory group of which the user is a member. Use the up/down arrow buttons to arrange the list in an appropriate order.
  8. Click Next. The Auto Enroll view is displayed.
  9. Optional: Click Enable Automated Device Enrollment to configure device settings for future device enrollments. Set the following:
    1. Under Select an Automated Device Enrollment account, select the account to perform Automated Device Enrollment.
      Note: To add a new Automated Device Enrollment account, click Manage Accounts and follow the steps in Creating ADE Accounts.

      [Figure: Selecting Manage Accounts for Auto Device Enrollment]

    2. Scroll down to select from the available settings.

      [Figure: Option list of available enrollment settings]

  10. Click Next. The Settings view is displayed.
  11. Select from the available settings, then click Finish.
  12. The new enrollment policy is created, and the Enrollment Policy Info page is displayed. This page lists policy details and device enrollment options:
    • Click the Email button. Click Manage Emails to email the enrollment URL to a recipient.
    • Click iOS Agent Enrollment ID to reveal and copy the ID.
    • Click Enrollment URL to view or copy the enrollment URL directly.
  13. Click OK to complete the process.
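
As an added example (not part of the SOTI documentation or product), the following Python script checks a .csv of Managed Apple IDs against the constraints in step 6 before import: no header, at most 1,000 accounts, and an address format of user@domain or user@domain.topleveldomain. One ID per row, the regular expression, and the case-insensitive duplicate check are assumptions, and the sample data is constructed.

```python
import csv
import io
import re

MAX_ACCOUNTS = 1000  # limit stated in step 6
# Assumed shape check for user@domain or user@domain.topleveldomain;
# this is not SOTI MobiControl's own validation logic.
ADDRESS = re.compile(r"^[^@\s,]+@[^@\s,.]+(\.[^@\s,.]+)*$")

# Constructed sample: header row, a duplicate, a malformed entry, an extra column.
SAMPLE = ("AppleID\nalice@example.com\nbob@corp\nalice@example.com\n"
          "carol example.com\n\ndave@example.org,extra\n")

def check_managed_apple_ids(text):
    """Return (ids, problems); problems is a list of (line_number, reason)."""
    ids, problems, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [c.strip() for c in row if c.strip()]
        if not cells:
            continue  # blank line
        if len(cells) > 1:
            problems.append((lineno, "more than one value on the row"))
            continue
        value = cells[0]
        if not ADDRESS.match(value):
            reason = ("looks like a header row" if lineno == 1
                      else "not a valid address format")
            problems.append((lineno, f"{reason}: {value!r}"))
            continue
        if value.lower() in seen:
            # A repeated ID wastes one of the 1,000 slots and hides list errors.
            problems.append((lineno, f"duplicate: {value!r}"))
            continue
        seen.add(value.lower())
        ids.append(value)
    if len(ids) > MAX_ACCOUNTS:
        # Line 0 marks a file-level problem rather than a single row.
        problems.append((0, f"{len(ids)} accounts exceeds the limit of {MAX_ACCOUNTS}"))
    return ids, problems

if __name__ == "__main__":
    ids, problems = check_managed_apple_ids(SAMPLE)
    print(f"{len(ids)} importable IDs")
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
```

Because this list defines which Managed Apple IDs are authorized to enroll under the policy, review every flagged row before clicking Import rather than deleting it silently.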