System Requirements

Your environment must meet the following requirements to successfully install and deploy SOTI MobiControl. Unless noted, these are the minimum requirements for a deployment of less than 1000 devices. Above 1000 devices, it is highly recommended that you consider upgrading the components for better performance.

For SOTI products that are past their End of Life (EOL), SOTI does not market, sell, deploy, or provide updates to those versions. See End of Life (EOL) to understand product upgrade needs.

Note: The deployment server and the management server support load balancing. However, the SOTI MobiControl console is not kept in global cache, therefore it is important to use sticky sessions.

Tip: If you do not want to run SOTI MobiControl server components using a Local System account, you can create a Service Account with the appropriate permissions.

General Requirements


Component	Required Level
Operating System	Windows Server 2016 Windows Server 2019 Windows Server 2022 Note: TLS 1.3 is not supported with Windows Server 2022 and should be disabled.
Storage	The application uses approximately 300 MB of storage space
Browsers	Google Chrome Mozilla Firefox Microsoft Edge
Other	.NET Runtime 6.0, ASP.NET Core Runtime 6.0, .NET Framework 4.8 Runtime x64 and .NET Core 3.1 runtime libraries installed with all critical updates. Note: .NET Runtime 6.0 and ASP.NET Core Runtime 6.0 are installed at the same time using the ASP.NET Core 6.0 Runtime - Windows Hosting Bundle. Oracle Java 11 (64 bit) You can use Oracle JDK or OpenJDK 11.0.2 as an alternative. For details, see Installing Oracle JDK for Use With SOTI MobiControl and Installing OpenJDK for Use With SOTI MobiControl. Optional, depending on your requirements: If managing Android or Apple devices: DNS (accessible externally) If managing Apple devices: APNS certificate (with password and APNS topic string) Note: APNS requires one of the following TLS cipher suites to be enabled on the deployment server: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 If the SOTI MobiControl console is configured to use directory service integrated security: LDAPS DNS name
Ports and IP Addresses	See the default Network Ports and IP addresses that SOTI MobiControl uses to communicate.

Recommended Settings

The listed components should meet the recommended levels to run SOTI MobiControl.


Component	Recommended Level
Memory (RAM)	10 to 500 devices: 4 GB+ 500 to 1000 devices: 6 GB+ 1000+ devices: 8 GB+
Processor Speed	10 to 1000 devices: 2 GHz dual core or faster 1000+ devices: 3 GHz quad core or faster These are the minimum requirements. If there is constant data collection and configurations, SOTI recommends upgrading to higher clock speeds.

Database Requirements

The SOTI MobiControl installer comes bundled with Microsoft SQL Server 2016 Express Edition, a lightweight version of SQL Server 2016. It is typically adequate for deployments of 10-1000 devices. For deployments of more than 1000 devices, consider using Microsoft SQL Server 2019 as it has many scalability and performance improvements.

You can install the database and deployment server on the same host server. However, for deployments of more than 500 devices, it is recommended to use a standalone database.


Component	Required Level
Software	Microsoft SQL Server 2016 (Service Pack 2, Cumulative Update 12) Microsoft SQL Server 2017 (Cumulative Update 8 and above) Microsoft SQL Server 2019 (Cumulative Update 12 and above)
Operating System	Windows Server 2016 Windows Server 2019 Windows Server 2022

SOTI MobiControl requires SQL servers use a database collation that is case insensitive and accent sensitive. For example, SQL_Latin1_General_CP1_CI_AS is a collation that meets these criteria.

Note: Ensure the TCP/IP network protocol is enabled in your SQL Server network configuration.

Database Permissions

When installing SOTI MobiControl, you must be either a SysAdmin or a DbCreator with additional ALTER ANY LOGIN permissions. When upgrading SOTI MobiControl, you must also have ALTER DATABASE permissions.

When performing regular operations for SOTI MobiControl Main and Archive databases, the user must have the following permissions:

Db_datareader
Db_datawriter
Permission for execution of all procedures

Database Recommendations

The listed components should meet the recommended levels to install the database.


Component	Recommended Level
Memory (RAM)	4 GB or more
Processor Speed	2 GHz Dual Core or faster
Storage	Approximately 350 MB for installation 10 to 500 devices: 2 GB for database growth 500 to 1000 devices: 4 GB for database growth 1000+ devices: at least 5 GB for database growth Note: The database size is dependent on the amount of historical log information that you set SOTI MobiControl to retain, as well as the frequency with which package deployment is used.

Network Ports

SOTI MobiControl uses the following ports to communicate between components.

Tip: For an interactive guide to SOTI MobiControl network connections, see the SOTI MobiControl network configuration diagram.

Tip: For the list of hosts and ports required by SOTI MobiControl to ensure fully functional Android Enterprise devices, see Android Enterprise Network Requirements for SOTI MobiControl.

Deployment Server Connections


Component Name	Protocol	TCP Port(s)	Direction
SOTI MobiControl Deployment Server Note: For deployments with multiple Deployment servers, for caching purposes.	Binary	5495	Inbound
SOTI MobiControl Management Server	Binary	5494/5495	Inbound
Amazon App Store	HTTPS	443	Outbound
Apple Push Notification Service (APNS)	HTTPS	443	Outbound
Apple ADE	HTTPS	443	Outbound
Apple Store Licenses	HTTPS	443	Outbound
Certification Authority - DCOM Note: Must be on the same domain.	Binary	Dynamic	Outbound to the CA
Certification Authority - HTTP	HTTPS	443	Outbound
Google Play	HTTPS	443	Outbound
iTunes	HTTPS	443	Outbound
LDAP	LDAP/S	389/636	Outbound
Microsoft SQL Server (SOTI MobiControl Database)	Binary	1433	Outbound from the management server and deployment server to the database
SOTI Cloud Link	HTTPS	443	Inbound
SOTI MobiControl Device Agents	Binary/HTTPS	5494, 443	Outbound from the device agents to the deployment server
SOTI MobiControl Device Agents (additional ports for legacy Windows Mobile/CE devices) Note: These ports are required only when Using SHA-1 and SHA-2 Certificates on the Same Deployment Server	Binary/HTTPS	5497/444	Outbound from the device agents to the deployment server
SOTI MobiControl Search	HTTPS	9200	Outbound to the MS
Native MDM	HTTPS	443	Inbound
SOTI Services	HTTP/S	443	Outbound
Remote Control	Binary	5494	Inbound
Windows Notification Service (WNS)	HTTP/S	80, 443	Outbound
SOTI MobiControl Signal Service	HTTPS	13131	Outbound to the server hosting Signal Service. Inbound if this server is hosting Signal Service

Management Server Connections

Table 1. SOTI Products
Component Name	Protocol	TCP Port(s)	Direction
SOTI MobiControl Deployment Server	Binary	5494/5495	Outbound
SOTI Cloud Link	HTTPS	443	Outbound
SOTI Identity	HTTPS	443	Outbound and Inbound See Connecting On-Premises SOTI MobiControl with SOTI Identity in the SOTI Identity help for more information.
SOTI Services	HTTP/S	443	Outbound
SOTI Services Skins	HTTP/S	80*, 443	Outbound
SOTI MobiControl Search	HTTPS	9200	Outbound to SOTI MobiControl Search
SOTI MobiControl Search	HTTPS	9300	Inbound from and Outbound to SOTI MobiControl Search (for multi-MS setups)
SOTI MobiControl Console	HTTPS	443	Inbound
SOTI XSight Server	HTTPS	443	Inbound
SOTI MobiControl Signal Service	HTTPS	13131	Outbound to the server hosting Signal Service. Inbound if this server is hosting Signal Service

*The port 80/HTTP requirement is for the skins URL http://www.soti.net/skins/. This endpoint stores only image files related to device skins.

Table 2. **Third-Party Services**
Component Name	Protocol	TCP Port(s)	Direction
Amazon App Store	HTTPS	443	Outbound
Apple Push Notification Service (APNS)†	HTTPS	443	Outbound
Apple DEP	HTTPS	443	Outbound
Apple App Store License	HTTPS	443	Outbound
Bing Maps*	HTTPS	443	Outbound
Certification Authority - DCOM	Binary	Dynamic	Outbound Note: Must be on the same domain.
Certification Authority - HTTP	HTTPS	443	Outbound
Enterprise Resource Gateway (ERG)	HTTPS	443	Outbound
Google Play‡	HTTPS	443	Outbound
iTunes	HTTPS	443	Outbound
LDAP	LDAP/S	389/636	Outbound
Microsoft SQL Server (SOTI MobiControl Database)	Binary	1433	Outbound

*Enable Ports TCP/443 Outbound for:

bing.com
platform.bing.com
*.virtualearch.net

† For Apple APNS:

Enable ports TCP/2195, TCP/2196 Inbound/Outbound from 17.0.0.0/8
- gateway.push.apple.com
Enable ports TCP/443 Outbound for:
- phobos.apple.com
- vpp.itunes.apple.com
- init.itunes.apple.com

‡ Google Play Store:

The Google Play Store requires access to SOTI Services IP Addresses.

Miscellaneous Connections


Component A	Component B	Protocol	TCP Port(s)
Enterprise Resource Gateway (ERG)	Exchange	Binary	443
Enterprise Resource Gateway (ERG)	SharePoint/WebDAV	HTTPS/WebDAV	443
SOTI Cloud Link	Certification Authority - DCOM Note: Must be on the same domain.	Binary	Dynamic
SOTI Cloud Link	Certification Authority - HTTP	HTTPS	443
SOTI XSight Server	Microsoft SQL Server (SOTI XSight Database)	Binary	1433
SOTI XSight Server	SOTI XSight UI	HTTPS	443
SOTI XSight UI	Remote Control	HTTPS (web sockets)	443
SOTI Hub	Enterprise Resource Gateway (ERG)	HTTPS	443
SOTI Surf	Enterprise Resource Gateway (ERG)	HTTPS	443
SOTI MobiControl Console	Remote Control	HTTPS (web sockets)	443

SOTI Services

SOTI Services includes Activation, Agent Builder, Enrollment, Location, Google Play, Microsoft 365 Integration, Messaging, Antivirus Definitions and SOTI Surf services. These services ensure that your SOTI MobiControl deployment has:

the latest certified version of device agents
fast and easy enrollment of devices
updates for licenses
enhanced feature integration with third-party services

Access SOTI services using HTTPS on port 443 and, for skins, a separate endpoint for device skin related images files on HTTP Port 80. Be sure to whitelist the following fully qualified domain names and/or IP addresses with your firewall, allowing unrestricted communication between your SOTI MobiControl deployment and SOTI Services.

Note: To download or update Android device agents, the SOTI MobiControl management service requires access to the following URL endpoints: activate2.soti.net and agentdservice.s3.amazonaws.com.


Service Name	Endpoint
Activation Service	activate2.soti.net / services.soti.net
Agent Builder Service	activate2.soti.net
BitDefender Antivirus	mobicontrolservices.soti.net
Enrollment	mcenroll.soti.net / mc-enroll.soti.net / activate2.soti.net
Google Play Services	activate2.soti.net
Location Services	activate2.soti.net / services.soti.net
Microsoft 365 Services	mobicontrolservices.soti.net
Messaging	activate2.soti.net
Notifications	notificationservice.soti.net
Skins Service	skinsapi.soti.net / www.soti.net
SOTI Surf	mobicontrolservices.soti.net

Services are load-balanced across the following IP addresses. It is strongly advised to whitelist all IP addresses in case of a failover event as to not prevent communication:


ID Based Enrollment:
54.209.186.178 54.208.149.103
Primary Communications:
76.223.23.230 13.248.157.19
Skins Endpoint:
99.83.149.241 75.2.25.8
Failover:
Note: The following IP addresses will not respond unless there is a failover event.
54.208.194.169 54.209.62.205 54.209.186.251 54.209.207.237

Note: For agentdservice.s3.amazonaws.com endpoint, you’ll need to whitelist Amazon’s S3 Service. A list of their IP addresses is here (https://ip-ranges.amazonaws.com/ip-ranges.json) using the filter of service: S3 and Region: us-east-1.

Supported Devices

SOTI MobiControl supports a wide range of products, including Android, Apple, Linux, Windows, and wireless printer devices. For simplicity, SOTI MobiControl groups related device types under Platform tabs. Refer to the table below for a full list of supported operating systems and their associated platforms.

Note: Some devices require the installation of a SOTI MobiControl device agent for management purposes. The device agent uses approximately 10 MB of device storage.


This platform tab	Manages these device types
Android Plus	Devices running Android Classic - Devices running Android 4.2 to 12 Android Enterprise - Devices running Android 5 to 13
Apple	Devices running iOS 8.0 or later including iPhone, iPad and iPod Touch devices macOS 10.12 or later
Linux	Devices with x86 (32 bit), x64 (64 bit), or ARM (32 bit and 64 bit) processors or Zebra FX7500/FX9600 (RFID readers)
Printers	Zebra wireless printers
Windows Desktop Classic	Desktop devices running Windows
Windows Mobile/CE	Devices running: Windows CE .NET 4.2 or later Windows Mobile 5.0 or later Windows Pocket PC 2002 or 2003
Windows Modern	Devices running Windows 10 or later or Windows Phone 8 and later Includes HoloLens devices

Supported TLS Versions

Secure communication depends on the Transport Layer Security (TLS) version supported by both the SOTI MobiControl deployment server and the device platform.

Note: Unless necessitated by the limitations of older mobile devices, use of pre-1.2 TLS versions is not recommended.

The SOTI MobiControl deployment server supports the following TLS 1.2 cipher suites:

TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

The TLS version supported by each device platform is provided in the following table.


Device Platform	TLS Versions
Windows CE	TLS 1.0/1.1/1.2
Android 4.2	TLS 1.0
Android 4.3 – 9.0	TLS 1.0/1.1/1.2
Android 10–12	TLS 1.0/1.1/1.2/1.3
iOS 5 – 12	TLS 1.0/1.1/1.2
Windows Phone 8.0	TLS 1.0
Windows Phone 8.1	TLS 1.0/1.1/1.2
Windows 10 Mobile 1511 – 1709	TLS 1.0/1.1/1.2

Certified Device Support

SOTI provides technical and development support for devices that have been tested and certified. Device certification ensures compatibility with all applicable SOTI ONE products and features.

Note: Uncertified devices receive best-effort support because SOTI cannot give assurance that they will function as intended.

Below is an overview of the certification process:

A SOTI partner submits a request for device certification, including the make and model number.
SOTI evaluates the certification request based on set criteria, then works with the partner to ensure all business and technical requirements are met to move forward.
SOTI applies more than 400 rigorous tests to the device.
SOTI fully certifies the device if it meets the standards of performance and functionality for the SOTI ONE Platform. The device may alternatively earn a passing status with known limitations.

If the device certification fails, SOTI will work with the device manufacturer to best resolve the issues.

Upon device certification, the customer receives the following support:

Technical support for troubleshooting SOTI-related device features across all SOTI products.
Best development efforts with SOTI and its partnership network.
Ongoing device application support to ensure SOTI features are updated with periodic SOTI agent and plugin releases.
Device-specific feature requests are considered for implementation in supporting the customer's operational needs.

Please click https://docs.soti.net/mobicontrolagentdownloads to see a list of available certified Android devices and SOTI Agent APKs.

If you do not find the device you are looking for, please contact your SOTI Account Manager or contact us at https://soti.net/about/contact-us/.