Enrollment Policy Wizard
Use the Enrollment Policy Wizard to create and edit enrollment policies for specific devices. For step-by-step instructions, see:
Creating an Android Classic Device Policy
Creating an Android Enterprise Device Policy
Creating a Linux Device Policy
Creating a macOS Device Policy
Creating a tvOS Device Policy
General
Description | Describe how or where users use policies. |
Enterprise Bindings | For Android Enterprise, choose an account type (None, Managed, Domain). See Enterprise Bindings for more information. |
MDM Profile Description | Enter a message for users as they enroll their device. |
Name | Enter a name for the policy. Important: This field is mandatory. |
Device Type
Device Type | Select one of the available management types for the enrollment policy: Work Managed, Work Profile, Corporate Personal. For more information, see Android Enterprise Devices. |
Groups
Device Group Destination | Choose the device group where you want to enroll the devices. |
User Authentication for Enrollment | Choose if you want users to authenticate devices when enrolling them. This field is mandatory. You can authenticate it either by Password or by Directory. Important: You must select Directory to be able to successfully resolve the macros %ENROLLEDUSER_FIRST_NAME%, %ENROLLEDUSER_MIDDLE_NAME% and %ENROLLEDUSER_LAST_NAME% and to prevent Allow device user to edit: from being overridden. |
Auto Enroll
Account Type | Select the local user account type created on the device. Choose from:
When you select Unmanaged, the device user account is an Unmanaged Administrator account. The type is always an Administrator account. You cannot change it to Standard. You can enable Pre-populate user account details to make the following configurations:
When you select Managed, the device user account is a Managed Administrator account. The type is also always an administrator account. You can then make the following configurations:
When you select Both, the device creates an Unmanaged user account and a Managed administrator account. |
Android Migration | Displays the Android Migration pane in the Setup Assistant. |
Appearance | Displays the Choose Your Look pane in the Setup Assistant for iOS 13 and later ADE devices. |
Apple ID | Displays the Apple ID pane in the Setup Assistant. |
Apple Pay | Displays the Apple Pay pane in the Setup Assistant. |
Customized Enrollment | Mandatory for modern authentication and acceptance of terms and conditions (compatible with iOS 13 and later). |
Diagnostics | Displays the Diagnostics pane in the Setup Assistant. |
Display Tone | Displays the Display Tone pane in the Setup Assistant. |
Enable Automated Device Enrollment | Choose if you want devices to be automatically enrolled using an Automated Device Enrollment account. |
Enforce FileVault during enrollment | When enabled, SOTI MobiControl enforces Apple's FileVault on the device during ADE enrollment. (Requires macOS 14.0+) |
Express Language | Displays the Express Language pane in the Setup Assistant for iOS 13 and later ADE devices. |
File Vault | Displays the FileVault pane in the Setup Assistant. This enables the device user to enable the automatic encryption of files. |
Home Button Sensitivity | Displays the Home Button Sensitivity pane in the Setup Assistant. |
iCloud Diagnostics | Displays the iCloud Analytics pane in the Setup Assistant. This enables the device user to choose whether to send diagnostic iCloud data to Apple. |
iMessage and FaceTime | Displays the iMessage and FaceTime pane in the Setup Assistant for iOS 12.0 and later ADE devices. |
Location Services | Displays the Location Services pane in the Setup Assistant. |
OnBoarding | Displays the Onboarding pane in the Setup Assistant. |
Passcode | Displays the Passcode pane in the Setup Assistant. |
Preferred Language | Displays the Preferred Language pane in the Setup Assistant for iOS 13 and later ADE devices. |
Prevent Un-enrollment | Prevents the device user from removing the MDM profile from the device. |
Privacy | Displays the Privacy pane in the Setup Assistant for iOS 11.3 and later ADE devices. |
Quick Start | Displays the Device to Device Migration pane in the Setup Assistant for iOS 13 and later ADE devices. |
Registration | Displays the Registration pane in the Setup Assistant. This enables the device user to fill out a registration form and send it to Apple. |
Require Enrollment | Automatically enrolls the device in SOTI MobiControl. The device user must enter their credentials for LDAP-based enrollment when running the Setup Assistant. |
Require Minimum OS Version | When enabled, SOTI MobiControl requires the compatible Apple device to meet a minimum OS version before enrollment. (Requires iOS 16.0+, macOS 14.0+) Important: You must upload an Apple Root Certificate for device users so they can receive the OS version values from the OS version drop-down. If the device does not meet the minimum OS version requirements, then SOTI MobiControl prompts the device to upgrade to the latest version. Warning: Even if the device user selects an intermediate version, SOTI MobiControl still updates them to the latest version. |
Screen Time | Displays the Screen Time pane in the Setup Assistant for iOS 12.0 and later ADE devices. |
Select an Automated Device Enrollment account | Select the Automated Device Enrollment (ADE) account. |
Set up your Apple TV | Enables the setup pane and onscreen instructions for Apple TV devices. |
Setup new or restore from backup | Displays the Setup New or Restore from Backup pane in the Setup Assistant. |
Shared iPad | Enables Shared iPad for Business configurations for devices with the following:
Note: The Supervise Device option is not required. |
Sign into your TV provider | The user signs in once with their TV provider account information to access all supported apps. |
Sim Setup | Displays the SIM Setup pane in the Setup Assistant. |
Siri | Displays the Siri pane in the Setup Assistant. |
Software Update | Displays the Software Updates pane in the Setup Assistant for iOS 12.0 and later ADE devices. |
Supervise Device | Enables device supervision over-the-air upon device activation. These Apple devices are automatically supervised:
Tip: Turn on Supervised Device for Apple operating systems that are not listed. |
Sync Apple TV Home Screen Layout | The user can sync the home screen layout with another Apple TV device. |
Terms and Conditions | Displays the Terms & Conditions pane in the Setup Assistant. |
Touch Id | Displays the Touch ID pane in the Setup Assistant. |
Wait until device is configured | Forces the device activation wizard on iOS 9.3 and later devices to wait until the MDM has finished fully configuring the device. Users can only use the device once it is fully configured. |
Watch Migration | Displays the Watch Migration pane in the Setup Assistant. |
Welcome | Displays the Get Started pane in the Setup Assistant for iOS 13 and later ADE devices. |
Where is the Apple TV | Users can select a room for the Apple TV device. |
Zoom | Displays the Zoom pane in the Setup Assistant. |
Settings
Access Token Validity Period | Represents the validity period of Access Tokens issued for the enrollment policy. Important: It should be minimum five minutes or less than five minutes from the Refresh Token Validity Period. |
Refresh Token Validity Period | Represents the validity period of Refresh Tokens issued for the enrollment policy. Important: Set it to a minimum value of one day. |
Activate Declarative Device Management | Enable to activate the Declarative Device Management (DDM) protocol on your Apple devices. Restriction: You cannot use this setting to deactivate Apple devices that are already activated with the DDM protocol. See Introduction to Declarative Device Management and Apple devices for details. If you enable this setting, enroll some devices using this setting, and then choose to disable this setting later, you must perform further configurations. Specifically, you must re-enroll all DDM-activated devices you enrolled using this enabled setting to deactivate DDM. |
Activation Date | Specify the date that activates the policy. |
Activation Time | Specify the time that activates the policy. |
Cache Password | Caches the LDAP/IdP password entered by the device user during enrollment for 10 minutes. During this time, profiles targeting the device with configurations requiring account credentials (Email, VPN, Wi-Fi, etc.) include the cached password in the configuration. This avoids repeat prompting for the same credentials. |
Criteria | Enable to define a criterion that applies at enrollment. To add a criterion, select Add. Define the enrollment criterion based on Value, Device Property, and Operator. You can add more than one criterion. A criterion resulting in enrollment denial takes precedence as the highest priority. Example: Important: If you add a criterion that denies all Samsung devices and then add another allowing specifically for Samsung (Fold), you must be careful. The denial criterion takes precedence in determining the enrollment restriction, making the Samsung (Fold) criterion inactive. Note: You must enable Enrollment Restrictions to set a criterion. |
Customize iPad wallpaper | Set the wallpaper for iPad devices upon enrollment (requires iOS 8+ Supervision). If enabled, select image files as the home and lock screen wallpapers. |
Customize iPhone wallpaper | Set the wallpaper for iPhone devices upon enrollment (requires iOS 8+ Supervision). If enabled, select image files as the home and lock screen wallpapers. |
Deploy Latest Plugins to Device | Install plugins on your SOTI MobiControl environment before deploying them to the device. |
Device Enrollment Limit | Set the maximum number of devices you can enroll using this enrollment policy. Note: You must enable Enrollment Restrictions to set a device enrollment limit. |
Draw Over Other Apps | Enables the display of content on top of other apps. |
Enable Terms and Conditions | Enable this requirement to display the terms and conditions to the device user at enrollment. |
Enrolled Device Name | Select an identifier for the device. Select the gear icon to insert macros to auto fill portions of the device name. |
Enrollment Restrictions | Enable setting a Device Enrollment Limit or define a Criteria that applies at enrollment. |
Manage Plugins | Use this window to add SOTI MobiControl Device Agents and plugins. Select add to select the device models you want to add new plugins and agents to. |
Modify System Settings | Enable modification of system settings. |
Notification Access | Enable to read all notifications posted by the system or any installed apps. |
Preserve Device Location on Re-enrollment | SOTI MobiControl remembers the group membership of the device when it is re-enrolled. |
Preserve Device Name on Re-Enrollment | When a deleted device is re-enrolled, SOTI MobiControl remembers the name that was assigned to the deleted device. |
Rule Tag | This tag embeds into device agents belonging to this policy. |
Select a template for the agent certificate | Select a template to issue device identity. Select Manage Certificate Authorities to configure certificate authorities and create dynamic certificate templates for each user and device. |
Select the device user's Terms and Conditions | Select terms and conditions that users must accept at enrollment. |
Set Deactivation Date | Specify the date and time to deactivate the policy. |
Update Personalized Device Name | Enable the Personalized Device Name to update to match the name set in SOTI MobiControl. |
Usage Access | Enables access to app history and collects detailed information. |
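
The Criteria row above states that a denial criterion takes precedence over any allow criterion. The following added example (not SOTI MobiControl code or its API) models that rule and reports allow criteria that a broader denial makes inactive for a given device list. The operator names, property keys and device records are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical operator names; constructed for this example.
OPERATORS = {
    "equals": lambda actual, value: actual.lower() == value.lower(),
    "contains": lambda actual, value: value.lower() in actual.lower(),
}

@dataclass(frozen=True)
class Criterion:
    name: str
    device_property: str
    operator: str
    value: str
    action: str  # "allow" or "deny"

    def matches(self, device: dict) -> bool:
        actual = device.get(self.device_property, "")
        return OPERATORS[self.operator](actual, self.value)

def decide(criteria, device):
    """Return 'deny' if any deny matches, else 'allow' if any allow matches, else None."""
    hits = [c for c in criteria if c.matches(device)]
    if any(c.action == "deny" for c in hits):
        return "deny"
    return "allow" if hits else None

def inactive_allows(criteria, inventory):
    """Names of allow criteria whose every matching device is denied anyway."""
    inactive = []
    for c in criteria:
        if c.action != "allow":
            continue
        matched = [d for d in inventory if c.matches(d)]
        if matched and all(decide(criteria, d) == "deny" for d in matched):
            inactive.append(c.name)
    return inactive

# Constructed sample data following the Samsung / Samsung (Fold) case.
CRITERIA = [
    Criterion("deny-samsung", "manufacturer", "equals", "Samsung", "deny"),
    Criterion("allow-fold", "model", "contains", "Fold", "allow"),
    Criterion("allow-pixel", "model", "contains", "Pixel", "allow"),
]
INVENTORY = [
    {"manufacturer": "Samsung", "model": "Galaxy Z Fold5"},
    {"manufacturer": "Samsung", "model": "Galaxy S23"},
    {"manufacturer": "Google", "model": "Pixel 8"},
]
```

Running `inactive_allows(CRITERIA, INVENTORY)` before saving a policy flags allow criteria, such as the Fold one here, that can never take effect while the broader denial exists.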