Enrollment Policy Wizard

Use the Enrollment Policy Wizard to create and edit enrollment policies for specific devices. For step-by-step instructions, see:

Creating an Android Classic Device Policy

Creating an Android Enterprise Device Policy

Creating a Linux Device Policy

Creating an iOS Device Policy

Creating a macOS Device Policy

Creating a tvOS Device Policy

Enrolling Windows Modern Desktop Devices

Important: The visibility of the options described below depends upon the selected device.

General

Description Describe how or where users use policies.
Enterprise Bindings For Android Enterprise, choose an account type (None, Managed, Domain). See Enterprise Bindings for more information.
MDM Profile Description Enter a message for users as they enroll their device.
Name Enter a name for the policy.
Important: This field is mandatory.

Device Type

Device Type Select one of the available management types for the enrollment policy: Work Managed, Work Profile, Corporate Personal. For more information, see Android Enterprise Devices.

Groups

Device Group Destination Choose the device group where you want to enroll the devices.
User Authentication for Enrollment Choose if you want users to authenticate devices when enrolling them. This field is mandatory. You can authenticate it either by Password or by Directory.
Important: You must select Directory to be able to successfully resolve the Macros %ENROLLEDUSER_FIRST_NAME%, %ENROLLEDUSER_MIDDLE_NAME% and %ENROLLEDUSER_LAST_NAME% and to prevent Allow device user to edit: from being overridden.

Auto Enroll

Account Type Select the local user account type created on the device. Choose from:
  • Unmanaged
  • Managed
  • Both

When you select Unmanaged, the device user account is an Unmanaged Administrator account. The type is always an Administrator account. You cannot change it to Standard. You can enable Pre-populate user account details to make the following configurations:

  • Full name: Enter a name (preferably legal name) of the unmanaged account. You can also select from the following Macros:
    • %ENROLLEDUSER_FIRST_NAME%
    • %ENROLLEDUSER_MIDDLE_NAME%
    • %ENROLLEDUSER_LAST_NAME%
      Important: For User Authentication for Enrollment's Authentication type, you must select Directory to successfully resolve these Macros during account creation.
  • Account name: The account name of the unmanaged account. You can select from the following Macros:
    • %ENROLLEDUSER_USERNAME%
      Important: For User Authentication for Enrollment's Authentication type, you must select Directory to successfully resolve these Macros during account creation.
  • Allow device user to edit: When enabled, the device user can change the Full name and Account name during the setup assistant.
    Important: For User Authentication for Enrollment's Authentication type, you must select Directory. If you do not select Directory for Authentication, this value is overridden to Enabled when you use Macros.
When you select Managed, the device user account is a Managed Administrator account. The type is also always an administrator account. You can then make the following configurations:
  • Full name: Enter a name (preferably legal name) of the managed administrator account.
  • Account name: The account name of the managed administrator account.
  • Password: The password of the managed administrator account. This password can be later updated using the Set Managed Admin Password device action.
  • Hide account: When enabled, the device hides the account in the device's login window and in Users & Groups on the device. The account is also hidden under Active User(s) in SOTI MobiControl's Device Details for the assigned device.
When you select Both, the device creates an Unmanaged user account and a Managed administrator account.
  1. For the Unmanaged user account, the instructions are almost the same as for selecting Unmanaged. The only difference is that you can select the user type to be Administrator or Standard.
  2. For the Managed administrator account, the instructions are the same as selecting Managed.
  3. For Account type for user profiles, select the account type for user profile assignment. You can choose from:
    • Unmanaged
    • Managed
Android Migration Displays the Android Migration pane in the Setup Assistant.
Appearance Displays the Choose Your Look pane in the Setup Assistant for iOS 13 and later ADE devices.
Apple ID Displays the Apple ID pane in the Setup Assistant.
Apple Pay Displays the Apple Pay pane in the Setup Assistant.
Customized Enrollment Mandatory for modern authentication and acceptance of terms and conditions (compatible with iOS 13 and later).
Diagnostics Displays the Diagnostics pane in the Setup Assistant.
Display Tone Displays the Display Tone pane in the Setup Assistant.
Enable Automated Device Enrollment Choose if you want devices to be automatically enrolled using an Automated Device Enrollment account.
Enforce FileVault during enrollment When enabled, SOTI MobiControl enforces Apple's FileVault on the device during ADE enrollment. (Requires macOS 14.0+)
Express Language Displays the Express Language pane in the Setup Assistant for iOS 13 and later ADE devices.
File Vault Displays the FileVault pane in the Setup Assistant. This enables the device user to enable the automatic encryption of files.
Home Button Sensitivity Displays the Home Button Sensitivity pane in the Setup Assistant.
iCloud Diagnostics Displays the iCloud Analytics pane in the Setup Assistant. This enables the device user to choose whether to send diagnostic iCloud data to Apple.
iMessage and FaceTime Displays the iMessage and FaceTime pane in the Setup Assistant for iOS 12.0 and later ADE devices.
Location Services Displays the Location Services pane in the Setup Assistant.
OnBoarding Displays the Onboarding pane in the Setup Assistant.
Passcode Displays the Passcode pane in the Setup Assistant.
Preferred Language Displays the Preferred Language pane in the Setup Assistant for iOS 13 and later ADE devices.
Prevent Un-enrollment Prevents the device user from removing the MDM profile from the device.
Privacy Displays the Privacy pane in the Setup Assistant for iOS 11.3 and later ADE devices.
Quick Start Displays the Device to Device Migration pane in the Setup Assistant for iOS 13 and later ADE devices.
Registration Displays the Registration pane in the Setup Assistant. This enables the device user to fill out a registration form and send it to Apple.
Require Enrollment Automatically enrolls the device in SOTI MobiControl. The device user must enter their credentials for LDAP-based enrollment when running the Setup Assistant.
Require Minimum OS Version When enabled, SOTI MobiControl requires the compatible Apple device to meet a minimum OS version before enrollment. (Requires iOS 16.0+, macOS 14.0+)
Important: You must upload an Apple Root Certificate for device users so they can receive the OS version values from the OS version drop-down.
If the device does not meet the minimum OS version requirements, then SOTI MobiControl prompts the device to upgrade to the latest version.
Warning: Even if the device user selects an intermediate version, SOTI MobiControl still updates them to the latest version.
Screen Time Displays the Screen Time pane in the Setup Assistant for iOS 12.0 and later ADE devices.
Select an Automated Device Enrollment account Select the Automated Device Enrollment (ADE) account.
Set up your Apple TV Enables the setup pane and onscreen instructions for Apple TV devices.
Setup new or restore from backup Displays the Setup New or Restore from Backup pane in the Setup Assistant.
Shared iPad

Enables Shared iPad for Business configurations for devices with the following:

  • iOS 13.4 or later
  • Apple Business Manager account
  • Managed Apple ID
  • 32GB of storage
Note: The Supervise Device option is not required.
Sign into your TV provider The user signs in once with their TV provider account information to access all supported apps.
Sim Setup Displays the SIM Setup pane in the Setup Assistant.
Siri Displays the Siri pane in the Setup Assistant.
Software Update Displays the Software Updates pane in the Setup Assistant for iOS 12.0 and later ADE devices.
Supervise Device Enables device supervision over-the-air upon device activation.

These Apple devices are automatically supervised:

  • iPhone with iOS 13 or later
  • iPad with iPadOS 13.1 or later
  • Mac computers with macOS 10.14.4 or later
Tip: Turn on Supervise Device for Apple operating systems that are not listed.
Sync Apple TV Home Screen Layout The user can sync the home screen layout with another Apple TV device.
Terms and Conditions Displays the Terms & Conditions pane in the Setup Assistant.
Touch Id Displays the Touch ID pane in the Setup Assistant.
Wait until device is configured Forces the device activation wizard on iOS 9.3 and later devices to wait until the MDM has finished fully configuring the device. Users can only use the device once it is fully configured.
Watch Migration Displays the Watch Migration pane in the Setup Assistant.
Welcome Displays the Get Started pane in the Setup Assistant for iOS 13 and later ADE devices.
Where is the Apple TV Users can select a room for the Apple TV device.
Zoom Displays the Zoom pane in the Setup Assistant.

Settings

Access Token Validity Period
Represents the validity period of Access Tokens issued for the enrollment policy.
Important: It should be minimum five minutes or less than five minutes from the Refresh Token Validity Period.
Refresh Token Validity Period
Represents the validity period of Refresh Tokens issued for the enrollment policy.
Important: Set it to a minimum value of one day.
Activate Declarative Device Management Enable to activate the Declarative Device Management (DDM) protocol on your Apple devices.
Restriction: You cannot use this setting to deactivate Apple devices that are already activated with the DDM protocol.

See Introduction to Declarative Device Management and Apple devices for details.

If you enable this setting, enroll some devices using it, and then choose to disable it later, you must perform further configuration. Specifically, to deactivate DDM you must re-enroll all DDM-activated devices that you enrolled while this setting was enabled.

Activation Date Specify the date that activates the policy.
Activation Time Specify the time that activates the policy.
Cache Password Caches the LDAP/IdP password entered by the device user during enrollment for 10 minutes. During this time, profiles targeting the device with configurations requiring account credentials (Email, VPN, Wi-Fi, etc.) include the cached password in the configuration. This avoids repeat prompting for the same credentials.
Criteria Enable to define a criterion that applies at enrollment. To add a criterion, select Add.

Define the enrollment criterion based on Value, Device Property, and Operator. You can add more than one criterion. A criterion that results in enrollment denial takes the highest priority.

Example

Important: If you add a criterion that denies all Samsung devices and then add another allowing specifically for Samsung (Fold), you must be careful. The denial criterion takes precedence in determining the enrollment restriction and makes the Samsung (Fold) criterion inactive.
Note: You must enable Enrollment Restrictions to set a criterion.
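
The precedence rule above can be checked before a policy goes live. The following added example (not SOTI MobiControl code; the property names, operators, and sample devices are constructed for illustration) models deny-takes-precedence evaluation and flags allow criteria that never admit a device.

```python
# Illustrative model only: field names, operators and sample devices are
# constructed for this example and are not SOTI MobiControl's data format.
from dataclasses import dataclass

OPERATORS = {
    "equals": lambda actual, value: actual.lower() == value.lower(),
    "contains": lambda actual, value: value.lower() in actual.lower(),
}

@dataclass(frozen=True)
class Criterion:
    device_property: str
    operator: str
    value: str
    action: str  # "allow" or "deny"

    def matches(self, device: dict) -> bool:
        actual = device.get(self.device_property, "")
        return OPERATORS[self.operator](actual, self.value)

def decide(device: dict, criteria: list) -> str:
    """Deny wins over any matching allow; no match is reported as 'unmatched'."""
    matched = [c for c in criteria if c.matches(device)]
    if any(c.action == "deny" for c in matched):
        return "deny"
    return "allow" if matched else "unmatched"

def shadowed_allows(criteria: list, devices: list) -> list:
    """Allow criteria that match sample devices but never admit any of them."""
    shadowed = []
    for c in criteria:
        if c.action != "allow":
            continue
        hits = [d for d in devices if c.matches(d)]
        if hits and all(decide(d, criteria) == "deny" for d in hits):
            shadowed.append(c)
    return shadowed

DENY_SAMSUNG = Criterion("Manufacturer", "equals", "Samsung", "deny")
ALLOW_FOLD = Criterion("Model", "contains", "Fold", "allow")
ALLOW_GOOGLE = Criterion("Manufacturer", "equals", "Google", "allow")
CRITERIA = [DENY_SAMSUNG, ALLOW_FOLD, ALLOW_GOOGLE]

# Constructed sample inventory.
FOLD = {"Manufacturer": "Samsung", "Model": "Galaxy Z Fold5"}
PIXEL = {"Manufacturer": "Google", "Model": "Pixel 8"}
OTHER = {"Manufacturer": "Zebra", "Model": "TC52"}
DEVICES = [FOLD, PIXEL, OTHER]
```

Any criterion returned by `shadowed_allows(CRITERIA, DEVICES)` is one that a denial criterion has made inactive for every sample device it matches.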
Customize iPad wallpaper Set the wallpaper for iPad devices upon enrollment (requires iOS 8+ Supervision). If enabled, select image files as the home and lock screen wallpapers.
Customize iPhone wallpaper Set the wallpaper for iPhone devices upon enrollment (requires iOS 8+ Supervision). If enabled, select image files as the home and lock screen wallpapers.
Deploy Latest Plugins to Device Install plugins on your SOTI MobiControl environment before deploying them to the device.
Device Enrollment Limit Set the maximum number of devices you can enroll using this enrollment policy.
Note: You must enable Enrollment Restrictions to set a device enrollment limit.
Draw Over Other Apps Enables the display of content on top of other apps.
Enable Terms and Conditions Enable this requirement to display the terms and conditions to the device user at enrollment.
Enrolled Device Name Select an identifier for the device. Select the gear icon to insert macros to auto fill portions of the device name.
Enrollment Restrictions Enable to set a Device Enrollment Limit or define Criteria that apply at enrollment.
Manage Plugins Use this window to add SOTI MobiControl Device Agents and plugins. Select add to select the device models you want to add new plugins and agents to.
Modify System Settings Enable modification of system settings.
Notification Access Enable to read all notifications posted by the system or any installed apps.
Preserve Device Location on Re-enrollment SOTI MobiControl remembers the group membership of the device when it is re-enrolled.
Preserve Device Name on Re-Enrollment When a deleted device is re-enrolled, SOTI MobiControl remembers the deleted assigned device's name.
Rule Tag This tag embeds into device agents belonging to this policy.
Select a template for the agent certificate Select a template to issue device identity. Select Manage Certificate Authorities to configure certificate authorities and create dynamic certificate templates for each user and device.
Select the device user's Terms and Conditions Select terms and conditions that users must accept at enrollment.
Set Deactivation Date Specify the date and time to deactivate the policy.
Update Personalized Device Name Enable to update the Personalized Device Name to match the name set in SOTI MobiControl.
Usage Access Enables access to app history and collects detailed information.