System Requirements

The following sections detail the minimum system requirements for installing up to 1000 devices on SOTI MobiControl. For deployments of more than 1000 devices, consider upgrading the server components for better performance.

For SOTI products that are past End of Life (EOL), SOTI does not market, sell, deploy, or offer updates to those versions. See SOTI MobiControl Product Lifecycle for more details.

Note: The Deployment Server (DS) and the Management Server (MS) support load balancing. However, use sticky sessions as the SOTI MobiControl console is not kept in the global cache.
Tip: If you do not want to run SOTI MobiControl server components using a local system account, you can create a Service Account with the appropriate permissions.

General Requirements

Component Required Level
Operating System
  • Windows Server 2019
  • Windows Server 2022
    Note: Disable the Transport Layer Security (TLS) 1.3 protocol because it is not supported in Windows Server 2022.
Storage The application requires about 300 MB of storage space.
Browsers
  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
Other
Tip: The manual install of prerequisites is no longer required as the SOTI MobiControl installer has them embedded.

[Optional], depending on your requirements:

  • If managing Android or Apple devices: Domain Name Service (DNS) (accessible externally)
  • If managing Apple devices: APNS certificate (with a password and APNS topic string)
    Note: Enable one of the following TLS cipher suites on the deployment server for APNS:
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • If the SOTI MobiControl console configuration uses directory service integrated security: LDAPS DNS name
Ports and IP Addresses See the default Network Ports and IP addresses that SOTI MobiControl uses to communicate.

SOTI ONE Platform Integration

The following SOTI ONE platform products are compatible with SOTI MobiControl version 2024.0.

| Component | Recommended Level |
|---|---|
| SOTI XSight | Version 4.3 and later |
| SOTI Snap | Version 2024.0 and later |
| SOTI Connect | For network inventory, version 2.5.1 and later |
| SOTI Identity | Version 2024.1 and later |

Recommended Settings

The listed components must meet the recommended levels to run SOTI MobiControl.
Note: For 100,000 devices and up, reach out to SOTI Professional Services for recommendations.

| Device Scale | Number of Management Servers | Management Server Specification | Number of Deployment Servers | Deployment Server Specifications | Number of SQL Servers | SQL Specification |
|---|---|---|---|---|---|---|
| 1 - 1000 | 1 | 2vCPU - 8GB RAM (All-in-one: MS, DS, and SQL installed) | 0 | Included in Management Server | 0 | Included in Management Server |
| 1000 - 10,000 | 1 | 4vCPU - 16GB RAM (All-in-one: MS, DS, and SQL installed) | 0 | Included in Management Server | 0 | Included in Management Server |
| 10,000 - 20,000 | 1 | 4vCPU - 16GB RAM | 1 | 4vCPU - 16 GB RAM | 1 | 4vCPU - 32GB RAM, SSD Drives |
| 20,000 - 50,000 | 1 | 8vCPU - 32GB RAM | 2 | 4vCPU - 16 GB RAM | 1 | 4vCPU - 32GB RAM, SSD Drives |
| 50,000 - 100,000 | 1 | 8vCPU - 32GB RAM | 4 | 4vCPU - 16GB RAM | 1 | 8vCPU - 64GB RAM |

Database Requirements

The SOTI MobiControl installer comes bundled with the Microsoft SQL Server Express Edition. It is typically adequate for deployments of 10 to 1000 devices. For deployments of more than 1000 devices, consider using Microsoft SQL Server Standard edition, as it has many scalability and performance improvements.

You can install the database and deployment server on the same host server. However, SOTI recommends using a standalone database to deploy more than 500 devices.

Component Required Level
Software
  • Microsoft SQL Server 2019 (Cumulative Update 12 and later)
  • Microsoft SQL Server 2022 (Cumulative Update 1 and later)
Operating System
  • Windows Server 2019
  • Windows Server 2022

SOTI MobiControl requires SQL servers to use a database collation that is case-insensitive and accent-sensitive. For example, SQL_Latin1_General_CP1_CI_AS is a collation that meets these criteria.

Important: Enable the TCP/IP network protocol in your SQL Server network configuration.

Database Permissions

When installing SOTI MobiControl, you must be a SysAdmin or a DbCreator with additional ALTER ANY LOGIN permissions. When upgrading SOTI MobiControl, you must also have ALTER DATABASE permissions.

When performing regular operations for SOTI MobiControl Main and Archive databases, the user must have the following permissions:

  • Db_datareader
  • Db_datawriter
  • Permission for execution of all procedures

Database Recommendations

The listed components must meet the recommended levels to install the database.

Component Recommended Level
Storage
  • 10 to 500 devices: 2 GB for database growth
  • 500 to 1000 devices: 4 GB for database growth
  • 1000+ devices: at least 5 GB for database growth
Note: The database size depends on the amount of historical log information that you set SOTI MobiControl to retain, and the frequency of package deployment.

Network Ports

SOTI MobiControl uses the following ports to communicate between components.

Tip: See the SOTI MobiControl network configuration diagram for an interactive guide to SOTI MobiControl network connections.
Tip: For the list of hosts and ports that SOTI MobiControl requires to ensure full functionality of Android Enterprise devices, see Android Enterprise Network Requirements for SOTI MobiControl.
Tip: For the list of hosts and ports that SOTI MobiControl requires to ensure full functionality of Apple Enterprise devices, see Apple Enterprise Network Requirements for SOTI MobiControl.

Deployment Server Connections

| Component Name | Protocol | TCP Port(s) | Direction |
|---|---|---|---|
| SOTI MobiControl Deployment Server (Note: This is for configurations with more than one Deployment server. Used for caching purposes.) | Binary | 5495 | Inbound |
| SOTI MobiControl Management Server | Binary | 5494/5495 | Inbound |
| Amazon App Store | HTTPS | 443 | Outbound |
| Apple Push Notification Service (APNS) | HTTPS | 443 | Outbound |
| Apple Automated Device Enrollment (ADE) | HTTPS | 443 | Outbound |
| Apple Store Licenses | HTTPS | 443 | Outbound |
| Certification Authority - DCOM (Note: It must be on the same domain.) | Binary | Dynamic | Outbound to the CA |
| Certification Authority - HTTP | HTTPS | 443 | Outbound |
| Google Play | HTTPS | 443 | Outbound |
| iTunes | HTTPS | 443 | Outbound |
| LDAP | LDAP/S | 389/636 | Outbound |
| Microsoft SQL Server (SOTI MobiControl Database) | Binary | 1433 | Outbound from the management server and deployment server to the database |
| SOTI Cloud Link | HTTPS | 443 | Inbound |
| SOTI MobiControl Device Agents | Binary/HTTPS | 5494, 443 | Outbound from the device agent to the deployment server |
| SOTI MobiControl Device Agents (additional ports for legacy Windows Mobile/CE devices) | Binary/HTTPS | 5497/444 | Outbound from the device agent to the deployment server |
| SOTI Search | HTTPS | 5500 | Outbound to the MS |
| Native MDM | HTTPS | 443 | Inbound |
| SOTI Services | HTTPS | 443 | Outbound |
| Remote Control | Binary | 5494 | Inbound |
| Windows Notification Service (WNS) | HTTP/HTTPS | 80, 443 | Outbound |
| SOTI MobiControl Signal Service | HTTPS | 13131 | Outbound to the server hosting Signal Service. Inbound if this server is hosting Signal Service |

Management Server Connections

Table 1. SOTI Products

| Component Name | Protocol | TCP Port(s) | Direction |
|---|---|---|---|
| SOTI MobiControl Deployment Server | Binary | 5494/5495 | Outbound |
| SOTI Cloud Link | HTTPS | 443 | Outbound |
| SOTI Identity | HTTPS | 443 | Outbound and Inbound. See Connecting On-Premises SOTI MobiControl with SOTI Identity in the SOTI Identity help for more information. |
| SOTI Services | HTTPS | 443 | Outbound |
| SOTI Services Skins | HTTPS | 443 | Outbound |
| SOTI Search | Binary | 5500 | Outbound to SOTI Search |
| SOTI MobiControl Console | HTTPS | 443 | Inbound |
| SOTI XSight Server | HTTPS | 443 | Inbound |
| SOTI MobiControl Signal Service | HTTPS | 13131 | Outbound to the server hosting Signal Service. Inbound if this server is hosting Signal Service |
| Microsoft SQL Server (SOTI MobiControl Database) | Binary | 1433 | Outbound from the management server and deployment server to the database |

Table 2. Third-party Services

| Component Name | Protocol | TCP Port(s) | Direction |
|---|---|---|---|
| Amazon App Store | HTTPS | 443 | Outbound |
| Apple Push Notification Service (APNS)† | HTTPS | 443 | Outbound |
| Apple Device Enrollment Program (DEP) | HTTPS | 443 | Outbound |
| Apple App Store License | HTTPS | 443 | Outbound |
| Bing Maps* | HTTPS | 443 | Outbound |
| Certification Authority - DCOM (Note: It must be on the same domain.) | Binary | Dynamic | Outbound |
| Certification Authority - HTTP | HTTPS | 443 | Outbound |
| Enterprise Resource Gateway (ERG) | HTTPS | 443 | Outbound |
| Google Play‡ | HTTPS | 443 | Outbound |
| iTunes | HTTPS | 443 | Outbound |
| LDAP | LDAP/S | 389/636 | Outbound |
| Microsoft SQL Server (SOTI MobiControl Database) | Binary | 1433 | Outbound |

*Enable Ports TCP/443 Outbound for:

  • bing.com
  • platform.bing.com
  • *.virtualearth.net

† For Apple APNS:

To use Apple Push Notification Service (APNS), your devices need a persistent connection to Apple's servers over Ethernet, cellular data (if capable), or Wi-Fi.

If you use a firewall or private Access Point Name for cellular data, your Apple devices must be able to connect to specific ports on specific hosts:

  • Enable TCP port 5223 to communicate with APNS.
  • Enable TCP port 443 or 2197 to send notifications to APNS.
Devices use TCP port 443 during device activation, and afterward as a fallback if they cannot reach APNS on port 5223. The connection on port 443 uses a proxy as long as the proxy permits communication to pass through without decrypting.

The APNS servers use load balancing, so your devices do not always connect to the same public IP address for notifications. It is best to let your devices access these ports on the entire 17.0.0.0/8 address block, which is reserved for Apple. If you cannot allow access to the whole 17.0.0.0/8 address block, open access via the same ports to these network ranges on IPv4 or IPv6:

IPv4

  • 17.249.0.0/16
  • 17.252.0.0/16
  • 17.57.144.0/22
  • 17.188.128.0/18
  • 17.188.20.0/23

IPv6

  • 2620:149:a44::/48
  • 2403:300:a42::/48
  • 2403:300:a51::/48
  • 2a01:b740:a42::/48
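
One way to confirm that a firewall is not dropping the APNS traffic described above, as an added example rather than SOTI or Apple code: the script checks denied TCP connections against the ranges and ports listed on this page. The four-field log format and the sample records are constructed for illustration.

```python
import ipaddress

# APNS networks and TCP ports exactly as listed on this page.
APNS_NETWORKS = [ipaddress.ip_network(n) for n in (
    "17.249.0.0/16", "17.252.0.0/16", "17.57.144.0/22",
    "17.188.128.0/18", "17.188.20.0/23",
    "2620:149:a44::/48", "2403:300:a42::/48",
    "2403:300:a51::/48", "2a01:b740:a42::/48",
)]
APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")
APNS_PORTS = {5223, 443, 2197}

# Constructed sample records in a hypothetical format:
# action, protocol, destination IP, destination port.
SAMPLE_LOG = """\
DENY TCP 17.57.145.10 5223
ALLOW TCP 17.249.3.7 443
DENY TCP 17.188.21.200 2197
DENY TCP 17.1.2.3 5223
DENY TCP 203.0.113.9 443
DENY TCP 2620:149:a44:1::5 5223
DENY UDP 17.252.0.1 5223
DENY TCP 17.249.0.1 8443
"""

def classify(dst, port):
    """Return 'listed', 'apple-block' or None for a destination and port."""
    if port not in APNS_PORTS:
        return None
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in APNS_NETWORKS):
        return "listed"          # inside one of the narrower listed ranges
    if ip in APPLE_BLOCK:
        return "apple-block"     # only covered by the wider 17.0.0.0/8 rule
    return None

def blocked_apns(log_text):
    """Return (dst, port, scope) for every denied TCP flow that APNS needs."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "DENY" or parts[1] != "TCP":
            continue
        try:
            scope = classify(parts[2], int(parts[3]))
        except ValueError:       # malformed address or port: skip the record
            continue
        if scope:
            findings.append((parts[2], int(parts[3]), scope))
    return findings

if __name__ == "__main__":
    for dst, port, scope in blocked_apns(SAMPLE_LOG):
        print(f"blocked APNS flow: {dst}:{port} ({scope})")
```

A hit marked `apple-block` means the destination is Apple address space outside the narrower ranges, which points to an allowlist built from the short list rather than from 17.0.0.0/8.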

‡ Google Play Store:
  • The Google Play Store requires access to SOTI Services IP Addresses.

Miscellaneous Connections

| Component A | Component B | Protocol | TCP Port(s) |
|---|---|---|---|
| Enterprise Resource Gateway (ERG) | Exchange | Binary | 443 |
| Enterprise Resource Gateway (ERG) | SharePoint/WebDAV | HTTPS/WebDAV | 443 |
| SOTI Cloud Link | Certification Authority - DCOM (Note: It must be on the same domain.) | Binary | Dynamic |
| SOTI Cloud Link | Certification Authority - HTTP | HTTPS | 443 |
| SOTI XSight Server | Microsoft SQL Server (SOTI XSight Database) | Binary | 1433 |
| SOTI XSight Server | SOTI XSight UI | HTTPS | 443 |
| SOTI XSight UI | Remote Control | HTTPS (web sockets) | 443 |
| SOTI Hub | Enterprise Resource Gateway (ERG) | HTTPS | 443 |
| SOTI Surf | Enterprise Resource Gateway (ERG) | HTTPS | 443 |
| SOTI MobiControl Console | Remote Control | HTTPS (web sockets) | 443 |
| SOTI Search | Other SOTI Search Servers (Only for Multi SOTI Search Servers) | Binary | 5500 (Inbound and Outbound) |

SOTI Services

The SOTI Services include Activation, Agent Builder, Enrollment, Location, Google Play, Microsoft 365 Integration, Messaging, Antivirus Definitions and SOTI Surf services. These services make sure that your SOTI MobiControl deployment has:
  • the latest certified version of device agents
  • fast and easy enrollment of devices
  • updates for licenses
  • enhanced feature integration with third-party services

Access both SOTI Services and SOTI Services Skins (for device skin-related image files) using HTTPS on port 443. Be sure to whitelist the following fully qualified domain names and/or IP addresses with your firewall, allowing unrestricted communication between your SOTI MobiControl deployment and SOTI Services.

Note: The SOTI MobiControl management service requires access to the following URL endpoints: activate2.soti.net and agentdservice.s3.amazonaws.com to download or update SOTI MobiControl Android Device Agents.

| Service Name | Endpoint |
|---|---|
| Activation Service | activate2.soti.net / services.soti.net |
| Agent Builder Service | activate2.soti.net |
| BitDefender Antivirus | mobicontrolservices.soti.net |
| Enrollment | mcenroll.soti.net / mc-enroll.soti.net / activate2.soti.net / mobicontrolservices.soti.net |
| Google Play Services | activate2.soti.net |
| Location Services | activate2.soti.net / services.soti.net |
| Microsoft 365 Services | mobicontrolservices.soti.net |
| Messaging | activate2.soti.net |
| Notifications | notificationservice.soti.net |
| Skins Service | skinsapi.soti.net / www.soti.net |
| SOTI Surf | mobicontrolservices.soti.net |
| Send Debug Report Logs | sftp.soti.net (port 22) |

Important: You must also whitelist https://services.soti.net/sftp/metadata.json

SOTI Services are load-balanced across the following IP addresses. It is strongly advised to whitelist all IP addresses in case of a failover event so as not to prevent communication:

ID Based Enrollment:

54.209.186.178

54.208.149.103

Primary Communications:

76.223.23.230

13.248.157.19

Skins Endpoint:

99.83.149.241

75.2.25.8

Failover:

Attention: The following IP addresses do not respond unless there is a failover event.

54.208.194.169

54.209.62.205

54.209.186.251

54.209.207.237

Note: For the agentdservice.s3.amazonaws.com endpoint, you must whitelist Amazon’s S3 Service. A list of their IP addresses is here (https://ip-ranges.amazonaws.com/ip-ranges.json) using the filter of service: S3 and Region: us-east-1.
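
To turn the ip-ranges.json filter from the note above into a firewall allowlist, the added example below (not SOTI or AWS code) selects the S3 entries for us-east-1 and merges adjacent prefixes. The sample document is constructed with documentation ranges in place of real AWS prefixes; its field names follow the published file.

```python
import ipaddress
import json

# Constructed sample in the layout of ip-ranges.json. The prefixes are
# documentation ranges, not real AWS allocations.
SAMPLE_IP_RANGES = {
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "S3"},
        # The same address space is also published under the AMAZON service.
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "S3"},
        {"ipv6_prefix": "2001:db8:2::/48", "region": "us-west-2", "service": "S3"},
    ],
}

def load_ranges(path):
    """Read a downloaded copy of ip-ranges.json from disk."""
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)

def s3_allowlist(doc, service="S3", region="us-east-1"):
    """Return the merged CIDR list for one service and region, IPv4 first."""
    nets = {4: [], 6: []}
    sections = (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix"))
    for section, field in sections:
        for entry in doc.get(section, []):
            if entry.get("service") == service and entry.get("region") == region:
                net = ipaddress.ip_network(entry[field])
                nets[net.version].append(net)
    # collapse_addresses needs a single IP version per call.
    return [str(net) for version in (4, 6)
            for net in ipaddress.collapse_addresses(nets[version])]

if __name__ == "__main__":
    for cidr in s3_allowlist(SAMPLE_IP_RANGES):
        print(cidr)
```

Filtering on the S3 service name rather than on AMAZON keeps the allowlist limited to the ranges the note asks for.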

Supported Devices

SOTI MobiControl supports various products, including Android, Apple, Linux, and Windows.

The following table offers a complete list of supported operating systems and their associated platforms.

Note: Some devices require the installation of a SOTI MobiControl Device Agent for management purposes. The SOTI MobiControl Device Agent uses about 10 MB of device storage.
Important: If your devices use the following unsupported operating systems, upgrade to a supported operating system and the latest SOTI MobiControl Device Agent. Devices that do not update get marked as incompatible and hence do not receive any SOTI MobiControl Device Agent upgrades after upgrading to SOTI MobiControl 2024.1.
  • Windows CE .NET 3.0
  • Windows CE .NET 4.1
  • Windows CE .NET 4.2
  • Windows Pocket PC 2002
  • Windows Pocket PC 2003
  • Windows 2000
  • Windows Mobile 2003
  • Windows Server 2003
  • Windows Server 2008
  • Windows XP
  • Windows Vista
Platform Description
Android Plus For SOTI MobiControl Device Agent 2024.0 and later, devices running:
  • Android Classic | devices running Android 4.2 to 13
  • Android Enterprise | devices running Android 5 to 14
Note: If you use SOTI MobiControl Device Agent 15.4.6 (Android Enterprise) or SOTI MobiControl Device Agent 15.4.5 (Classic) or earlier, then you can use the following:
  • Android Classic | devices running Android 4.2 to 12
  • Android Enterprise | devices running Android 5 to 13
Note: For more information about Android Enterprise/Classic, see Android Enterprise and Android Classic for SOTI MobiControl Device Agent 2024.0.0 (October 19, 2023) in the Release Notes. You cannot enroll devices for SOTI MobiControl Device Agent 15.4.0 or later versions for:
  • Android Classic: OS versions 4 and 5
  • Android Enterprise: OS versions 5 and 6
Apple Devices running:
  • iOS 8.0 or later, including iPhone, iPad, and iPod touch devices
  • macOS 10.12 or later
Linux Devices with x86 (32-bit), x64 (64-bit), or ARM (32-bit and 64-bit) processors or Zebra FX7500/FX9600 (RFID readers)
Windows Desktop Classic Desktop devices running Windows
Windows Mobile/CE Devices running:
  • Windows CE .NET 5.0 or later
  • Windows Mobile 5.0 or later
Windows Modern Devices running:
  • Windows 10: Professional, Enterprise, or IoT Enterprise
  • Windows 11: Professional, Enterprise, or IoT Enterprise

Supported TLS Versions

Secure communication depends on the Transport Layer Security (TLS) version supported by the SOTI MobiControl deployment server and the device platform.

Important: Unless necessitated by the limitations of older mobile devices, the use of pre-1.2 TLS versions is not recommended.
The SOTI MobiControl deployment server supports the following TLS 1.2 cipher suites:
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

The following table lists the TLS version supported by each device platform.

| Device Platform | TLS Versions |
|---|---|
| Windows CE | TLS 1.0/1.1/1.2 |
| Android 4.2 | TLS 1.0 |
| Android 4.3 to 9.0 | TLS 1.0/1.1/1.2 |
| Android 10 to 12 | TLS 1.0/1.1/1.2/1.3 |
| iOS 5 to 12 | TLS 1.0/1.1/1.2 |
| macOS 10.15.x to 13.x | TLS 1.0/1.1/1.2 |
| Windows 10 Mobile 1511 to 1709 | TLS 1.0/1.1/1.2 |

Certified Device Support

SOTI provides technical and development support for devices that have been tested and certified. Device certification ensures compatibility with all applicable SOTI ONE products and features.

Note: Uncertified devices receive best-effort support because SOTI cannot give assurance that they will function as intended.

Below is an overview of the certification process:

  1. A SOTI partner submits a request for device certification, including the make and model number.
  2. SOTI evaluates the certification request based on set criteria, then works with the partner to ensure all business and technical requirements are met to move forward.
  3. SOTI applies more than 400 rigorous tests to the device.
  4. SOTI fully certifies the device if it meets the standards of performance and functionality for the SOTI ONE Platform. The device may alternatively earn a passing status with known limitations.

If the device certification fails, SOTI will work with the device manufacturer to best resolve the issues.

Upon device certification, the customer receives the following support:
  • Technical support for troubleshooting SOTI-related device features across all SOTI products.
  • Best development efforts with SOTI and its partnership network.
  • Ongoing device application support to ensure SOTI features are updated with periodic SOTI agent and plugin releases.
  • Device-specific feature requests are considered for implementation in supporting the customer's operational needs.

Please click https://docs.soti.net/mobicontrolagentdownloads to see a list of available certified Android devices and SOTI Agent APKs.

If you do not find the device you are looking for, please contact your SOTI Account Manager or contact us at https://soti.net/about/contact-us/.