System Requirements

The following sections detail the minimum system requirements for installing up to 1000 devices on SOTI MobiControl. For larger deployments, consider upgrading server components for improved performance.

For SOTI product versions that are past End of Life (EOL), SOTI does not market, sell, deploy, or offer updates for them. See SOTI MobiControl Product Lifecycle.

Important: The Deployment Server (DS) and Management Server (MS) are optimized for SOTI MobiControl’s native load balancing. According to the Terms of Service, customers are responsible for configuring and maintaining third-party load balancers.
Tip: If you do not want to run SOTI MobiControl server components using a local system account, you can create a service account with the appropriate permissions. See SOTI's discussion forum.

General Requirements

Component Required Level
Operating System
  • Windows Server 2019
  • Windows Server 2022
    Note: Disable the Transport Layer Security (TLS) 1.3 protocol as it is not supported in Windows Server 2022.
Storage The application requires at least 300 MB of storage space.
Browsers
  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
Other
Tip: A manual prerequisites install is no longer required as the SOTI MobiControl installer has them embedded.

[Optional], depending on your requirements:

  • If managing Android or Apple devices: An externally accessible Domain Name Service (DNS).
  • If managing Apple devices: An APNS certificate (with a password and APNS topic string)
    Note: Enable one of the following TLS cipher suites on the deployment server for APNS:
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • If the SOTI MobiControl console configuration uses directory service's integrated security: Lightweight Directory Access Protocol Secure (LDAPS) DNS name.
Ports and IP Addresses See the default Network Ports and IP addresses SOTI MobiControl uses to communicate.

SOTI ONE Platform Integration

The following SOTI ONE platform products are compatible with SOTI MobiControl version 2024.0 or later.

Component Recommended Level
SOTI XSight Version 4.3 and later
SOTI Snap Version 2024.0 and later
SOTI Connect For network inventory, version 2.5.1 and later
SOTI Identity Version 2024.1 and later

Recommended Settings

The listed components must meet the recommended levels to run SOTI MobiControl.
Note: For recommendations on 100,000 devices or higher, contact SOTI Professional Services.
Device Scale Number of Management Servers Management Server Specification Number of Deployment Servers Deployment Server Specifications Number of SQL Servers SQL Specification
1 - 1000 1 2vCPU - 8GB RAM (All -in one: MS, DS, and SQL installed) 0 Included in Management Server 0 Included in Management Server
1000 - 10,000 1 4vCPU - 16GB RAM (All-in-one: MS, DS, and SQL installed) 0 Included in Management Server 0 Included in Management Server
10,000 - 20,000 1 4vCPU - 16GB RAM 1 4vCPU - 16 GB RAM 1 4vCPU - 32GB RAMSSD Drives
20,000 - 50,000 1 8vCPU - 32GB RAM 2 4vCPU - 16 GB RAM 1 4vCPU - 32GB RAMSSD Drives
50,000 - 100,000 1 8vCPU - 32GB RAM 4 4vCPU - 16GB RAM 1 8vCPU - 64GB RAM

Database Requirements

The SOTI MobiControl installer comes bundled with the Microsoft SQL Server Express edition. It is typically adequate for deployments of 10 to 1000 devices. For deployments of more than 1000 devices, consider using Microsoft SQL Server Standard edition, as it has scalability and performance improvements.

You can install the database and deployment server on the same host server. However, SOTI recommends using a standalone database to deploy more than 500 devices.

Component Required Level
Software
  • Microsoft SQL Server 2019 (Cumulative Update 12 and later)
  • Microsoft SQL Server 2022 (Cumulative Update 1 and later)
Operating System
  • Windows Server 2019
  • Windows Server 2022

SOTI MobiControl requires SQL servers to use a database collation that is case-insensitive and accent-sensitive. For example, SQL_Latin1_General_CP1_CI_AS is a collation that meets these criteria.

Important: Enable the TCP/IP network protocol in your SQL Server network configuration.

Database Permissions

When installing SOTI MobiControl, you must be a SysAdmin or a DbCreator with ALTER ANY LOGIN permissions. When upgrading SOTI MobiControl, you must also have ALTER DATABASE permissions.

When performing regular operations for SOTI MobiControl Main and Archive databases, the user must have the following permissions:

  • Db_datareader
  • Db_datawriter
  • Permission to execute all procedures

Database Recommendations

The listed components must meet the recommended levels to install the database.

Component Recommended Level
Storage
  • 10 to 500 devices: 2 GB for database growth
  • 500 to 1000 devices: 4 GB for database growth
  • 1000+ devices: at least 5 GB for database growth
Note: The database size depends on the amount of historical logs you configure SOTI MobiControl to retain and your frequency of package deployment.

Network Ports

SOTI MobiControl uses the following ports to communicate between components. For details, refer to the interactive network configuration diagram.

Tip: For the complete list of hosts and ports required by SOTI MobiControl for full functionality of Android Enterprise devices, refer to the Android Enterprise Network Requirements.
Tip: For the complete list of hosts and ports required by SOTI MobiControl for full functionality of Apple Enterprise devices, refer to the Apple Enterprise Network Requirements.

Deployment Server Connections

Component Name Protocol TCP Port(s) Direction
SOTI MobiControl Deployment Server
Note: This is for configurations with more than one deployment server (caching).
 Binary 5495 Inbound
SOTI MobiControl Management Server Binary 5494/5495 Inbound
Amazon App Store HTTPS 443 Outbound
Apple Push Notification Service (APNS) HTTPS 443 Outbound
Apple Automated Device Enrollment (ADE) HTTPS 443 Outbound
Apple Store Licenses HTTPS 443 Outbound
Certification Authority - DCOM
Note: This outbound connection to the certificate authority must be in the same domain.
 Binary Dynamic Outbound
Certification Authority - HTTP HTTPS 443 Outbound
Google Play HTTPS 443 Outbound
iTunes HTTPS 443 Outbound
LDAP LDAP/S 389/636 Outbound
Microsoft SQL Server (SOTI MobiControl Database) Binary 1433 Outbound
SOTI Cloud Link HTTPS 443 Inbound
SOTI MobiControl device agents
Note: This must be an outbound from device agents to deployment servers.
 Binary/HTTPS 5494, 443 Outbound

SOTI MobiControl Device Agents (extra ports for legacy Windows Mobile/CE devices).

Note: This outbound connection must be from device agents to deployment servers. Use these ports only when Using SHA-1 and SHA-2 Certificates on the Same Deployment Server
 Binary/HTTPS 5497/444 Outbound
SOTI Search HTTPS 5500 Outbound to the MS
Native MDM HTTPS 443 Inbound
SOTI Services HTTPS 443 Outbound
Remote Control Binary 5494 Inbound
Windows Notification Service (WNS) HTTP/HTTPS 80, 443 Outbound
SOTI MobiControl Signal Service HTTPS 13131 Outbound to the server hosting Signal Service. Inbound if this server is hosting Signal Service.

Management Server Connections

Table 1. SOTI Products
Component Name Protocol TCP Port(s) Direction
SOTI MobiControl Deployment Server Binary 5494/5495 Outbound
SOTI MobiControl Management Service
Note: This is mandatory in environments with more than one Management Server.
 Binary 5490 Inbound
SOTI Cloud Link HTTPS 443 Outbound
SOTI Identity
Note: See Connecting On-Premises SOTI MobiControl with SOTI Identity in the SOTI Identity help for more information.
 HTTPS 443

Outbound and Inbound
SOTI Services HTTPS 443 Outbound
SOTI Services Skins HTTPS 443 Outbound
SOTI Search Binary 5500 Outbound to SOTI Search
SOTI MobiControl Console HTTPS 443 Inbound
SOTI XSight Server HTTPS 443 Inbound
SOTI MobiControl Signal Service HTTPS 13131 Outbound to the server hosting Signal Service. Inbound if this server is hosting Signal Service.
Microsoft SQL Server (SOTI MobiControl Database)
Note: Enable 1434 for clear reports.
 Binary 1433, 1434 Outbound
Table 2. Third-party Services
Component Name Protocol TCP Port(s) Direction
Amazon App Store HTTPS 443 Outbound
Apple Push Notification Service (APNS)† HTTPS 443 Outbound
Apple Device Enrollment Program (DEP) HTTPS 443 Outbound
Apple App Store License HTTPS 443 Outbound
Bing Maps* HTTPS 443 Outbound
Certification Authority - DCOM
Note: It must be on the same domain.
 Binary Dynamic Outbound
Certification Authority - HTTP HTTPS 443 Outbound
Enterprise Resource Gateway (ERG) HTTPS 443 Outbound
Google Play‡ HTTPS 443 Outbound
iTunes HTTPS 443 Outbound
LDAP LDAP/S 389/636 Outbound
Microsoft SQL Server (SOTI MobiControl Database) Binary 1433 Outbound

*Enable Ports TCP/443 Outbound for:

  • bing.com
  • platform.bing.com
  • *.virtualearth.net

Apple APNS

  • Devices require a persistent connection to Apple's servers via Ethernet, cellular data (if supported), or Wi-Fi.

  • Firewall/ Private APN Requirements:

    • Port 5223: Used for communication with APNS.
    • Port 443 or 2197: Used to send notifications to APNS.
    • Port 443: Used during device activation and as a fallback if Port 5223 is unavailable. Connections over Port 443 can use a proxy, provided the proxy permits communication without decrypting data.

  • Load Balancing:

    APNS servers use load balancing, so devices may not connect to the same public IP for notifications.

  • IP Address Access Recommendations:

    • Allow access to the entire 17.0.0.0/8 address block (reserved for Apple).
    • If restricted, allow access to these specific ranges:

IPv4

  • 17.249.0.0/16
  • 17.252.0.0/16
  • 17.57.144.0/22
  • 17.188.128.0/18
  • 17.188.20.0/23

IPv6

  • 2620:149:a44::/48

  • 2403:300:a42::/48

  • 2403:300:a51::/48

  • 2a01:b740:a42::/48

‡ Google Play Store:

  • The Google Play Store requires access to SOTI Services IP Addresses.

Miscellaneous Connections

Component A Component B Protocol TCP Port(s)
Enterprise Resource Gateway (ERG) Exchange Binary 443
Enterprise Resource Gateway (ERG) SharePoint/WebDAV HTTPS/WebDAV 443
SOTI Cloud Link Certification Authority - DCOM
Note: It must be on the same domain.
 Binary Dynamic
SOTI Cloud Link Certification Authority - HTTP HTTPS 443
SOTI XSight Server Microsoft SQL Server (SOTI XSight Database) Binary 1433
SOTI XSight Server SOTI XSight UI HTTPS 443
SOTI XSight UI Remote Control HTTPS (web sockets) 443
SOTI Hub Enterprise Resource Gateway (ERG) HTTPS 443
SOTI Surf Enterprise Resource Gateway (ERG) HTTPS 443
SOTI MobiControl Console Remote Control HTTPS (web sockets) 443
SOTI Search Other SOTI Search Servers (Only for multi SOTI Search server environments) Binary 5500 (Inbound and Outbound)

SOTI Services

The SOTI Services include Activation, Agent Builder, Enrollment, Location, Google Play, Microsoft 365 Integration, Messaging, Antivirus Definitions and SOTI Surf services. These services make sure that your SOTI MobiControl deployment has:
  • the latest certified version of device agents
  • fast and easy enrollment of devices
  • updates for licenses
  • enhanced feature integration with third-party services

Access both SOTI Services and SOTI Services Skins (for device skin-related image files) using HTTPS on port 443. Be sure to whitelist the following fully qualified domain names and/ or IP addresses with your firewall, allowing unrestricted communication between your SOTI MobiControl deployment and SOTI Services.

Note: The SOTI MobiControl management service requires access to the following URL endpoints: activate2.soti.net and agentdservice.s3.amazonaws.com to download or update SOTI MobiControl Android Device Agents.
Service Name Endpoint
Activation Service activate2.soti.net / services.soti.net
Agent Builder Service activate2.soti.net
BitDefender Antivirus mobicontrolservices.soti.net
Enrollment mcenroll.soti.net / mc-enroll.soti.net / activate2.soti.net / mobicontrolservices.soti.net
Google Play Services activate2.soti.net
Location Services activate2.soti.net / services.soti.net
Microsoft 365 Services mobicontrolservices.soti.net
Messaging activate2.soti.net
Notifications notificationservice.soti.net
Skins Service skinsapi.soti.net / www.soti.net
SOTI Surf mobicontrolservices.soti.net
Send Debug Report Logs sftp.soti.net (port 22)
Important: You must also whitelist https://services.soti.net/sftp/metadata.json

SOTI Services are load-balanced across the following IP addresses. It is strongly advised to whitelist all IP addresses in case of a failover event so as not to prevent communication:

ID Based Enrollment:

54.209.186.178

54.208.149.103

Primary Communications:

76.223.23.230

13.248.157.19

Skins Endpoint:

99.83.149.241

75.2.25.8

Failover:
Attention: The following IP addresses do not respond unless there is a failover event.

54.208.194.169

54.209.62.205

54.209.186.251

54.209.207.237
Note: For the agentdservice.s3.amazonaws.com endpoint, you must to whitelist Amazon’s S3 Service. A list of their IP addresses is here (https://ip-ranges.amazonaws.com/ip-ranges.json) using the filter of service: S3 and Region: us-east-1..

Supported Devices

SOTI MobiControl supports various products, including Android, Apple, Linux, and Windows.

The following table offers a complete list of supported operating systems and their associated platforms.

Note: Some devices require the installation of a SOTI MobiControl Device Agent for management purposes. The SOTI MobiControl Device Agent uses about 10 MB of device storage.
Important: If your devices use the following unsupported operating systems, upgrade to a supported operating system and the latest SOTI MobiControl Device Agent. Devices that do not update get marked as incompatible and hence do not receive any SOTI MobiControl Device Agent upgrades after upgrading to SOTI MobiControl 2024.1.
  • Windows CE .NET 3.0
  • Windows CE .NET 4.1
  • Windows CE .NET 4.2
  • Windows Pocket PC 2002
  • Windows Pocket PC 2003
  • Windows 2000
  • Windows Mobile 2003
  • Windows Server 2003
  • Windows Server 2008
  • Windows XP
  • Windows Vista
Platform Description
Android Plus For SOTI MobiControl Device Agent 2024.0 and later, devices running:
  • Android Classic | devices running Android 4.2 to 13
  • Android Enterprise | devices running Android 5 to 14
Note: If you use SOTI MobiControl Device Agent 15.4.6 (Android Enterprise) or SOTI MobiControl Device Agent 15.4.5 (Classic) or earlier, then you can use the following:
  • Android Classic | devices running Android 4.2 to 12
  • Android Enterprise | devices running Android 5 to 13
Note: For more information about Android Enterprise/Classic, see Android Enterprise and Android Classic for SOTI MobiControl Device Agent 2024.0.0 (October 19, 2023) in the Release Notes. You cannot enroll devices for SOTI MobiControl Device Agent 15.4.0 or later versions for:
  • Android Classic: OS versions 4 and 5
  • Android Enterprise: OS versions 5 and 6
Apple Devices running:
  • iOS 8.0 or later, including iPhone, iPad, and iPod touch devices
  • macOS 10.12 or later
Linux Devices with x86 (32-bit), x64 (64-bit), or ARM (32-bit and 64-bit) processors or Zebra FX7500/FX9600 (RFID readers)
Windows Desktop Classic Desktop devices running Windows
Windows Mobile/CE Devices running:
  • Windows CE .NET 5.0 or later
  • Windows Mobile 5.0 or later
Windows Modern Devices running:
  • Windows 10: Professional, Enterprise, or IoT Enterprise
  • Windows 11: Professional, Enterprise, or IoT Enterprise

Supported TLS Versions

Secure communication depends on the Transport Layer Security (TLS) version supported by the SOTI MobiControl deployment server and the device platform.

Important: Unless necessitated by the limitations of older mobile devices, the use of pre-1.2 TLS versions is not recommended.
The SOTI MobiControl deployment server supports the following TLS 1.2 cipher suites:
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

The following table lists the TLS version supported by each device platform.

Device Platform TLS Versions
Windows CE TLS 1.0/1.1/1.2
Android 4.2 TLS 1.0
Android 4.3 to 9.0 TLS 1.0/1.1/1.2
Android 10 to12 TLS 1.0/1.1/1.2/1.3
iOS 5 to 12 TLS 1.0/1.1/1.2
macOS 10.15.x to 13.x TLS 1.0/1.1/1.2
Windows 10 Mobile 1511 to 1709 TLS 1.0/1.1/1.2

Certified Device Support

SOTI provides technical and development support for devices that have been tested and certified. Device certification ensures compatibility with all applicable SOTI ONE products and features.

Note: Uncertified devices receive best-effort support because SOTI cannot give assurance that they will function as intended.

Below is an overview of the certification process:

  1. A SOTI partner submits a request for device certification, including the make and model number.
  2. SOTI evaluates the certification request based on set criteria, then works with the partner to ensure all business and technical requirements are met to move forward.
  3. SOTI applies more than 400 rigorous tests to the device.
  4. SOTI fully certifies the device if it meets the standards of performance and functionality for the SOTI ONE Platform. The device may alternatively earn a passing status with known limitations.

If the device certification fails, SOTI will work with the device manufacturer to best resolve the issues.

Upon device certification, the customer receives the following support:

  • Technical support for troubleshooting SOTI-related device features across all SOTI products.

  • Best development efforts with SOTI and its partnership network.

  • Ongoing device application support to ensure SOTI features are updated with periodic SOTI agent and plugin releases.

  • Device-specific feature requests are considered for implementation in supporting the customer's operational needs.

Please click https://docs.soti.net/mobicontrolagentdownloads to see a list of available certified Android devices and SOTI Agent APKs.

If you do not find the device you are looking for, please contact your SOTI Account Manager or contact us at https://soti.net/about/contact-us/.