Scope of work for MobiControl implementation

 On total 30+ devices will be enrolled and managed from SOTI MobiControl cloud instance.
 Device fleet consists of different variants of device manufacture such as iOS, Android, and
Windows desktop .
 Utilizing MobiControl web console for centralised management and Administrator of
enrolled devices.
 Activate MobiControl
 Assist to obtain an Apple APNS certificate for iOS device management.
 Assist to obtain an Android Enterprise for enhanced device management.
 Create and configure a logical tree structure based on best practice and customer
requirements
 Enrollment method to be utilized:
 iOS –> Factory wipe and manual supervision for enhanced MDM functionalities and
utilizing URL method of enrollment
 Android –> Android Enterprise work managed (DO Mode) – Factory wipe and
enrolling device to ensure complete device management
 Windows -> Windows Modern certificate-based enrollment (PPKG)
 Kiosk (Lockdown mode)
 Android and Windows -> Multi App kiosk mode
 iOS – Single app kiosk mode
 Enabling sharing device option via SOTI identity.
 Remote control on Android & Windows devices and only Remote view on iOS devices.
 OS update management on iOS devices (Require supervision).
 Alerts -> Geofence – To monitor the inbound and outbound traffic in specific terminal
location.
 Alerts -> Device events – To monitor the mobile device’s performance.

Scope of work for MobiControl training

 Web console navigation
          o Platform tabs
          o Column customization
          o Device info panels
          o Groups
          o View filter

 Right click options / Additional Menu

        o Remote control
        o Custom attributes
        o Custom data
        o Advanced settings
        o Actions
        o Location services
        o Send

 Rules
      o Add device rule
      o Application catalog
      o File sync rule
      o Device relocation rule
      o Data collection rule
      o Alert rule
      o Telecom expense management rule

 Profiles
      o Security
      o Restrictions
      o Email & Calendars
      o Connectivity
      o Other
      o SOTI apps
      o KNOX
      o Android for work
      o Profile assignment

 Packages
       o Building packages
       o Package dependencies
       o Content Library
       o Global settings
        o Admin utility
        o Cloud link
        o Enterprise resource gateway
        o Console Security
        o Reports
 SOTI Mobicontrol Activation
Activate SOTI MobiControl to begin using its device management features. Activation is
simple and only requires a registration code:-
- Login onto Mobicontrol Portal
Server : https://a007058.mobicontrol.cloud/MobiControl/
Login : Administrator
Password : Welcome2Cloud
- Go SYSTEM SETTINGS > Servers
- Click on Help button > License information

- Input Registration Code:

  User Management in SOTI Identity
Configuring SOTI Mobicontrol for SOTI Identity User Management

The following user management tasks are performed in SOTI Identity.

 Adding Users
 Deleting Users
 Creating and assigning user roles
 Setting access control and password complexity requirements
 Unlocking accounts

To configure SOTI MobiControl to use SOTI Identity to perform user

management tasks:

1. Setup an SOTI Identity account.

SOTI Identity URL: https://identity.soti.net

- Create New User Groups (E.g. Administrators, User Group..)

 - Add New User

- Assigned Apps

Add users and create user roles in SOTI Identity.

To define permissions for user roles:

1. On the Security tab, select Manage Users on the left pane.

2. Select the user role whose permissions you want to define.
3. Under Global Permissions, choose either Allow or Deny for each permission. See Global
Permissions to understand what each permission allows a user to do.
4. Once you're satisfied with the list of permissions, click Save in the bottom right corner.

Your user roles now have permissions configured for them. Return to the SOTI Identity console and
assign roles to users.
Adding Permissions Based on Device Group
To create a new user or user group within the SOTI MobiControl console whose permissions are
restricted to specific device groups:

1. On the All Platforms tab, select the Security tab.

2. Select the Device Group Permissions option from the left pane of the console.
3. Select a user or user group from the User/User Groups list and then select a device group
from the Device Groups list.
4. Under the Device Group Permissions pane, select the permissions that you want to apply to
the user or user group.

See Device Group Permissions for information on specific permissions.

5. Once you are satisfied with the permissions, click Save in the bottom right corner of the SOTI
MobiControl console.

2. Log into your SOTI Identity console and add your SOTI MobiControl instance to SOTI

Identity.

- In the SOTI Identity Admin Console, open the  main menu in the top left and

select Applications from the dropdown menu to open the Applications view.
- Click the  Add Application button in the top right corner and select SOTI MobiControl from
the dropdown list.
- In the Add SOTI MobiControl dialog box, enter SOTI MobiControl Instance Name,
Application Logo, and Description for your profile.

- Click on Add and Generate Credentials to generate the application credentials which include
the Client ID, Client Secret and SOTI Identity URL
3. Associate your SOTI MobiControl instance with SOTI Identity. Perform the steps below:-

In the SOTI MobiControl console, open the  main menu in the top left and select Global

Settings.
If you are in the legacy console, go to the All Platforms tab and the Servers tab.
- Under Global Settings, click the wrench icon beside Identity Provider Configuration to
open the Identity Provider Configuration dialog box.
- Click the New button and select SOTI Identity from the dropdown list.
- Enter the SOTI Identity URL for the SOTI Identity account that manages users for this
instance of SOTI MobiControl.
- Enter the Client ID and Client Secret information for your SOTI MobiControl instance.
- Click OK to save your settings and close the Identity Provider Manager dialog box.
- Under Global Settings, click the wrench icon beside Console Security Settings to open
the Console Security dialog box.
- On the SAML SSO tab, turn on Enable SSO and from the Identity Provider dropdown list,
select SOTI IdP.
- Click OK to save your settings and close the Console Security dialog box.

4. Control User Access to Apps

- In the SOTI Identity Admin Console, open the  main menu in the top left and

select Applications.

- Select the application you want to assign users to then click the  Assign User icon in the
Applications Actions menu bar. The Assign User dialog box opens.

- Select the user or group you want to assign the role to then click the Edit button.

- Open the Role dropdown list and select all the roles you want to apply to the user or
group.

- Click Update to save your changes.

- Click Done to return to the Applications list.
 Enrolling Devices
1. Creating an Android Enterprise Device Policy

- From the main menu, select Policies > Enrollment. The Enrollment Policies view is displayed.

- Click New Enrollment Policy. The Enrollment Policy wizard launches > Choose Android
Enterprise
- Add Name for Enrollment Policy
- Enterprise Bindings > Managed > Add one Managed Enterprise Account (Google Play)

- Management Type > Work Managed

- Set Device Group Destination
- Configure additional settings for the Enrollment Policy

2. Adding Apple Devices

 When managing Apple devices, you must install the Apple Push Notification Service (APNS)
certificate on SOTI MobiControl before you can create an add devices rule. The APNS
certificate facilitates communication between SOTI MobiControl and Apple servers.

 Apple devices do not require a device agent for enrollment, however you can choose to
install an agent on iOS devices after enrollment. Simply create an app policy that contains
the device agent and targets the enrolled device.

Assist to obtain an Apple APNS certificate for iOS device management.

1. Go to Global Settings > Apple > Apple Push Notification Service

2. Download Certificate Signing Request

3. Log into the Apple Push Certificates Portal using your Apple ID and upload the CSR
file. A certificate file .pem will be received in return.
4. In the Push Certificate field, enter the .pem certificate file. You can browse for this file or
drag and drop it into the field.
5. In the Apple ID field, enter the ID you've used at the Apple Push Certificates Portal, for
future reference.
6. Click Save.

You can now enroll your Apple devices.

APNS certificates are valid for one year. Always ensure you renew the certificate before the
expiration date. If the certificate expires, all devices must be re-enrolled.
 3. Adding Windows Devices (Windows Modern Desktop Devices)

- In the SOTI MobiControl legacy console, go to Windows Modern > Rules and right-click Add

Devices. Select Create Add Devices Rule to launch the Create Add Devices Rule wizard.
o An add devices rule defines enrollment settings for your devices. You can create multiple
add devices rules, each with different enrollment settings.
- Enter a name for the add devices rule. Make it brief, but descriptive, especially if you plan to
create multiple add devices rules. Click Next.
- Enrollment Options > Certificate Based Enrollment (Select Automate Certificate Enrollment)
- Rule Target > Select Device group
- Authentication > Internal Mobicontrol CA
- Customize the name of devices enrolling into the system and Enable Rule

Downloading Provisioning Package (PPKG)

1. In the SOTI MobiControl legacy console, go to Windows Modern > Rules and expand Add

Devices to reveal a list of available Add Devices rules.
2. Right-click the rule from which you will download the provisioning package. Click Download
Microsoft Provisioning Package.
 3. Retrieve the .ppkg from your Downloads folder.

Using a PPKG file

1. On the Windows Modern device you wish to enroll, navigate to the .ppkg file and open it.
2. Follow all prompts and accept the package. The device will enroll silently.
3. To verify the installation, navigate to Settings > Accounts > Access work or school. A list of
MobiControl MDM connections will appear. Verify that a MobiControl MDM connection is
present.

4. Enrollment Rules
Enrollment policies (Add device rule) for Windows modern (Certificate based enrollment),
iOS (Steps to supervise and enroll using URL method) and Android (Android Enterprise work
managed)

- Go to Global Settings > Enrollment > Enrollment Rules

- Set the Enrollment defined rules for each platform
Please find below steps and details on how to enrol the devices to MobiControl:-
 
1. Android Devices
 Go to Settings > Reset device to factory settings
 Choose Wi-Fi network for internet access
 Copy apps and data (Don’t copy if not required)
  Checking Info > insert afw#mobicontrol when prompted to add a Google Account
 Install MobiControl Android Enterprise
 Account Added > Next
 Google Services Policy > Accept
 Done
 Enroll using ID or Server address (QLAHKZ27 or
https://a007058.mobicontrol.cloud/Enrollment/162MX7)

1. iPad Devices
You can either download Mobicontrol from App Store or use below link to proceed with
download
               
Enrollment URL
                https://a007058.mobicontrol.cloud/Enrollment/NDIQT6
 
IOS Agent Enrollment ID
                BUMJUW48
 
Download > Allow website to download a configuration profile
·        Choose iPad > Next
·        Trust > Next
·        Enroll > Download > Allow
·        Open settings on iPad > General > VPN & Device Management
·        Select Downloaded Profile (Mobicontrol)
·        Install Profile

1. Windows 10 Modern Devices

Install attached ppkg file on the Windows 10 device for enrolment

Device Compliance Policies

Implement custom policies that determine what characterizes a compliant device in your
environment. Each compliance policy consists of a set of highly customizable criteria that uses
filtering logic similar to the Devices search. Devices that match the specified criteria are flagged in
the system as non-compliant and you can perform actions based on their compliance status.
You can create multiple compliance policies, each with different criteria, different actions, or
different device group targets.

Compliance polices are supported on Android, iOS and Linux devices.

Compliance policies are run at every device check-in. Non-compliant devices are marked with a red
exclamation mark in the Devices list. You can also check a device's compliance status in its Device
Information panel or run a device search: Compliance Status = Non-Compliant. The Compliance
Status (deprecated) device property specifically refers to a device's status regarding default
compliance policies.

Default Compliance Polices

SOTI MobiControl 15.1.0 significantly expanded the former functionality of compliance policies.
Previously, compliance referred to a specific and limited set of criteria such as whether a device was:

 Enrolled
 Enabled
 Wiped
 Jailbroken or rooted

Device types which do not support custom compliance policies (such as Windows and Printers)
continue to use this older standard. On Android Plus, iOS, and Linux devices, they remain as default
compliance policies.

Setting up a Compliance Policy

Use compliance policies to create custom filters that flag devices that meet the specified criteria and
potentially perform automatic actions on non-compliant devices.

To create a new compliance policy:

 1. Open the Compliance Policies view from the main menu.
2. Click New Compliance Policy to launch the Create Compliance Policy wizard.
3. Choose the device type you want this compliance policy to apply to. You can only create
compliance policies per device type and settings differ based on device type. You can create
a policy for the following device types:
o Android
o iOS
o Linux
4. Enter a name and description for the compliance policy. Click Next.
5. Under Non-Compliant Criteria, click inside the Add a filter field to activate it. Start to type
the name of a device or extended property to narrow down the list or scroll through the
dropdown list to find a property.
6. Under Actions, click Add to specify the actions SOTI MobiControl should perform on non-
compliant devices.
7. Select an action type from the dropdown list.

Options change depending on which action is selected.

Refer to Compliance Policy Actions for a list of available actions.

8. Configure the action and click Add Action. You can add multiple actions to a compliance
policy.

You can set actions to execute as soon as a device is deemed non-compliant or delay their
execution.

9. Click Save to save the compliance policy without assigning it to any devices or Save and
Assign to proceed straight to assigning it.

The new compliance policy will be visible in the Compliance Policies view where you can continue to
make changes as needed.

Creating a Device Group

To create a root device group:

1. At the bottom of the device group tree, click New Group and select New Root Group.
2. Enter a name for the new device group in the Group Name field and click Create.
3. Drag and drop devices into your new device group or create an add devices rule that targets
the new group.

To create a nested device group:

 4. Right-click on the device group where you want to nest a new group.

You cannot nest 'real' device groups under virtual or filter groups, only under other real
device groups.

5. Select Add Group.

6. Enter a name for the new group in the Group Name field and click Create.
7. Drag and drop devices into your new group or create an add devices rule that targets the
new group.

Moving Devices Between Groups

Although devices are added to device groups based on enrollment settings, they do not have to
remain in those device groups. You can drag-and-drop them into a different device group or use
device relocation rules to automatically move devices between groups based on changes in their IP
addresses or other custom data that you have specified.

Note: Device configuration settings are often based on device group. When devices are moved
between groups, their assigned device settings, profiles, and other configurations may be revoked or
altered to match the new device groups.

Triggering Device Check-In

To immediately synchronize a device to the SOTI MobiControl deployment server:

1. Select the device(s) that you want to check-in and click the Check-in icon in the Device
Actions menu bar.
2. If applicable, click the warning message at the bottom of the dialog box to see why some of
the selected devices cannot check-in.
3. Click Check-in.

Sharing Devices

Before you begin

You must have a valid directory service or identity provider connection configured in SOTI
MobiControl. SOTI MobiControl uses these credentials to verify which device users are authorized to
access shared device features. See Identity Management for help setting up these connections.

If you want to present terms and conditions to your device users when they log into a shared device,
you should upload terms and conditions to SOTI MobiControl prior to beginning this task.
The Shared Device advanced configuration allows you to share a device among multiple users and
personalize the device to each user as they log in. This multi-user functionality creates a set of
interchangeable devices that are equally and immediately useful to any authorized user that picks
one up.

Tip: Check out Configuring Shared Device for videos detailing how to configure Shared Devices.

Shared Device is only supported on Android (with a device agent of 13.7.0 or later) and iOS devices.

To set up Shared Device on your devices:

1. Create and organize your device groups to capitalize on Shared Device functionality.

The shared device feature is applied at the device group level and all its subgroups (unless
otherwise specified). You can set Shared Device to move devices to a nested group with
different settings when a user logs into a device. This way, you control which settings or
configurations are available depending on the log in status of the device. You can even
designate different device groups depending on the user that logs into the device.

A basic device group structure might look like this:

Depending on your relocation settings, devices may remain in Warehouse or move to either
Warehouse A or Warehouse B.

2. Apply any rules, settings, or configurations that you want enabled on the main device group
or its nested device groups.

Important: On iOS devices, you must install the SOTI MobiControl Login app to facilitate
Shared Device features. Use an application catalog rule to deploy it to devices.

Tip: Consider adding a Lockdown (Android Plus) or Single App Mode (iOS - set to the SOTI
MobiControl Login app) profile configuration to the main shared device group to restrict the
functionality of devices unless an authorized user is logged in.

3. In the Devices view, right-click on the the device group where you want to apply Shared
Device and select Advanced Configurations.
4. Choose either Android Plus or Apple from the device type dropdown and select Shared
Device from the list of Advanced Configurations. You can apply shared device to both
Android and iOS devices within the same group but you must configure them separately.
5. In the Shared Device Configuration dialog box, select the Enable Shared Device Configuration
check box and begin filling in the fields to configure Shared Device.

Select this check box to enable the Shared Device advanced

Enable Shared Device
configuration.
Click the to select either a Directory Services or a Identity
Add Groups
Provider connection from the dropdown list. If you haven't
o Directory configured a directory service or IdP, you can set up a new
Service connection by clicking Manage Directories. Refer to Identity
o Identity Management for instructions on how to associate your
Provider identity management system with SOTI MobiControl.

Note: Shared devices do not work with Azure AD.

User Group Mapping Use this table to map user groups to the device groups they'll move
into once a user from that user group logs into the device. Each
 user group can be mapped to a different destination device group,
with different terms and conditions.

For example, you can specify that the devices logged into by
users in the IT user group should move to Group B upon login.
Group B has lockdown and some feature control options
configured. Then, specify that users in the Sales user group
should move to Group C, which has lockdown and VPN profile
configurations applied, as well as a more frequent check in
schedule.

Choose a terms and conditions document from the dropdown

list.
Enable this option to send the device back to its original group once
Relocate device back to
the device user logs out. Settings and configurations specific to the
home device group on
destination group will be removed and instead the settings and
logout
configurations of the home group will reapply.
Enable this option to delete all data from applications installed by
Clear managed SOTI MobiControl, when a device user logs out of Shared Device
application data when mode.
user logs out Note: Email account data is always cleared regardless of whether
this option is selected or not.
Enable this option to clear the passcode from the device once the
Disable device passcode device user logs out.
when user logs out Note: This option is only supported on iOS devices or Samsung
devices running Android 7.0 or later.

6. Use the up and down arrows to reorder the user group mappings. SOTI MobiControl
evaluates user acceptance to each group in the order they appear in the list.
7. Click OK to save your settings for Shared Device and apply it your devices.

Shared device is now enabled on your devices. Your device users will be able to log in with
their directory service or IdP accounts and configure the device to their requirements.

Configuring Shared Device Video:-

https://soti.net/mc/help/v15.2/en/console/configurations/advancedconfigurations/shareddevice/
shareddevice_videos.html

Logging into Android Plus Shared Devices

Note: To log into an iOS shared device, see Logging into iOS Shared Devices.

To sign into Shared Device on your devices:

1. On the device, open the SOTI MobiControl device agent, open the side menu and tap Log in
to launch the Shared Device log in page. If a lockdown profile configuration is enabled, swipe
up from the bottom of the device screen and tap the Log In button instead.
 2. Enter the credentials for the applicable directory service or IdP connection and tap Log in.

Once the device user is successfully logged in, the device will move to the device group specified in
the shared device advanced configuration and apply any settings or configurations that are assigned
on that device group. There may be a slight delay while the device is prepared for the new user. The
device user can configure their email and other device settings.

To log out, swipe up from the bottom and tap Log Out.

Logging into iOS Shared Devices

Before you begin

Shared Device on iOS requires the use of the SOTI MobiControl Login app. Deploy it to your iOS
devices using an application catalog rule.

Note: To log into an Android shared device, see Logging into Android Plus Shared Devices.

To sign into a shared device on your iOS devices:

1. On the device, launch the SOTI MobiControl Login app and enter the credentials for the
applicable directory service or IdP connection. Tap Log in.
 2. Optional: If applicable, accept the terms and conditions to finish logging into the device.

Once the device user is successfully logged in, the device will move to the device group specified in
the shared device advanced configuration and apply any settings or configurations that are assigned
on that device group. There may be a slight delay while the device is prepared for the new user. The
device user can configure their email and other device settings.

To log out, open the SOTI MobiControl Login app and tap Log Out.

Logging Out Shared Devices

If you need to sign a user out of a shared device, you can log them out remotely from the SOTI
MobiControl console:

1. Select the devices whose current users you want to sign out and in the Device Actions menu
bar, click the More > Log Out Shared Device.
2. In Log Out Shared Device, confirm that the device action will apply to all the selected devices
or expand the warning message to see why a device won't receive the command.
3. Click Log Out Shared Device.

Device users currently logged into the selected devices will be logged out. Depending on your
settings, devices may return to their original device groups and revoke any configurations or settings
that previously applied.
Using Profiles
A profile is a container that applies device settings (through configurations), data or applications
(through packages) to your devices. You can create multiple profiles and assign them to different
devices or device groups.

The Profiles view displays an overview of all the profiles present in your SOTI MobiControl instance.
See profile information for individual devices in their Device Information panels.

Creating a Profile
Send device settings and software to your device through Profiles.

To create a profile:
1. In the console, click the main menu button and select Profiles from the dropdown menu to
enter the Profiles view.
2. Click the New Profile button in the top right corner and select a platform from the Create
Profile dialog box. The Android Plus, Apple and Windows platforms have subcategories of
device types. Hover over each platform icon to see more specific device types.

You can only create profiles for a single platform at a time.

3. On the General tab, enter a name and description for the profile. The name and description
will be visible to the device user.

In the future, this is where basic information about the profile will appear.

4. Note: You can create profiles have only configurations or only packages. You do not need to
include both.

Move to the Configurations tab and click the Add Configuration button.

A list of all the profile available for that device type will appear.

5. Select a profile configuration and configure it accordingly.

Profile configurations can differ drastically in requirements. For information on specific

configurations, see Profile Configurations.

6. Repeat for any additional profile configurations you want to add to the profile.

Note: Some profile configurations have dependencies and prevent you from installing the
profile unless both are on the device. For example, you cannot assign a Lockdown profile
configuration if there is no Authentication profile configuration also inside the profile.

7. Move to the Packages tab and click the Add Package button.
8. Add a package to the profile.
o If the package is already uploaded to SOTI MobiControl, select it from the packages
list and click Add to Profile.
o If the package is not uploaded to SOTI MobiControl yet, click Add and Browse to the
location of the .pcg (or .apk for Android) file you want to add to the profile then click
Upload.

Ensure you select the correct package version.

9. Repeat for any additional packages you want to add to the profile. Use the arrows to change
the order in which packages will be installed.
10. Optional: If your packages must be installed in a specific order, click Action > Define Package
Dependencies beside the package that depends upon the installation of other package.

a. Beside the package(s) which must be installed to allow the other packages
installation, shift the toggle to On to set the dependency.
b. Click Save.
11. Click Save and Assign to assign the profile to your devices immediately or Save to save the
profile and assign it later.
You've finished creating a profile. All profiles are visible in the Profiles view.

Assigning a Profile
Assigning a profile pushes its settings down to your devices. You can assign a profile immediately
after creating it or create a profile and then assign it separately.

To assign a profile to devices:

1. In the Profiles view, click on a profile's name to open its Profile Information panel and click
the Assign button from the Profile Actions list.

You can also click > Assign beside the profile.

2. In the Assign dialog box, configure the Device/Device Groups that you want the profile to
target, the Filter Criteria that you want to use to narrow which devices it affects, and any
other Options such as installation methods and schedules.

Tip: For profiles with large packages, consider setting a package installation window that
restricts the time frame in which the package will begin installation on the device.

3. In the Assign dialog box, select the devices or device groups that you want the profile to
target.
4. Switch to the Users tab and select one or more directory services or identity provider (IdP)
groups that will be used to determine which devices are assigned the profile.

You can specify that devices belonging to a directory service or IdP group are either included
in, or excluded from, profile assignment.

5. Switch to the Filters tab and define filter criteria to further refine which devices receive the
profile.

Filter criteria use the same filtering logic as the Devices search. You can use device
properties and the Apps extended property to create filters.

6. Click Options to set installation methods and schedules.

Supported options differ by platform.

Installation Choose how the profile's content are installed on the device:
Method
o Automatic: the contents of the profiles are automatically
installed on the device once the profile is received.
o Self Serve: the device user chooses which configurations or
 packages to install.

Network Specify over which networks the device is allowed to download the
Restrictions contents of the profile.
Minimum Battery Set the minimum battery level a device must exceed before it can begin
Level profile installation.
When enabled, packages are stored persistently on the
Store Packages Persistently
device
Reinstall Every Update When enabled, packages are reinstalled on the device on
Schedule and Check-in every check in.
Uninstall Contents After Profile When enabled, package contents are removed from the
Revocation/Deletion device when the profile is removed or deleted.
Set a date and time for the package to be installed on the
Install Date device. Choose which time standard to use: Device Time or
UTC Time
Set time frames during which packages can be installed. You
Custom Package Installation
can set multiple time frames. Click Add to add a time frame.
Schedule
Click Edit to edit an existing time frame.
Enable to select a date and time to assign the profile. If you also enable
Assign Date Delay to next update schedule, the profile will be assigned on the first
update check in following the Assign Date.
Disable Date Enable to select a date and time to disable the profile.
Revoke Date Enable to select a date and time to revoke the profile.
Set time frames during which the contents of the profile can be installed.
You can set multiple time frames. Click the Add button to add a time frame.
Note: If you set both a profile assign date/time and a time frame, and the
Custom
profile assign date/time does not fall within the time frame, the profile will
Deployment
not be automatically installed. Instead, the profile will only be deployed if
Schedule
the device checks in during the time frame and after the profile assign date
has passed. The start of the time frame will not automatically trigger a
check in.

7. Click Save Options to return to the main Assign dialog box.

8. When you're finished, click Assign.

Your profile will target your devices according to the specified assignment criteria.

Android Enterprise Work Managed Profile Configurations

Important: These profile configurations are designed for Android Enterprise Work Managed devices.
See Android Plus Profile Configurations for profile configurations for other Android Plus device types.

Always make sure that you select the correct device type when you create new profiles. Available
profile configurations change depending on the selected type.

Security
 Configuration Description
Antivirus Protection Enables antivirus protection on your devices.
Authentication Enforces administrator and user password policies.
Certificates Distributes digital certificates to your devices.
Factory Reset
Designates which Google accounts have access to devices after a factory reset.
Protection
Determines an automatic action that occurs when a device has not connected
Out of Contact
to the deployment server in a specified amount of time.
System Update
Controls when system updates are allowed to install on devices.
Policy

Restrictions
Configuration Description
Application Run Control Restricts which applications can operate on your devices.
Browser Manages internet browser security settings.
Browser Proxy Specifies connection settings for the Google Chrome browser.
Feature Control Disables specific device features such as camera, Bluetooth, and others.
Lockdown Configures custom kiosk display settings for your devices.
Web Filter Specifies which URLs device users can access within Google Chrome.

Connectivity
Configuration Description
APN Configures access point name settings for your devices.
VPN: Pulse Secure Configures Pulse Secure VPN settings for your devices.
VPN: NetMotion Configures NetMotion VPN settings for your devices.
WiFi Configures WiFi settings on your devices.

Email & Others

Configuration Description
Bookmarks Adds bookmarks to the default browser on your devices.
Email Configures email account settings for your devices.
Managed Google Play Configures device user ability to update Managed Google Play apps.
Task Scheduler Configures schedules for executing scripts on devices.

SOTI Apps
Configuration Description
Settings Manager Controls which of the device settings device users can change while a device is in
 Configuration Description
lockdown.
SOTI Hub Configures settings for the SOTI Hub app.
SOTI Surf Configures settings for the SOTI Surf browser app.

iOS Profile Configurations

Configurations are added to profiles to push device settings down to devices. Use the tables
below to see the configurations that are available on this platform.

Note: The Apple platform has two default profiles: App Catalog and Profile Catalog. Both default
profiles are simple web clips that point to the web address for either the App Catalog or the Profile
Catalog. Do not delete these default profiles.

Security and Restrictions

 Configuration Description
Application Run
Restricts which applications can operate on your devices.
Control
Authentication Enforces administrator and user password policies.
Certificates Distributes digital certificates to your devices.
Network Restrictions Determines how managed applications use cellular and roaming data.
Disables specific device features or applications such as camera, YouTube, or
Restrictions
others.
SCEP Configures devices to obtain certificates from a SCEP server.
Single App Mode Restricts a supervised device to the use of a single application.
Single Sign On Allows device users to authenticate once for multiple apps.
Web Content Filter Restricts device user access to websites based on content.

Email, Contact, & Calendars

Configuration Description
Calendars Configures calendar accounts using CalDAV for your devices.
Contacts Configures Contacts accounts using CardDAV for your devices.
Configures Exchange Active Sync email account settings for your
Email: Exchange Active Sync
devices.
Email: IMAP Configures IMAP email account settings for your devices.
Email: POP3 Configures POP3 email account settings for your devices.
LDAP Downloads company contacts configured in LDAP to your devices.
Subscribed Calendars Configures subscribed calendars settings for your devices.

Connectivity
Configuration
AirPlay
APN
DNS Proxy
Global HTTP Proxy
Per App VPN: Cisco
AnyConnect
Per App VPN: Juniper SSL
Per App VPN: Pulse Secure
Per App VPN: F5 SSL
Per App VPN: SonicWALL
Mobile Connect
Per App VPN: Aruba VIA
Per App VPN: Custom SSL
Description
Manages access to AirPlay destinations.
Configures access point name settings for your devices.
Configures DNS proxy settings for iOS devices.
Configures an HTTP(S) proxy for all device traffic.
Configures Cisco AnyConnect VPN account settings for individual
applications on your devices.
Configures Juniper SSL VPN account settings for individual
applications on your devices.
Configures Pulse Secure VPN account settings for individual
applications on your devices.
Configures F5 SSL VPN account settings for individual applications on
your devices.
Configures SonicWALL Mobile Connect VPN account settings for
individual applications on your devices.
Configures Aruba VIA VPN account settings for individual
applications on your devices.
Configures Custom SSL VPN account settings for individual
 Configuration Description
applications on your devices.
Configures NetMotion VPN account settings for individual
Per App VPN: NetMotion
applications on your devices.
VPN: L2TP Configures L2TP VPN settings for your devices.
VPN: PPTP Configures PPTP VPN settings for your devices.
VPN: IPSec (Cisco) Configures IPSec (Cisco) VPN settings for your devices.
VPN: Cisco AnyConnect Configures Cisco AnyConnect VPN settings for your devices.
VPN: Juniper SSL Configures Juniper SSL VPN settings for your devices.
VPN: Pulse Secure Configures Pulse Secure VPN settings for your devices.
VPN: IKEv2 Configures IKEv2 VPN settings for your devices.
VPN: SonicWALL Mobile Configures SonicWALL Mobile Connect VPN settings for your
Connect devices.
VPN: Aruba VIA Configures Aruba VIA VPN settings for your devices.
VPN: Custom SSL Configures Custom SSL VPN settings for your devices.
VPN: NetMotion Configures NetMotion VPN settings for your devices.
WiFi Configures WiFi settings on your devices.

Other
Configuration Description
AirPrint Configures access to AirPrint printers from your devices.
Custom Profiles Distributes custom configuration profiles to your devices.
Fonts Sets custom fonts for your devices.
Managed Domains Separates external data from data that originates from within your organization.
Web Clips Adds URL shortcuts to the home screen of your devices.

SOTI Apps
Configuration Description
SOTI Hub Configures settings for the SOTI Hub app.
SOTI Surf Configures settings for the SOTI Surf browser app.

Windows Modern Desktop Profile Configurations

Configurations are added to profiles to push device settings down to devices. Use the tables
below to see the configurations that are available on this platform.

Important: On devices using Azure AD that support multiple user accounts, the user information is
updated in SOTI MobiControl whenever the device checks in. If you push a profile configuration that
is aimed a specific user rather than the entire device, SOTI MobiControl will only push the profile
when it detects the specified user as the active user on the device.

Security
Configuration Description
Authentication Enforces administrator and user password policies.
BitLocker Configures BitLocker encryption of Windows Modern devices.
Certificates: Client PFX Distributes Client PFX certificates to your devices.
Certificates: Root Distributes Root certificates to your devices.
SCEP Configures devices to obtain certificates from a SCEP server.

Restrictions
Configuration Description
Application Run Control Restricts which applications can operate on your devices.
Assigned Access: Kiosk Mode Configures custom single app kiosk display settings for your devices.
Assigned Access: Configurations Configures custom multi-app kiosk display settings for your devices.
Disables specific device features such as camera, Bluetooth, and
Feature Control
others.
Windows Information
Sets restrictions for accessing corporate data on your devices.
Protection

Email, Contacts, & Calendars

Configuration Description
Configures Exchange Active Sync email account settings for your
Email: Exchange Active Sync
devices.
Email: IMAP Configures IMAP email account settings for your devices.
Email: POP3 Configures POP3 email account settings for your devices.

Connectivity
Configuration Description
APN Configures access point name settings for your devices.
Modern VPN: VPN Native Configures VPN account settings for your devices using the Native
Profile profile.
Modern VPN: VPN Plugin Configures VPN account settings for your devices using the Plugin
Profile profile.
WiFi Configures WiFi settings on your devices.
Using Advanced Configurations
Advanced configurations are a set of device configurations that can perform a variety of
actions at the device and device group level. The capabilities of each advanced configuration
are wide ranging and cover scheduling check-ins to setting deployment server connections
to restricting network access while roaming and much more.

You can access the list of advanced configurations from a device's Device Information panel
or from a device group's Group Information panel.

Not all advanced configurations are available for every device type. In the Group
Information panel, you must select the device family from the dropdown list to see the
advanced configurations available to that device family.

Available Advanced Configurations

Name Description Available On
 Apple
Activation Lock Settings Configures settings for Activation Lock.

 Android Plus
Determines if device user can unenroll their
Agent Settings  Apple
devices.

 Android Plus
Agent Upgrade Settings
 Windows
Determines over which networks device agent Mobile/CE
Agent and Plugin Upgrade
or device plugin can be upgraded.  Windows
Settings on Android Plus
Desktop
devices

 iOS
Bluetooth Disables Bluetooth connectivity on devices.

Connection Settings Determines how and how often devices  Android Plus
connect to the SOTI MobiControl deployment  Windows
server. Mobile/CE
 Windows
Desktop
 Name Description Available On
 Windows
Modern

 Android Plus
 Linux
 Windows
Mobile/CE
Custom Data Manages custom data items.  Windows
Desktop
 Windows
Modern

 Apple
 Android Plus
 Linux
 Windows
Sets priority levels for SOTI MobiControl Mobile/CE
Deployment Server Priority
instances with multiple deployment servers.  Windows
Desktop
 Windows
Modern

 Windows
Health Attestation Policy Manages health attestation policies. Modern

Enables or disables use of device as a personal  iOS

Personal Hotspot
hotspot.
 Android Plus
 Linux
 Windows
Mobile/CE
Remote Control Settings Configures settings for remote control.  Windows
Desktop
 Windows
Modern

 Apple
Remove View Settings Configures settings for remote view.

Sets restrictions for phone data and voice use  Apple

Roaming Restrictions
while roaming.
Allows a device to be shared between
 Android Plus
multiple users, each of whom receives
Sharing Devices  iOS
personalized settings upon logging into the
device.
Support Contact Info Adds contact information for your  Android Plus
organization's IT support to the device agent.
 Name Description Available On
 Apple
 Windows
Mobile/CE
 Windows
Desktop
 Windows
Modern

 Android Plus
 Linux
 Windows
Synchronizes your devices' time with either Mobile/CE
Time Synchronization the deployment server or an SNTP/NTP  Windows
server. Desktop
 Windows
Modern

 Android Plus
 Apple
 Linux
 Windows
Mobile/CE
Update Schedule Configure the check-in schedule for devices.  Windows
Desktop
 Windows
Modern
 Printer

Using Settings Manager

The Settings Manager app enables a SOTI MobiControl administrator to provide controlled access to
a subset of device settings while a device is in Lockdown mode.

When a device has Settings Manager enabled (with no restrictions), device users have access to the
following device settings:

 Display
 Sound
 WiFi
 Bluetooth
Administrators can remove device user access to any of those settings at any time.

To use Settings Manager, you must install the app on your devices and assign a profile containing the
Settings Manager, Lockdown and Authentication configurations to those same devices. The Settings
Manager app is compatible with devices running Android 4.2 and above.

Installing the Settings Manager App on Devices

Before you begin

Note: If you are upgrading from Settings Manager app v13.2.0, build 91 or later, you must uninstall it
from your devices before you can install the later version. To complete this process in a single step,
include uninstall net.soti.settingsmanager as a pre-install script when creating a package containing the
upgraded Settings Manager app.

To install the Settings Manager app on your devices:

1. Download the Settings Manager apk file from the SOTI MobiControl download page.
2. Push the application to your devices using an Application Catalog rule or a Package via a
Profile.

Configuring the Settings Manager App

Before you begin

Make sure you have installed the Settings Manager app on your devices. Review Creating a profile
for the general steps of creating and assigning a profile to devices.

To configure the Settings Manager app:

1. Within the Add Profile dialog box, select Settings Manager from the SOTI apps category.
2. Enable the settings you want the device user to be able to configure in Lockdown mode and
click OK to save the configuration to the profile.
3. Within the same Add Profile dialog box, select Lockdown from the Restrictions category.
 4. In the Lockdown dialog box, select the Device Control tab and click New to open the Add
Menu Item dialog box.
5. Enter a descriptive name for this menu item in the Display Name field.
6. Copy Launch://net.soti.settingsmanager into the Package Name or Script File or URL field.
7. Enable Launch automatically on start-up and then click OK to save the menu item and OK to
save the Lockdown configuration to the profile.
8. Within the same Add Profile dialog box, select Authentication from the Security category.
9. In the Authentication dialog, click Configure in the Device Administrator Password section.
10. Enter a password in the Password field. This password is used to gain full administrator
access to a device in Lockdown mode.
11. Click OK to save the password and then click OK again to save the Authentication
configuration to the profile.
12. Click Save or Save and Assign to send the profile to your devices.

What to do next
Once you assign this profile to a device that has the Settings Manager app installed, the Settings
Manager is enabled and when the device enters lockdown mode, the Settings Manager reads its
configuration file and enables (or disables) the corresponding settings.

Application Types
Application catalog rules are available on the Android Plus, Apple, and Windows Modern platforms.
Each platform supports the distribution of multiple types of applications to their applicable devices.
Always ensure that you select the correct application type when creating an application catalog rule.
SOTI MobiControl will not notify you about compatibility errors.

Android Plus
Use for applications available through the managed Google Play store.

Only supported on Android work managed devices or Android devices

Managed Google with a work profile enabled .
Play Applications
Important: You must bind a Google Managed Enterprise or a Google Domain to
SOTI MobiControl before you can approve and deploy managed Google Play
Store apps to your devices.
Google Play Store
Use for applications available through the Google Play Store.
Applications
Amazon App Store
Use for applications available through the Amazon App Store.
Applications
Use for applications that are owned or managed by your organization. You will
need to upload the .apk to SOTI MobiControl or provide a link to the download
Enterprise location of the file.
Applications Note: Enterprise applications are unrelated to the Android Enterprise solution.
To install Android Enterprise managed applications on your Android Enterprise
devices, use Managed Google Play Applications.
Apple - iOS
Use for applications that are owned or managed by your organization. You will need
Enterprise
to upload the .ipa to SOTI MobiControl or provide a link to the download location of
Applications
the file.
Use for applications available through the Apple App Store.
App Store Note: Use this option to push Apple Volume Purchase Program (VPP) apps (non-
Applications Custom) to your devices. Add a VPP account to SOTI MobiControl prior to creating
an application catalog rule.
Use for Custom applications that are part of your Apple Volume Purchase Program
(VPP) account. You must add a VPP account to SOTI MobiControl before you can
distribute Custom applications to devices.
Custom Note: iOS devices enrolled under User Enrollment only support the installation of
Applications Custom Applications (user-based). Additionally, if the device already has the app
installed, attempting to install the app on the device will fail. You can get around this
by requesting that the device user uninstall the app and then performing a Retry
Installation device action.

Windows Modern
All .xap or .appx applications that are pushed to Windows Phone or Desktop devices must be signed.

 Legacy formats such as .xap or legacy .appx must be signed with a Symantec certificate.
 Non-legacy .appx applications, that is Universal Windows Platform (UWP) applications, can
be signed by any certificate. If they are signed by a Trusted Third-Party CA, then a separate
Root certificate is most likely not required. However, if the application is self-signed, the
Root certificate must be deployed to the device to create a chain of trust.

Use to send .xap or .appx files to devices running Windows Phone 8 or earlier.
Enterprise
Applications You must enable your enterprise apps for windows before you can deploy them to
your devices.
Use to send .xap or .appx files to devices running Windows 10.
Modern
Enterprise
You must establish a chain of trust for Universal Windows Platform applications
Applications
before you can deploy them to your devices.
Use to send traditional Windows applications (.msi) to your devices.
Note: Only available for Windows desktop devices running Windows 10 Pro,
Classic Desktop Education, or Enterprise editions. Ensure you are deploying compatible
Applications applications to the correct machines: 32-bit applications can be installed on both
32 and 64-bit computers, but 64-bit applications cannot be installed on 32-bit
computers.
Managing Applications
SOTI MobiControl provides the ability to easily manage the applications on your devices, granting
you oversight into how your devices are used. You can install essential applications on multiple
devices at once and keep them updated with the latest version.

SOTI MobiControl offers two methods to manage the distribution of applications to devices: using
application catalog rules, and using packages.

Open a device's Device Information panel and move to the Applications tab.

You can also wipe applications data or uninstall applications completely from here.

Creating an Application Catalog Rule

Before you begin

Certain application types require the completion of prerequisite steps. Review Application Types
before beginning.

To create an application catalog rule:

1. On the appropriate platform tab, select the Rules tab.

2. Right-click Application Catalog and select Create Application Catalog Rule.
3. Follow the instructions in the Create Application Catalog Rule wizard.
Monitoring Devices
When you are not actively managing your devices, it is still important that you can continue to
gather information about them and their activities. SOTI MobiControl provides a glut of passive and
active monitoring options for your devices.

You can track location and set up geofences, collect data on a variety of device or system events, and
even create your own data types to track.

Creating an Alert Rule

To create an alert rule:

1. On the appropriate platform tab, select the Rules tab.

2. Right-click Alerts and select Create Alert Rule.
3. Follow the instructions of the Create Alert Rule wizard.

When an alert is triggered, it appears on the Alerts tab, where you can review, acknowledge and
close it.
Creating a Data Collection Rule
To create a data collection rule:

1. On the appropriate platform tab, select the Rules tab.

2. Right-click Data Collection and select Create Data Collection Rule.
3. Follow the instructions of the Create Data Collection Rule wizard.

The SOTI MobiControl database will receive data according to the schedule set in the data collection
rule. To avoid swamping the database, ensure your data truncation settings are set to retain or
remove data appropriately.

Analyzing Collected Data

Before you begin

A data collection rule must be configured and enabled to view the collected data for a device.

To review the data collected from a device by a data collection rule:

1. Click a device name to open its Device Information panel and switch to the Collected Data
tab.
2. The Collected Data tab displays all available collected data by default. Filter the results by on
collected data type or date range to reduce the information to a more manageable level.

Using Location Services

SOTI MobiControl enables you to pinpoint and track your devices in real-time and review their
activity over a historical period. Using our location services, you can analyze the movements of your
devices, enabling you to find lost devices, develop more efficient routes, or control which services
your devices can access depending on location.

Location services are available for the following device families: Android Plus, Apple, Linux, Windows
Desktop Classic, and Windows Mobile / CE. SOTI MobiControl uses a combination of a device's GPS
signal, WiFi and cellular connections to determine location and requires that devices have a device
agent installed and online. On iOS devices, location tracking can also be enhanced with the
installation of a SOTI MobiControl SDK-enabled app. Location tracking is powered by Bing Maps and
offers basic mapping and navigation services.

Tracking Devices
SOTI MobiControl provides two options for tracking your devices to accommodate different
circumstances.

For short-term scrutiny, you can enable tracking in the Device Information dialog window. Once
enabled, SOTI MobiControl will continue to track the movements of the device until the set end time
or you manually stop the tracking. Location data is reported according to the frequency you set and
each data point is reflected on the map by a point. Do not use this a replacement for long-term
tracking, as it consumes significant memory and can only be active for a single device at a time.

For long-term tracking, you can leverage a data collection rule to regularly request a device's
location. You must set up and activate a data collection rule for location before you can use it for
long term tracking. Once enabled, the device's movements will be visible on the Location map for
the period covered by the data collection rule.

Geofences
Geofences are virtual, geographic boundaries that you can apply to your devices. When a device
enters or exits an area covered by a geofence, SOTI MobiControl will notify you and, if configured,
perform a predefined action such as sending messages to devices, relocating the device to another
device group or blocking access to certain services. Geofences allow you to track and regulate device
movements easily and automatically. Geofences can be as large or small as is necessary and can be
easily manipulated to cover any space.

Location Services on iOS Devices

iOS devices can use SOTI MobiControl Location Services if they have a SOTI MobiControl device
agent installed. The device agent must have been launched at least once and have its location
services set to Always in iOS Location Services settings.

You can choose between two accuracy levels:

 Optimal battery performance: is less accurate but consumes less power. This option only
reports significant changes in the device's location when it's connected to an active cellular
network.
  Optimal location accuracy: is more accurate but consumes more power. Location data is
gathered using assisted GPS data from the device (GPS, WiFi, or cellular network).

Locating a Device
To locate a device:

1. Open a Device Information panel for a device and move to the Location tab.

The Location tab is not visible on devices where location services are not available.

2. SOTI MobiControl will automatically initiate a device locate request. Otherwise, click the
Locate icon in the Location menu bar.

The map will reposition itself to display the device's location.

Locating All Devices in a Group

To locate all devices in a device group:

1. Right-click on the device group whose device locations you want to see and select Group
Details.
2. Move to the Location tab.

SOTI MobiControl will automatically show the last known locations of any devices that have
previously been located.

3. Click Locate All to get the current locations of your devices.

Note: Only devices directly within this group will appear. Devices in nested groups are not
included in the scan.

A colored dot will appear on the map for each device. Online devices are green dots. The color of
offline devices varies depending on the last time SOTI MobiControl was able to gather location
information for the device. Check the Last Located legend in the top left corner of the map for which
colors correlate to time ranges.

Devices in close proximity appear as a cluster. Zoom in to see individual dots.

Tracking Device Location

To follow a device's geographical movements:

1. Open a Device Information panel for a device and move to the Location tab.
 The Location tab is not visible on devices where location services are not available.

2. Click the Track icon in the Location menu bar.

3. In the Track Device dialog box, configure the options to your requirements and click OK to
save your settings.

The movements of the device will appear on the map.

Viewing Device Location History

Before you begin

You must have a data collection rule for location set up and enabled to use this feature.

To see a timeline of a device's movements:

1. Open a Device Information panel for a device and move to the Location tab.

The Location tab is not visible on devices where location services are not available.

2. Click the History icon in the Location menu bar.

The movements of the device, as tracked by the data collection rule, will appear on the map.

Setting Up a Geofence
To set up a virtual boundary for your devices:

1. Open a Device Information panel and switch to the Location tab.

The Location tab is not visible on devices where location services are not available.

2. Reposition the map to display the location where you want to place the geofence.
3. Click the Geofences icon in the Location menu bar.
4. Click New Geofence and use your cursor to create a shape. Close the boundary by clicking
the starting point.

A geofence can be any shape.

5. Give your new geofence a name and click Save when you are satisfied.
6. Click the geofence in the Geofences list to enable it for the device.

By default, you will receive an alert whenever a tagged device exits the geofence. To set up more
sophisticated notifications and actions for exit and entry, create a Geofence Alert rule.
Note: If you are creating a lot of geofences within the same area, you may want to hide some of
them so that the different boundaries do not add confusion. Click a geofence's name in the geofence
list to hide its green shape. Hidden geofences are still active.

Using Email Notifications

An SMTP notification profile or email profile allows you to configure email server settings for
generating email messages from SOTI MobiControl. You can generate automatic emails for alerts
from alert rules or telecom expense management rules and set up regularly scheduled reports.

Configure SMTP settings:-

Test Connection:-
Welcome to SOTI MobiControl Help
https://www.soti.net/mc/help/v15.6/en/start.html