MobiControl Release Notes

v14.1 -- Build 1937 -- April 2, 2018


Please note: We strongly recommend following the standard IT change control practices and testing of product upgrades in pre-production environments.

Contact SOTI's Professional Services and Support Team or visit the MobiControl Documentation Set for information on proceeding with your upgrade.

Release Highlights

macOS Device Management

Introduces support for the enrollment and configuration of macOS devices. Ideal for BYOD deployments of macOS, MobiControl’s device management includes but is not limited to:

  • Self service web-based enrollment
  • Asset inventory and device lifecycle actions such as Lock, Wipe, and Unenroll
  • Device and user configuration such as Email, Calendar, Ethernet/WiFi, VPN, Authentication, Certificate installation, and feature restrictions.

SOTI hub

Expanded Document Repository Support

Introduced support for SharePoint Online, OneDrive, and OneDrive for Business as SOTI hub repositories.

Document Editing and Check Out Support

Adds support for editing documents stored in SharePoint 2013 (On-premises), and SharePoint Online, where the administrative data leakage policy has been set to allow editing.

  • Support for editing .doc, .docx, xls, xlsx, .ppt, .pptx
  • Support for highlighting and annotating .pdf
  • Support document check out and checkin on the supported repositories

Administrative Interface Improvements (New UI)

Device Information Update Notification

The Device List and Information panel will now present a notification to indicate that information about one or more devices in the present view have been updated, and provides the opportunity for the administrator to update the device information.

Keyword Device Search

Removes the option to toggle “Advanced Search” on or off, and adds the ability to search by “Keywords” in the search input dialog. Keyword search allows for rapid value search without having to select a device property, effectively the same as advanced search being toggled off.

Improved Search Input

  • Improved date and time entry by providing a date and time picker
  • Improved value presentation when using the “between” operator
  • Added input validation for values by property type

General Improvements

  • Added the ability to view a full event device event log by double clicking on the event
  • Improved consistency of search/filter dialogs when there are no search results
  • Added “Preferences > Reset Console” option that allows an administrative user to reset user-specific preferences and configurations such as Saved Searches, Charts, etc. to default values.
  • Added a short delay to device group expansion when dragging devices over device groups.
  • Added the option “Ask me every time I start a session” to the “Preferences > Remote Control” dialog allowing an administrator to choose the remote control console of their choice each time.


  • Improved Payload statuses for iOS to show “Partially Installed” and improved events logs when a profile failed to install
  • Added “Restart” and “Shutdown” device actions
  • Restored the “Provisioning Profiles” information table that was available in v13 and earlier environments.
  • Added support for the following options in the “Restrictions” profile configuration:
    • Disable AirPrint
    • Disable keychain storage and AirPrint credentials
    • Require TLS for AirPrint
    • Disable iBeacon discovery for AirPrint
    • Disable System app removal
    • Disable creation of VPN configurations
    • Disable modifying Notification settings
    • Disable modifying Bluetooth settings
    • Disable modifying Diagnostic and Usage Data Settings
    • Disable remote view by Classroom app
    • Disable Apple Music Radio
    • Disable dictation input
    • Restrict joining WiFi networks

Windows Modern

  • Adds support for location-based geo-fencing on Windows 10 devices enrolled as “Windows Modern” devices.


  • Added option in Certificate Template configuration to remove expired certificates from the system upon renewal (released in v13.4)
  • Auto generate new root certificate (MC-35187)


  • Removed the “TCP/IP Direct” option from the “Remote Control Connection” advanced setting dialog (option unsupported since v12.0).

Bug Fixes

  • MC-48009 - Resolved an issue that would cause the Management Service to crash when renewing authentication tokens
  • MC-42146 - Resolved an issue that would prevent an administrator from viewing “Advanced Settings” in a device information panel if the administrator didn’t have the “Show absolute device group paths” permission
  • MC-40453 - Corrected accuracy of the password length password requirement in “Change Password” dialog
v14.0 -- Build 4905 -- October 31, 2017


Please note: We strongly recommend following the standard IT change control practices and testing of product upgrades in pre-production environments.

Contact SOTI's Professional Services and Support Team or visit the MobiControl Documentation Set for information on proceeding with your upgrade.

Release Highlights

Redesigned Administrative Console

MobiControl v14 introduces a re-designed administrative console that incorporates the administrative needs of a broadening mobility landscape, while maintaining the familiarity and simplicity our customers enjoy of MobiControl. Refer to the MobiControl v14 Administrative Console Transition Guide for a complete list of capabilities and differences.

Improved Search

Search for devices using over 150 device properties. Create granular queries with or without Boolean logic to isolate specific devices of interest quickly and easily.


Display real-time and customizable charts that visually summarize your entire device fleet, a device group or search results.

Data Export

Export device search results to a spreadsheet (CSV format), with customizable device properties to cater to different reporting needs.

Bulk Actions and Action Compatibility

Execute actions across one or more devices and obtain advanced warning if a device may not receive the action request because of compatibility or user privileges.

Other Notable Changes and Improvements

  • Virtual groups with filter criteria can now contain multiple statements for more granular filtering.
  • Announcements provide administrators with information pertaining to their MobiControl environment and product information from SOTI.
  • Support for bookmarking devices and/or specific search queries in the new console.
  • Support for branding the title bar of the MobiControl console with a logo.
  • Improved interface for assigning users to devices.
  • Improved interface for setting Custom Attribute values for devices and device groups.
  • Address of device location is now populated in the Location information panel.
  • Application run control now available for Android Enterprise devices.

Support for Linux Device Management

MobiControl v14 introduces the EMM industry’s first management option for Linux devices, including support for:

  • Remote control for remote troubleshooting
  • Bidirectional file synchronization and package deployment for transferring files
  • Custom Data definitions and data collection to monitor extended device information
  • Execution of Linux shell scripts to automate and execute common Linux tasks

MobiControl manages Linux devices running either Ubuntu 16.10 or later or devices running Raspbian 8.0 or later.

Simplified Android Enterprise Enrollment and Application Distribution

MobiControl v14 adds support for Managed Enterprises which consist of user, device and administrator accounts that organize enterprise apps for your Android devices. Managed Enterprises provide a more streamlined enrollment and application deployment experience, particularly in circumstances where devices may not be assigned to a single user, such as kiosk environments. Managed Enterprises support 'device accounts' - accounts intended for single purpose devices - as well as user accounts so you have flexibility to decide how to manage your enterprise app deployment.

iOS Software Update Management

MobiControl administrators can now force the download and/or installation of iOS updates on company owned devices to ensure consistency across your devices and swift resolution of security vulnerabilities without user intervention.

Bulk Enrollment of Windows 10 Devices

MobiControl v14 adds support for the bulk enrollment of Windows 10 devices using certificates and provisioning profiles, and removes the requirement for authenticating as a directory user to enroll Windows modern devices.

Expanded Public API Support

The MobiControl Public API has been expanded in alignment with the features of the new administrative console, including, but not limited to:

  • Package upload and distribution through Profiles
  • Improved performance when filtering devices by properties
  • Summary information about devices to build charts
  • Expanded device action support including bulk actions

Refer to the API documentation hosted on your environment for more details on the new API methods.

Improved Product Documentation

The documentation for MobiControl v14 has been restructured to more logically group information. Additionally, we have split the documentation into a series of books, each of which focuses on a different component of MobiControl. Visit the MobiControl Documentation Set to learn more.

General Improvements

  • Added a new “Target” device group permission that limits a particular administrator’s ability to deploy Profiles and Rules to selected Device Groups.
  • Added official support for hosting MobiControl on Microsoft Windows Server 2016 and Microsoft SQL Server 2016 for the MobiControl database.


  • Indoor location of devices when using Aruba AirWave is no longer available
  • Sending SMS messages through another device is no longer available
  • Sending messages exclusively through Platform Notification Service is no longer available
  • The ability to locate multiple devices simultaneously on a map is no longer available
  • The ability to upload APNS certificates through MobiControl Administration Utility has been removed in favor of the existing method via “Global Settings” in the administrative console
  • Legacy APIs (those not documented on /MobiControl/API) have been removed
  • Removed the “Device Configured” alert from Alert Rules
  • Removed the ability for local administrative users to recover their password via pre-defined security questions using the “Forgot Password” link on the login page
  • For security reasons, the login page will no longer warn of the number of login attempts remaining when incorrect credentials are provided for a user
  • Identifying “agent-less” iOS devices in the device list have been removed
  • The “View Absolute Device Group Path” permission now only applies to the device group tree – the device information panel and device grid will show the full path regardless of the user’s permission to view the groups in the path
  • Custom Data names must now be unique globally rather than unique by platform – existing names remain unedited however search may return unexpected results without global uniqueness
  • Some actions can no longer be executed on a device group
  • iOS provisioning profiles are no longer visible in the Installed Applications information panel
  • Removed the ability to upload device users and Custom Attributes in bulk using a CSV file
  • Removed the ability to use Baidu as a mapping service for locating devices

Upgrade Considerations

  • See the MoibControl v14 Upgrade Guide for a more comprehensive overview of the differences between MobiControl v14 and previous versions
  • “HTML5” remote control has been renamed to “Web-based” remote control, and requires the installation of SOTI Assist – no license is required to use the SOTI Assist remote control with MobiControl
  • "Android for Work" has been renamed to "Android Enterprise" and retains the same level of functionality
  • Removes official support for Windows Server 2008 and SQL 2008 – R2 still supported, however upgrade will still proceed
  • Updated system and network requirements include a new Windows Service for “MobiControl Search”, and a new network communication port requirement between MobiControl servers
  • Upgrade requires that the MS SQL user used by MobiControl be granted the sysadmin privileges during the upgrade process
  • Agent upgrades are required of Android Enterprise and Windows Mobile/CE, other Android+ devices running MobiControl v13.3 agents are supported and compatible
  • Device Action permissions are now more granular; it is advised that you review the administrative model to verify administrative users have the desired permissions
  • MobiControl EULA must be accepted by any administrative user before logging into the administrative console
  • LDAP that share the same username as a local user must now prefix their username with their domain on the login screen
  • LDAP groups used in filter criteria for a virtual group will appear as the LDAP identifier (referred to as “SID”) after upgrade
v13.4 -- Build 3985 -- November 2, 2017


Please note: We strongly recommend following the standard IT change control practices and testing of product upgrades in pre-production environments.

Contact SOTI's Professional Services and Support Team for information on proceeding with your upgrade.

Release Highlights

Simplified Android Enterprise Enrollment and Application Distribution

MobiControl v13.4 adds support for Managed Enterprises which consist of user, device and administrator accounts that organize enterprise apps for your Android devices. Managed Enterprises provide a more streamlined enrollment and application deployment experience, particularly in circumstances where devices may not be assigned to a single user, such as kiosk environments. Managed Enterprises support 'device accounts' - accounts intended for single purpose devices - as well as user accounts so you have flexibility to decide how to manage your enterprise app deployment.

You can create multiple Managed Enterprises in MobiControl to accommodate the structure of your organization.

Single Concurrent Session Support in MobiControl Console

MobiControl administrators can now restrict Console users to running a single active session at a time. When enabled, the existing MobiControl session will terminate immediately if a user initiates a new session. Limiting the number of active sessions a user can run allows administrators to better meet their corporate security standards. This new option is part of MobiControl's Access Control Policies, accessible through Console Security Settings and is turned off by default.

v13.3 -- Build 2906 -- December 30, 2016


Please Note: We strongly recommend following the standard IT change control practices and testing of product upgrades in pre-production environments. If you do not have such practices in place, please contact SOTI's Professional Services and Support Team for consultation before proceeding with your upgrade.

Release Highlights

  • Improved Support for Windows Modern
  • Single Sign-On Compatibility
  • Zebra StageNow
  • Improved Support for Android for Work
  • Support for NetMotion VPN
  • iOS Improvements
  • SOTI surf Enhancements
  • SOTI hub Enhancements

Improved Support for Windows Modern

MobiControl 13.3 augmented our support for the Windows Modern platform in the following areas:

Advanced Security

Windows Information Protection

MobiControl v13.3 adds support for Windows Information Protection (WIP), a transparent containment solution that reduces the inconvenience on end users when protecting corporate data by limiting the ability to share data with unapproved applications and network destinations configured by the administrator.

Windows Defender / Advanced Threat Protection

MobiControl v13.3 adds support for ad-hoc and scheduled Windows Defender scanning, and ensuring devices have the latest definitions to ensure threat protection against managed devices. Additionally, support has been added for onboarding of devices to the Advanced Threat Protection Service (ATP). ATP is a subscription cloud-based monitoring service offered by Microsoft to help enterprises detect, investigate, and respond to advanced attacks on their networks. It supplements the security provided by Windows Defender to bring an additional layer of protection to your desktop devices.

Custom Health Policy

Custom health policies expand on the Health Attestation Report feature introduced in MobiControl v13.0 by adding support for defining the security conditions that are vital to your organization and generating alerts whenever a device triggers a warning or failure of those conditions.

Application Deployment

Broader Application Deployment Compatibility

The Application Catalog rule has been extended to support classic Windows desktop applications in *.msi format, to Windows Modern desktop devices.

Windows Companion for MobiControl

Extract application package information necessary for various Windows Modern profile configurations using the Windows Companion utility available for download from the MobiControl Download page.

Secure Communication and Access

Certificate Distribution

The Certificates profile configuration supports distribution of private-key client certificates. For root certificate management on desktop devices, you can now also explicitly target various user or device certificate stores.

Assigned Access

Assigned access is now available for Windows Modern desktop or tablets to restrict user accounts to a single application chosen by the administrator – suitable for kiosk use cases.

Convergence of the Windows Classic Desktop Features on the Windows Modern Platform

The following Windows Classic features are now available for Windows Modern device enrollments leveraging a device agent that is deployed silently during enrollment.

  • Remote Control
  • File Sync Rule
  • Package Deployment via Profiles
  • Custom Data and Custom Attributes

Federated Authentication

With the release of MobiControl 13.3, we now integrate with Identity Providers (IdP) using SAMLv2 for authentication to the MobiControl administrative console, Self Service Portal, iOS Profile Catalog, and device enrollment for Android and iOS devices.

Zebra StageNow

Support for out of the box staging as well as in field configuration of Zebra devices via Zebra StageNow - a Windows application that helps organizations configure their latest Zebra devices running Android.

Improved Support for Android for Work

Remote Control and View

You can now Remote Control Android for Work Managed Devices for certain Android OEMs with the installation of a Remote Control plugin, and Remote View any Android for Work Managed Profile devices from the MobiControl Web Console.

New Device Provisioning Method

Adds a simple method of provisioning Android for Work managed devices without individual Google accounts by leveraging the “afw#mobicontrol” token.

New Feature Control option

Disable Multi-User Profiles - available on Managed Devices only

Remote Device Reboot

You can now reboot Android for Work Managed Devices from the MobiControl Web Console.

Support for NetMotion VPN

MobiControl 13.3 adds support for the NetMotion VPN using profile configurations on Android+, Android for Work, and iOS devices.

iOS Improvements

  • Devices enrolled in the Apple Device Enrollment Program can now be assigned to specific Add Devices Rules to support different enrollment destinations and Apple DEP enrollment behavior.
  • Lost Mode locks and tracks missing iOS devices from the MobiControl Web Console

SOTI surf Enhancements

As of MobiControl

The latest release of MobiControl improves existing functionality and adds new features to the SOTI surf profile configuration and app. You can now restrict web browsing on different network types, set a website as the app home screen, and designate ‘corporate bookmarks’. Improvements to kiosk mode, website filtering, and privacy settings provide increased regulation of the app.

The SOTI surf app now supports download pausing and resumption, bookmark and history searches, and miscellaneous design modifications to improve user experience. On Android devices only, custom URL schemes (File://) and external certificates are now supported. Download the SOTI surf app from the Apple App Store or the Google Play Store.

It is recommended that you also update the ERG component for SOTI surf using the latest SOTI apps installer (available here) whenever you update your SOTI surf app.

SOTI hub Enhancements

As of MobiControl

You can now designate certain files or folders in your content repository as "Mandatory" downloads. These files and folders are automatically downloaded by the SOTI hub app when it connects to the content repository. Mandatory files and folders appear in a separate menu item in the SOTI hub app, allowing device users to easily and swiftly access these important documents. Device users will be unable to remove these files from the app.

Download the SOTI hub app from the Apple App Store or the Google Play store.

General MobiControl Features

MobiControl v13.3 adds the ability to restrict which networks can be used when upgrading a MobiControl agent.

Upgrade Observations

Samsung ELM Agent Migration

The non-ELM agent for Samsung devices is no longer supported. All devices enrolled with the non-ELM agent must be migrated to the ELM agent prior to upgrade. Refer to the online Help documentation for instructions on the migration process.

Event Log Archival Database

MobiControl 13.3 introduces a second database for event log archival. Event logs older than 48 hours will be moved to this database daily. MobiControl database access permissions must include the ability to create databases or the upgrade will fail.

Android 2.3 (Gingerbread) Deprecation

MobiControl 13.3 will not support devices running Android 2.3.

v13.2 -- Build 3081 -- August 31, 2016


Please Note: We strongly recommend following the standard IT change control practices and testing of product upgrades in pre-production environments. If you do not have such practices in place, please contact SOTI's Professional Services and Support Team for consultation before proceeding with your upgrade.

Release Highlights

  • Expanded Suite of SOTI apps
  • Improved Android for Work Support
  • Additional MobiControl API Functionality

Expanded Suite of SOTI apps

Our suite of internal mobile applications was designed to work with MobiControl and reduce many of the obstacles inherent in providing protection for your data across multiple mobile devices in specialized distributions.

SOTI hub

The SOTI hub app provides a secure gateway between your enterprise content and your employees’ mobile devices. Originally released with MobiControl 12.2, SOTI hub in MobiControl 13.2 offers several improvements in functionality and compatibility. You can now configure SharePoint 2013 (On Premise) content repositories for SOTI hub.

The latest version of the SOTI hub app also includes an integrated viewer that allows MobiControl administrators to restrict the distribution of enterprise content to the SOTI hub app. Further improvements include, but are not limited to, full compatibility with iOS devices, improved search capability and a design refresh for the mobile app.

SOTI hub is compatible with devices running Android 4.1 or later, or iOS 8 or later.

SOTI surf

The SOTI surf app combines a fully functional mobile browser with a variety of security features. Take advantage of our enterprise resource gateway to encrypt all traffic passing through the SOTI surf browser. It provides safe access to your internal network, allowing device users to seamlessly switch between internet and intranet. Additional security features include support for LDAP authentication, web site and content filtering and numerous data leakage prevention options that restrict browser features with the potential for security breaches.

SOTI surf is available on devices running Android 4.0 or later, or iOS 8 or later.

Settings Manager

MobiControl administrators can now create a Settings Manager profile configuration to determine which device settings are available to device users in Lockdown mode.

Settings Manager is available on devices running Android 4.1 or later.

Improved Android for Work Support

MobiControl 13.2 bolsters our support of Android for Work-enabled devices with the following new or improved features:

Android 7.0 Support

Our Android for Work agent fully supports Android 7.0.

Streamlined Device Provisioning

Get your Android for Work devices ready faster than ever. You can now use NFC to automatically receive enrollment information, speeding up the provisioning process.

Furthermore, you can now disable the Google account requirement during the enrollment process of Managed Devices -- useful for devices with multiple users.

Package Deployment via Profiles

MobiControl now supports package deployment via profiles to Android for Work Managed Devices.

Enhanced Profile Configurations

The Android for Work Email profile configuration adds the ability to configure options for S/MIME encryption and to limit a device user’s ability to open email attachment over a specified threshold.

The Feature Control profile configuration has expanded to provide options that control a device user's ability to modify certain device settings.

Enterprise Binding

The procedure for unbinding Google’s MDM tokens from MobiControl has been simplified. Active application catalog rules on the account are now displayed before the unbinding succeeds.

Additional MobiControl API Functionality

MobiControl 13.2 adds several capabilities to our RESTful web service APIs, including the ability to:

  • Retrieve server information and status
  • Send scripts to device actions
  • Provide a list of all profiles assigned to a device
  • Install and revoke profiles to a specific device

Upgrade Considerations

Generic Android Tab Deprecation

The Android+ platform is now capable of fully supporting those devices previously categorized as generic Android devices. Therefore, the generic Android platform tab will no longer appear on new installations of MobiControl beginning with MobiControl 13.2. If you are upgrading from a previous version of MobiControl and your system contains generic Android devices, you will continue to see the generic Android tab.

v13.1 -- Build 5200 -- May 16, 2016


Please Note: We strongly recommend following the standard IT change control practices and testing of product upgrades in pre-production environments. If you do not have such practices in place, please contact SOTI's Professional Services and Support Team for consultation before proceeding with your upgrade.

Release Highlights

Enhanced Apple Volume Purchase Program

The Apple Volume Purchase Program (VPP) is designed to simplify application licensing across a large number of devices. It enables organizations to purchase application licenses in bulk, saving on cost, time, and effort. In version 13.1 of MobiControl, we are pleased to announce increased support of VPP with the addition of the following new features:

  • VPP Managed Distribution - Device Based Assignment
  • Manual Reconciliation of Licenses

VPP Managed Distribution - Device Based Assignment

Device-based assignment adds significant flexibility to the Managed Distribution program. Previously, application licenses were tied to an Apple ID which could make license management difficult in certain circumstances - such as when there are multiple users over a device's lifetime. With the introduction of device-based assignment, you can now assign application licenses directly to devices. Using device-based assignment requires no additional effort and switching between Apple ID based and Device-based assignment is quick and easy.

Manual Reconciliation of Licenses

MobiControl 13.1 adds the ability to manually reconcile any licenses that are technically unattached to a device but remain unavailable until after the completion of nightly maintenance. Now you can force an audit on the statuses of your licenses at any time with the click of a button.

Increased API Functionality

MobiControl API now supports the ability to locate devices that are assigned to a specific user and the ability to set custom attribute values at the device level.

Server Configurations

VPP Account Ownership

An Apple VPP account allows you to easily manage your application purchases and license distribution. Some organizations find it useful to share a single Apple VPP account across multiple MDM deployments to satisfy their unique requirements. VPP Account Ownership alleviates any confusion such a division of accounts can cause. With Ownership, any changes regarding your application licensing can only be completed by one MDM at a time. MobiControl 13.1 provides a clear indication of Ownership status, allows you to easily regain Ownership and updates you whenever Ownership is transferred. You'll never have to worry about license distribution conflicts again.

Upgrade Considerations

Android Agents Compatibility

  • All v13.0 Android agents are compatible with the v13.1 release and no upgrade of Android agents is required.

Apple VPP

  • The application publisher must enable "device-based assignment" on their app for IT administrators to take advantage of this feature.
  • Device-based assignment is supported only on devices running iOS 9 or later.
  • Excessive requests to the Apple VPP server will generate a 'Retry After' message, instructing the user to wait until after the period of time specified in the error message has passed before attempting to contact Apple servers again.

Updated Reporting Engine

  • If you receive an Activation Message while attempting to generate reports after upgrading to 13.1, ensure that your MobiControl is correctly activated. Refer to MobiControl Help for more information on Activation.
v13 -- Build 33604 -- December 31, 2015


Please Note: We strongly recommend following the standard IT change control practices and testing of product upgrades in pre-production environments. If you do not have such practices in place, please contact SOTI’s Professional Services and Support Team for consultation before proceeding with your upgrade.


Release Highlights

Improved Android for Work Support

MobiControl now provides expanded support for corporate owned, personally enabled (COPE), corporate owned, business only (COBO) and purpose-built, rugged devices within the Android for Work framework. Customers can now take advantage of streamlined provisioning and consistent manageability of Android devices while maintaining full control of the device.

MobiControl 13 support for Android for Work Managed Devices includes all the existing Profile configurations available for Android for Work Managed Profile devices in previous versions and expands on those capabilities with:

  • Managed Profile
  • Kiosk Mode (Available for devices running Android 6.0 or later)
  • New Feature Control settings
    • Manage Bluetooth
    • Disable Camera
    • Disable Factory Reset
    • Disable Safe Boot
    • Disable Smart Lock
    • Manage WiFi
    • Data Roaming
    • Disable USB File Transfer
  • Support for Work Account-enabled Provisioning
    • End-users activating a brand-new device using a Work-managed Google account are automatically provisioned with the MobiControl Agent.
  • Support for device provisioning via NFC

Improved Support for Windows Modern Devices

With the launch of MobiControl 13, we now provide support Windows 10 Mobile, Mobile Enterprise and IoT Mobile Enterprise operating system Editions on top of our previous support for Windows 10 Pro, Enterprise, Education and Home Editions. Windows 10 Mobile devices are managed from the Windows Modern platform, alongside Windows 10 Desktop, Windows Phone 8.0 and 8.1 devices. Due to operating system differences, not all features within the Windows Modern platform are available on every type of device.

All Windows Modern devices can now take advantage of the Microsoft Azure Active Directory (AD) service as an alternative to On-Premise AD. Azure enrollment allows end-users to enroll their devices over the air rather than requiring their presence on the company network. Secondly, Azure can streamline the MDM enrollment process as part of the out-of-the-box new device initialization workflow, if the device is initialized with Azure AD credentials.

Also new in MobiControl 13 is phase one of the Device Health Attestation feature which enables IT administrators to assess the security health of managed devices through MobiControl. Health is determined based on reports verified and published by the Microsoft Health Attestation Service which MobiControl displays in the device log. A device health reports is submitted by every device on each check in. Future phases will utilize the reported parameters for additional security compliance management features.

The following new features have also been added for improved Windows 10 support in MobiControl:

  • Application Catalog Rule
    • Modern Enterprise Applications for Windows 10 devices (Mobile and desktop)
    • Enterprise Applications (Available for Windows Phone 8.1 only)
  • New Device Configurations
    • Application Run Control
    • Authentication for Windows 10 Desktop
    • Modern VPN (Legacy VPN available for Windows Phone 8.1 only)

MobiControl APIs

Customers can now use MobiControl APIs to create and integrate device management functions into their business workflows around inventory device management, data migration and device lifecycle management. Our set of RESTful web service APIs not only provides comprehensive documentation but also allows developers to immediately assess viability within their specific environments using an interactive test platform.

Package Deployment via Profiles

In MobiControl v13 the method by which administrators distribute packages to managed devices uses the profiles feature introduced in MobiControl v12. The new process creates a single point of origin for all your device provisioning. Packages are created and uploaded to MobiControl via the usual methods but are now deployed to devices from within a profile, alongside device configurations.

Redesigned Self Service Portal

MobiControl’s Self Service Portal grants end-users the ability to quickly and easily solve minor issues with their devices. End-users can locate, lock, wipe and perform other simple tasks for their associated devices, removing IT intervention from the process. Furthermore, new security permission levels within MobiControl allow administrators to limit how much access end-users have to Self Service Portals actions.

Upgrade Observations

Migrating Package Deployment Rules to Profiles

When you upgrade to MobiControl v13, your existing package deployment rules are automatically migrated to profiles. For more information about the migration process, see the Package Rules to Profiles Migration Guide.

Window Modern

  • It is recommended that customers disable Runtime Provisioning during MDM enrollment of devices because it may cause interference during the enrollment process. Limit the use of Runtime Provisioning to pre-provision operations prior to MDM enrollment.
  • The WiFi Hotspot Reporting setting in the Feature Control configuration has been deprecated by Microsoft.
  • Enterprise Data Protection settings in the Feature Control configuration have been removed due to Microsoft postponing the launch of the feature.

Windows 10 Desktop

  • The Enable Internal Storage Encryption setting within the Feature Control configuration for Windows 10 Desktop has been removed due to irregular behavior.

Upgrading to Android Marshmallow or Later

  • The MobiControl Agent no longer users the WiFi Network or the Bluetooth MAC address to generate unique Device IDs. If devices running Android 6.0 or later are re-enrolled after a factory reset, those devices will appear as brand new devices within MobiControl.
  • The MobiControl Agent prompts end-users for required permissions at first launch, rather than at install time. End-users will be unable to proceed with enrollment until all permissions are granted. If permissions are revoked at a later date, end-users will be prompted to restore the required permissions.
    The Android for Work Agent is exempt from this behavioral change and silently self-grants any required permissions.
  • The MobiControl Agent automatically opts out of Google Cloud Auto-Backup

Platform Specific Features

Sony Android

The following device configurations were added to Android+ profiles and are specific to Sony devices:

  • Added support for silent package deployment
  • Added support for the following settings under the Device Feature Control configuration:
    • Disable NFC
    • Disable Cellular Data
    • Disable Removal of MobiControl Agent
  • Added support for the following options under the Email configuration:
    • Exchange ActiveSync
    • NitroDesk TouchDown
  • Added support for the Certificates configuration
  • Added device root status detection
v12.4 -- Build 30627 -- September 25, 2015


Release Highlights

Enhanced Apple iOS 9 Support

Apple iOS 9 provides updates to several features that allow greater flexibility in the management of mobile devices. SOTI is pleased to announce support for Apple iOS 9 with new features in MobiControl that empower MDM administrators and users with increased control over their devices and deployments.

Features available exclusively on iOS 9 devices include:

  • Network Restrictions
    Administrators can restrict the network access of specific applications
  • Application Management State Configuration

Additional iOS Configuration Options

Managing iOS devices is easier than ever with new configuration options:

  • New Device Restrictions
  • Manual Synchronization of DEP Server
  • Device Wallpaper Customization
  • Expanded Action Menu Commands
    • Clear User Restrictions
    • Set Device Wallpaper
    • Set Device Name
  • Per Message Encryption
    Exchange ActiveSync now supports per message encryption using S/MIME
  • Managed Domains
    Administrators can mark email and web domains as managed or unmanaged to the device user
  • Single Sign On Certificate Renewal Distribution
    Renew certificates without device user interaction

Activation Lock Bypass

Activation Lock is an Apple security feature that restricts access to lost devices. Without the correct Apple ID and password, such devices are severely limited in their capabilities. Activation Lock serves as an extra layer of security for your devices. The Activation Lock Bypass allows mobility administrators to bypass the Activation Lock without keeping track of the various Apple ID and password combinations when transferring devices from one user to another.

Migration Considerations

If devices are being transferred from another mobility management solution to MobiControl, they must be factory reset to use Activation Lock Bypass. Attempting to wipe devices that are not factory reset before such migration can cause undefined behavior and may disable the device completely.

Cisco ISE Integration

Cisco Identity Services Engine (ISE) is a network administration product by Cisco that enforces network security and access policies. MobiControl has added integration with Cisco Identity Services Engine (ISE) to simplify secure identity and access management across diverse devices and applications.

v12.3 -- Build 28275 -- July 28th, 2015


Release Highlights

Enhanced Apple VPP Support

The Apple Volume Purchase Program (VPP) provides a solution for organizations that need to distribute iOS applications to corporate-owned and employee-owned iPhones and iPads with a simple, convenient way of managing the purchase and distribution of application licenses at scale.

Apple provides two ways of distributing application licenses: Redemption Codes and Managed Distribution. MobiControl has supported the use of Redemption Codes since MobiControl v9.02 and it is still supported in this version of MobiControl.

With the addition of support for Managed Distribution, MobiControl now provides the following benefits:

  • A centralized console to view up-to-date information on app availability
  • Full lifecycle management of applications - from device deployment to decommissioning
  • The ability to revoke and reassign applications from one user to another, maintaining ownership of application licenses
  • Distribution of Business to Business (B2B) applications

Known Issues

  • If VPP tokens are generated at different times from the same VPP account and are then uploaded to MobiControl, multiple VPP profiles may be created. This will be reflected in the Web Console as two different VPP accounts.
  • Uploading an incorrect token for an existing VPP account causes undefined results. When uploading a new token, please ensure that the correct token is selected for the appropriate account.
  • On iOS 7 devices, when the Apple ID changes and the country of the Apple ID remains the same, MobiControl will not be able to detect the change and no action will be taken to appropriately assign the application license to the new Apple ID on the device.
  • An incorrect bundle ID provided for a B2B app will fail to install the application on the device.

Microsoft Windows 10 Support

One of the key goals of Microsoft Windows 10 is to unify the user experience across various types of devices that run on the Windows OS. The same convergence concept extends to device management. SOTI is pleased to announce Windows 10 Desktop support, offering many similar device management features previously available only on Windows Phone 8.1.

To align with Microsoft's unifying approach, we have renamed the Windows Phone tab to Windows Modern in the Web Console. An Add Device rule will enroll both Windows 10 desktops and Windows 8.1 phones.

Existing Windows desktop management features that rely on the SOTI agent are also available for Windows 10 desktops. The Windows Desktop tab has been renamed to Windows Desktop Classic.

The device management features for Windows Modern are similar on Windows Phone 8.1 and Desktop 10.

The following new features have been made available for Windows 10 Desktop:

  • Certificate Management
  • Device Feature Control
    • Windows Defender administrative options
    • Windows Updates administrative options
  • Email Configuration
  • WiFi Configuration
  • Enhanced device user experience on enrollment certificate renewal. 
    Enrolled Windows 10 devices no longer require manual renewal of enrollment certificates. The server will attempt to renew the certificate on behalf of the device prior to the expiry date.
  • Visual hint to system administrators regarding the type of Windows devices enrolled. 
    Desktop devices enrolled as Windows Modern devices will have a desktop icon as opposed to a phone icon. Other non-phone devices such as tablets will be identified as desktops.
  • Device-type-sensitive payload selection for profile creation.
    A drop-down menu has been added to the profile creation dialogue. A user will indicate the type of devices the profile is targeting using this menu, and only the list of applicable payloads for that device type will be presented.
  • Device information - new attributes added:
    • BIOS and CPU type for Desktop
    • Phone Number, IMEI, IMSI and roaming status for second SIM in dual-SIM devices

Known Issues

  • Admin un-enrollment limitation .A desktop cannot be unenrolled remotely by the admin more than once. Should the device be unenrolled in this manner a second time, the device will not be able to enroll again until it is re-imaged. A suggested workaround is to get the desktop unenrolled by the device user.
  • ROBO (Renewal-On-Behalf-Of). Auto renewal of MDM client certificate will fail if the device is enrolled with the user explicitly providing the MDM server URL (the non-auto-discovery scenario). To avoid losing the device, we recommend using client certificates with a long expiry date. A resolution is expected to be provided by Microsoft in a follow-up service release in the coming months.
  • MDM Server Auto-Discovery in Cloud-based Deployment. This option is currently not supported in MobiControl Cloud. Microsoft MDM client security does not allow HTTP Redirect for a discovery request that is not of the same domain/sub-domain.
  • Desktop Feature Control. Enable Internal Storage Encryption works only if BitLocker is enabled on the device. BitLocker is not enabled by default on desktops.
  • Desktop MDM client does not check-in when the desktop device is in sleep or locked mode.
  • A desktop device can be enrolled under both Windows Modern and Windows Desktop Classic concurrently and will consume two device licenses in that case.
  • Web Console may become unresponsive when certain Windows Phone payloads are combined in a single profile. A browser refresh or relaunch of the Web Console is required to continue operation. Suggested workaround is to configure the payloads in separate profiles. 

Improved Android for Work Support

The following new features have been added for improved Android for Work support in MobiControl:

  • MobiControl administrators creating an Android for Work configuration profile can now add a Pulse Secure VPN payload.
  • When an Android for Work managed profile is activated on a device, and the device user has added a Google account within the managed profile, the MobiControl agent detects the ID of the Google account and displays it in the Information panel in the MobiControl Web Console.
  • After an Android for Work managed profile is activated on a device, and a Google account is added, the device user will be unable to remove or modify the Google account.
  • The instructions provided in the Add Android for Work Enterprise Binding dialog box have been improved.
  • A MobiControl administrator can now add a private app to an application catalog for Android for Work devices so that the app will be deployed only to devices that are in the administrator's domain.
  • A MobiControl administrator now has the ability to enforce a policy in which device users can use their Google accounts only on Android for Work devices.
  • During enrollment and activation of an Android for Work profile, the device user's Google account ID is passed by MobiControl so that the user name does not have to be entered manually.

Browser-based Remote Control

To open a remote control session for a device in previous versions of MobiControl, users had to download and install a separate Windows program. This version introduces a second option for MobiControl installations on Windows 8, Windows 10, or Windows Server 2012 R2 platforms: an entirely browser-based, lightweight and cross-platform version of remote control that uses HTML 5 technology. Unlike the classic version of remote control, this version does not rely on any browser plugins or external programs.

While it is faster and simpler to use, the browser-based version of remote control does not yet support all the features available in the Windows desktop-based version. Currently it supports only the following subset of features:

  • Remote control a device using your keyboard and mouse
  • Browse and download files from the device
  • Display device information such as device memory and battery status
  • Save screenshots of the device
  • Reduce device screen resolution to improve performance on low-quality network connections
  • Allow user to confirm a request to remote control their device

Performance and Scalability Improvements

MobiControl v12.3 includes the following improvements related to performance and scalability:

  • New File Sync, which enables the system to optimize the usage of available resources and exploit network latencies to optimize server performance.
  • 64-bit support and .NET Framework 4.5. As of version 12.3, MobiControl can be installed only on 64-bit versions of Microsoft Windows. See the MobiControl Pre-Installation Checklist for more information.

Upgrade Considerations

The initial release of MobiControl v12.3.0.28275 does not include the improvements delivered within Maintenance Releases of MobiControl 12.2. The first Maintenance Release for 12.3 is scheduled for delivery on August 10th, 2015 and will include these cumulative improvements.

In this version of MobiControl support for 32-bit versions of Microsoft Windows operating systems has been discontinued. This version of MobiControl can be installed only on 64-bit versions of Microsoft Windows. See System Requirements in the MobiControl online help for a complete list of supported Microsoft Windows operating systems.


v12.2 -- Build 23409 -- May 27th, 2015


Release Highlights

SOTI hub

SOTI hub is a new MobiControl feature that enables employees to use their Android devices to access corporate files from outside the organization's internal network. SOTI hub has two parts:

  • A SOTI hub app that is installed on the mobile device to enable the device user to access corporate files.
  • A SOTI hub profile payload that is pushed to the device and that a MobiControl administrator can configure to control the SOTI hub app settings.

Files that you want to make available to the SOTI hub must be hosted in a content repository (an NTFS file server) that is accessible via an IIS WebDAV server.

Some of the key benefits of SOTI hub are:

  • SOTI hub ensures that access to the corporate files is available only to employees' Android devices that are secured and managed by MobiControl.
  • Access to corporate files can be immediately revoked, and cached copies of files within the SOTI hub can be wiped, either on-demand or based on predefined criteria (such as violation of the IT compliance policy).
  • SOTI hub can be configured to require employees to log in using their LDAP credentials before they can gain access to corporate files.

SOTI hub App

The SOTI hub app is what you use on a mobile device to access corporate files. The SOTI hub app must be packaged using MobiControl Package Studio and pushed to mobile devices.

The SOTI hub app enables you to perform the following tasks on your mobile device:

  • Navigate up and down content repository folders and view folder contents.
  • Download and cache files.
  • Open, edit, and delete files.
  • Open files in third-party apps.
  • View file details.
  • Add files to favorite groups.
  • Search for files by file name.
  • Sort and filter files.
  • Control the ability to download files over a cellular network.
  • Control the ability to download files while roaming.
  • Delete cached files to free space on the device.

For information about how to use the SOTI hub app, refer to the MobiControl online help.

SOTI hub Payload

The SOTI hub payload provides the configuration settings that are used by the SOTI hub app on the mobile device. You add the SOTI hub payload to a profile, then push the profile to a mobile device on which the SOTI hub app has been, or will be, installed.

The SOTI hub payload tells the SOTI hub app everything it needs to know to access the content repository, including:

  • The URL of the content repository server that the SOTI hub app will contact.
  • The method of authentication the SOTI hub app will use when contacting the content repository server.
  • The username and password used to authenticate the SOTI hub application to the content repository server.
  • How often the SOTI hub app will communicate with the content repository to refresh the contents.
  • The amount of time that will elapse, during which the user has not interacted with SOTI hub, before the user is logged out of SOTI hub.
  • Whether devices are required to communicate with a MobiControl Enterprise Resource Gateway to access the content repository.
  • Whether devices are able to download content over a cellular network.
  • Whether devices are able to download content while roaming.

For information about the configuration settings available in the SOTI hub payload, refer to the MobiControl online help.

Enterprise Resource Gateway

The Enterprise Resource Gateway is a new MobiControl component that enables you to control Internet traffic using a proxy server. The proxy server acts as a single point of contact – a gateway – serving client requests. The proxy server authenticates each request and forwards it to the desired destination server.

Enterprise Resource Gateway Properties

After you have installed the Enterprise Resource Gateway on a server, you can set various properties for it, such as:

  • The name and URL of the Enterprise Resource Gateway instance.
  • The type of filtering you want the Enterprise Resource Gateway to do: Exchange Server for emails, or Content Repositories for files.
  • Whether to enable Secure Email Access.

For information about the steps required to set up the Enterprise Resource Gateway, refer to the MobiControl online help.

Settings Manager

The Settings Manager is an application that enables a MobiControl administrator to provide controlled access to a subset of device settings when a device is in lockdown mode. The types of device settings that can be controlled via the Settings Manager are:

  • Display
  • Sound
  • WiFi
  • Bluetooth

In MobiControl v12.2, the Settings Manager is supported on Android and Android+ devices only. The device must be enrolled in MobiControl v12.2 using a v12.2 device agent and have a lockdown policy applied.

You upload the Settings Manager to a device as an installable package that has been created using MobiControl Package Studio. Once the Settings Manager has been installed on the device, you can push customized settings to the device.

For information about how to install, configure, and enable the Settings Manager, refer to the MobiControl online help.

Upgrade Observations

MobiControl v12.2 features updated generic Android and Android+ agents, so after upgrade to 12.2 these agents will require an upgrade, unless server-agent compatibility settings are updated.

Android for Work agent will not require an upgrade, but is presently not compatible with SOTI hub and the Settings Manager.  

v12.1 -- Build 22392 -- February 27th, 2015


Release Highlights

  • Android for Work
  • Apple Device Enrollment Program Support
  • New Samsung KNOX 2.0+ Features

Android for Work

Android for Work is a Google - led initiative to build a standardized framework for management of Android devices. It allows administrators to securely deploy email, applications and content within an encrypted secure workspace on any Android device regardless of the OEM.
MobiControl v12.1 supports creating and managing of an Android for Work Managed Profile and related policies on supported Android devices running Android 5.0 or higher.

Application Management is available via Google Play on Android for Work enabled devices. Administrators must 'approve' applications within the Google Play for Work portal. Once an application is approved, it can be added to an App Catalog Rule within MobiControl.

Added Support for Google Play for Work Apps in App Catalog Rule

  • Silent application installation for mandatory applications
  • Display App Catalog Rule as App Collection within Google Play on end-user's devices
  • App Configuration support

Note: APK deployment via Packages is not supported within Android for Work.

Added Support for Android for Work Agent to Android+ Add Device Rule Agent Selection

Android for Work can be activated on a device via the MobiControl for Android for Work agent. The Android for Work agent is hosted exclusively in the Google Play Store.
Android for Work Managed Profiles are activated automatically after enrollment

Note: The MobiControl agent migrates into the Managed Profile after it is created. Device-level policies are limited within a Managed Profile.

Android for Work Policies

Android for Work policies can be deployed via Android+ Profiles dialog by selecting «Android for Work».
Available policies include and are not limited to:

  • Authentication Policy
  • Anti-Virus Policy
  • Certificate Management & Distribution
  • Chrome Management
    • Browser Restrictions such as Disable Password Saving, Default Search Provider, Disable JavaScript, Disable Cookies etc
    • Bookmarks are saved directly to the Managed Chrome Browser under "Managed Bookmarks"
    • Web Filter allows saving URL Whitelist/Blacklist payloads (includes support for wildcards)
    • Web Proxy allows all traffic within Chrome to be routed via Proxy (includes support for PAC File configurations)
  • Device Actions
    • Lock Device
    • Disable Android for Work Profile
    • Wipe Android for Work Profile
  • Device Controls
    • Disable Screenshot
    • Disable Copy/Paste
    • Disable Uninstallation of Managed Apps
    • Disable End-User Un-Enroll
  • Email (PIM Configuration)
  • Out of Contact Policy
  • WiFi (Including Enterprise WiFi)

Click here to learn more about Android for Work.

Apple's Device Enrollment Program (DEP)

MobiControl's support for Apple's Device Enrollment Program provides a seamless out of the box enrollment experience for institutionally owned iOS devices.

  • Automatically enroll device to MobiControl during initial device setup and subsequent factory resets
  • Optionally prevent removal of the MDM management profile
  • Optionally supervise device during enrollment
  • Control whether device can pair with computers
  • Customize various screens shown during setup assistant, for example passcode, registration, location based services, etc.

Click here to learn more about Apple's Device Enrollment Program (DEP).

Samsung KNOX 2.0+ Features

The following Samsung KNOX 2.0 and KNOX 2.2 features have been added:

  • Support for On-Premise KLMS Key Activation (Requires KNOX 2.0+)
  • Support for On-Premise Custom ELM Key Activation (Requires KNOX 2.0+)
  • Split Billing (Requires KNOX 2.2+)

Click here to learn more about Samsung KNOX.

Upgrade Observations

Please note that Android+ profile wizard dialog now includes a drop-down menu to select Android+, Samsung KNOX or Android for Work payloads.

v12 -- Build 18541 -- December 19th, 2014


Release Highlights / Notes

  • Enhanced Device Configuration via “Profiles”
  • Enhanced Device Enrollment
  • MobiControl Stage
  • Windows Phone 8.1
  • Zebra Printer Integration

New Features

Enhanced Device Configuration via “Profiles”

“Profiles” re-designs the creation and distribution of device configurations in MobiControl. A Profile is a named collection of device configurations that represent a user persona or common configurations. Profiles provides the following enhancements to device configuration:

  • Improves visibility of device compliance by providing a versioned installation status of a Profile across all targeted devices.
  • Assign a profile to devices matching properties such as manufacturer, model, OS version, installed applications, etc.
  • Assign a Profile to devices where the associated user is a member of one or more LDAP groups. Exclusion of members based on LDAP groups is also available.
  • Schedule deployment and subsequent revocation of a Profile.
  • Extended security model provides greater flexibility for administrative roles to manage specific profiles.
  • Optionally delegate the installation of a Profile to the device user through the “Profile Catalog”.

Enhanced Device Enrollment

Modifications to device enrollment reduce administrative burden and lessen the complexity of end user device enrollment by introducing the following enhancements:

  • Reduces the need for multiple Add Devices Rules by mapping LDAP groups to Device Groups in a single rule.
  • Provides a single enrollment URL for end users to initiate enrollment with on-screen step-by-step enrollment instructions for iOS, Android, and Windows Phone.
  • Restricts enrollment to approved OS versions.

MobiControl Stage

MobiControl Stage is a rapid provisioning solution that allows for immediate “out-of-the-box” device set up. MobiControl Stage supports rapid staging for Android and Windows Mobile/CE.

  • Expedites the enrollment and initial provisioning by scanning barcodes to configure network connectivity and download the MobiControl device agent.
  • Reduces bandwidth overhead by provisioning devices directly from a local HTTP or FTP server.

Windows Phone 8.1

Introduces support for managing Windows Phone 8.1 devices including but not limited to:

  • Managing additional device configurations such as VPN, WiFi
  • Distribution of Certificates via SCEP
  • Additional actions commands such as Remote Ring, and Remote Lock
  • Inventory of additional device properties such as Phone Number, IEMI/IMSI numbers, encryption status, roaming status
  • Support for requesting a device to checkin via Windows Notification Services
  • Installation of Enterprise Applications
  • Password Caching
  • Additional Feature Controls such as:
    • Disable Idle Return Without Password
    • Disable Action Center Notifications
    • Disable Voice Recording
    • Disable "Save as" option for Office files
    • Disable Cortana
    • Disable Syncing of Settings

Zebra Printer Integration

MobiControl 12 introduces support for managing Zebra WiFi and Ethernet-connected printers including:

  • Distribution of configurations such as network, printer labels, fonts, etc.
  • Maintenance tasks such as firmware upgrades, executing test prints, and gathering logs etc.
  • Configuration of alerts based on various printer attributes.

Upgrade Observations

Migration of Device Configurations to Profiles

During upgrade Device Configurations are applied via Right-Click (on Device Group) > Configure on Device Groups will be migrated to individual “Profiles”. Prior to upgrading review the “Device Configuration to Profiles Migration Guide”.

MobiControl Manager aka “Thick Console” has been discontinued

MobiControl Manager has been discontinued and is no longer supported or compatible with MobiControl 12.

Console Security

  • “Anonymous” authentication to the Web Console has been removed.
    Users will be prompted to provide a password for a default account with the username “Administrator” if console security was not enabled prior to upgrade.
  • Console Security settings have been relocated to All Devices > Servers > Global Settings.

Duplicate Device Groups Renamed

  • Device Groups with non-unique names found in the same path will be renamed by appending a numerical value to the end of the Device Group in the order the groups were created.
  • The system will not prevent you from creating Device Groups with the same name in the same path.

Windows Phone 8.0 Support

  • Windows Phone 8.0 devices that are not upgraded to Windows Phone 8.1 prior to upgrading MobiControl cannot receive new device configurations and will need to re-enroll.

Relocation of iOS Settings

  • Roaming Restrictions have been moved to Right-Click (on Device Group) > Advanced Settings.
  • Application Run Control have been moved to Right-Click (on Device Group) > Advanced Settings.

Discontinued device-specific support

Support has been discontinued for Pocket PC and Smartphone 2002 devices with MIPS, SH3, SH4 and eVC3 processors.

Installation Improvements

  • MobiControl installer will now only disconnect database connections when there is a database schema update required. If necessary, users can force an update of the scheme in the Advanced section of the installer.

Forced SSL Agent Communication

  • Removed the ability to disable SSL for Agent communication.

TCP/IP (Direct) Deprecation

  • Removed support for establishing a direct remote control session between the Remote Control console and a device (TCP/IP Direct)

General Features & Improvements

  • Improved system event logs by logging the username “System” rather than the local computer user the service is running under.
  • Introduced new Global Permission to allow users to “Show absolute device group paths”. Users with this permission will see (but not access) the full device group hierarchy that leads to the device groups they have “View” permissions for.
  • Introduced option in the Add Devices Rule > Advanced card to “Preserve Device Location on Re-enrollment”. Devices that are present in the Web Console, but are re-enrolling will remain in the Device Group they last resided. In other words, the Device Group Targets defined in the Add Devices Rule are ignored.
  • Enhanced Relocation Rules to allow mapping multiple IP ranges to a single mapping entry.
  • Introduced device action in the Self Service portal and the Web Console under Right-Click (on device) to explicitly Un-Enroll a device.
  • Introduced customizable LDAP refresh interval in the All Devices > Servers > Global Settings section. LDAP directory information including group memberships will be updated for each device when it checks in and the data is stale.
  • Added option in All Devices > Servers > Global Settings> LDAP Connections to “Follow LDAP Referrals”. When selected MobiControl will follow LDAP referral provided by the initial LDAP server, or by attempting to discover referrals.
  • Added option in All Devices > Servers > Global Settings> Self Serve to optionally delete devices from the Web Console when un-enrolled by the end user.
  • Extended support to iOS and Windows Phone for deleting devices that have been out of contact after a specified period of time.
  • Added “Global Proxy” option to All Devices > Servers > Global Settings that configures the management service to communicate through an HTTP(s) proxy.
  • Added support for adding applications from Amazon’s App Store to Android+ App Catalog Rules.
  • Added support for logging the reason why a Web Console administrator’s account was un-locked.
  • Enhanced Virtual Groups to support filtering devices by Installed Application and LDAP Group memberships.
  • Added ability to collect and submit Diagnostics Report from within MobiControl Web Console.
  • Improved Activity Logs for users to reflect such activities as logins and logouts, creation, modification and removal of policies, users, rules, devices and device groups, and changes in global settings and license information.
  • Added "Prevent un-enrollment" option to “Agent Settings” dialog.

Platform Specific Features


  • The server will now request un-enrollment when the user initiates un-enrollment via the MobiControl app for iOS.
  • Introduces support for selection of the certificate template to define the certificate issued to the MobiControl app for iOS.
  • App Catalog Web Clip is now optional and is deployed as Profile named “App Catalog”.
  • Enhanced Custom Profiles to support the resolution of macros.
  • Removes erroneous “Define” setting from the Restrictions payload.
  • Adds option under Right-Click (on Device Group) > Advanced Settings > Agent Settings to “Prevent Un-Enrollment from Device Agent”.


  • Introduces support for selection of the certificate template used to issue the certificate to the Device Agent.
  • Adds option under Right-Click (on Device Group) > Advanced Settings > Agent Settings to “Prevent Un-Enrollment from Device Agent”.
  • Adds option in WiFi device configuration to verify the certificate of the enterprise wireless network.
  • Enhances Agent-based enrollment by optionally enrolling using the MobiControl Device Management Address (DMA).
  • Adds Android+ support for the following Android manufacturers:
    • BQ
    • Kyocera
    • Sony


The following device configuration features were added to Android+ profiles and are specific to Samsung devices only:

  • Added support for the following configurations under the Device Feature Control payload:
    • Prevent enrollment when not running as the main user
    • Restrict firmware recovery
    • Disable hardware keys on Samsung via SCRIPT
  • Introduces support for managing Bookmarks in the native web browser
  • Extends the Certificate device configuration payload to allow “Interactive Certificate Installation”

Zebra (Motorola)

The following device configuration features were added to Android+ profiles and are specific to Motorola devices only:

  • Added support for the following configurations under the Device Feature Control payload:
    • Certificate Installation
    • Disable Hardware Keys
    • Disable USB Mass Storage
    • Disable USB Debugging

LG Android

The following device configuration features were added to Android+ profiles and are specific to LG devices only:

  • Added support for the following configurations under the Device Feature Control payload:
    • Disable access to device settings
    • Encrypt External Storage
    • Disable Home Key
    • Disable Media Player
    • Disable Bluetooth Data Transfer
    • Disable Cellular Data
    • Ability to define agent certificate on enrollment
    • Removes the Connection Security configuration which allowed to disable SSL
v11 -- Build 14250 -- May 7th, 2014


  • V11.0.3 Maintenance Releases
  • V11.0.2 Maintenance Releases
  • V11.0.1 Maintenance Releases
  • Release v11.0.0 build 12975 on January 10th, 2014

Online Help

Online Help resource about MobiControl's main components.

Release Highlights / Notes

  • Support for iOS 7 MDM features including App management, data leakage prevention from Managed Apps, and the management of device features such as Touch ID.
  • Support for Samsung KNOX including containerization of enterprise data, and increased device security and integrity monitoring.
  • New App Configuration methods including native iOS 7 App Config, URI based configuration for both Android and iOS App Catalogs, and the ability to script Android intents.
  • Support for managing Windows Phone 8 devices.
  • Support for managing Amazon Kindle HDX devices.
  • Improved Self Service Portal design including custom branding options.
  • Support for scheduling administrative reports.
  • Multi-file upload functionality in the Content Library.

New Features

Windows Phone 8 Features

Introduces support for the enrollment and management of Windows Phone 8 (WP8). Enrollment of devices can be initiated directly from the “Company Apps” section of a WP8 device and does not require an agent.

  • During enrollment, automatic discovery of the target device group will occur based on the LDAP group matched against available add device rules.
  • The WP8 > Information Panel will display inventory of device attributes such as Model, OS Version etc.
  • Support for distribution of an in-house “Company Hub” application during enrollment is provided under All Devices > Servers > Global Settings. Development of a Company Hub requires registration with Microsoft and a Symantec Code Signing Certificate. Refer to, or contact SOTI Support for more details.
  • The following policies can be configured under the Device Configuration section:
    • Device Authentication Policy including complexity, history, and enforcement.
    • Device Feature Restrictions for disabling access to the SD card and enforcing device encryption.
    • Distribution of public-keyed certificates.
    • Distribution of email configurations for POP, IMAP, and Exchange.
    • Support for a Full Device Wipe or Device Lock is provided as a Right-Click (on device) > Action option.

Apple iOS

  • Two new App Configuration methods are available for iOS under the Application Configuration button within an App Catalog rule.
    The “Configuration Command” leverages the native and automatic configuration for iOS 7 apps, whereas the “Configuration URI” option supports a broader range of operating systems and is initiated by the end user from the App Catalog webclip.
  • Added the following MDM payloads to the Device Configuration section.
    • Single Sign On
    • Web Content Filter with Adult Content filter and Whitelisting/Blacklisting that applies to Safari and 3rd party browsers obtained from the App Store.
    • VPN (Per App)
    • AirPlay for the configuration of mirroring destinations and passwords
    • AirPrint for the configuration of print resources
    • Fonts for installing custom fonts
    • Updated WiFi configuration to support Hotspot 2.0 configuration parameters
    • Adds Global HTTP Proxy support (iOS 6)
    • Single App Mode (iOS 6) including iOS 7 enhancements
  • “Feature Control” policies under Device Configuration has been reorganized and renamed to “Restrictions”.
  • Add Device Rules now include the ability to customize the device’s client certificate obtained during enrollment, allowing the selection of an external Certificate Authority.
  • The Right Click (on device) > Action > Device Lock action has been extended to optionally allow for the customization of the lock screen to include a phone number and a custom message useful when attempting to retrieve lost or stolen devices. 
    NOTE: With the appropriate cellular access the phone number can be dialed from the lock screen.
  • Support Contact info under iOS > Right Click (on Device Group) > Advanced has been extended to customize MDM dialogs. For example, App Installation prompts will now show the “Company Name” instead of the server URL.
  • Added the following configuration options to the Restrictions payload under the Device Configuration section:
    • Disable Account Modifications
    • Disable AirDrop
    • Disable App Cellular Data Usage Modification
    • Disable Siri User Generated Content
    • Disable Find My Friends Modification
    • Disable Touch ID (fingerprint scanner) to unlock device
    • Disable Host Pairing
    • Disable Control Center on Lock Screen
    • Disable Notification View on Lock Screen
    • Disable Today View on Lock Screen
    • Disable Open From Managed to Unmanaged
    • Disable Open From Unmanaged to Managed
    • Disable OTA PKI Updates
    • Permitted Apps for Autonomous Single App Mode
    • Force Limited Ad Tracking
    • Disable Bookstore (iOS 6)
    • Disable Erotic Books (iOS 6)
    • Disable Game Center (iOS 6)
    • Disable Interactive Profile Installation (iOS 6)
    • Disable App Removal (iOS 6)
    • Allow Shared Photostream (iOS 6)
    • Disable Siri Profanity Filter (iOS 6)
    • Disable Siri While Device is Locked (iOS 6)
    • Show Passbook notifications when locked (iOS 6)
  • Added the following device attributes in the iOS > Information Panel, and as triggers for Alert Rules:
    • Whether Find My iPhone is enabled
    • Whether a device is Supervised
    • Whether iTunes account is logged in
    • Whether Do Not Disturb is enabled
    • Whether Personal Hotspot is enabled

Samsung KNOX

Samsung KNOX provides an OS level container for separating work data including email, contacts, and even applications. Additionally KNOX provides enhanced device security, 3rd party attestation of security status, and real time monitoring of device integrity.

KNOX is enabled under the Android Device Configuration section, and includes the following features when a value-added per user KNOX license is present:

  • Container-level features:
    • Enforcing Passcode policy including complexity and container timeouts.
    • Configure containerized POP, IMAP, and/or Exchange email with forwarding restrictions.
    • Configure Apps for Single Sign On.
    • Configure Browser Policy.
    • Perform Silent installation, inventory, and blacklist of KNOX Apps.
    • Configure VPN for KNOX container or on Per App basis (requires installation of service APK).
    • Remotely Lock/Unlock container.
    • Restriction to Disable Camera while in container.
    • Restriction to Disable Share via List while in container.
    • Restriction to Use Secure Keypad while in container.
    • Restriction to Disable addition of new email accounts.
  • KNOX Device-level features:
    • Enforce CAC Authentication for the lock screen, browser, and VPN
    • Use of “Attestation” to verify the authenticity of a hardware key that was fused in the device during manufacturing in order to prove the device is not, and has not ever been “rooted”. Devices whose key is invalidated because of “rooting” will be flagged in the Android+ > Information Panel, and through Alert Rules.
    • Integrity Service (requires installation service APK) performs an initial baseline scan of the device and applications, and continuously monitors for changes that would indicate the device was compromised.
    • Configure Alert Rules to be notified of any integrity violation.

Android Features

  • Introduces ability to send intents via Right Click (on device) > Send > Script to trigger App behavior and/or configure the App.
  • App Catalog now features the ability under the Application Configuration section to provide a configuration URI that allows an end user to initiate the configuration of an installed App.
  • The MobiControl agent now includes Filter/Sort capabilities in the Content Library and App Catalog.
  • Adds support for a custom value for the Maximum Screen Timeout values in the Authentication Policy.
  • Adds Call Log as a Data Collection Rule option.
  • Added a report for data usage on a per-application basis.
  • Adds additional device script commands including:
    • Power off device
    • Wake device on schedule
    • Enable/disable WiFi radio
    • Enable/disable Cellular radio
    • Lockdown can now launch .cmd file from lockdown for the purpose of executing pre-defined scripts.
  • Adds support for Android KitKat OS (4.4.2) in

Samsung Android

The following features were added to the Device Configuration section of the Android+ tab and are specific to Samsung devices only:

  • WiFi Hotspot for configuring a device’s hotspot remotely
  • Device Restrictions
  • Block OS Upgrade
  • Disable Voice Dialer/S-Voice
  • Disable Multi-Window
  • Disable USB On-the-Go
  • Disable addition of new email accounts
  • Disable Incoming SMS Messaging
  • Disable Outgoing SMS Messaging
  • Disable Incoming MMS Messaging
  • Disable Outgoing MMS Messaging
  • Prevent Uninstallation of Managed Apps
  • Disable Portal WiFi Hotspot Changes

LG Android

Support for the following device restrictions has been added for LG Android devices:

  • Disable Voice Dialer
  • Disable GPS Mock Locations
  • Disable Microphone
  • Disable NFC
  • Disable USB Debugging
  • Enforce GPS
  • Disable Bluetooth Tethering
  • Disable WiFi-Tethering/Portal WiFi Hotspot
  • Enforce Minimum WiFi Security Level
  • Prevent Uninstallation of Managed Apps
  • Disable Outgoing SMS Messaging

Motorola Android

Support for the following features has been added for Motorola Android devices:

  • Adds support for SD Card encryption
  • Adds support for distribution of private keyed certificates
  • Adds support for configuring system settings via MX XML

Extended Features

  • Add Device Rules now include an option to Cache Password to improve user experience during enrollment.
    When configured the password used for authentication will be used for initial device configurations such as Email, WiFi, and VPN, and then is discarded.
  • Added support in the Add Device Rules for restricting enrollment to one or more approved LDAP groups.
  • Added support for customizing the naming convention of devices used during enrollment through an Add Device Rule.
  • Added manual configuration support for authenticating to the Web Console using Windows NTLM or Kerberos authentication.
  • Added manual configuration support for authenticating iOS device communication through a reverse proxy which forwards NTLM or Kerberos credentials.
  • Added support for retrieving Custom Data from XML files in Data Collection Rules.
  • Introduced Cloud Link as replacement to “Connection Proxy” to extend corporate resources such as LDAP and Certificate services to MobiControl Cloud. Cloud Link can be configured under All Devices > Servers.
  • MC Admin now provides support for customizing the SSL certificates used by the Deployment Server allowing for the use of trusted and/or enterprise certificate authorities.
  • Enhanced security during initial untrusted SSL communication between device agent and the MobiControl server.
    NOTE: Users are allowed to make trust decisions on initial enrollment if using an untrusted SSL certificate, and where the SOTI Enrollment service is not utilized.
  • Enhanced audit trail of user performed and server-initiated actions in the Events Panel of the Web Console.
  • Certificate Services now includes support for requesting certificates from a SCEP server on behalf of a device.
  • Certificate Services now provides the option of specifying Subject Alternative Names in certificate requests.
  • Certificate Services for ADCS over HTTPS now supports Kerberos authentication.
  • Certificate Services added support for publishing issued certificates to LDAP server of authenticated user.
  • Provided more granular log and alert truncation options, configured under All Devices > Servers > Global Settings.
  • File Sync Rules now support providing network credentials in UNC paths.
  • Added LAN Connection as a network requirement for Package Deployment Rules.
  • During package installation, the destination directory will now be created during deployment if it doesn’t exist.
  • Relocation Rules now support Device Group targets, and no longer apply globally.
  • Alert Rules have been expanded to support the variety of following triggers including but not limited to:
    • SIM Card Change
    • SIM Card Inserted
    • SIM Card Removed
    • ELM Activation Errors

Extended Features - Web Console 

  • During device deletion the administrator can now choose to revoke issued device certificates.
    This functionality requires integration with an enterprise CA using DCOM.
  • Improved the license information screen to show breakdown of license use by OS.
  • Logged on administrators and their IPs are now shown under All Devices > Servers.
  • Event Log Panel now includes a filter to view User or Device - generated events individually.
  • Console Security now includes a feature for controlling the administrative view of installed applications.
  • Console Security now allows for multiple LDAP servers to be used for authentication to the Web Console.
  • Deployment Server (DS) and Deployment Server Extensions (DSE) logs are now available for viewing from the ? menu.
  • Customizations to the device grid columns are now persistent across browsers based on authenticated user.
  • Web Console will now warn of APNS expiry 30 days in advance upon logging into Web Console.
  • Sending an SMS message will save the telephone number entered for subsequent use.
  • Public Web API has been extended to support sending scripts, including a message.

Windows Mobile/CE Features

  • Added support for Cold (CE) Clean (Mobile) boot on Motorola devices.
  • Added support for persistent storage of packages on Motorola devices.

Upgrade Observations

ELM Agent for Samsung Android

After upgrade, Samsung Android devices with MDMv4 capabilities will receive a new type of Device Agent during enrollment, referred to as the “ELM Agent”. Without compromising management functionality, Samsung’s Enterprise License Manager (ELM) allows SOTI to deliver timelier updates of the device agent in order to serve our customers better. The following observations however should be considered before upgrading MobiControl:

  • The ELM Agent requires Internet connectivity during enrollment, and periodically thereafter, to validate MDM licensing against Samsung servers.
  • End Users will be required to accept a privacy dialog during enrollment to acknowledge that non-identifying device information will be used to perform MDM license validation.
  • Migration to the ELM agent for devices with MDMv4 capabilities is advised for all devices currently enrolled in the system. A Right-Click (on device) > Agent Update > Migrate to ELM Agent option has been added to the Web Console to initiate the migration process. Migration may temporarily roll back policies and will require end user action as described above.
  • The Web Console will show the agent type installed on each device under the Android+ > Information Panel. “ELM” represents the new agent while “Signed” is used to represent the older agent.
  • The “Signed” agent is still available for download and manual installation under Android+ > Rules > Add Devices > Right Click (on rule) > Download Device Agent but is deprecated for Samsung devices with MDMv4 and higher, and may not be included in future releases.

Virtual Group Behavior Modification

Virtual Groups created in v11 will only include devices that reside in the parent Device Group(s) for which the Virtual Group also resides. That is to say, if you nest a Virtual Group in a Device Group, the scope of the Virtual Group is limited to the parent Device Group(s). Existing Virtual Groups will maintain the old functionality until deleted.

v10.0 -- Service Pack 1 -- August 27th, 2013

Release Highlights

  • iOS7 Compatibility
  • Enhanced Support for Motorola Android Devices
  • Assorted Bug Fixes


iOS7 Compatibility

In line with Apple’s iOS 7 update, MobiControl v10 R4 has been updated to streamline the enrollment process while implementing new app configuration methods. This new enrollment process requires that both components; MobiControl Server, and the MobiControl App be updated to the latest versions.

The new iOS enrollment process places more emphasis on using the enrollment URL rather than an enrollment ID. By using an enrollment URL, users can take advantage of automatic App configuration, rather than typing an enrollment ID:

Old Process (Agent)

  • Open App Store
  • Install MobiControl App
  • Enter Enrollment ID from Add Rule
  • Management Profiles Installed
  • Device Successfully enrolled

New Process

  • Go to Enrollment URL (Add Device Rule)
  • Install Management Profiles
  • User is Prompted, Installs MobiControl App
  • Device Successfully Enrolled
  • MobiControl App is automatically configured after install


Symptoms and solutions for challenges relating to these changes: 

  • MobiControl App continuously asks for device enrollment
  • MobiControl Server and/or App being out of date
  • MobiControl App indicates successful enrollment, but indicates the server is outdated
  • MobiControl v10 R4 SP1 must be applied to the server
  • MobiControl App requests users to reinstall the app
  • User will be required to delete the pre-existing MobiControl app and install the updated MobiControl App when prompted. This newly installed app will be managed by MobiControl’s profiles and configured on install
v10.00 -- Build 9329 -- January 7th, 2013

Upgrade Observations

  • After upgrade all LDAP connections will require re-configuration of Base DN and Authentication Type
    • If using LDAP Authentication for Console Security, ensure that the local administrator account is known prior to upgrading
  • After upgrade Console Security must be managed through Web Console (option has been removed from MobiControl Manager)

Release Highlights

  • Introduces completely redesigned Apple® iOS and Google Android™ device agents featuring:
    • Content Library
    • Application Catalog
    • Support Contact Details
    • Terms & Conditions
    • Message Center
    • Location Discovery (iOS)
    • Device Configuration Summary
  • Introduces Secure Content Library with support for:
    • Pushed or On Demand distribution of content to device agents
    • Effective and Expiration dates for distributed content
    • File Sharing Restrictions (iOS)
    • Content Categorization
    • Versioning
  • Introduces Telephone Expense Management with support for:
    • Monitoring, reporting, and alerting on Data usage (All Mobile Platforms) and Voice usage (Windows Mobile, Android)
    • Adds support for Phone Call Policy and Call Logs (Android)
  • Introduces Certificate Management with support for:
    • Device certificate inventory
    • Integration with Microsoft PKI (ADCS), and Entrust Certificate Authorities for the request and subsequent distribution of certificates (All Mobile Platforms)
    • Support for dynamic and static-challenge SCEP payloads (iOS)
    • Automatic certificate renewal
    • Certificate revocation (when using ADCS via DCOM)
    • Association of Certificate to WiFi, VPN, Email Device Configurations for Authentication or Encryption
  • Introduces customizable and versioned Terms & Conditions for end user acceptance during enrollment
  • Introduces Speed-sensitive Lockdown to customize Lockdown screen when device is travelling faster than defined speed (Android, Windows Mobile)
  • Enhanced Remote Control featuring BlitFire 10x for up to 10x faster Remote Control
    • Remote Control Console now opens as an applet, and is no longer IE-dependent
    • Remote Control Console will attempt to detect the device model and choose the appropriate device Skin (available in most cases)
  • Introduces Anti-Virus/Malware protection via WebRoot (Android)
  • Introduces Categorized Web Filtering via WebRoot (Android)
  • Adds support for Microsoft®Windows 8 Desktop

General Features

  • Enhancements to LDAP integration to support manual specification of Search Patterns and LDAP attributes. Includes support for Open Directory, Domino and other LDAP servers.
  • Optimized performance of File Transfer protocol
  • Adds support for sending a message to the Device as an Alert Rule action
  • Adds support for Management Service to communicate outbound through a proxy via configuration file entry
  • Adds support for Geofence under Alert Rules (Android, iOS)
  • Enrollment can now be achieved without Enrollment service by entering Server Address, Rule Tag and Site Name (Android, iOS)
  • Redesigned Installer featuring detection of current installed state to streamline installation / upgrade process

Web Console Features

  • Introduces Custom Attributes to support adding additional fields to Web Console
  • Redesigned Device Configuration panel (formerly Security Center)
  • Adds support for applying Notes to Device Groups and Virtual Groups
  • Introduces support for using Macros in Device Configuration dialogs that require values for Username and Email
  • Minor changes to Rule cards to streamline configurations
  • Web Console will now display a device’s associated user in the Info Panel
  • Introduces dialog for manually changing a device’s user association
  • Added support for creating and editing "Filter" views
  • App Catalog configuration now supports discovery of Apps through Google Play (Android)
  • Introduced "Configuration Policies" info panel to indicate the Device Configurations assigned to device.
  • Agent Connected/Disconnected state is now shown indicating how long the Agent has been in this status
  • Global Settings now displays the Database Connection String
  • Adds support for opening all Info Panels in Maximize View
  • Introduces method to dismiss yellow console alerts
  • Web Console URL address can now be customized during installation
  • Added additional Console Security permissions related to new features
  • Introduces progress bar during Agent Creation when using Agent Builder Service
  • Device Info Panel now indicates the active connection type (WiFi/3G etc.)
  • Passcode status is now displayed in the Info Panel (Android)
  • Internal/External Encryption status is now displayed in the Info Panel (Android)
  • WiFi signal is now displayed in percentage (%) as well as dB. (Windows Mobile, Android)
  • Hardware Serial Number and OEM Version are now displayed in the Device Info Panel for Android+ devices
  • Add Device Rule filters now support filter by IP Address (iOS, Android), removes filter option for “Agent Name” (Windows Mobile)
  • Renamed Right-Click option “Refresh Device Status” to “Request Device Check-In” to adequately represent the action’s behavior
  • Reorganized Right-Click menu options on Device Group level
  • Adds additional Device Statuses to Alert Rule triggers such as IP Address, Cellular Carrier, OS etc. (Android, iOS)
  • Introduces a Device Tree legend to describe selection colors
  • Introduces support for searching for Device Groups

Apple® iOS Features

  • Added the following iOS Device Configurations:
    • LDAP
    • CalDAV
    • Subscribed Calendars
    • Additional VPN configurations (F5, SonicWall, Aruba VIA, Custom SSL)
  • Introduces support for installing manually-crafted "Custom Profiles"
  • Introduces support for automated enrollment via Apple Configurator via .mobileconfig files
  • Location Services now includes an option to configure GPS Accuracy vs Battery Performance (GPS Mode vs Significant Change)
  • Introduces new APNs Certificate Signing utility for issuing and renewing APNs Certificates
  • iOS Agent will now re-launch after enrollment process is complete when enrollment is initiated through Agent

Google Android™ Features

  • Adds support for Time Sync policy
  • Adds support for Custom Data
  • Adds support for Out of Contact Policy
  • Adds support for Device Relocation rule
  • Introduced the following functionality via script commands
    • Restart device agent (restartagent)
    • Switch agent between foreground/background mode (foregroundmode enable|disable)
    • Create directory (mkdir, md)
    • Launch an application (start)
    • App Whitelisting (see online help)
  • Introduces support for executing an Intent from a Lockdown screen
  • Adds support for manual distribution of certificates (Samsung, LG, and Motorola for certificates containing only a public-key)
  • Introduces persistent storage support for Motorola Android-based devices
  • Introduces Pending Actions panel for awaiting user actions such as starting Encryption Process or Passcode Policy. Pending Actions panel will “Nag” user to perform these functions.
  • Adds support for GCM as C2DM has been deprecated by Google
  • Introduces utility to configure WiFi while in Lockdown
  • Introduces utility to configure Passcode while in Lockdown
  • During Enrollment Device Administrator is now silently "Activated" when device agent is obtained from Deployment Server. Adds flag in mcsetup.ini file to alter this behavior.
  • Android+
    • Added support for the following Feature Restrictions for devices supported under Android+ other than LG and Samsung:
    • Bluetooth
      • Disable outgoing calls via Bluetooth (ICS+)
      • Disable Bluetooth Discoverable mode (GB+)
      • Disable Bluetooth Tethering (ICS+)
      • Disable Bluetooth Desktop Pairing (GB+)
      • Disable Bluetooth Tethering (ICS+)
      • Disable Bluetooth Pairing (GB+)
      • Allow Limited Bluetooth Discoverable mode (ICS+)
    • WiFi
      • Disable WiFi-Profiles (GB+)
      • Disable WiFi Profiles Changes (GB+)
      • Enforce Minimum WiFi Security Level (GB+)
      • Disable WiFi tethering (GB+)
    • Disable Cellular Data (GB+)
    • Disable Clipboard (HC+)
    • Disable USB tethering (ICS+)
    • Disable Google Sync/Backup (GB+)
    • Disable Access to Device Settings (GB+)
    • Enforce GPS Availability (GB+)
    • Disable GPS Mock Locations (GB+)
    • Disable YouTube (GB+)
    • Disable Browser (GB+)
    • Disable Installation from Unknown Sources (GB+)
    • Disable Background Data (GB+)
    • Disable NFC (ICS+)
    • Disable USB Debugging (GB+)
    • Disable USB Mass Storage (GB+)
    • Disable SD Card Access (GB+)
    • Disable All Tethering (ICS+)
  • LG
    • Added support for the following Feature Restrictions for LG devices:
    • Bluetooth
      • Disable outgoing calls via Bluetooth
      • Disable Bluetooth Discoverable mode
      • Allow Limited Bluetooth Discoverable mode
      • Disable Bluetooth Pairing
      • Disable Bluetooth Tethering
      • WiFi
        • Disable WiFi-Profiles
        • Disable WiFi Profiles Changes
        • Enforce Minimum WiFi Security Level
        • Disable WiFi tethering
      • Disable USB tethering
      • Disable Google Backup
      • Disable SD Card Access
      • Disable USB Mass Storage
      • Disable Clipboard
      • Disable USB Media Player
      • Disable NFC
      • Disable USB Debugging
      • Enforce GPS Availability
      • Disable GPS Mock Locations
      • Disable Background Data

Microsoft® Windows Mobile/CE Features

  • Adds support for manual distribution of a known certificate
  • Adds support for configuring Fusion-based WiFi configurations from Web Console
  • Introduces Support Contact Info inside device agent
  • Introduces a utility that allows a device to fetch a package from an FTP server rather than the Deployment Service
  • Adds support for showing Bluetooth in a Custom Navigation Bar while in Lockdown
  • Electronic Serial Number (ESN) of Motorola Windows-based devices is now collected and displayed in the Info Panel of the Web Console

iOS7 Compatibility (Implemented in v10.00.9619 released on August 27th, 2013)

In line with Apple’s iOS 7 update, MobiControl v10 has been updated to streamline the enrollment process while implementing new app configuration methods. This new enrollment process requires that both components: MobiControl Server, and the MobiControl App be updated to the latest versions.

The new iOS enrollment process places more emphasis on using the enrollment URL rather than an enrollment ID. By using an enrollment URL, users can take advantage of automatic App configuration, rather than typing an enrollment ID:

Old Process (Agent)

  • Open App Store
  • Install MobiControl App
  • Enter Enrollment ID from Add Rule
  • Management Profiles Installed
  • Device Successfully enrolled

New Process

  • Go to Enrollment URL (Add Device Rule)
  • Install Management Profiles
  • User is Prompted, Installs MobiControl App
  • Device Successfully Enrolled
  • MobiControl App is automatically configured after install



  • Release 10 build 9912 on March 6th, 2014
  • Release 10 build 9619 on August 27th, 2013
  • Release 10 build 9484 on April 15th, 2013
  • Release 10 build 9354 on March 20th, 2013
  • Release 10 build 9329 on January 7th, 2013
v9.03 -- Build 7800 -- May 1st, 2012


  • Enhanced Reports to support additional formats during export
  • Removed dependency on Active Directory binding for Management Console and device enrollment
  • Additional logging for executed “Action” commands
  • Intelligent device installer with automatic vendor detection and agent selection
  • 9.03 upgrade support for Japanese language
  • Phone call policy for web console updated to block private caller
  • Android+ Chinese language localization support for the device agent
  • Application Catalogue Update Button


Introduction of SOTI’s Android+ technology
  • Provides common set of Mobile Device Management features including Remote Control, Application installation, Device Configuration, and more, across multiple OEMs
  • Provides Remote Control capability across a wider range of Samsung devices
  • Replaces “Samsung Android” tab in Management Console

Samsung Android

Asset Management & Security Management
  • Persistent GPS monitoring
  • Added option to prevent user from removing MobiControl Agent
  • Authenticated device enrollment now captures email address and username from directory service
  • Improved certificate management
Aligning with the Samsung Galaxy SIII launch, 9.03 enhances or adds support for the following device configurations:
  • Background Data
  • Bluetooth:
    • Disable Bluetooth
    • Require password to Enable Bluetooth
    • Disable outgoing calls via Bluetooth
    • Disable Bluetooth Discoverable mode
    • Require password to enable Bluetooth discovery
    • Disable Bluetooth Pairing
    • Disable Bluetooth Desktop Pairing
    • Disable Bluetooth Data transfer
  • Data Protection:
    • Disable Google Backup
    • Disable SD card access
    • Disable USB Mass Storage
    • Disable Kies
    • Disable Clipboard
  • Data Protection:
    • Disable Google Backup
    • Disable SD card access
    • Disable USB Mass Storage
    • Disable Kies
    • Require password to enable Bluetooth discovery
    • Disable Bluetooth Pairing
    • Disable Bluetooth Desktop Pairing
    • Disable Bluetooth Data transfer
  • Enable / Disable:
    • USB Media Player
    • NFC
    • Home Key
    • Screen Capture
    • USB Debugging
    • Factory Reset
    • Access to Device Settings
    • Voice Dialer
    • YouTube
    • Browser
    • Installation From Unknown Application Sources
  • Samsung Native Email Client:
    • IMAP and POP3
    • MS Exchange Policies
      • Both sync calendar and sync email intervals
      • Allow/Disallow HTML Email
      • Maximum Email Truncation Size
      • Enable Signature Editing
      • Peak Sync Schedule
      • Peak Days
      • Peak Start/End Times
      • Sync Schedule On/Off Peak
  • VPN:
    • Support for L2TP
    • Support for PPTP
  • Wi-Fi:
    • Disable Wi-Fi
    • Disable Wi-Fi Profiles
    • Disable Wi-Fi Profile Changes
    • Disable Prompt for Credentials
    • Enforce Wi-Fi Data Only
    • Enforce minimum Wi-Fi Security Level
    • Always prompt for Wi-Fi Certificate Credentials
  • Wi-Fi:
    • Disable all tethering
    • Disable Wi-Fi tethering
    • Disable Bluetooth tethering
    • Disable USB tethering

Apple iOS

  • Improved device enrollment process
  • Enhancements to Documents Portal including File Sharing controls
  • Improved application status monitoring for Managed Apps
  • Application Catalog compatibility checks for iPad, iPhone-Only Apps
  • Authenticated device enrollment now captures email address and username from directory service
v9.02 -- Build 6270 -- January 27, 2012


  • Automatic Actions on Alert: Configure automated actions such as relocate device to a new device group or block MS Exchange Email Access based on a variety of alerts.

Samsung Android

Remote Control
  • Live remote control of devices for optimal helpdesk troubleshooting
  • View and Control devices with desktop keyboard and mouse in real time
  • View and Manage device services, tasks, and file explorer
Asset Management
  • Enroll, Provision and configure groups of devices wirelessly
  • Management Dashboards and advanced reports audit a variety of device information
  • Send messages to devices using Google’s Cloud to Device Messaging
Application Management
  • Install, update and remove applications without user interaction
  • Manage application security with certificate installations
  • Ability to wipe application data
  • Enforce application blacklists
Configuration Management
  • Enable or Disable:
    • Android Market
    • Camera
    • Data Usage while Roaming
    • WiFi
    • Bluetooth
    • Microphone
    • Access Point
  • Remove managed MS Exchange account and data
  • Configure Access Point Settings, WiFi Settings, and Strong Password requirements
MS Exchange Policies
  • Enable or Disable MS Exchange Account Access
  • Ability to configure secure device connection to authorized MS Exchange Server
  • Ability to configure device side MS Exchange settings such as email address, passwords, SSL certificates, email notification types, and sync intervals
Location Based Services
  • Locate, Track and Historically Bread crumb device GPS location and movement globally
Security Management
  • Enforce LockDown Policies that block use of the operating system and replace the device home screen with a customizable screen with access to select applications only.
  • Remote Actions include Lock, Unlock, Wipe, & Restart
  • Full Device Encryption including SD card
  • Install security & identity certificates on device
  • Detect Rooted devices

Apple iOS

  • New APNS Certificate Generation Process
  • Configure IMAP/POP Email Accounts
  • Volume Purchase Plan (VPP) Integration
  • Location Data Collection: locate and track devices without user interaction
  • App Store Integration for Application Catalog Configuration
  • File Synchronization within MobiControl Agent File Browser
  • Send Enrollment Invitation Email
  • Application Blacklist: Alert on prohibited applications installed
  • Configure certificate based authentication for MS Exchange, WiFi, and VPN
  • iOS 5 MDM Features:
    • Disable iCloud device and document sync
    • Disable Photo Stream
    • Prevent moving messages between email accounts
    • Prevent applications from sending corporate emails
    • S/MIME encryption enforcement
    • Configure WiFi Proxy and configure auto join network connections
    • Report on Voice Roaming status and battery status
    • Disable voice and data roaming
    • Disable SIRI
    • Disable Diagnostic Crash logs
    • Application Management
      • Request user to install application
      • Specify if app should remain or be removed if MDM profile is removed
      • Prevent app data back up to iTunes or iCloud
      • Report on application status: needs redemption, redeeming, user prompted, installing, managed, managed but uninstalled by user, unknown, user rejected install, failed
      • Remove managed apps

Google Android

  • Enforce LockDown Policies that block use of the operating system and replace the device home screen with a customizable screen with access to select applications only


  • Build 6270 replaces build 6222 that was posted on January 13, 2012.
v9.00 -- Build 5679 -- September 30, 2011


  • Differentiated device licensing
  • Aruba AirWave integration: access point management
  • Windows Desktop lockdown (XP/7)
  • Secure Email Access: MS Exchange filter to block access to unmanaged devices
  • SOTI Service Portal:
    • MobiControl Device Messaging Service: Apple APNS, Google C2DM, and SMS message relay
    • MobiControl Device Agent Service: Agent Builder
    • MobiControl Licensing Service: Differentiated Licensing
    • MobiControl Location Services: uses Bing maps key system

Web Console

  • Windows Mobile & Windows Desktop configuration
  • Device Agent Wizard for Windows devices
  • Management dashboard view
  • Additional graphical displays and User Interface enhancements

Google Android

  • Data Collection
  • File Synchronization
  • C2DM messaging
  • Real Time location tracking
  • Historical location bread crumbing
  • Agent User Interface enhancements
  • NitroDesk TouchDown integration

Apple iOS

  • Additional device security information
  • Enterprise application Provisioning Profile management
  • Configure Web Clips
  • SSL encrypted communication between agent and deployment server
  • Apple Push Notification Service messaging
  • Agent user interface enhancements
v8.51 -- Build 5251 -- April 18, 2011

Improved Performance:

  • Enhanced web interface
  • Optimized reporting of device activity


Bug Fixes

  • Fixed assorted minor issues with web interface, device agents, and deployment server



  • Build 5251 replaces build 5250 that was posted on April 14, 2011.
v8.50 -- Build 5240 -- March 22, 2011

New Platform Support

  • Apple iOS v4+ devices (iPhone, iPodTouch, iPad)
  • Android v2.2+ devices.

Apple iOS Features

  • OTA Device Enrollment and Provisioning: Users can self provision authorized devices with valid Active Directory credentials or unique password authentication and enroll into corporate networks wirelessly.
  • Dynamic Asset Management: Organize and manage devices individually or by custom groupings.
  • Extensive Live Device Information View and Audit
  • Encrypted OTA Device Settings Configurations
  • Device Feature and Applications Restrictions
  • Device Certificate Management: Upload, View, and Delete Certificates on devices
  • Application Management: View all installed 3rd party App Store and In-House Enterprise applications. Customize a private Application Catalog to direct users to private in house applications or recommended 3rd party applications.
  • Detect Jail-broken devices
  • Locate live device GPS coordinates on an interactive map
  • Real Time Remote Actions: Lock, Unlock, Wipe, Corporate Data Wipe
  • Remote Control device agent
  • Live Two-Way Chat
  • Alerts and Reports

Google Android Features

  • OTA Device Enrollment and Provisioning: Users can self provision authorized devices with valid Active Directory credentials or unique password authentication to enroll into corporate networks wirelessly.
  • Dynamic Asset Management: Organize and manage devices individually or by custom groupings.
  • Extensive Live Device Information View and Audit
  • OTA Password and WiFi Settings Configurations
  • Application Management: View all installed 3rd party App Store and In-House Enterprise applications. Customize a private Application Catalog to direct users to private in house applications or recommended 3rd party applications.
  • Detect Rooted Devices
  • Locate live device GPS coordinates on an interactive map
  • Real Time Remote Actions: Lock, Unlock, Wipe, Corporate Data Wipe
  • Alerts and Reports

Web Console

  • New Contemporary Redesign
  • Multi-Platform layout for viewing and managing devices
  • Extensive Web Help Files
  • Configuration of Rules
    • Add Devices Rules
    • Deployment Rules
    • File Sync Rules
    • Device Relocation Rules
    • Data Collection Rules
    • Alerts Rules
  • Viewing and Management of Alerts
  • Configuration of Console Security

Remote Control

  • Optimized communication protocol
  • Improved support for communication across load balancing appliances

Enhanced Support for Windows Devices

  • Extended desktop lockdown functionality to include support for devices running the Windows 7 operating system.
  • Added support for many new Windows based devices, including: Intermec CN70.

Bug Fixes

  • Fixed assorted minor issues with Location Services, Remote Control and connections over cellular networks.