In order to successfully enroll and manage your iOS 11+ devices, several requirements must be met.

 

Minimum MobiControl Version

 

iOS 11 changes the way iOS devices retrieve identity certificates during the MDM enrollment process. SOTI MobiControl customers that enroll iOS 11 devices using the Internal MobiControl Certificate Authority (the default Certification Authentication Authority option in SOTI MobiControl Add Device rules, see attached) need to ensure their version of MobiControl meets the respective minimum version requirement. It is important to note that devices that are already under SOTI MobiControl management and are subsequently upgraded to iOS 11 will continue to be managed by MobiControl.

 

The minimum version requirements for each major version of SOTI MobiControl are as follows:

  • For SOTI MobiControl v12, the minimum version is v12.4.0.31044
  • For SOTI MobiControl v13, the minimum version is v13.3.0.3690
  • For SOTI MobiControl v14, the minimum version is v14.0.0

 

For customers that do not meet the minimum SOTI MobiControl version requirement, the recommended course of action is as follows:

  • Customers running MobiControl versions 11 and earlier should upgrade to v13.3.0.3690. Both server-side and agent-side upgrades are required.
  • Customers running MobiControl v12.x should upgrade to the latest Maintenance release of v12.4.
    • We recommend v12.4 for those customers who want to upgrade as fast as possible and avoid the additional risk that comes with upgrading to a new major version. Keep in mind, however, that v12.x is no longer getting regular maintenance updates, so the customer must plan for an upgrade to v13 or v14 in the near future.
  • Customers running MobiControl v13.x should upgrade to the latest Maintenance release of v13.4.

 

TLS 1.2 Requirement

 

iOS 11 requires a minimum of TLS 1.2 for all secure communications.  Therefore, TLS 1.2 must be enabled on all servers that host the MobiControl Deployment Server.  Although newer versions of Windows Server have TLS 1.2 enabled by default, older versions such as Windows Server 2008 R2 do not.

 

To enable TLS 1.2, please follow these steps:

  1. Start the registry editor by clicking on Start and Run. Type "regedit" into the Run field (without quotations).
  2. Highlight Computer at the top of the registry tree. Back up the registry first by clicking on File and then on Export. Select a file location to save the registry file. Note: You will be editing the registry. This could have detrimental effects on your computer if done incorrectly, so it is strongly advised to make a backup.
  3. Browse to the following registry key:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

  4. Right-click on the Protocols folder and select New and then Key from the drop-down menu. This will create a new folder. Rename this folder to TLS 1.2.
  5. Right-click on the TLS 1.2 key and add two new keys underneath it.
  6. Rename the two new keys as:
     • Client
     • Server
  7. Right-click on the Client key and select New and then DWORD (32-bit) Value from the drop-down list.
  8. Rename the DWORD to DisabledByDefault.
  9. Right-click the name DisabledByDefault and select Modify... from the drop-down menu.
  10. Ensure that the Value data field is set to 0 and the Base is Hexadecimal. Click on OK.
  11. Create another DWORD for the Client key as you did in Step 7.
  12. Rename this second DWORD to Enabled.
  13. Right-click the name Enabled and select Modify... from the drop-down menu.
  14. Ensure that the Value data field is set to 1 and the Base is Hexadecimal. Click on OK.
  15. Repeat steps 7 to 14 for the Server key (by creating two DWORDs, DisabledByDefault and Enabled, and their values underneath the Server key).
  16. Finally, reboot the server.
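
The same registry changes as the manual steps above, scripted in PowerShell and followed by a read-back check; this is an added example, not SOTI's own tooling. It assumes an elevated Windows PowerShell session on the Deployment Server, and the backup file location under %TEMP% is an assumption. It exports only the SCHANNEL Protocols key rather than the whole registry.

```powershell
# Added example: scripted equivalent of the manual regedit steps.
# Run from an elevated Windows PowerShell prompt (written to work on PowerShell 2.0).
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$tls12     = Join-Path $protocols 'TLS 1.2'

# Values taken from the steps above: DisabledByDefault = 0, Enabled = 1.
$desired = @{ DisabledByDefault = 0; Enabled = 1 }

# Back up the Protocols subtree before touching it (file location is an assumption).
$backup = Join-Path $env:TEMP ("schannel-protocols-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; no changes were made." }

foreach ($role in 'Client', 'Server') {
    $key = Join-Path $tls12 $role
    # Only create the key when it is missing: New-Item -Force on an existing
    # registry key would recreate it and drop any values already under it.
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null   # -Force also creates the 'TLS 1.2' parent key
    }
    foreach ($name in $desired.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $desired[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# Read the values back and compare them with what the procedure specifies.
$report = foreach ($role in 'Client', 'Server') {
    $props = Get-ItemProperty -Path (Join-Path $tls12 $role)
    foreach ($name in $desired.Keys) {
        New-Object PSObject -Property @{
            Key      = "TLS 1.2\$role"
            Name     = $name
            Expected = $desired[$name]
            Actual   = $props.$name
            Ok       = ($props.$name -eq $desired[$name])
        }
    }
}
$report | Format-Table Key, Name, Expected, Actual, Ok -AutoSize

if ($report | Where-Object { -not $_.Ok }) {
    throw "TLS 1.2 registry values do not match; restore from $backup if needed."
}
Write-Host "TLS 1.2 values set. Backup: $backup. Reboot the server to apply the change."
```

The script does not reboot the server; as in the final manual step, the setting takes effect only after a restart.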