Changes in iOS 13 that Impact SOTI MobiControl Customers

Publish Date: 05-Sep-2019 iOS

Summary

iOS 13 includes changes that affect every customer who manages iOS devices with SOTI MobiControl. They touch two areas of the product: clearing a device passcode, and the SOTI MobiControl Agent's communication with the Deployment Server.

Clear Passcode

iOS 13 includes changes to the MDM protocol that affect SOTI MobiControl's ability to clear the passcode on iOS 13 devices. To support these changes, we have issued Maintenance Releases for SOTI MobiControl 13.4 and 14.4.

Related SOTI ONE Platform Products

iOS

Process Description

iOS 13 includes changes that affect every customer who manages iOS devices with SOTI MobiControl. They touch two areas of the product: clearing a device passcode, and the SOTI MobiControl Agent's communication with the Deployment Server.

Clear Passcode

iOS 13 includes changes to the MDM protocol that affect SOTI MobiControl's ability to clear the passcode on iOS 13 devices. To support these changes, we have issued Maintenance Releases for SOTI MobiControl 13.4 and 14.4. SOTI MobiControl 15 already accounts for these changes and will not be affected when it is released.

To ensure uninterrupted management of your iOS devices, upgrade your SOTI MobiControl server before any of your iOS devices are upgraded to iOS 13. A device that is upgraded to iOS 13 before the server is upgraded permanently loses the ability to have its passcode cleared by SOTI MobiControl; to restore that capability, the device must be re-enrolled into the upgraded SOTI MobiControl server.

Recommended course of action for affected customers:

  • Customers running SOTI MobiControl 13.x or older should upgrade to SOTI MobiControl 13.4 MR 23 (build 5450).
  • Customers running SOTI MobiControl 14.x should upgrade to 14.4.1 or higher.

For customers that are not able to upgrade their production environments of SOTI MobiControl before the release of iOS 13, we recommend the following course of action to help prevent their iOS devices from being upgraded to iOS 13:

  • For supervised devices on iOS 11.3 or later, enforce a delay in the availability of iOS updates. Apple allows a delay of 1 to 90 days, so 90 days is the longest window the restriction can buy.
    • This capability is available in the Restrictions profile in SOTI MobiControl v14.1.2 or higher.
    • Customers on older versions of SOTI MobiControl can leverage the same capability by assigning the following Custom Profile, which sets forceDelayedSoftwareUpdates together with an enforcedSoftwareUpdateDelay of 90 days in a com.apple.applicationaccess payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Configures restrictions</string>
            <key>PayloadDisplayName</key>
            <string>Restrictions</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.applicationaccess.0CE8FAD3-5C91-4571-ABED-BC4A41D32D58</string>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess</string>
            <key>PayloadUUID</key>
            <string>0CE8FAD3-5C91-4571-ABED-BC4A41D32D58</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>enforcedSoftwareUpdateDelay</key>
            <integer>90</integer>
            <key>forceDelayedSoftwareUpdates</key>
            <true/>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Restriction to delay availability of OS Updates</string>
    <key>PayloadDisplayName</key>
    <string>Custom Restriction</string>
    <key>PayloadIdentifier</key>
    <string>SOTI-iMac.BA674B4E-7290-4743-9674-3DAC89BB9987</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>5D77F004-5A96-4024-A5DE-533789295DD1</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

  • For all other iOS devices, inform your users to delay updating to iOS 13 until they are notified it is safe to do so.

SOTI MobiControl Agent

iOS 13 tightens the requirements for TLS server certificates, including the certificate that any iOS app, such as the SOTI MobiControl Agent, relies on when it talks to an MDM server. In particular, the server's SSL certificate must carry an RSA public key of at least 2048 bits and must be signed using the SHA-256 hashing algorithm. Apple's iOS 13 trust rules also expect the server's DNS name to appear in the certificate's Subject Alternative Name extension rather than only in the Common Name, which is why the Primary Agent Address must match the certificate's alternative DNS name.

This requirement affects customers who use the iOS SOTI MobiControl Agent app and whose SOTI MobiControl Deployment Server SSL certificate (DS certificate) does not meet it. Customers who started with a fresh installation of SOTI MobiControl v14.1.8 or later, or who have switched the DS certificate to a commercial SSL server certificate, already have a compliant DS certificate and are not affected. To check, cross-reference the certificate shown in the MobiControl Administration Utility with the same certificate in the Microsoft Management Console Certificates snap-in, where the key size, signature algorithm and Subject Alternative Name are visible in the certificate details.


Affected customers will not be able to use the SOTI MobiControl Agent’s features such as Remote Screen Sharing, File Sync, Content Library, Location Data Collection, etc., on their iOS 13 devices. 

Recommended course of action for affected customers:

  • Purchase a commercial SSL certificate that meets the requirements above and bind it to SOTI MobiControl's Deployment Server. Using a commercial SSL server certificate is considered a best practice and is therefore the recommended option.
    • On-premise customers must use the MobiControl Administration Utility to ensure that the Primary Agent Address matches the Alternative DNS name in the SSL server certificate.
    • Cloud customers can contact SOTI Support for assistance in this matter.
  • If purchasing a commercial SSL certificate is not viable, upgrade to MobiControl 14.4.1 and regenerate both the MobiControl Root certificate and the Deployment Server's SSL certificate. On-premise customers can regenerate the certificates with the MobiControl Administration Utility; Cloud customers can contact SOTI Support for assistance. Order matters: the new root certificate must be deployed to every device before the Deployment Server certificate is replaced. A device that has not received the new root will not trust the new DS certificate, so skipping this step results in the loss of management of all existing devices and requires them to be re-enrolled.
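The following script is an added example and is not part of SOTI MobiControl or its Administration Utility. It checks an exported Deployment Server certificate (PEM) for the three properties discussed above: an RSA key of at least 2048 bits, a SHA-256 signature, and the Primary Agent Address present as a DNS entry in the Subject Alternative Name. It also builds a few throwaway self-signed sample certificates so the check can be exercised offline; the hostname ds.example.com, the file names and the temporary directory are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not SOTI's tooling. Checks a Deployment Server certificate
# against the iOS 13 requirements described in the article:
#   - RSA public key of at least 2048 bits (the check assumes an RSA key)
#   - signed with SHA-256 (sha256WithRSAEncryption)
#   - the Primary Agent Address listed as a DNS name in the Subject
#     Alternative Name extension
# Requires the openssl command-line tool (1.1.1 or later for -addext).
# The hostname ds.example.com used below is an assumption.

# check_ds_cert CERT.pem HOSTNAME
# Returns 0 when all three checks pass, 1 otherwise, printing one FAIL
# line per problem found.
check_ds_cert() {
    cert="$1"
    host="$2"
    rc=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL: cannot read certificate '$cert'"
        return 1
    }

    # Key length, e.g. "Public-Key: (2048 bit)" (OpenSSL 1.1.1 prefixes "RSA ")
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "FAIL: key is ${bits:-unknown} bits, iOS 13 requires RSA >= 2048"
        rc=1
    fi

    # Signature algorithm (first occurrence is the one in the signed body)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    if [ "$sigalg" != "sha256WithRSAEncryption" ]; then
        echo "FAIL: signature algorithm is '${sigalg:-unknown}', need sha256WithRSAEncryption"
        rc=1
    fi

    # SAN DNS entries, compared exactly so ds.example.com.evil does not match
    found=1
    for name in $(printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'); do
        [ "$name" = "$host" ] && found=0
    done
    if [ "$found" -ne 0 ]; then
        echo "FAIL: '$host' is not a DNS entry in the Subject Alternative Name"
        rc=1
    fi

    return "$rc"
}

# Constructed sample certificates (throwaway self-signed keys) so the check
# can be run offline. Prints the directory that holds them.
make_sample_certs() {
    dir=$(mktemp -d)
    # Compliant: 2048-bit RSA, SHA-256, agent address in the SAN
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -subj "/CN=ds.example.com" -addext "subjectAltName=DNS:ds.example.com" \
        -keyout "$dir/good.key" -out "$dir/good.pem" >/dev/null 2>&1
    # Legacy style: name only in the CN, no SAN extension
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -subj "/CN=ds.example.com" \
        -keyout "$dir/nosan.key" -out "$dir/nosan.pem" >/dev/null 2>&1
    # Weak key: 1024-bit RSA (OpenSSL builds that refuse to generate it leave
    # the file missing, which the check reports as a failure as well)
    openssl req -x509 -newkey rsa:1024 -sha256 -nodes -days 365 \
        -subj "/CN=ds.example.com" -addext "subjectAltName=DNS:ds.example.com" \
        -keyout "$dir/weak.key" -out "$dir/weak.pem" >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone demo: build the samples and check each against the agent address
samples=$(make_sample_certs)
for c in good nosan weak; do
    if check_ds_cert "$samples/$c.pem" ds.example.com; then
        echo "$c.pem: OK for iOS 13"
    else
        echo "$c.pem: NOT compliant"
    fi
done
```

To check a real DS certificate, export it from the Windows certificate store without the private key; a DER-encoded .cer can be converted first with openssl x509 -inform DER -in ds.cer -out ds.pem, then run check_ds_cert ds.pem together with the exact Primary Agent Address configured in the MobiControl Administration Utility.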


Important consideration for affected customers:

  • Some legacy Windows CE/Mobile devices do not support SHA-256 certificates. Managing these devices alongside iOS 13 devices requires a very specific configuration; please contact SOTI Support for assistance.
