2024.0 SOTI MobiControl Release Notes Build 1075 | October 03, 2023

Going forward, the versioning of all SOTI products is being changed to provide a more consistent label that better reflects the timing of the release. 2024.0 is the next release after 15.6 for SOTI MobiControl, and all following releases will use this numbering convention.

This release includes the following new features:

In SOTI MobiControl, you can now export Android profiles and their configurations from one environment and import them into to another. Administrators can leverage this feature to quickly transfer profiles between multiple environments, reducing the need for repetitive manual copying and eliminating the chance of human error.

We’ve added support for Mobile SSO for Android and iOS, Imprivata, and Microsoft Authenticator for single sign-on (SSO) for apps on your managed devices.

You can now use Microsoft Entra ID Shared Device Mode for signing shared device users in and out of Microsoft apps such as Outlook and Teams, as well as 3rd party apps integrated with the Microsoft Authentication Library (MSAL). You can also configure automatic logouts, retain or clear app-specific data after logout, or set conditional access for Microsoft 365 apps to keep shared app access secure.

Shared device users can now tap their Imprivata NFC-enabled badges to securely and quickly access their Android Work Managed devices and business-critical mobile applications thanks to SOTI MobiControl’s integration with the Imprivata MDA app. Only applications integrated with the Imprivata MDA SDK will be able to SSO via this method.

This option is for businesses which aren’t looking to leverage Microsoft’s Shared Device Mode or Imprivata’s MDA but are still looking to improve the security and productivity of their frontline workers with SSO. SOTI Mobile SSO is powered by SOTI Identity, where-in SAML and OIDC capable mobile applications are registered, and users authenticated. After an initial sign-on, subsequent authentication challenges are managed without any further user interaction via certificate-based authentication.

Our Search function has undergone a complete re-design under the hood with our latest release. It now delivers vastly improved searching and indexing speed as well as overall greater reliability. Moreover, customized property indexing delivers even faster results while optimizing resource use.

With this feature, users can now directly authenticate iOS, macOS and Android devices upon enrollment using Entra ID (formerly “Azure AD”) without the need to configure Entra ID as an IdP. This streamlines a previous lengthy and potentially frustrating experience into a quick, simple process.

In MobiControl 15.5.0, SOTI introduced integration with Microsoft to conditionally grant or deny access to Microsoft 365 apps on iOS and Android devices based on the devices' compliancy statuses. This was originally limited to corporately-owned dedicated and BYOD devices – a one-to-one association between device and user. This new improvement no longer requires user to device association, meaning MobiControl can deem a device compliant or non-compliant without affecting the users. Lastly, registration of the device to Microsoft Entra ID (formerly “Azure AD”) will be automatically triggered, removing the need for repetitive manual authorization.

Admins can now select the specific apps they want to apply Microsoft 365 App Protection Policy to, instead of having to apply to all apps. This is applicable to Android and iOS devices. We’ve also introduced the Access Restriction tab where users can set app access policies for Microsoft 365 mobile applications on the Android platform, such as requiring a PIN or corporate credentials to access the protected apps.

You can now see all the Profiles you’ve assigned to a device group without the need for cross-referencing profiles or devices. This information is accessible in the new Profiles & Policies tab when viewing a Device Group or by selecting Profiles & Policies when right-clicking on a Device Group. Users can filter the assigned profiles and policies by device family and quickly access individual profiles and policies by clicking on the accompanying hyperlink.

MobiControl can now provide real-time external notifications to third party applications via Webhooks. This opens valuable automation opportunities for customers to instantly update their external systems whenever a specific event or condition in MobiControl occurs. Webhooks are triggered via Signal Policies, where users have a wide range of events and conditions to choose from. Users are also able to craft the payload and choose what parameters about a managed device they would like to receive with the webhook notification.

Administrators can now take advantage of custom data pulled from devices to create conditions for triggering Signal Policies. These conditions are supported for the Managed Device category. This feature allows a myriad of new customized conditions which can be configured accordingly to more business specific use cases.

Signal Policy users are now able to monitor and trigger Signal Policies for Apple devices. Customers deploying iOS, and macOS devices are now able to create complex and customized conditions for triggering automated actions from a wide range of properties and events found across MobiControl.</

You can now access and update License Information directly via clicking License Information in the hamburger menu. Users can also use public APIs to View and Update License information.

In this latest update, we've diligently worked to enhance and streamline the user experience on several fronts. Windows Modern Enrollment, File Sync, Data Collection, and Telecom Expense Management Rules are now accessible as Policies. Reports have been integrated into the new-generation user interface. Administration of Cloud Link Agents, Enterprise Resource Gateway, and Printer Administration Servers is now conveniently accessed via Global Settings. Additionally, we've centralized Management Server and Deployment Server logs under System Health for your convenience.

You can now set a limit on the number of devices that can be enrolled into MobiControl through an Enrollment Policy, providing more precise control of automated enrollment.

MobiControl users can now view a list of configurations and device groups that a particular custom data or custom attribute is associated with while making changes to that respective custom data or custom attribute.

The System Overview page in System Health has been updated with information for the Signal Database and Signal Servers status. These improvements allow MobiControl administrators to know at a glance the status of the Signal Database and the status of individual Signal Servers so that actions can be taken immediately to remedy any issues found.

With this new feature, users are now able to create and manage their own API clients directly within the MobiControl web console. Users can create and configure API clients by simply accessing the new API Client option under the Services tab in Global Settings. Users will be able to create API clients with a few simple clicks and get access to the client credentials information needed to authorize their application.

Customers are now able to enroll devices and assign SOTI Identity users to devices in MobiControl via a username. This allows customers to skip the process of creating enterprise email accounts for all their end users. These users may be searched for across MobiControl where user search is supported and the associated email or username of the user is displayed in the User Details section of the Device Information panel.

Users are now able to employ the IN and NOT IN search operators when performing a device search or assigning Profiles and Policies. Users may copy and paste multiple comma-separated values or enter strings and numeric values in combination with an IN or NOT IN operator to specify the list of search results they wish to receive. Device Properties, applicable Extended Properties, Custom Data, and Custom Attributes are supported when using these operators.

Users are now alerted that there are new notifications to be read with a red dot indicator on the Notification bell icon. Unread notifications are now distinguishable from read notifications with a blue dot next to each unread notification. The users can now also mark a notification as Read or Unread and have the option to Mute or Unmute notifications. The notifications can now be filtered to view only Read, Unread, or Muted notifications or a combination of the three according to the user’s preferences.

Users can now use Enterprise Java Beans Certificate Authority (EJBCA) in MobiControl, a trusted entity that stores, signs and issues digital certificates. EJBCA also supports Enrollment over Secure Transport (EST) protocol which is a cryptographic protocol that automates the issuance of certificates for public key infrastructure clients that need client certificates associated to a certificate authority. This new feature allows users to deploy EJBCA certificates for Wi-Fi profiles in MobiControl.

With this new feature, users can now use basic authentication with server-side Simple Certificate Enrollment Protocol (SCEP) for the ADCS certificate authority type. SCEP secures the message exchange for the certificate signing request.

You can now restrict specified MobiControl users from accessing the Location or Collected Data tabs in the Per Device view across your entire device fleet.

With this feature, customers can now automate actions to be performed on their Android devices after a set period of inactivity. You have the options to have the device play media or wipe app data after the device has been inactive for the specified period. This feature is only available to Android devices on MobiControl agent 15.4.0 or above.

With this new enhancement, you can now view the user account currently logged in, reset the user account to log in with another user, and schedule OTA firmware updates to all the devices enrolled in MobiControl. These additional tools will help administrators provide quicker, more efficient results.

Customers can now view all information related to primary and secondary SIM as well as configured eSIM on the MobiControl web console. With more information available where you need it, you’ll have an easier time making more informed decisions. This feature is only available to Android devices on MobiControl agent 15.4.0 or above.

We’ve added a new feature that enables administrators to configure shared devices so that they automatically logout after a set period of time or a set period of inactivity. This prevents applications that potentially contain corporate or personal information from being accessed by unauthorized users, keeping data secure and private.

You can now specify what data is retained and what data is wiped on user logout of a shared device. This new feature means greater control over retaining important data while still removing unneeded or potentially sensitive data from devices with multiple users.

MobiControl admins are now able to create Android Enterprise enrollment QR codes directly from the web console. Previously, this feature was only available either through our Stage Programmer app or creation through a third-party QR code generator. With this addition, you are now able to create, save, edit and manage Android enrollment QR codes directly from the Enrollment Policy menu.

Agentless enrollment support is now extended to Corporate Personal devices. Admins can now enroll their Corporate Personal Devices via AMAPI, a cloud-based native solution provided by Google that uses new APIs where agent work is handled by Google.

With this enhancement, we’ve added support for a preview section in Lockdown, where admins can see a demonstration of the lockdown screen after selecting the necessary manufacturer and model along with the selected template before assigning it to the device. This makes it easier to ensure the template you’ve chosen is the right one for your device lockdown screen.

In the past, admins that wanted to utilize the power of OEMConfigs on their Android devices needed to deploy an App Policy, add the specific OEM application and then edit the Managed App Config for that application. With this new feature, we have enabled admins to configure OEMConfigs straight through profile configurations for Android Work Managed for the following OEM’s into the 2024.0.0 release: Samsung, Zebra, Honeywell, Panasonic and Datalogic. Admins will simply need to push a profile containing the appropriate OEMConfig payload without having to go through the process to configuring the Managed App Config for the OEM application in App Policies.

For all Android Enterprise profiles (Work Managed, Work Profile and Corporate Personal), we have enabled the ability for admins to select between configuring a list of blacklisted applications or whitelisted Applications for the Application Run Control configuration. This will ensure that instead of admins having to set a large list of applications to block based on their company's security and compliance policies, they can simply list out the select applications to allow on the device using Android Enterprise profiles, thus blocking user access to all other applications. By using this feature, admins can prevent any confidential information being shared unwillingly with third-party apps.

For Android Classic devices, admins have been able to configure Phone Call policies to set restrictions on incoming and outgoing calls. However, to accomplish this same behaviour on Android Work Managed devices, admins needed to use custom scripts to accomplish the same behaviour. With this enhancement, we have added Phone Calls configuration support within Android Work Managed profiles to configure their organizational policies regarding incoming and outgoing calls on their Work Managed device. Deploying this configuration can increase the productivity of a device user by restricting unauthorized phone calls based on the business' needs.

MobiControl admins that enroll Android Enterprise devices have access to Android native VPNs that can be configured to secure their network traffic on their devices. In the past, admins had to create custom scripts to configure these native VPNs that were prone to configuration errors. With this enhancement, we’ve added the ability to configure four new VPN types in Android Work Managed profiles: IPSec XAuth RSA, IPSec XAuth Hybrid RSA, L2TP and PPTP. Configuring these native VPNs is easily discoverable through profiles and provides admins an error-free experience.

In the past, when an admin wanted specific profiles or configurations to be active on their Android device for particular days of a given week and inactive for the remainder of the week, they needed to manually apply and revoke those profiles from their Android devices. With the addition of Profile Scheduling on Android, the admin can set a profile to be activated and deactivated from their devices based on a reoccurring weekly schedule that is configured at the time of assignment. This new feature can satisfy use cases such as activating a device lockdown exclusively during work hours, Mondays to Fridays from 9am to 5pm, and removing the lockdown while outside of work hours. In addition to that, admins can set different profiles to be active on different days of the week based on the business needs.

With Shared iPad for Business, multiple users can share an iPad by having their corresponding app data, files, policies, or mail accounts automatically loaded to the device when they sign in. Each user will have a separate storage partition on the device. Admins will have the ability to remotely delete or log out users. They will also be able to disable temporary sessions, so that only users with Managed Apple IDs can access the Shared iPad resources.

We’ve added support for various configurations, such as Kerberos ESSO Payload, Cellular Payload, IKEv2 VPN Payload, Lock Screen Message Payload, Per-App DNS Proxy, and Per-App Content Filter, so admins can leverage the fixes and benefits provided by these additional settings. This expanded range of configurations empowers admins to enhance the functionality and security of their systems, ensuring a more comprehensive and tailored experience for their users.

Admins can now schedule script execution on macOS devices, eliminating the need for manual intervention and ensuring consistent and reliable task execution. This empowers admins to automate the execution of scripts and, along with the Custom Data feature, you can target devices more efficiently. This feature is only available to macOS devices on MobiControl agent 2024.0.0 or above.

The new Custom Data feature provides you a valuable resource for better identification and targeting of macOS devices by allowing you to define your own searchable custom data sets. Defined custom data for macOS devices can be accessed in the MobiControl web console under Device Listing, Search, as well as under the Assign dialog. This targeted approach allows for more efficient allocation of resources, quicker troubleshooting, and seamless execution of device management tasks. This feature is only available to macOS devices on MobiControl agent 2024.0.0 or above.

Admins can now bypass Activation Lock for enrolled macOS devices from within MobiControl via device action or manually on the device. This enables the swift transfer of devices to users and reduces device downtime. For security purposes, the Activation Lock Bypass Code for each device is stored in encrypted format and can only be viewed on the MobiControl web console by authorized individuals once they have the required permissions.

This new feature adds the capability of setting and resetting the Recovery Lock password from the MobiControl web console. This capability empowers organizations with an additional layer of protection by controlling the Recovery Lock password centrally and ensuring that only authorized individuals can access and make modifications to the device recovery.

You can now prevent device users from disconnecting from the MobiControl agent via the Disconnect button and potentially disrupting critical business operations. Admins can choose whether the Disconnect button is visible to users of the macOS MobiControl Agent from the MobiControl web console.

Login Items and Background Items are new features introduced in macOS Ventura. They provide users with the capability to manage and control which applications and processes run during the device startup and in the background. Device users may intentionally or unintentionally prevent critical applications and processes, including the MobiControl Agent, from running on their devices. With this release of the agent, admins can selectively disable the ability to change Login and Background Items and ensure the integrity and availability of critical applications and processes.

With the introduction of Erase All Content and Settings (EACS) support for macOS devices, admins can securely and efficiently wipe all data and settings from macOS devices when necessary, using the legacy WIPE device action enhanced to support EACS. With just a few clicks, devices can be returned to their original factory state, ensuring data privacy and security. This capability streamlines the device reset process, saving time and effort for admins.

With the revamped UI of the Software Updates Card for macOS devices, admins can view their information in a more an intuitive way. The new interface offers a streamlined way review available updates, providing greater clarity on the updates and making it easier to make informed choices.

File Sync policies created for the Apple platform can now be assigned to macOS devices. With the new macOS support, administrators can now choose scripts to use (applicable for macOS only) while configuring file sync policies for Apple device family.

Administrators can now remotely lock and secure their Linux-based devices. This new feature renders the Linux device inaccessible to unauthorized users and serves as a valuable anti-theft measure. Access control mechanisms ensure that only authorized users or administrators can trigger the remote lock, enhancing the security of Linux devices and protecting your sensitive data. This is available in CentOS 8 and Ubuntu.

We’ve migrated the Windows Modern Add Device rule to Enrollment Policy in MobiControl to support all the enrollment options available in the new front-end user interface of the Windows Modern device enrollment workflow.

We’ve added a new enrollment type for our MobiControl Cloud customers to enroll their Windows Modern devices via Microsoft Entra Join (formerly “Azure AD Join”) Cloud Enrollment. This enrollment type was already available for on-premises instances but now it is also available for cloud instances. Entra ID Join is one of the methods for enrolling a Windows device into MobiControl – when the user signs into the device using Entra ID credentials, the device automatically enrolls into the MDM. We have implemented and published the MobiControl application in Entra ID cloud infrastructure which acts as trusted broker to facilitate Entra ID Join for MobiControl cloud customers.

In the past, when transferring large forms of business-critical content across a fleet of Windows Modern devices, this would cause a performance load on the MobiControl deployment server, resulting in the delayed distribution of files when the server is responsible for multiple tasks. With this enhancement, we are adding support for Windows Modern devices to be configured to receive content through XtremeHub enabled devices rather than the deployment server. Until now, only Android and Windows Classic devices could use the power of XtremeHub in association with content distribution.

The Multi-App Kiosk Mode payload, previously known as Assigned Access: Configurations, is a great way to restrict a Windows Modern device users' access to a set of pre-defined applications, specified by the admin at the time of assignment. With this enhancement, we have added support for multiple users and user groups to be assigned to a single Multi-App Kiosk Mode payload, without the need to create duplicate payloads for multiple user accounts. Users that are part of local groups, AD groups, and Azure AD groups can be configured to be restricted to a Multi-App Kiosk Mode when they log in. Also, we have added support for the admin to specify a particular application to auto-launch once the device is logged into, further securing the device from unwanted access.

Previously, for admins to configure the Windows Defender Firewall for their MobiControl enrolled Windows Modern devices, they were forced to apply configurations through Group Policy or configure the firewall directly on the device. With this enhancement, we have provided the ability for admins to configure Firewall Settings and Firewall Rules payloads to set up their Windows Defender Firewall settings on their Windows Modern devices based on their business requirements to prevent unauthorized connections to their enterprise network.

Till now, the Lockdown payload on Windows Modern devices relied on an out-dated rendering engine based on Internet Explorer, meaning that many webpages and applications were not natively supported as they became incompatible with Internet Explorer. With this enhancement, we have updated the Lockdown payload to adopt a Microsoft Edge rendering engine, fit for any modern application and use case. Additionally, we have added support for home screen items to be selected to auto-launch when the device logs in. Combining this with the ability to set login options to auto login, this creates a seamless experience for any kiosk application of Lockdown to fully secure a Windows Modern device.

Password Complexity enables customers to configure complex passwords that are strong and difficult to breach. Previously, customers could not set criteria for complex passwords in the authentication payload or choose similar passwords for work and personal accounts, making their company devices more susceptible to phishing attacks and security breach. The Password Complexity feature prevents any unauthorized attempts to the customers device by utilizing the key capabilities of this feature.

Administrators can now conveniently access BitLocker recovery keys through the MobiControl web console. This enables them to quickly provide the recovery key to the authorized device user in the event it is required by BitLocker.

Admins can now schedule script execution on Windows Modern devices, eliminating the need for manual intervention and ensuring consistent and reliable task execution. This empowers admins to automate the execution of scripts and, along with the Custom Data feature, you can target devices more efficiently. This feature is only available to Windows Modern devices on MobiControl agent 2024.0.0 or above.

Admins can now configure automated script execution on Windows Modern devices when the device is out of contact for a specified period, eliminating the need of manual execution of scripts, ensuring consistent and reliable task execution when the device is out of contact. This empowers IT administrators to automate the execution of scripts. This feature is only available to Windows Modern devices on MobiControl agent 2024.0.0 or above.

You can now block USB and serial ports on Windows Modern devices, minimizing risk of data leakage and unauthorized access of devices. Admins can configure feature control profiles to specify the USB and serial ports to deny access to. This feature is only available to Windows Modern devices on MobiControl agent 2024.0.0 or above.

Admins can now see the status of PowerShell scripts sent to devices via Send Script action and request the output of executed scripts from the device. By enabling the Capture Script Status and Output toggle while sending a script to the device, admins can take full advantage of this new feature. This feature is only available to Windows Modern devices on MobiControl agent 2024.0.0 or above.

We’ve added support for devices with the Windows CE 8.0 OS to MobiControl, expanding the available options for supported operating systems.

While configuring the Security settings for Zebra Printer Wi-Fi configurations, the username field in the authentication section had to be hardcoded. This led to IT admins wasting a lot of time and effort to update the username for every printer. Users can now use macros for the username field, where the username can be set to the printer’s Device Name or the Device Serial number dynamically.

We’ve added the ability to add multiple tabs in Kiosk Mode to access other URLs. Admins can configure this feature from the web console.

Admins can now configure links to reopen the same previously open tabs. With this toggle on, device users can navigate back to a previously opened tab and resume their work by clicking on the same link. If the tab is already open, no new tab is opened after clicking the link.

You can now to specify a list of URL patterns that Surf can use to automatically select client certificates, reducing manual effort for your admins.

Admins can now configure whether device users can access device settings, and enable or prevent those users from managing their APNs.

Admins can enable users to manage their own device security, including the ability to change their device PINs or password from Settings Manager.

User can now sync their device's date and time with the data from SNTP servers if the device does not sync automatically.

You can now toggle the permission to enable users to use their device’s flashlight.

You can now configure what sections of Settings Manager device users can access. You can even specify a section outside of the main screen as the default landing screen.

In MobiControl version 2024.0.0 and above, we will no longer support the following OS versions. These versions will be deprecated as Microsoft has already ended the support for them and they have reached the end of their lifecycle:

The following new REST APIs are included in this release: