Using MDM to deploy devices with mobile network connections
You can deploy Apple devices with eSIMs using mobile device management (MDM). As you prepare your organisation, consider the following.
How your MDM solution helps you add mobile data plans
MDM solutions can enforce restrictions that help ensure continuity by preventing users from modifying crucial settings. Even more important, MDM solutions have the ability to remotely trigger and automate the download and installation of an eSIM to a device. This allows for a scalable and efficient deployment experience for end users.
Note: eSIMs can also be installed automatically without using MDM. See eSIM and SIM support.
If you are using an MDM solution, it should support the following:
Allow the device to be erased while retaining the mobile plan.
Initiate download, installation and activation of eSIMs using the Refresh Mobile Plans command. For more information, see MDM commands.
Restrict users from modifying eSIM settings on the device.
Restrict users from transferring eSIM to another device.
Prevent eSIMs from being deleted when the user selects Erase All Contents and Settings or when the device is set to wipe after a certain number of incorrect passcode attempts.
Restrict modifying mobile app data on the device.
Restrict modifying mobile data plan settings (non-US service providers).
About the Refresh Mobile Data Plans command
The Refresh Data Plans command is sent from the MDM solution to the device and provides the address of the service provider’s eSIM (SM-DP+) server. The device then downloads, installs and activates its eSIM. It may take up to 3 minutes for the installation and activation to occur. To troubleshoot installation and activation issues:
Check MDM logs to ensure the Refresh Mobile Plan command has been sent and received.
Verify that the device is connected.
Contact the mobile service provider to determine whether the eSIM profiles for the devices in question are available for download. If, for example, the eSIM assigned to a device has already been downloaded once, it’s deleted and won’t be available for further retries.
Contact the service provider to verify activation of the account and data plan on the provider’s systems.
About the eSIM modification restriction
To prevent users from adding or removing eSIMs, your MDM solution can use the eSIM Modification restriction, allowESIMModification. When using this restriction:
MDM administrators can still use the Refresh Mobile Data Plans command to install eSIMs.
Users see a notification in Settings for any eSIM distributed by the service provider using eSIM Network Activation. Although they see that a “Mobile Plan is Ready to be Installed”, the restriction prevents users from installing the eSIM.
About the forcePreserveESIMOnErase restriction
To prevent an eSIM on a supervised device from being deleted when the user selects Erase All Contents and Settings or when the device is set to wipe after a certain number of incorrect passcode attempts, the MDM solution must use the forcePreserveESIMOnErase restriction.
Note: The operating system doesn’t preserve an eSIM if Find My initiates erasing the device.
About the allowESIMOutgoingTransfers restriction
To prevent eSIMs from being transferred to another device using eSIM Quick Transfer, use the allowESIMOutgoingTransfers restriction.
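An added example (not Apple's or any MDM vendor's code): a check that a configuration profile actually sets the three eSIM restrictions described above, including the case where a value is present but is not a boolean. It assumes the keys are carried in a Restrictions payload (PayloadType com.apple.applicationaccess) and are not enforced when absent; the sample profile, its identifiers and the function names are constructed for illustration.

```python
import plistlib

# Restriction keys named on this page, with the value that enforces each one.
# Assumption: they are carried in a Restrictions payload, and a key that is
# absent from the payload is not enforced.
RESTRICTIONS_TYPE = "com.apple.applicationaccess"
REQUIRED = {
    "allowESIMModification": False,       # users can't add or remove eSIMs
    "forcePreserveESIMOnErase": True,     # eSIM survives user or passcode erase
    "allowESIMOutgoingTransfers": False,  # no eSIM Quick Transfer off the device
}


def audit_esim_restrictions(profile_bytes):
    """Return a list of findings; an empty list means all three are enforced."""
    profile = plistlib.loads(profile_bytes)
    seen = {key: [] for key in REQUIRED}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_TYPE:
            for key in REQUIRED:
                if key in payload:
                    seen[key].append(payload[key])
    findings = []
    for key, wanted in REQUIRED.items():
        values = seen[key]
        if not values:
            findings.append(f"{key}: not set")
        elif any(not isinstance(v, bool) for v in values):
            # e.g. <string>true</string> written instead of <true/>
            findings.append(f"{key}: not a boolean")
        elif wanted not in values:
            findings.append(f"{key}: set to {values[0]}, expected {wanted}")
    return findings


def sample_profile(**restrictions):
    """Build a constructed sample profile (not a real deployment)."""
    payload = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "example.restrictions",
               "PayloadUUID": "00000000-0000-0000-0000-000000000001",
               **restrictions}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.profile",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000000",
                           "PayloadContent": [payload]})


if __name__ == "__main__":
    weak = sample_profile(allowESIMModification=False,
                          forcePreserveESIMOnErase="true")
    for finding in audit_esim_restrictions(weak):
        print("FINDING", finding)
```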
How to manage the eSIM when resetting devices
Because an eSIM is software based, there are several ways you can remove it when you’re resetting or erasing a device. Also, you should remove the eSIM when retiring or reselling a device.
To help ensure that users don’t accidentally remove their eSIM, consider employing MDM restrictions. For example, don’t let them use Erase All Content and Settings.
If you want to preserve the eSIM and want to erase the device:
Put the device in recovery mode
Initiate an MDM Remote Wipe command with the Preserve Data Plan option enabled
Go to Settings > General > Reset and select Erase All Content and Settings, then choose to preserve the data plan when prompted
Use Apple Configurator for Mac to reset the device
Note: eSIMs aren’t removed when using “Erase All Contents and Settings” in Apple Configurator or when using DFU restore mode.
If you don’t want to preserve the eSIM and want to erase the device:
Initiate an MDM Remote Wipe command with the Preserve Data Plan option disabled
Go to Settings > General > Reset and select Erase All Content and Settings, then choose to remove the data plan when prompted to preserve it
Have a local erase remove the eSIM, if the passcode policy is set to erase the device after a specified number of failed attempts and if the end user exceeds this limit