Using MDM to deploy devices with mobile connections
You can deploy Apple devices with eSIMs using mobile device management (MDM). As you prepare your organisation, consider the following.
How your MDM solution helps you add mobile plans
MDM solutions can enforce restrictions that help ensure continuity by preventing users from modifying crucial settings. Even more importantly, MDM solutions can remotely trigger and automate the download and installation of an eSIM to a device. This allows for a scalable and efficient deployment experience for end users.
Note: eSIMs can also be installed automatically without using MDM. See eSIM and SIM support.
If you are using an MDM solution, it should support the following:
Allow the device to be erased while retaining the mobile plan.
Initiate the download, installation and activation of eSIMs using the Refresh Mobile Plans command. For more information, see MDM commands.
Restrict users from modifying eSIM settings on the device.
Restrict users from transferring eSIM to another device.
Prevent eSIMs being deleted when the user selects Erase All Contents and Settings, or when the device is set to wipe after a certain number of incorrect passcode attempts.
Restrict modifying mobile app data on the device.
Restrict modifying mobile plan settings (non-US providers).
About the Refresh Data Plans command
The Refresh Data Plans command is sent from the MDM solution to the device and provides the address of the network provider’s eSIM (SM-DP+) server. The device then downloads, installs and activates its eSIM. It may take up to 3 minutes for the installation and activation to occur. To troubleshoot installation and activation issues:
Check MDM logs to ensure the Refresh Mobile Plan command has been sent and received.
Verify that the device is connected.
Contact the network provider to determine whether the eSIM profiles for the devices in question are available for download. If, for example, the eSIM assigned to a device has already been downloaded once, it’s deleted and won’t be available for further retries.
Contact the network provider to verify activation of the account and data plan on their systems.
About the eSIM modification restriction
To prevent users from adding or removing eSIMs, your MDM solution can use the eSIM Modification restriction, allowESIMModification. When using this restriction:
MDM administrators can still use the Refresh Mobile Plans MDM command to install eSIMs.
Users see a notification in Settings for any eSIM distributed by the network provider using eSIM Network Activation. Although they see that a “Mobile Plan is Ready to be Installed”, the restriction prevents users from installing the eSIM.
About the forcePreserveESIMOnErase restriction
To prevent an eSIM on a supervised device from being deleted when the user selects Erase All Contents and Settings or when the device is set to wipe after a certain number of incorrect passcode attempts, the MDM solution must use the forcePreserveESIMOnErase restriction.
Note: The operating system doesn’t preserve an eSIM if Find My initiates erasing the device.
Restricting eSIM transfers
In iOS 18 and iPadOS 18, or later, the allowESIMOutgoingTransfers restriction can be used to prevent eSIMs from being transferred to a newly set up device using eSIM Quick Transfer.
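The three restrictions above can be checked before a profile is deployed. The following is an added example, not Apple's or any MDM vendor's code: a Python audit of an exported configuration profile that reports which eSIM restrictions are not enforced. The keys are written in lower camel case; the Restrictions payload type `com.apple.applicationaccess`, the rule that a protective value in any payload counts as enforced, and the sample profile are assumptions made for the example.

```python
import plistlib

# Restriction keys named on this page, with the value that enforces each one.
EXPECTED = {
    "allowESIMModification": False,       # users can't add or remove eSIMs
    "forcePreserveESIMOnErase": True,     # eSIM survives a user or passcode erase
    "allowESIMOutgoingTransfers": False,  # no eSIM Quick Transfer to another device
}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # assumed Restrictions payload type


def audit_esim_restrictions(profile_bytes):
    """Return {key: finding} for each eSIM restriction that is not enforced."""
    profile = plistlib.loads(profile_bytes)
    seen = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        for key, wanted in EXPECTED.items():
            # Assumption: a protective value in any payload counts as enforced,
            # so it is never overwritten by a weaker value from another payload.
            if key in payload and seen.get(key) is not wanted:
                seen[key] = payload[key]
    findings = {}
    for key, wanted in EXPECTED.items():
        if key not in seen:
            findings[key] = "missing"
        elif seen[key] is not wanted:  # also catches strings such as "false"
            findings[key] = f"set to {seen[key]!r}, expected {wanted!r}"
    return findings


# Constructed sample profile: one key correct, one wrong, one absent.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.esim-lockdown",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadIdentifier": "com.example.esim-lockdown.restrictions",
        "allowESIMModification": False,
        "forcePreserveESIMOnErase": False,
    }],
})

if __name__ == "__main__":
    for key, finding in audit_esim_restrictions(SAMPLE).items():
        print(f"{key}: {finding}")
```
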
How to manage the eSIM when resetting devices
Because an eSIM is software based, there are several ways you can remove it when you’re resetting or erasing a device. Also, you should remove the eSIM when retiring or reselling a device.
To help ensure that users don’t accidentally remove their eSIM, consider employing MDM restrictions. For example, don’t let them use Erase All Content and Settings.
If you want to preserve the eSIM and want to erase the device:
Put the device in recovery mode
Initiate an MDM Remote Wipe command with the Preserve Data Plan option enabled
Go to Settings > General > Reset and select Erase All Content and Settings, then choose to preserve the data plan when prompted
Use Apple Configurator for Mac to reset the device
Note: eSIMs aren’t removed when using “Erase All Contents and Settings” in Apple Configurator or when using DFU restore mode.
If you don’t want to preserve the eSIM and want to erase the device:
Initiate an MDM Remote Wipe command with the Preserve Data Plan option disabled
Go to Settings > General > Reset and select Erase All Content and Settings, then choose to remove the data plan when prompted to preserve it
Have a local erase remove the eSIM, if the passcode policy is set to erase the device after a specified number of failed attempts, and if the end-user exceeds this limit