
Using a device management service to deploy devices with cellular connections
You can deploy Apple devices with eSIMs using a device management service. As you prepare your organization, consider the following:
How your device management service helps you add cellular plans
Device management services can enforce restrictions that help ensure continuity by preventing users from modifying crucial settings. Even more important, they have the ability to remotely trigger and automate the download and installation of an eSIM to a device. This allows for a scalable and efficient deployment experience for end users.
Note: You can also automatically install eSIMs without using a device management service. See eSIM and SIM support. However, if you’re using a device management service, it needs to support the following:
Allow the device to be erased while retaining the cellular plan.
Initiate download, installation, and activation of eSIMs using the Refresh Cellular Plans command. For more information, see Device management commands.
Restrict users from modifying eSIM settings on the device.
Restrict users from transferring eSIM to another device.
Prevent eSIMs from being deleted when the user selects Erase All Contents and Settings or when the device is set to wipe after a certain number of incorrect passcode attempts.
Restrict modifying cellular app data on the device.
Restrict modifying cellular plan settings (non-U.S. carriers).
About the Refresh Cellular Plans command
The device management service sends the Refresh Cellular Plans command to the device, and provides the address of the carrier’s eSIM (SM-DP+) server. The device then downloads, installs, and activates its eSIM. It may take up to 3 minutes for the installation and activation to occur. To troubleshoot installation and activation issues:
Check the device management service logs to confirm that the Refresh Cellular Plans command was sent and received.
Verify that the device is connected.
Contact the carrier to determine whether the eSIM profiles for the devices in question are available for download. If, for example, the eSIM assigned to a device has already been downloaded once, it’s deleted and won’t be available for further retries.
Contact the carrier to verify activation of the account and data plan on the carrier’s systems.
About the eSIM modification restriction
To prevent users from adding or removing eSIMs, your device management service can use the eSIM Modification restriction, AllowESIMModification. When using this restriction:
Device management service administrators can still use the Refresh Cellular Plans command to install eSIMs.
Users see a notification in Settings for any eSIM distributed by the carrier using eSIM Carrier Activation. Although they see that a “Cellular Plan is Ready to be Installed,” the restriction prevents users from installing the eSIM.
About the forcePreserveESIMOnErase restriction
To prevent the deletion of an eSIM on a supervised device when the user selects Erase All Contents and Settings, or when the device erases after a certain number of incorrect passcode attempts, the device management service needs to use the forcePreserveESIMOnErase restriction.
Note: The operating system doesn’t preserve an eSIM if Find My initiates erasing the device.
Restricting eSIM transfers
For devices with iOS 18 and iPadOS 18, or later, the allowESIMOutgoingTransfers restriction can be used to prevent eSIMs from being transferred to a newly set up device using eSIM Quick Transfer.
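The three restrictions described above can be checked in an exported configuration profile before it is deployed. The following is an added example, not Apple's or any vendor's tooling: it assumes the keys sit in a Restrictions payload (`com.apple.applicationaccess`), uses the payload spelling `allowESIMModification`, treats an absent key as not enforced, and runs on a constructed sample profile.

```python
import plistlib

# Restriction keys named on this page and the value that enforces each control.
# Assumptions: the keys sit in a Restrictions payload, an absent key means
# "not enforced", and one enforcing payload is enough when several set a key.
REQUIRED = {
    "allowESIMModification": False,       # users cannot add or remove eSIMs
    "forcePreserveESIMOnErase": True,     # eSIM survives a user or passcode erase
    "allowESIMOutgoingTransfers": False,  # no eSIM Quick Transfer to another device
}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def audit_esim_restrictions(profile_bytes):
    """Return {key: problem} for each eSIM restriction the profile does not enforce."""
    profile = plistlib.loads(profile_bytes)
    seen = {key: [] for key in REQUIRED}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        for key in REQUIRED:
            if key in payload:
                seen[key].append(payload[key])
    findings = {}
    for key, wanted in REQUIRED.items():
        if not seen[key]:
            findings[key] = "missing"
        elif not any(value is wanted for value in seen[key]):
            findings[key] = f"set to {seen[key][-1]!r}, expected {wanted!r}"
    return findings


def sample_profile(restrictions):
    """Build a constructed single-payload profile (identifiers are placeholders)."""
    payload = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.esim.restrictions", **restrictions}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.esim",
                           "PayloadContent": [payload]})


if __name__ == "__main__":
    weak = sample_profile({"allowESIMModification": False})
    for key, problem in audit_esim_restrictions(weak).items():
        print(f"{key}: {problem}")
```

A profile that passes this check still depends on the device being supervised for forcePreserveESIMOnErase, and an erase initiated by Find My does not preserve the eSIM.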
How to manage the eSIM when resetting devices
Because an eSIM is software based, there are several ways you can remove it when you’re resetting or erasing a device. Also, you should remove the eSIM when retiring or reselling a device.
To help ensure that users don’t accidentally remove their eSIM, consider using device management service restrictions. For example, don’t let them use Erase All Content and Settings.
If you want to preserve the eSIM and want to erase the device:
Put the device in recovery mode
Initiate a Remote Wipe command with the Preserve Data Plan option enabled
Go to Settings > General > Reset and select Erase All Content and Settings, then choose to preserve the data plan when prompted
Use Apple Configurator for Mac to reset the device
Note: eSIMs aren’t removed using “Erase All Contents and Settings” in Apple Configurator or using DFU restore mode.
If you don’t want to preserve the eSIM and want to erase the device:
Initiate a Remote Wipe command with the Preserve Data Plan option disabled
Go to Settings > General > Reset and select Erase All Content and Settings, then choose to remove the data plan when prompted to preserve it
Have a local erase remove the eSIM, if the passcode policy is set to erase the device after a specified number of failed attempts, and if the end user exceeds this limit