
Using a device management service to deploy devices with mobile network connections
You can deploy Apple devices with eSIMs using a device management service. As you prepare your organisation, consider the following:
How your device management service helps you add mobile plans
Device management services can enforce restrictions that help ensure continuity by preventing users from modifying crucial settings. Even more important, they have the ability to remotely trigger and automate the download and installation of an eSIM to a device. This allows for a scalable and efficient deployment experience for end users.
Note: You can also automatically install eSIMs without using a device management service. See eSIM and SIM support. However, if you’re using a device management service, it needs to support the following:
- Allow the device to be erased while retaining the mobile plan.
- Initiate the download, installation and activation of eSIMs using the Refresh Mobile Plans command. For more information, see Device management commands.
- Restrict users from modifying eSIM settings on the device. 
- Restrict users from transferring eSIM to another device. 
- Prevent eSIMs from being deleted when the user selects Erase All Contents and Settings or when the device is set to wipe after a certain number of incorrect passcode attempts. 
- Restrict modifying mobile app data on the device. 
- Restrict modifying mobile data plan settings (non-US service providers). 
About the Refresh Mobile Data Plans command
The device management service sends the Refresh Mobile Plans command to the device, and provides the address of the service provider’s eSIM (SM-DP+) server. The device then downloads, installs and activates its eSIM. It may take up to 3 minutes for the installation and activation to occur. To troubleshoot installation and activation issues:
- Check the device management service logs to confirm that the Refresh Mobile Plans command was sent and received.
- Verify that the device is connected. 
- Contact the mobile service provider to determine whether the eSIM profiles for the devices in question are available for download. For example, if the eSIM assigned to a device has already been downloaded once, it’s deleted and won’t be available for further retries.
- Contact the service provider to verify activation of the account and data plan on the provider’s systems. 
About the eSIM modification restriction
To prevent users from adding or removing eSIMs, your device management service can use the eSIM Modification restriction, allowESIMModification. When using this restriction:
- Device management service administrators can still use the Refresh Mobile Plans command to install eSIMs. 
- Users see a notification in Settings for any eSIM distributed by the service provider using eSIM Network Activation. Although they see that a “Mobile Plan is Ready to be Installed”, the restriction prevents users from installing the eSIM. 
About the forcePreserveESIMOnErase restriction
To prevent the deletion of an eSIM on a supervised device when the user selects Erase All Contents and Settings, or when the device erases after a certain number of incorrect passcode attempts, the device management service needs to use the forcePreserveESIMOnErase restriction.
Note: The operating system doesn’t preserve an eSIM if Find My initiates erasing the device.
Restricting eSIM transfers
For devices with iOS 18 and iPadOS 18, or later, the allowESIMOutgoingTransfers restriction can be used to prevent eSIMs from being transferred to a newly set up device using eSIM Quick Transfer.
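The three restrictions described above can be checked in a profile before it is deployed. The following is an added example, not Apple's or any device management vendor's code: it audits an unsigned configuration profile for those keys, written as they appear in Apple's Restrictions payload. It assumes the keys are carried in a Restrictions payload (`com.apple.applicationaccess`) and that the most restrictive value wins when several payloads set the same key; the profile identifiers and UUIDs are constructed placeholders.

```python
import plistlib

# Restriction keys named on this page, with the value that enforces each one.
# Assumption: they sit in a Restrictions payload; a key that is absent leaves
# the device on its permissive default.
ESIM_HARDENING = {
    "allowESIMModification": False,       # users cannot add or remove eSIMs
    "forcePreserveESIMOnErase": True,     # eSIM survives erase / passcode wipe
    "allowESIMOutgoingTransfers": False,  # blocks eSIM Quick Transfer (iOS 18+)
}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def audit_esim_restrictions(profile_bytes):
    """Return {key: 'enforced' | 'permissive' | 'missing'} for an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS_TYPE]
    report = {}
    for key, wanted in ESIM_HARDENING.items():
        values = [p[key] for p in payloads if key in p]
        if not values:
            report[key] = "missing"
        elif any(v is wanted for v in values):
            # Assumption: the most restrictive value across payloads applies.
            report[key] = "enforced"
        else:
            report[key] = "permissive"
    return report


def build_sample_profile(restrictions):
    """Constructed sample profile; identifiers and UUIDs are placeholders."""
    payload = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "example.esim.restrictions",
               "PayloadUUID": "00000000-0000-0000-0000-000000000001"}
    payload.update(restrictions)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.esim",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000002",
                           "PayloadContent": [payload]})


if __name__ == "__main__":
    sample = build_sample_profile({"allowESIMModification": False,
                                   "forcePreserveESIMOnErase": False})
    for key, status in audit_esim_restrictions(sample).items():
        print(f"{key}: {status}")
```

A `missing` or `permissive` result for forcePreserveESIMOnErase means a local erase or a passcode-attempt wipe can remove the eSIM.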
How to manage the eSIM when resetting devices
Because an eSIM is software based, there are several ways you can remove it when you’re resetting or erasing a device. Also, you should remove the eSIM when retiring or reselling a device.
To help ensure that users don’t accidentally remove their eSIM, consider using device management service restrictions. For example, don’t let them use Erase All Content and Settings.
If you want to preserve the eSIM and want to erase the device:
- Put the device into recovery mode
- Initiate a Remote Wipe command with the Preserve Data Plan option enabled 
- Go to Settings > General > Reset and select Erase All Content and Settings, then choose to preserve the data plan when prompted
- Use Apple Configurator for Mac to reset the device
  - Note: eSIMs aren’t removed when using “Erase All Contents and Settings” in Apple Configurator or when using DFU restore mode.
If you don’t want to preserve the eSIM and want to erase the device:
- Initiate a Remote Wipe command with the Preserve Data Plan option disabled 
- Go to Settings > General > Reset and select Erase All Content and Settings, then choose to remove the data plan when prompted to preserve it
- Have a local erase remove the eSIM, if the passcode policy is set to erase the device after a specified number of failed attempts and if the end user exceeds this limit