Jump to:navigation, search


Integration of iOS devices into the Mobile Security Portal

Last adaptation to the version: 1.5 (11.2019)


  • Localization only possible for supervised devices
  • Changes in the enrollment process
  • Detailed description of the steps on the device
  • Detailed description of the steps with MacOS for supervised devices

Technical requirements

  • iPhone / iPad (min. iOS 11)
  • Access to the Securepoint Mobile Security Portal
  • For security reasons, Apple provides the full functionality for iOS devices only in supported mode.
    Requirements for this:
    • Apple Mac (min. macOS 10.14 or later)
    • Apple Configurator 2 (at no charge in the App Store)

    • It is possible to have notifications sent automatically as soon as a device is enrolled or unenrolled.
      Further information in our Wiki article.

For a large number of devices and users, it is recommended that you map the assignment using roles.

Installation on the device

The onboarding of iOS can be performed in supervised or unsupervised mode. The differences are listed in a Functional Comparison Overview.

Unsupervised device

User without access to Securepoint Mobile Security Portal

Invitation mail
Preliminary work of the administrator in the Securepoint Mobile Security Portal:
  Devices /   Send invite
  • Selection of a user
  • Select an e-mail address

  Send invite
Send invitation

The E-mail to the user includes:

  • a link to the 'Securepoint Mobile Security App in the Play-Store:
  • the enrollment code
  • alternatively a QR code
  • instructions on how to proceed.

Administrator with access to the Securepoint Mobile Security Portal

Register iOS device
Preliminary work of the administrator in the Securepoint Mobile Security Portal:
  Devices /   Register new device / iOS

The QR code can be scanned with the camera app.
The following steps must be executed:

  • Website QR Code. open securepopint.cloud in Safari
  • This website is trying t odownload a configuration profile. Do you want to allow this?
  • Install configuration profile Securepoint MDM via menu Settings → Profile loaded
  • Install Securepoint Mobile Security certificate and add it to the list of trusted certificates.
  • Trust Remote management

Supervised device

All data, configurations and individually installed apps are deleted during this process!
The device is reset to the factory settings. Operating system updates are kept. This process is required in iOS to ensure complete control over the device and to prevent unwanted apps from being allowed or uninstalled.


If the device has already been connected to an Apple user account, this connection must be disconnected:

  • Log on to https://appleid.apple.com with the login data, used on the device.
  • In the Devices section, remove the device in question.
Configuring the device
Preparation in Apple Configurator2:
  • Connect your iPhone / iPad to your Mac
  • Ignore the message "A new network connection was found" with Cancel .

Apple Configurator 2 open and select the device
button Prepare
Manual configuration
activation of:

Supervise devices

Allow devices to pair with other computers

Register at MDM server:
Server: New Server…
If another device has already been enrolled, the server can be selected here. Otherwise the configuration is done in the next step.
If no MDM server has been specified yet:   Devices /   Enroll new device / iOS
copy URL
If no MDM server has been specified yet: A meaningful name can be assigned here.
This configuration can be selected directly for other devices that are to be registered for the same customer (or tenant).
Name: Unique name ( customizable)

Hostname or URL: Insert the URL from the dialog Enroll new device in the Securepoint Mobile Security Portal (see previous step)

If no MDM server has been specified yet: Unable to verify the server's enrollment URL

Since macOS does not know the certificate of the individual customer access to the Securepoint Mobile Security Portal, the certificate cannot be checked, but is still correct!
If no MDM server has been stored yet: Add trust anchor for the MDM server:
The certificate *.securepoint.cloud is already installed.
If no MDM server has been stored yet:
Sign in to the device enrollment program.
Has to be skipped.
If no MDM server has been stored yet:
Create an organization, if necessary:
If this is the first device for this organization to be registered in the portal, information about the organization should be entered.
Details of the organization
Generate a new supervision identity
Configure iOS Setup Assistant: Select the steps that the user must perform in the System Wizard.
This step must be confirmed by entering the username and password of the MacOS user account.
Update Settings
Configurator could not perform the requested action because "iPhone" was already prepared.
If this message appears, this device has already been configured once and the System Assistant settings cannot be transferred directly. With erase all contents and settings are deleted and the device is prepared for an (initial) configuration with connection to the Securepoint Mobile Security Portal.

  • Configuration of the smartphone with the steps previously configured for the iOS installation wizard.
  • Allow remote management

Login to the portal

The device is now displayed in the portal and the enrollment must be completed by clicking on the device tile.

Device Alias

For better identification, the device should be given an alias name:
a0a0 (4-digit ID) (in the upper part of the device tile)

Ownership Selection

There are two different installation options for the Securepoint Mobile Security App, which result in significant differences in administration:

Owner 'COPE
  • The following functions are additionally available in the device administration in the Mobile Security Portal:
  Localize Only available if the device has been registered in supervised mode.
at: Operations  =>   Enable Lost Mode
  Clear password   at: Operations
  Wipe Data at: Operations  : Deletion of personal data

  Applications   Monitoring of installed apps, installation, deinstallation
Owner BYOD Standard functional range.
  • no localization
  • No way to remove the local device password
  • No deletion of personal data
  • No control for installed apps


Terms of License and Ownership
Ownership Selection between
COPE (Corperate owned, Personal enabled)

BYOD (Bring‑Your‑Own‑Device)

With BYOD additionally:

User Device user from the user administration.

The user cannot be changed afterwards for BYOD devices.
Accept the terms of the license and privacy policy
  agree Accepting and saving the settings
Displays the updated properties.