Overview
Maintaining a consistent security posture across a large, distributed mobile device fleet is one of the most challenging responsibilities an enterprise IT team faces. Devices go out of contact, users attempt to modify settings, OS updates introduce new vulnerabilities, and certificates expire. SOTI MobiControl addresses this challenge through a combination of Compliance Policies, Signal Policies, and automated device actions that continuously monitor device state and respond to security or compliance deviations without requiring manual administrator intervention.
This article explains how to configure compliance and security enforcement in SOTI MobiControl, covering what triggers automated responses, what actions the system can take, and how to ensure a consistent security baseline across all device types.
Compliance Policies
Compliance Policies in SOTI MobiControl define the rules that a device must satisfy to be considered compliant with the organisation's security standards. Common compliance conditions include requiring a minimum OS version, enforcing encryption-at-rest, requiring a passcode of a specified minimum complexity, prohibiting rooting or jailbreaking, requiring specific applications to be installed, and restricting device use to permitted geographic regions.
When a device violates a compliance condition, SOTI MobiControl can automatically trigger one or more remediation actions. Administrators configure these actions as part of the Compliance Policy definition. Available actions include sending an alert notification to the administrator, displaying a warning message on the device screen, limiting access to corporate resources (such as blocking Exchange email access or restricting access to SOTI Hub content), unenrolling the device from management, and performing a full device wipe as a last resort for devices that contain sensitive data and cannot be remediated remotely.
Signal Policies — Event-Driven Automation
Signal is SOTI MobiControl's event-driven policy engine that automates device management responses based on real-time events and conditions. Where Compliance Policies evaluate device state periodically, Signal Policies respond instantly to specific trigger events — such as a device leaving a defined geofence, a battery reaching a critically low level, a specific application being installed or uninstalled, a Cloud Link Agent going offline, or a user logging out of a shared device session.
When a Signal trigger fires, the administrator-defined action executes automatically. Signal supports a broad range of actions, including blocking or allowing Exchange access, clearing SOTI Hub's cache, logging out shared device users, relocating a device to a different device group, sending an administrator alert, and executing a device script. The ability to trigger script execution from a Signal Policy allows highly sophisticated automated responses — for example, automatically running a cleanup script when a shared device user logs out to delete any locally cached user data.
Geofencing and Location-Based Compliance
SOTI MobiControl includes a powerful geofencing engine that allows administrators to draw custom geofences of any shape on a map using the MobiControl console. Geofences can be configured to trigger automated policy actions when a device enters or exits the defined boundary. For example, a device that leaves a permitted work site could automatically have its camera disabled, its access to certain applications restricted, or an alert sent to the fleet manager. Conversely, when a device enters a geofence — such as one drawn around a distribution centre — it could be automatically assigned additional apps or relaxed connectivity policies appropriate to that location.
Signal Policies now support outdoor geofence triggers, meaning that automated actions are fired in real time as devices cross geofence boundaries while in the field, without requiring any manual intervention from the administrator.
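Enter and exit triggers on a fence of arbitrary shape come down to a point-in-polygon test plus transition detection. The Python sketch below is an added illustration, not MobiControl's implementation: the L-shaped fence, the location fixes, the planar treatment of coordinates and the `confirm` debounce parameter are all constructed assumptions, useful for reasoning about how boundary jitter could make a location-based restriction flap.

```python
# Added example: geofence enter/exit detection on a concave fence.
# Coordinates are treated as planar (y, x), adequate for site-sized fences.

# Constructed L-shaped fence; the notch (y 2..4, x 2..4) lies outside it.
FENCE = [(0, 0), (0, 4), (2, 4), (2, 2), (4, 2), (4, 0)]

# Constructed fixes: (timestamp, y, x). 09:01 is a single jitter sample.
FIXES = [
    ("09:00", 1, 1), ("09:01", 3, 3), ("09:02", 1, 3), ("09:03", 3, 3),
    ("09:04", 3, 3.5), ("09:05", 3, 1), ("09:06", 3, 1.5),
]

def inside(point, polygon):
    """Ray casting: count edge crossings of a ray running in +x from point."""
    y, x = point
    hit = False
    for i in range(len(polygon)):
        y1, x1 = polygon[i]
        y2, x2 = polygon[(i + 1) % len(polygon)]
        if (y1 > y) != (y2 > y):  # edge straddles the ray's y value
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                hit = not hit
    return hit

def transitions(fixes, polygon, confirm=2):
    """Report 'enter'/'exit' only after `confirm` consecutive fixes agree."""
    state, streak, first_ts, events = None, 0, None, []
    for ts, y, x in fixes:
        now = inside((y, x), polygon)
        if state is None:
            state = now                # first fix sets the baseline
        elif now == state:
            streak = 0                 # a disagreeing run was only jitter
        else:
            if streak == 0:
                first_ts = ts          # remember when the crossing began
            streak += 1
            if streak >= confirm:
                events.append((first_ts, "enter" if now else "exit"))
                state, streak = now, 0
    return events

if __name__ == "__main__":
    print(transitions(FIXES, FENCE))
```

With `confirm=1` the same track also reports a spurious exit at 09:01 and re-entry at 09:02, which is the flapping a fence drawn tightly around a site boundary can produce.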
Certificate Management and the Certificates Dashboard
Expired certificates are a common cause of sudden, unexpected device failures in enterprise mobility environments. SOTI MobiControl addresses this risk with the Certificates Dashboard — a dedicated management view that provides a comprehensive overview of all certificates deployed across the managed device fleet. Administrators can see certificate expiry dates at a glance, filter by certificate type or device group, and proactively schedule certificate renewals before expiry. The Certificates Dashboard sends proactive notifications when certificates approach their renewal date, eliminating the scenario where a certificate expires silently and causes widespread application authentication failures or VPN connectivity outages.
Directory-Based Unenrollment
When a user leaves the organisation and their Active Directory account is disabled, SOTI MobiControl can automatically unenroll or disable the mobile devices associated with that user. Administrators configure this behaviour within the Enrollment Policy for directory-authenticated enrollments. The moment MobiControl detects that the associated AD user account is in a disabled state, it triggers the defined device action — either unenrolling the device so it can be reclaimed and reassigned, or disabling the device so the former employee cannot access any managed apps or data if they still have physical possession of the device. This automates a critical offboarding step that is frequently overlooked in manual processes.
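An independent check that this offboarding automation is actually taking effect is to cross-reference a directory export against the enrolled-device inventory. The Python below is an added example, not SOTI code: the record layouts, field names and `state` values are hypothetical, and the data is constructed. The only real identifier used is the Active Directory `userAccountControl` ACCOUNTDISABLE bit (0x0002).

```python
# Added example: find enrolled devices whose directory owner is disabled.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled AD accounts

# Constructed sample data; hypothetical field names, not a MobiControl export.
DIRECTORY = [
    {"sAMAccountName": "asmith", "userAccountControl": 512},   # enabled
    {"sAMAccountName": "bjones", "userAccountControl": 514},   # 512 | 2
    {"sAMAccountName": "cwu", "userAccountControl": "66050"},  # string, disabled
]
DEVICES = [
    {"device": "HH-0001", "user": "ASMITH", "state": "enrolled"},
    {"device": "HH-0002", "user": "CORP\\bjones", "state": "enrolled"},
    {"device": "HH-0003", "user": "cwu@corp.example", "state": "unenrolled"},
    {"device": "HH-0004", "user": "dlee", "state": "enrolled"},
]

def normalise(user):
    """Reduce DOMAIN\\user or user@domain to a lower-case account name."""
    user = user.strip().lower()
    if "\\" in user:
        user = user.split("\\", 1)[1]
    return user.split("@", 1)[0]

def is_disabled(uac):
    """Test the ACCOUNTDISABLE bit; exports often carry the value as text."""
    return bool(int(uac) & ACCOUNTDISABLE)

def audit(directory, devices):
    """Return (device, owner, reason) for enrolled devices needing review."""
    status = {normalise(e["sAMAccountName"]): is_disabled(e["userAccountControl"])
              for e in directory}
    findings = []
    for d in devices:
        if d["state"] != "enrolled":
            continue                   # already unenrolled, nothing to do
        owner = normalise(d["user"])
        if owner not in status:
            findings.append((d["device"], owner, "owner not found in directory"))
        elif status[owner]:
            findings.append((d["device"], owner, "owner account disabled"))
    return findings

if __name__ == "__main__":
    for finding in audit(DIRECTORY, DEVICES):
        print(*finding, sep=" | ")
```

Owners missing from the directory export are reported separately, since a deleted account leaves the same orphaned device as a disabled one.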
SOTI Identity Conditional Access