The checklist is ordered the way you should walk through a clean device (or one freshly wiped with Erase All Content and Settings). Skip any step and you leave a weak link that TikTok will eventually use to take the account down. Each item is an action plus a short note on why it matters.
1. Reset Network Settings Before First Use
Settings → General → Transfer or Reset iPhone → Reset → Reset Network Settings
Wipes all Wi-Fi networks, DNS cache, VPN configurations, certificates, proxy settings. Without this step, artifacts from prior use can linger on the device: stale DNS resolvers, cached SSIDs, expired profiles. Any of them can surface at the worst possible moment.
After the reset, the iPhone will ask to reconnect to Wi-Fi — do it once you're properly prepared (see step 6).
2. Switch the Apple ID Region to the Target Geo
Settings → [Name] → Media & Purchases → View Account → Country/Region
The Apple ID region is one of TikTok's toughest geo signals because it determines which App Store the device sees. If you run the US geo, the Apple ID must be US; for Germany, German.
Apple requires a valid payment method for the country (though sometimes it accepts "None" when creating a fresh ID for the target country). On an existing ID, region changes are allowed only with a zero balance and no active subscriptions. It's cleaner to spin up a separate Apple ID per geo and store them in a password manager.
3. Install TikTok Studio from the Right App Store
After switching the Apple ID region, sign out of App Store and sign back in. Only then does App Store "see" that the region has changed. Now installing TikTok Studio (or TikTok Ads Manager — the app name varies by region) will pull the right build for the target market.
This matters because the different regional builds of TikTok differ in the list of permitted features, the authentication flow, and sometimes the servers they reach out to on first launch.
4. Pull the SIM (or Insert a Target-Geo SIM)
Any SIM in the slot exposes the carrier through the CarrierBundle API with a concrete MCC/MNC code. TikTok reads that code and compares it to the IP geo. Mismatch = quiet ding to the account's trust score.
Two options:
- Pull the SIM physically — the cleanest scenario. Operate over Wi-Fi + tunnel only. The app receives no carrier data.
- A SIM from the target geo — if you need cellular (e.g., to receive an SMS verification code). Then MCC/MNC lines up with the IP geo, and the conflict disappears.
An eSIM with data disabled DOES NOT work — the carrier is still leaked via CarrierBundle. Either remove the eSIM from the list entirely or physically pull the plastic SIM.
5. Disable Location Services for TikTok (or Globally)
Settings → Privacy & Security → Location Services → TikTok → Never
Ideally — disable Location Services on the device as a whole if the device is dedicated to TikTok:
Settings → Privacy & Security → Location Services → Off
The iPhone derives location from GPS, the Wi-Fi neighborhood (BSSIDs of nearby APs known to Apple), and Bluetooth beacons. Even if TikTok has no direct GPS access, it can obtain geo through indirect APIs. A full Location Services disable closes that vector.
The downside: Find My iPhone, Maps, etc., break — but a work device shouldn't need any of that.
6. Install the System VPN Profile or Shadowrocket with VLESS
Two options, both working:
A. IKEv2 via .mobileconfig
- Get the .mobileconfig file from the proxy provider (ProxyGrow ships one automatically with every purchased IP).
- Open it in Safari or AirDrop it to the iPhone.
- iOS will prompt to install the profile — Settings → Profile Downloaded → Install.
- Enter the device passcode.
- Turn on VPN: Settings → VPN → toggle.
Enable Connect On Demand in the profile properties — the iPhone will automatically bring the tunnel up on any network connection.
B. VLESS via Shadowrocket
- Buy and install Shadowrocket from the App Store (you need an Apple ID from a region where the app is available — typically US or Hong Kong).
- Get the vless:// link from the provider.
- Copy it → open Shadowrocket → tap + at the top → Type: Subscribe → paste the link.
- Pick a node → flip the toggle at the top of the screen.
- In Shadowrocket settings enable Global Routing (all traffic through the tunnel) and Remote DNS = 1.1.1.1.
A detailed comparison of what to pick in each scenario — IKEv2 vs SOCKS5 for TikTok Ads on iPhone.
7. Check for an IPv6 Leak
Tunnel on → Safari → open ipleak.net (or ipv6-test.com).
Find the IPv6 section. Possible outcomes:
- Empty field or "Not detected" — IPv6 is inactive or fully closed by the tunnel. This is normal.
- Shows an IPv6 that matches the tunnel's IPv4 or belongs to the same provider (ProxyGrow) — also normal, the tunnel supports dual-stack.
- Shows an IPv6 with a geo different from the IPv4 — leak. Do not launch an account in this configuration.
If a leak is detected — disable IPv6 on the Wi-Fi: Settings → Wi-Fi → (i) next to the network → Configure IPv6 → Link-Local Only. Then recheck.
8. Check for a DNS Leak
dnsleaktest.com → tap Extended test.
The results should show DNS resolvers located in the same geo as your IP. For example, a US tunnel IP — resolvers should be in the US (typically Cloudflare, Google, or the proxy provider's DNS).
If you see resolvers from:
- the local home ISP (Orange Romania, Deutsche Telekom, etc.),
- any geo other than your tunnel's geo,
— that is a leak. Open the tunnel settings and explicitly set DNS = 1.1.1.1 (or another public resolver). In Shadowrocket — Settings → DNS → Remote DNS = 1.1.1.1. In .mobileconfig — the DNS → ServerAddresses section.
After the fix, restart the tunnel and recheck.
9. Verify the Final IP — IP Geo / App Store / TikTok Must All Match
The final check before registration. All three points must show the same country:
- IP — ipleak.net shows the geo of your tunneled IP (e.g., US, Atlanta).
- App Store — open App Store, see dollar prices, US apps on the top charts, US account in the corner.
- TikTok — at first launch the app determines a country. Open TikTok, scroll the feed: content should be predominantly in English and from the US (or whatever the target geo is).
If any one of the three doesn't match — stop. Registering an account in this state = ban within 24–48 hours.
10. Do Not Reuse IPs Across Accounts — Rotate the IP per Profile
The most common and most expensive violation. One IP = one account (at most — one pre-planned "family" bundle of 2–3 accounts that were designed as a cluster). No "well it's still clean, the old account died long ago, let's put another on top."
Rules:
- New account = new IP. Before registering the next profile, hit reset — the modem swaps the session and you get a fresh mobile IP. With ProxyGrow there's a reset URL for exactly this: open it in a browser → the IP changes → the same IKEv2 config and the same VLESS link already point to your new session. No "cooldown" wait — the carrier hands out an IP from its pool, and the chance of getting the exact same address twice is minimal.
- One config format = one account. Since both the IKEv2 and the VLESS config point to the same mobile IP, using both formats on the same device does not mean "two different IPs" — it is one IP with two transports. A new profile needs a reset.
- Keep a binding log. A simple sheet in Notion / Google Sheets: IP → date → account → status. That way you can see which profile sat on which IP and whether there was overlap with another account of yours.
- At scale — a dedicated modem (Quectel RM520, Sierra MC7455, Fibocom L860) per group of accounts, with automated IP rotation via AT+CFUN=4 / AT+CFUN=1 or APN switching — for teams building a farm themselves without an external service.
What to Do Next
This checklist is the mandatory minimum on every device, not a one-time exercise. Before every new account — repeat steps 4 (SIM), 6 (new config), 7–9 (re-verify leaks and geo). On a streamlined process it takes 5 minutes and saves 100% of the spend on creative and balance top-ups.
If any single item in the checklist tempts you to skip it "because it's probably fine" — 80% of the time, that is exactly the step the account dies on.
Configs for Step 6 — ProxyGrow
Real mobile IPs with carrier ASNs (Vodafone, Orange, Digi, etc.). Each IP is delivered simultaneously as an IKEv2 .mobileconfig file and a vless:// link — both transports run over the same mobile channel. Rotation is via URL: open it in a browser, get a new IP, keep working with the same config. No sharing, no "cooldown" — the modem swaps sessions instantly.
→ Website: proxygrow.com → Telegram: t.me/ProxyGrow (also has a PDF version of this checklist for offline use)