Insight, 08.02.2021

Apple Supervised Mode

How to get iOS devices supervised?

This article gives you a quick overview of Apple's Supervised Mode for iOS Mobile Device Management (MDM), its benefits and how to implement it.

Apple is moving more and more MDM features in iOS to "supervised only", meaning that non-supervised iOS devices will become less manageable. For all companies and organizations that make use of the Device Enrollment Program (DEP), Apple even recommends supervising all devices by default.

Supervision and the Device Enrollment Program (DEP)

By default, all iOS devices are running in non-supervised mode. There are only two methods to make a device supervised:

  1. By using a Mac with the Apple Configurator 2 tool, connecting the iOS device via USB and re-provisioning (wiping) the device. Obviously, this is not a viable solution for a large number of devices – it just doesn't scale well and also requires each device to go through the IT department before it can be delivered to its end user.

  2. By enrolling a device with DEP.

This makes DEP the only viable way to make devices supervised in an enterprise context. Also, DEP is the only way to make an MDM enrollment mandatory and non-deletable, which is a requirement for many use cases.

Apple's DEP program is a great technology that makes the administrator's life so much easier. You can register for DEP by going to the Apple DEP Portal; a new Apple ID will be created during the process. This Apple ID has to have two-factor authentication enabled and can also be used to join the Volume Purchase Program (VPP). Learn more about Apple IDs and Apple VPP in our other insight. Once you log into the DEP portal, you can specify and connect your MDM server as well as your DEP customer ID.

From that point on, devices purchased under the DEP program will automatically show up in your MDM solution, no longer requiring a manual enrollment process. You can distribute the ordered devices to your users without any IT personnel touching them (the devices!) first. As soon as the user switches the new device on for the first time, it gets enrolled in your MDM solution.

Figure: A factory reset of a DEP-enrolled iOS device. MDM enrollment was configured to be mandatory, so the user has no choice here.

Supervision and MDM

Apple is deprecating more and more MDM restrictions and other configurations that are useful in enterprise scenarios on non-supervised devices. Here are some examples of restrictions which will work only for supervised devices in the next iOS version:

  • Blocking app installations from the App Store
  • Blocking app removal
  • Blocking Game Center connections and Multiplayer gaming
  • Blocking iCloud sync of documents
  • Blocking explicit iTunes content and/or the whole iTunes store
  • Blocking Safari
  • Blocking video conferencing

It is expected that this list will grow with each new iOS release. So it's definitely a good idea to start using supervised mode as soon as possible.
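An added example (not part of the original article or any MDM vendor's code): a short Python audit that reads an unsigned configuration profile and reports which of the restrictions listed above it sets, so you can see what a non-supervised device would not enforce. The mapping from the article's list to Restrictions payload keys and the sample profile are assumptions constructed for this example.

```python
import plistlib

# Restrictions payload keys for the article's list (mapping assumed by this example).
SUPERVISED_ONLY = {
    "allowAppInstallation": "app installations from the App Store",
    "allowAppRemoval": "app removal",
    "allowGameCenter": "Game Center connections",
    "allowMultiplayerGaming": "multiplayer gaming",
    "allowCloudDocumentSync": "iCloud sync of documents",
    "allowExplicitContent": "explicit iTunes content",
    "allowiTunes": "the iTunes Store",
    "allowSafari": "Safari",
    "allowVideoConferencing": "video conferencing",
}

def supervised_only_blocks(profile_bytes):
    """List (key, feature) pairs the profile blocks that the article marks supervised-only."""
    try:
        profile = plistlib.loads(profile_bytes)
    except plistlib.InvalidFileException as exc:
        # Signed profiles are CMS-wrapped; unwrap them before auditing.
        raise ValueError("not a plain plist (signed profile?)") from exc
    found = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # only the Restrictions payload carries these keys
        for key, feature in SUPERVISED_ONLY.items():
            if payload.get(key) is False:  # False means "blocked"
                found.add((key, feature))
    return sorted(found)

def unenforced_on(profile_bytes, device_supervised):
    """Restrictions an admin expects but a non-supervised device would not apply."""
    return [] if device_supervised else supervised_only_blocks(profile_bytes)

# Constructed sample profile (identifiers are placeholders).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.audit",
    "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess",
         "allowAppRemoval": False, "allowSafari": False,
         "allowCamera": False,             # not on the article's list
         "allowVideoConferencing": True},  # explicitly allowed, not a block
        {"PayloadType": "com.apple.wifi.managed", "allowSafari": False},
    ],
})

if __name__ == "__main__":
    for key, feature in unenforced_on(SAMPLE_PROFILE, device_supervised=False):
        print(f"{key}: blocking {feature} needs a supervised device")
```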

Figure: Settings of a supervised iOS device enrolled into an MDM. No option for the user to remove the MDM profile.

So, what should I do?

If your iOS devices are DEP registered, you can specify supervision in the DEP profile in your MDM solution. If not, you can make them supervised with the Apple Configurator 2. Starting with iOS 11, Apple also allows you to enter a non-DEP device into DEP using the same Apple Configurator (version 2.5 and higher). The process is almost the same: there's just one more box to tick, and there's a 30-day grace period during which the user can remove the DEP assignment from the device. This is intended as a security measure so that devices cannot be "hijacked" by unauthorized people.