
What is Apple device supervision?

Brendon Baxter

Jan 4, 2022


Supervision is a device management feature introduced by Apple that allows organizations like schools and businesses to manage their devices more efficiently and effectively.

Organizations can get more control over their Apple devices by adding supervision, in addition to the existing Mobile Device Management (MDM) or Unified Endpoint Management (UEM) efforts.

History of supervision on Apple devices

Supervision was initially introduced in iOS 10.5 with the sole intention of giving organizations granular control over their devices. Later on, the supervision feature was made available for every Apple device.

In comparison to other Apple devices, supervision enables a lot more device management tools in iOS and iPadOS.

On macOS devices, supervision was closely associated with Apple DEP (Device Enrollment Program) enrollment, now known as Automated Device Enrollment, because it was initially the only way to supervise Macs. After the introduction of User Approved MDM enrollment, the two terms, Automated Device Enrollment and supervision, were used separately.

Note: Apple DEP is now known as Automated Device Enrollment

How to supervise Apple devices

Enabling supervision works a bit differently on Macs than on other Apple devices.

macOS devices

The only way to supervise a Mac is to enroll the device using a User Approved MDM (UAMDM) enrollment method. UAMDM is a relatively new feature that was released along with the macOS X 10.13.2 High Sierra update.

Before the macOS X 10.14.4 Mojave update, only Macs that were enrolled using the Automated Device Enrollment (DEP) method were supervised.

After the 10.14.4 update, every device enrolled via UAMDM is supervised. Devices enrolled via Automated Device Enrollment are automatically recognized as UAMDM enrollments.

Devices that were enrolled and then updated to macOS 11+ would be supervised only if the previous enrollment was approved by a local administrator.

Other Apple devices

Automated Device Enrollment is the only automatic method of supervising other Apple devices, like iPhone, iPod touch and iPad. Manual setup of supervision on these devices can be done using Apple Configurator 2.

Devices that run iOS 10.5+, iPadOS 13.1+ and tvOS 12.2+ support supervision.

Devices that have iOS 13, iPadOS 13.1 and tvOS 13 will be automatically supervised if they are enrolled using Automated Device Enrollment. If a device is not automatically supervised, it has to be manually supervised using a Mac and Apple Configurator 2.

Supervision and Hexnode

Hexnode lets you manage supervised Apple devices very easily. Enrollment and deployment of supervised Apple devices are made easy with the use of Hexnode.

Apart from Automated Device Enrollment and Apple Configurator enrollment, Apple devices can be enrolled using other methods with Hexnode. Devices can be enrolled using enrollment links or QR codes that can be shared in any way.

Pushing Custom Configuration Profiles to Apple devices is also possible through the Hexnode portal. Custom Configuration profiles can be used to configure settings that Hexnode does not support.

And if you get lost anywhere in between, fear not: Hexnode’s help documents can guide you to an easy and simplified device management experience.

Supervised vs Unsupervised device features
Platform Setting Supervised Unsupervised
iOS and iPadOS
  • Allow putting a device into recovery mode from an unpaired host
  • Allow NFC (iOS specific)
  • Allow app clips
  • Allow shared iPad temporary session (iPadOS specific)
  • Add Game Center friends
  • Multiplayer gaming
  • Safari AutoFill
  • Use Safari
  • iTunes Store
  • Allow network drive connections
  • Allow USB device connections
  • Force Wi-Fi
  • Allow Find My Device and Find My Friends
  • Playback of explicit music, podcasts, and iTunes U content
  • iCloud document and data
  • Modify personal hotspot settings
  • Modify eSIM setting
  • Password and Proximity AutoFill
  • Share password over AirDrop
  • Automatic Date and Time setup
  • Require teacher’s permission to leave classroom - teacher-created classes
  • Defer software updates
  • Remove system apps
  • Require Touch ID or Face ID authentication for AutoFill
  • Modify Bluetooth settings
  • Modify cellular network settings
  • Add VPN configurations
  • AirPrint
  • Discover AirPrint using iBeacon
  • Classroom to perform AirPlay and View Screen without prompting
  • Classroom can focus students on a single app and lock the device without prompting
  • Automatic joining Classroom classes without prompting
  • Store AirPrint credentials in Keychain
  • Modify diagnostic settings
  • Restrict app usage
  • Apple Music
  • Radio
  • Modify Notification settings
  • Modify passcode settings
  • Automatic app download
  • Pair with Apple Watch
  • Modify device name
  • Modify wallpaper
  • Keyboard shortcuts
  • Modify Touch ID fingerprints and Face ID faces
  • Predictive keyboard
  • Auto correction
  • Spell check
  • Define and look up
  • Modify Restrictions or Screen Time settings
  • Erase all content and settings
  • AirDrop
  • Modify Find My settings
  • Modify account settings
  • Autonomous Single App mode
  • User-generated content in Siri
  • Install Configuration profiles
  • Game Center
  • Apple Books
  • iMessage
  • Siri profanity filter
  • Pair with non-Apple Configurator 2 hosts
  • Install apps using App Store
  • Remove apps

macOS
  • Require teacher’s permission to leave classroom - teacher-created classes
  • Classroom to perform AirPlay and View Screen without prompting
  • Classroom can focus students on a single app and lock the device without prompting
  • Automatic joining Classroom classes without prompting

tvOS
  • Prevent TV from going to sleep
  • Defer software updates
  • Restrict app usage
  • AirPlay security
  • Pair with Remote app
  • Modify device name

Steps to supervise an Apple device using DEP/Automated Device Enrollment

  1. Configure your UEM in the Apple Business Manager (ABM) portal.
  2. After the UEM is configured, assign devices to the UEM server.
  3. Enable the supervision option while pushing the configuration profile.
  4. When turned on, the device becomes supervised and can be controlled from the UEM console.

Steps to supervise an Apple device using Apple Configurator 2

  1. Create a Wi-Fi profile using the Apple Configurator 2.
  2. Create a Blueprint in the Configurator and add the Wi-Fi profile to it.
  3. Prepare the device.
  4. Push or add the blueprint to the target device.

Note: The device has to be connected to the Mac using a USB cable for using Apple Configurator 2.

Difference between devices supervised via Automated Device Enrollment and those supervised without it

The main difference between these modes of supervision is whether supervision is retained after the device is reset. For devices enrolled using Automated Device Enrollment, supervision is retained even after the device is factory reset. For devices supervised without Automated Device Enrollment, supervision is lost when the device is reset.

How to remove supervision from Apple devices?

If your device is supervised and managed using Apple Configurator 2, then the best course of action to make the device unsupervised is to wipe the device. Keep in mind that this wipes all the data too, so back up any data you need before wiping the device.

The same goes for devices that are enrolled in a UEM/MDM using Apple Configurator 2 or any enrollment method other than Automated Device Enrollment.

In the case of devices that are enrolled using Automated Device Enrollment, there are 2 options:

  1. Remove supervision without disenrolling from MDM/UEM
    • For this, the profile name for the device has to be found from the MDM/UEM portal.
    • Then from the ABM portal, supervision can be turned off in the configuration profile.
    • The device then has to be reset.
  2. Remove both the supervision and the enrollment
    • For this, the device has to be first unassigned from the ABM portal.
    • Then the device has to be reset.

In both of the above cases, the data on the device has to be backed up first if it is needed.

How to check if an Apple device is supervised or not

Usually, the supervision status of iPhones, iPads, iPods and Apple TV can be found on the settings page. The status is displayed as a message at the top of the main settings page.

On macOS devices, the supervision status is also displayed in the settings, but on a different page. Here the status is shown as a small message at the bottom of the Profiles page in System Preferences.
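A command-line counterpart to the System Preferences check on a Mac, added here as an example (it is not Hexnode's or Apple's code): it parses the output of `profiles status -type enrollment` and applies the 10.14.4+ rule described above, where a User Approved MDM enrollment, including Automated Device Enrollment, means the Mac is supervised. The sample output, the server URL and the category names are constructed for illustration.

```shell
#!/bin/sh
# Classify a Mac's supervision state from `profiles status -type enrollment`.
# Assumes macOS 10.14.4 or later, where UAMDM enrollment implies supervision.

# Reads the command output on stdin and prints one of:
#   supervised-ade     enrolled through Automated Device Enrollment (DEP)
#   supervised-uamdm   enrolled manually and approved by the user
#   unsupervised-mdm   enrolled, but the enrollment is not user approved
#   unenrolled         no MDM enrollment present
#   unknown            output not recognised (older macOS, changed format)
classify_enrollment() {
    dep=""
    mdm=""
    while IFS= read -r line; do
        case "$line" in
            "Enrolled via DEP:"*) dep="${line#*: }" ;;
            "MDM enrollment:"*)   mdm="${line#*: }" ;;
        esac
    done
    case "$mdm" in
        "")  echo unknown ;;
        No*) echo unenrolled ;;
        Yes*)
            if [ "${dep%% *}" = "Yes" ]; then
                echo supervised-ade
            else
                case "$mdm" in
                    *"User Approved"*) echo supervised-uamdm ;;
                    *)                 echo unsupervised-mdm ;;
                esac
            fi ;;
        *)   echo unknown ;;
    esac
}

# Constructed sample output (not captured from a real device).
SAMPLE_UAMDM='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/mdm'

# On a Mac, classify the live enrollment; elsewhere, classify the sample.
if command -v profiles >/dev/null 2>&1; then
    profiles status -type enrollment | classify_enrollment
else
    printf '%s\n' "$SAMPLE_UAMDM" | classify_enrollment
fi
```

Run across a fleet, the `unsupervised-mdm` and `unknown` results are the ones to follow up, since those Macs are enrolled or reporting but cannot receive supervised-only settings.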

The question of whether or not you require Apple supervision is straightforward: supervision is the way to go if you want fully granular control over your company’s Apple devices. If the company does not require complete control over its equipment, supervision may not be necessary.


Brendon Baxter

Product Evangelist@Hexnode. Read. Write. Sleep. Repeat.
