List of iOS Supervised mode features by version
Apple introduced Supervised mode in iOS 5 to allow IT admins to have increased control over the devices. Supervision is a feature specifically designed for institutionally owned iOS devices. Supervision on iOS devices must be set up before activation – on a brand-new device or a fully erased device. With supervised mode, IT can have more control over devices and can restrict several features such as keyboard shortcuts, AirDrop, Messages, Erase and changing passcodes.
List of supervised mode features for iOS devices
Here’s the list of the major iOS supervised mode features based on different iOS versions.
- App Lock (Single App Mode): This feature forces the device to run a single app.
While single app mode is enabled, the selected app will stay in the foreground. This is extremely useful in cases where the device is intended for a single purpose, such as:
- Preventing students from leaving the exam screen.
- Preventing accidental app exits.
- Setting up a kiosk that prohibits access to any other apps.
- Providing kiosks for customers to browse the menu and place orders in a restaurant.
It disables hardware buttons and functions, including
- Home button (except for triple-click function)
- Side switch (when used to lock screen rotations and mute system generated sounds)
- Sleep/wake button and many more.
Single app mode also prevents services like notifications from communicating with the user.
- Global HTTP Proxy: This feature allows you to specify global HTTP proxy settings so that all HTTP traffic passes through the proxy, i.e., it forces all internet communications through a single global proxy server. This provides data security since all communication is filtered through the Global HTTP proxy.
- Block Book Store, iMessage: Book Store deals with the sales and delivery of EPUB content. Disabling this feature in a supervised device will prevent the user from accessing the iBooks content.
iMessage is Apple’s free, built-in, Internet-based instant messaging service. It is incorporated into the Messages app on iOS devices. iMessage can be used to send texts, documents, photos, videos etc., over Wi-Fi or mobile data to other iOS or OS X users. This is equivalent to ordinary messaging for most users with devices running iOS 5 or later. In supervised mode, this feature can be disabled.
- Block Game Center: Game Center is a social gaming service for games on Apple’s platform. In Game Center, you might see invites and other notifications. It cannot be blocked unless the device is in supervised mode. If unsupervised, you can still disable game invites, friend requests etc. but not the entire app.
- Use Profanity filter: Prevent Siri from using explicit language. The profanity filter in Siri will be disabled by default.
- Prevent installation of Configuration Profiles by UI: Configuration profiles are XML files. They are composed of settings such as passcode guidelines, functionality and configuration specifications for VPN, Wi-Fi, email etc. These profiles allow for systematized control of enterprise iOS systems. The configuration profile can be distributed by the IT department to the devices for quick configuration. Cellular data settings can be configured on a device without entering all the information manually by distributing a configuration profile file containing the APN settings through a cellular carrier. More than one profile is supported on a mobile device. There are five ways to deploy configuration profiles:
- Via email.
- Using Apple Configurator by connecting the device to a Mac.
- Through a webpage link.
- Using over-the-air enrollment.
- Using an MDM Server.
If a malicious person creates their own configuration profile files and distributes them, those profiles, once installed, would make the device use a malicious proxy or VPN. This would allow the attacker to monitor the network and harm the device or misuse the data. Configuration profiles can also install certificates. A malicious certificate could be used to impersonate a secure website, such as a bank’s. On enterprise-managed devices, the installation of additional configuration profiles can be blocked. If additional configuration profiles are installed, IT can remove them remotely if needed.
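A review step for the risk described above, added here as an example and not taken from the original article: before a profile received by email or web link is installed, parse it and list the payloads that reroute traffic or add certificate trust. The payload shortlist, the sample profile and its host names are constructed assumptions for this sketch.

```python
import plistlib

# Payload types that reroute traffic or extend certificate trust.
# The shortlist is an assumption for this example, not a complete list.
RISKY_PAYLOADS = {
    "com.apple.proxy.http.global": "sends all HTTP traffic through a proxy",
    "com.apple.vpn.managed": "sends traffic through a VPN",
    "com.apple.security.root": "installs a root CA certificate",
    "com.apple.security.pkcs1": "installs a certificate",
}

# Constructed sample: an unsigned profile with a proxy, a root CA and a Wi-Fi payload.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "invalid.example.free-wifi",
    "PayloadDisplayName": "Free Wi-Fi Setup",
    "PayloadContent": [
        {"PayloadType": "com.apple.proxy.http.global", "ProxyType": "Manual",
         "ProxyServer": "proxy.example.invalid", "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.security.root",
         "PayloadCertificateFileName": "ca.cer", "PayloadContent": b"constructed"},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "Guest"},
    ],
})


def triage_profile(raw: bytes) -> dict:
    """Summarise an untrusted .mobileconfig before anyone installs it."""
    body = raw.lstrip()
    # A signed profile is a CMS (DER) envelope around the plist; a bare XML or
    # binary plist carries no signature. Anything else is treated as signed here.
    if not body.startswith((b"<?xml", b"<plist", b"bplist00")):
        return {"signed": True, "name": None, "findings": [],
                "note": "CMS-wrapped: verify the signer, then unwrap and re-run"}
    profile = plistlib.loads(body)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in RISKY_PAYLOADS:
            continue
        detail = RISKY_PAYLOADS[ptype]
        if ptype == "com.apple.proxy.http.global":
            # Manual proxies name a host and port; automatic ones name a PAC URL.
            target = payload.get("ProxyPACURL") or "{}:{}".format(
                payload.get("ProxyServer"), payload.get("ProxyServerPort"))
            detail += " ({})".format(target)
        findings.append((ptype, detail))
    return {"signed": False, "name": profile.get("PayloadDisplayName"),
            "findings": findings, "note": "unsigned profile"}


if __name__ == "__main__":
    report = triage_profile(SAMPLE_PROFILE)
    print(report["name"], "-", report["note"])
    for ptype, detail in report["findings"]:
        print("  {}: {}".format(ptype, detail))
```

The Wi-Fi payload is not reported because it is outside the shortlist; extend `RISKY_PAYLOADS` to match what your organization considers reviewable.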
- Block AirDrop, AirPlay: AirDrop lets users wirelessly transfer data across devices that are in the immediate vicinity over a direct Wi-Fi connection. The size of the file which AirDrop can accommodate is unrestricted. Wi-Fi and Bluetooth must be enabled for AirDrop to recognize other devices. AirDrop must be enabled on other devices as well. Besides, the user at the receiving end must accept the transfer. This feature can be disabled only in supervised mode.
AirPlay helps to stream audio, video, photos, etc., together with related metadata between devices wirelessly. AirPlay cannot be disabled unless the device is in supervised mode.
- Disallow Host Pairing: Restrict the pairing of the iOS device with any host computer. If this box is unchecked, the device will be able to pair with any workstation and sync with iTunes, iPCU, etc. If checked, the device can only pair with the supervision host. Host pairing can be disabled only in supervised mode. When a device pairs with a host, it generates pairing records, which can be used to access your iPhone or iPad without your consent. In the hands of an attacker, these pairing records can do damage that depends on the data on the device. We can create profiles that disallow pairing with other Macs and non-Configurator hosts. Once that is done, the generation of new pairing records is prevented.
- Activation Lock Bypass: Activation Lock is a feature of the Find My iPhone app. Activation Lock is enabled automatically when Find My iPhone is turned on. Once it is enabled, the Apple ID and password of the user must be entered to turn off Find My iPhone, erase the device or reactivate the device. This provides more security to the devices and improves the chances of recovery. This feature gives a little peace of mind in case the device is stolen, but it can also be a real pain if you forget the password or if the user of the device leaves the company without removing the activation lock. In iOS 7.1, Apple introduced Activation Lock Bypass, which removes the activation lock without requiring the user’s Apple ID and password. You can request the bypass code that will override the activation lock and allow the iOS device to be reused. When you have the bypass code, enter it in the password field and leave the Apple ID blank.
- Autonomous Single App Mode: It allows apps to place themselves in single app mode during certain events, such as a testing app, which prevents access to outside information. When the test is complete, the devices will be released from the single app mode. Autonomous single app mode provides the most effortless method for securing the iPad for assessment, as no invigilator is required. To use autonomous single app mode, the device must be supervised, and you need to create a configuration profile in restrictions that whitelists the apps that can use autonomous single app mode.
- Web Content Filtering: This feature limits the websites with adult content and lets you blacklist any sites the enterprise does not want users to access. When enabled, this feature will apply to any browsers you use.
- Silent App Push: Apps can be installed without user intervention with the help of a feature called silent app push. It allows the IT department to install an app in a device via MDM without the user’s permission, i.e., once they push the app from the MDM, the app will appear installed on the device. This works for apps in the iTunes app store and also for enterprise apps.
- Cellular data usage modification: This feature controls the cellular data usage modifications for specific apps. If disabled, no modifications in cellular data usage can be accomplished.
- Find My Friends Modifications: Find My Friends is an application and service put forward by Apple to trace the location of users owning iOS devices via GPS. This option, if disabled, prevents any changes to the Find My Friends settings from taking effect.
- Access to user-generated content: Enabling this option allows Siri to access the user-generated content from the web. This feature works only if Siri is enabled on the user’s device.
- Prevent account modification: This restriction will prevent users from creating new accounts or modifying their existing ones. It also includes modification of accounts from apps, such as Mail, Calendar, etc.
- Always-On VPN: This mode forces the applications to connect only through a specified VPN. This mode is designed for businesses and other organizations. If enabled, the VPN will always be activated. Always-On VPN does not require any user intervention unless multi-factor authentication is enabled.
- Prevent Spotlight Internet results: Spotlight assists in different tasks like finding items on iOS devices and browsing the Internet. It is accessible from the Home screen. Restricting Spotlight prevents suggested websites from appearing in the search results.
- Prevent Erase content and settings: We can prevent a supervised iOS device from being wiped by setting this restriction for the device, i.e., the end-users will not be able to erase the device. This is useful in scenarios such as schools, where students use supervised devices.
- Prevent Restrictions UI: This option in supervised mode can prevent users from enabling restrictions on the device.
- Predictive Keyboard: Predictive keyboards offer upcoming words as suggestions to increase typing speed. Disabling this option turns off the predictive keyboard, thus blocking the incoming suggestions.
- Definition lookup: When disabled, this option restricts users’ access to the definition feature available on supervised iOS devices.
- Set Wallpaper: This setting allows organizations to set their company logo or tailor-made images as the home screen or lock screen wallpaper across their fleet of devices.
- Add or remove Touch ID: Prevent users from adding or modifying fingerprints on the devices. Disabling this option will require the user to use the configured password to unlock the device.
- Auto-correct words: Prevent the device from auto-correcting misspelled words with the ones in the dictionary. The option is enabled by default.
- Suggest words on misspellings: This feature will allow the device to check for misspellings and suggest words if found misspelled. If this feature is disabled, users will not be able to see misspelled words underlined in red.
- Enhanced Blacklisting: From iOS 9.3 onwards, even if blacklisted apps are downloaded on a supervised device, they will not work. This feature enables admins to enforce more restrictions over an app as compared to older iOS versions.
- Prevent News: News app is one of the unremovable apps in iOS. On an unsupervised device, the app can be hidden but not blocked. However, the user can access the app if required. In supervised mode, access to the app will be restricted.
- Allow managed app installation exclusively: Managed apps are apps that are managed by the enterprise through an MDM. We can implement enterprise apps and other purchased apps as managed apps. Unlike standard apps, managed apps:
- Do not back up their data.
- Get removed when the MDM profile is removed.
Since the apps on the devices are managed, the employees are free from worrying about the app update, installation or anything of that sort. Managed apps are controlled by the system manager and can be updated or removed by an administrator after installation. Managed apps allow an organization to deploy apps over the air using MDM while providing security and privacy.
- Prevent keyboard shortcuts: Shortcuts can be made to substitute long or repeatedly used texts (words or phrases or email addresses). Disabling the creation of shortcuts will prevent any malpractices that will compromise the device.
- Prevent passcode modification: Prevent adding, changing or removing device passcode by the user. In a normal device, the passcode can be changed by tapping touch ID and passcode in settings.
- Prevent device name changes: Prevents users from renaming the device. In an unsupervised device, the name can be changed easily by tapping settings.
- Prevent wallpaper changes: In unsupervised devices, wallpaper can be changed from the device settings. In supervised mode, this feature can be disabled, thereby preventing the user from changing the wallpaper.
- Download all purchased apps automatically: If enabled, purchased apps that are downloaded on a device will automatically be downloaded on other devices that are logged in with the same Apple ID.
- Prevent changes to enterprise app trust: Enterprise apps are apps that are custom-made for an organization. Apple’s Developer Enterprise Program helps to create and distribute proprietary enterprise apps for iOS devices. These apps must be trusted before they can be used. The process of app distribution is more secure if it is done using an MDM, and it does not require user interaction. Users can also install these apps themselves from a website operated by their organization. In supervised mode, the user will not be able to change the enterprise app trust settings, i.e., they cannot establish trust for a developer that is not of the enterprise.
- Prevent Apple Music: Apple Music is an app used to play music on iOS devices. This app can be disabled only in supervised mode.
- Treat AirDrop as managed destination: If AirDrop is treated as an unmanaged destination, managed apps cannot share files or attachments through AirDrop.
- Prevent pairing with a watch: Apple Watch relies on a wirelessly connected iPhone to perform basic functions like calling and texting. If the feature is set to false, it disables pairing with the Apple Watch. Existing paired devices will be unpaired.
- Radio services permission: This option allows the users to either enable or disable radio services on the default iOS Music app.
- Notification settings modification: iOS allows modifying the notification settings as per the user’s requirements. If disabled, this option prevents users from changing the notification settings.
- Diagnostic submission settings modification: This option prevents changes in the diagnostic data submission settings, thus restricting users from sending diagnostic data.
- Enable Lost Mode: Lost Mode is a feature to lock down the devices, preventing unauthorized access to the device if it is lost or stolen. It lets administrators fetch the location of lost devices. This action can be executed on supervised devices running iOS 9.3 and later.
- App Notifications: Manage and control how app notifications are displayed on the devices. This feature lets administrators manage notifications for each app on their supervised devices running iOS 9.3 or later.
- Add Google accounts: Create Google accounts remotely on supervised devices running iOS 9.3 or later. Once the user authenticates the configured Google account, all Google services will be automatically synced with the devices, such as Calendar, Contacts, Notes, Mail, etc.
- Lock Screen Message: Remotely set a lock screen message on supervised iOS 9.3+ devices that may help in retrieving a device if it gets lost or misplaced.
- Home Screen Layout: Create a unified look for your entire fleet of devices by setting the layout of the home screen with the help of Hexnode UEM. It helps maintain a distinctive tailor-made look for supervised iOS 9.3+ devices.
- Multi App Kiosk Mode: Lock the devices down to a handful of whitelisted apps where the users will not be able to access any apps or features on the device other than these whitelisted apps.
- Website Kiosks: Lock the devices down to only the required set of websites on supervised iOS 9.3 and later devices. It enforces a complete browser lockdown approach by allowing access to only pre-approved or whitelisted websites determined by the admin.
- Install app from App Store: Allow installation of apps on the device by enabling this option. Disabling this option blocks the App Store and hides the icon from the home screen, thus preventing the users from installing or updating their applications.
- Bluetooth settings modification: The users can make changes in the Bluetooth settings as and when required by enabling this option.
- Dictation input: Enabling this option allows the users to enter text on their iOS devices by voice input instead of the keyboard.
- Power Off: Remotely power off devices without displaying any prompts to the end-users. This action works on supervised iOS 10.3+ devices.
- Restart Device: Remotely restart iOS devices to execute any pending reboot action or for troubleshooting or testing purposes. Note that the restart action works only on supervised iOS 10.3+ devices.
- Remotely Ring Device: This action allows you to play sounds on the devices remotely, even if the device is muted. This action is particularly useful in finding a lost device.
- Connect to MDM-configured Wi-Fi networks: This feature ensures that users can connect to only the Wi-Fi networks configured from the MDM console (Policies > iOS > Networks > Wi-Fi).
- System App Removal: System apps are pre-installed apps under the /system/app folder/ on the user’s device. Disabling this option prevents the removal of system apps from the device via the Hexnode MDM console.
- Disallow creation of VPN configurations: Users can now be disallowed from creating their own VPN configurations on their devices. User-customized VPNs might close down access to corporate devices.
- Secure printing with AirPrint: AirPrint lets the user print anything from the device wirelessly. Users can securely carry out printing using trusted certificates and store the AirPrint credentials within keychain storage. It can also prevent fraudulent AirPrint Bluetooth beacons from obtaining classified information through cyber-attacks like phishing.
- Add or remove Face ID: Prevent users from adding, changing, or removing the Face ID from the devices. The option is disallowed by default.
- Cellular plan modification: Prevent users from changing any settings related to their cellular plan. This option is allowed by default.
- Delay Software Updates: Defer OS updates for devices running iOS 11.3+ for up to 90 days. During this deferral period, the users will not be able to receive the updates until the specified number of days after the software update release date. After the specified period, users can download and install the newly available software updates.
- Force Automatic Date and Time: This feature provides the option to set the date and time automatically on the device and prevent the user from making any further changes in the device settings. The time zone of the device can be updated by enabling Location Services on the device.
- Autofill Passwords: Disabling this option prevents the password autofill functionality, and users will not be prompted to use saved passwords in Safari or other apps. Moreover, Automatic Strong Passwords will also be disabled, thus blocking strong password suggestions.
- Password Proximity Requests: Restricting this feature will prevent the device from requesting passwords from devices in proximity.
- Password Sharing: When connecting to a network for the first time, users can share the network password with other iOS devices using a mechanism identical to AirDrop for faster connectivity.
- Modify Screen Time: Prevent users from setting their own Screen Time settings on their devices (Settings > Screen Time).
- Personal Hotspot modification: Restrict users from modifying the Personal Hotspot settings on their supervised iOS 12.2+ devices.
- eSIM modification: Prevent users from adding or removing a cellular plan to the eSIM on their devices.
- Camera: Access to the device camera is enabled by default. When the feature is disabled, the Camera icon is hidden from the screen.
- FaceTime: Access to the FaceTime app is disabled when the device camera is disabled. Users will not be able to access the FaceTime app to make audio or video calls.
- Show App Store on device: It is enabled by default. If the feature is disabled, the App Store icon will be hidden from the screen.
- iTunes Store: It is enabled by default. If the feature is disabled, the iTunes Store icon is hidden from the home screen.
- Force user to enter iTunes store password for each purchase: It is forced by default. Users are required to type in their Apple ID and password for each in-app or iTunes purchase.
- Safari: It is enabled by default. The Safari icon is hidden if the option is disabled. Moreover, access to web clips is also disabled.
- Autofill (Safari): If the feature is enabled, it allows Safari to autofill web forms with the user’s name, phone number, email, password, etc. If disabled, autofill will be disabled, and the use of strong passwords will not be suggested to the users either.
- Add friends in Game Center: It is enabled by default. It allows users to find or add friends in the Game Center.
- Backup: If this option is enabled, users can back up their files to iCloud.
- Sync documents: If enabled, it allows users to sync their documents and data on the devices with their iCloud accounts.
- Explicit music, podcasts and iTunes U services: If the feature is enabled, it permits users to access adult-rated music, podcasts and iTunes U services. If it is disabled, explicit content listed or purchased from the iTunes store will be inaccessible.