Supervised mode is a device-management state introduced by Apple in iOS 5 that gives IT more control over a device than is normally available. Supervision is applied when the device is set up (with Apple Configurator or through automated enrollment) and cannot be added to an already-configured device without erasing it. On a supervised device IT can restrict features such as keyboard shortcuts, AirDrop, iMessage, Handoff, erasing the device and changing the passcode.
List of iOS supervised mode features
App Lock (Single App Mode)
Single App Mode forces a supervised device to run a single app: the selected app stays in the foreground and the user cannot leave it. This is useful where the device serves one purpose, for example:
- Keeping students on the exam screen.
- Preventing accidental exit from the app.
- Setting up a kiosk that prohibits access to any other app.
- Providing restaurant kiosks on which customers browse the menu and place orders.
It can also disable hardware buttons and other device functions, and it prevents services such as notifications from communicating with the user.
Global HTTP Proxy
This payload specifies a device-wide HTTP proxy (a manual host and port, or a PAC file) so that all HTTP and HTTPS traffic from every app, on every network, is routed through that single proxy. This gives the organization visibility and filtering of web traffic, since every request passes through the proxy. Two caveats: it proxies HTTP(S) only, not arbitrary IP traffic (use a VPN for that), and the proxy can inspect HTTPS content only if it intercepts TLS with a certificate the device trusts.
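As an added example (not code from the original article or from any MDM vendor), the following Python builds a profile containing the two payloads described above, Single App Mode and Global HTTP Proxy. It assumes the payload types and keys from Apple's Configuration Profile Reference (`com.apple.app.lock`, `com.apple.proxy.http.global`); the bundle ID, proxy addresses and organisation name are made-up sample values, and the requirement that a PAC file be fetched over HTTPS is this example's own policy, not Apple's.

```python
"""Build a supervised-device .mobileconfig with a Single App Mode (App Lock)
payload and a Global HTTP Proxy payload.

Added example; not code from the original article or from any MDM vendor.
Assumes the payload types and keys from Apple's Configuration Profile
Reference (com.apple.app.lock, com.apple.proxy.http.global). Bundle ID,
proxy addresses and organisation name are made-up sample values.
"""
import plistlib
import uuid

# Keys accepted in the App Lock payload's "Options" dictionary.
APP_LOCK_OPTIONS = {
    "DisableTouch", "DisableDeviceRotation", "DisableVolumeButtons",
    "DisableRingerSwitch", "DisableSleepWakeButton", "DisableAutoLock",
    "EnableVoiceOver", "EnableZoom", "EnableInvertColors",
    "EnableAssistiveTouch", "EnableSpeakSelection", "EnableMonoAudio",
}
# Accessibility features the locked-in user is allowed to toggle themselves.
APP_LOCK_USER_OPTIONS = {"VoiceOver", "Zoom", "InvertColors", "AssistiveTouch"}


def _common(payload_type: str, display_name: str) -> dict:
    """Keys every payload dictionary must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.{payload_type}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }


def app_lock_payload(bundle_id: str, options: dict, user_enabled: dict = None) -> dict:
    """Single App Mode payload that locks the device to `bundle_id`."""
    unknown = set(options) - APP_LOCK_OPTIONS
    if unknown:
        raise ValueError(f"unknown App Lock options: {sorted(unknown)}")
    unknown = set(user_enabled or {}) - APP_LOCK_USER_OPTIONS
    if unknown:
        raise ValueError(f"unknown user-enabled options: {sorted(unknown)}")
    if "." not in bundle_id:
        raise ValueError("bundle ID must be reverse-DNS, e.g. com.example.exam")
    app = {"Identifier": bundle_id, "Options": dict(options)}
    if user_enabled:
        app["UserEnabledOptions"] = dict(user_enabled)
    return {**_common("com.apple.app.lock", "Single App Mode"), "App": app}


def global_proxy_payload(server=None, port=None, pac_url=None, captive_login=False) -> dict:
    """Device-wide HTTP proxy: manual (server + port) or automatic (PAC URL).
    Requiring HTTPS for the PAC file is this example's own policy, so the
    script that decides where traffic goes cannot be swapped in transit."""
    base = _common("com.apple.proxy.http.global", "Global HTTP Proxy")
    if pac_url:
        if server or port:
            raise ValueError("choose manual or PAC, not both")
        if not pac_url.startswith("https://"):
            raise ValueError("PAC URL must use https://")
        return {**base, "ProxyType": "Auto", "ProxyPACURL": pac_url,
                "ProxyPACFallbackAllowed": False,  # no direct connection if PAC fails
                "ProxyCaptiveLoginAllowed": captive_login}
    if not server or port is None or not 1 <= int(port) <= 65535:
        raise ValueError("manual proxy needs a server and a port in 1..65535")
    return {**base, "ProxyType": "Manual", "ProxyServer": server,
            "ProxyServerPort": int(port), "ProxyCaptiveLoginAllowed": captive_login}


def build_profile(payloads: list, org: str = "Example Org") -> bytes:
    """Wrap payloads in a top-level profile and serialise it as an XML plist."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.supervised.kiosk",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kiosk lockdown",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,  # user cannot remove it from Settings
        "PayloadContent": payloads,
    })


def load_profile(data: bytes) -> dict:
    """Parse a serialised profile back into a dictionary."""
    return plistlib.loads(data)


if __name__ == "__main__":
    profile = build_profile([
        app_lock_payload("com.example.exam",
                         {"DisableSleepWakeButton": True, "DisableAutoLock": True,
                          "DisableVolumeButtons": True},
                         {"Zoom": True}),
        global_proxy_payload(pac_url="https://proxy.example.com/proxy.pac"),
    ])
    print(profile.decode())
```

The output is a plain, unsigned `.mobileconfig`; sign it (for example with `openssl smime -sign`) before distributing it so devices can show who it came from, and install it through Apple Configurator or the MDM, since App Lock is honoured only on supervised devices.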
Block iBookstore, iMessages
The iBooks Store sells and delivers EPUB content. Disabling it on a supervised device prevents the user from accessing the store and its content.
iMessage is Apple's Internet-based messaging service, built into the Messages app on iOS. It sends texts, documents, photos and videos over Wi-Fi or cellular data to other iOS and OS X users and replaces ordinary SMS for most users on iOS 5 or later. On a supervised device it can be disabled.
Block Game Center
Game Center is Apple's social gaming service, through which users receive game invites and other notifications. Like all of Apple's built-in apps, it cannot be blocked unless the device is supervised. On an unsupervised device you can still disable game invites, friend requests and so on, but not the app itself.
Block AirDrop, AirPlay, etc.
AirDrop lets users transfer files wirelessly between nearby devices over a direct Wi-Fi connection, with Bluetooth used to discover peers; there is no limit on file size. Both devices must have Wi-Fi, Bluetooth and AirDrop enabled, and the recipient must accept the transfer. AirDrop can be disabled only in supervised mode.
AirPlay streams audio, video and photos, with their metadata, between devices wirelessly. It cannot be disabled unless the device is supervised.
Disallow Host Pairing
Restricts pairing of the device with host computers. When pairing is allowed, the device can pair with any workstation and sync with iTunes, iPCU and similar tools; when it is disallowed, the device can pair only with its supervision host. Host pairing can be disabled only in supervised mode. Each pairing creates a pairing record on the host, and whoever holds that record can access the device (backups, app data and files) over USB or Wi-Fi without the owner's consent, so a pairing record in an attacker's hands exposes whatever the device holds. A profile that disallows pairing with other Macs and non-Configurator hosts prevents new pairing records from being generated.
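Because the threat is a pairing record that has leaked from a host, it is worth knowing which records a host holds. The Python below, an added example and not part of the original article, enumerates the lockdown pairing records on a host. It assumes macOS keeps them as `<device UDID>.plist` files under `/var/db/lockdown` (Windows: `%ProgramData%\Apple\Lockdown`) and that the record keys `HostID`, `SystemBUID`, `EscrowBag`, `HostPrivateKey` and `WiFiMACAddress` are the ones found in real records; the record it writes when no lockdown directory exists is constructed sample data. Reading the real directory needs root.

```python
"""List the lockdown pairing records on a host and what a stolen copy of
each would grant.

Added example; not from the original article. Assumes macOS keeps pairing
records as <device-UDID>.plist under /var/db/lockdown (Windows:
%ProgramData%\\Apple\\Lockdown) and that HostID, SystemBUID, EscrowBag,
HostPrivateKey and WiFiMACAddress are the keys found in real records.
The record written by sample_directory() is constructed fake data.
Reading the real directory requires root.
"""
import os
import plistlib
import sys
import tempfile
from datetime import datetime, timezone

LOCKDOWN_DIRS = ["/var/db/lockdown", r"C:\ProgramData\Apple\Lockdown"]


def read_pairing_records(directory: str) -> list:
    """Return one summary dict per pairing record found in `directory`."""
    summaries = []
    for name in sorted(os.listdir(directory)):
        # SystemConfiguration.plist holds the host's own BUID, not a pairing.
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as f:
                record = plistlib.load(f)
        except (plistlib.InvalidFileException, OSError):
            continue
        modified = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
        summaries.append({
            "udid": name[:-len(".plist")],
            "host_id": record.get("HostID"),
            "system_buid": record.get("SystemBUID"),
            "wifi_mac": record.get("WiFiMACAddress"),
            # The escrow keybag lets this host back up and sync the device
            # without the passcode being entered, once the device has been
            # unlocked since boot.
            "has_escrow_bag": bool(record.get("EscrowBag")),
            # The host private key is what proves "I am the paired host".
            "has_host_key": bool(record.get("HostPrivateKey")),
            "modified": modified.isoformat(timespec="seconds"),
        })
    return summaries


def risk_note(summary: dict) -> str:
    """One-line statement of what a copy of this record would give an attacker."""
    if summary["has_host_key"] and summary["has_escrow_bag"]:
        return ("complete record: a copy can pair as this host and back up "
                "the device without the passcode")
    missing = [k for k in ("HostPrivateKey", "EscrowBag")
               if not summary["has_host_key" if k == "HostPrivateKey" else "has_escrow_bag"]]
    return "incomplete record: missing " + ", ".join(missing)


def sample_directory() -> str:
    """Write one constructed pairing record (fake values) into a temp dir."""
    directory = tempfile.mkdtemp()
    record = {
        "HostID": "2F1A5C3E-0000-4000-8000-000000000001",
        "SystemBUID": "8B2C0A11-0000-4000-8000-000000000002",
        "WiFiMACAddress": "02:00:00:00:00:01",
        "EscrowBag": b"\x00" * 16,
        "HostPrivateKey": b"-----BEGIN RSA PRIVATE KEY-----\n(fake)\n",
        "HostCertificate": b"-----BEGIN CERTIFICATE-----\n(fake)\n",
    }
    with open(os.path.join(directory, "00008030-000000000000001E.plist"), "wb") as f:
        plistlib.dump(record, f)
    return directory


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else next(
        (d for d in LOCKDOWN_DIRS if os.path.isdir(d)), None)
    if target is None:
        target = sample_directory()
        print(f"no lockdown directory found; using constructed sample in {target}")
    for s in read_pairing_records(target):
        print(f"{s['udid']}  host={s['host_id']}  modified={s['modified']}  {risk_note(s)}")
```

Run it on every workstation that has ever been plugged into a managed device; a record for a device that should only pair with the supervision host is exactly what the host-pairing restriction is meant to prevent, and deleting the file revokes that host's access.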
Activation Lock Bypass
Activation Lock is a feature of Find My iPhone and is enabled automatically when Find My iPhone is turned on. Once enabled, the user's Apple ID and password must be entered to turn off Find My iPhone, erase the device or reactivate it after an erase. This makes a stolen device far less useful and improves the chance of recovery, but it is a real problem if the password is forgotten or a user leaves the company without removing the lock.
In iOS 7.1 Apple introduced Activation Lock bypass for supervised devices: the MDM or Apple Configurator can retrieve a device-specific bypass code that clears Activation Lock without the user's Apple ID and password. When the device asks for the Apple ID during activation, enter the bypass code in the password field and leave the Apple ID field blank. The code can only be retrieved while the device is enrolled and reachable, so store it at enrollment time rather than after the device has been lost or wiped.
Autonomous Single App Mode
Autonomous Single App Mode lets an app put itself into Single App Mode for the duration of an event, for example a testing app that locks the device while an assessment runs so that outside information cannot be reached; when the test is complete, the app releases the device. It is the least effortful way to secure iPads for assessment, since neither an invigilator nor an MDM command is needed to lock and unlock each device. The device must be supervised, and a restrictions profile must whitelist the bundle IDs of the apps allowed to use it; the app itself requests the lock through the Guided Access API.
Web Content Filter
The web content filter blocks websites with adult content using Apple's built-in filter and lets you blacklist specific sites the enterprise does not want users to reach, or restrict browsing to a whitelist of permitted sites. Once enabled it applies to every browser on the device, not only Safari.
Set background & lock screen
Before iOS 7 it was not possible to set the wallpaper or lock screen image on a supervised device remotely. Since iOS 7 both can be set using Apple Configurator 2 or an MDM.
Silent App Push
Apps can be installed without user interaction through silent app push: the IT department pushes an app from the MDM and it appears on the device without prompting the user. This works for App Store apps and for enterprise apps. The silent part depends on supervision: on an unsupervised device the user is still asked to approve the installation.
Cellular data usage modification
Controls whether the user can change per-app cellular data settings. If disabled, the user cannot change which apps are allowed to use cellular data.
Find My Friend Modifications
Find My Friends is Apple's app and service for sharing a user's location with other iOS users. If this option is disabled, the user cannot change the Find My Friends settings.
Access to user-generated content
Enabling this option allows Siri to query user-generated content from the web. It matters only if Siri is enabled on the device.
Always-on VPN
Always-on VPN forces all traffic from the device through a specified VPN tunnel. It is designed for businesses and other organizations that require every connection to pass through their network. Once enabled, the VPN comes up automatically and the user cannot turn it off. If the VPN connection fails, apps cannot reach the Internet until the tunnel is re-established. It requires a supervised device and an IKEv2 VPN with certificate-based authentication.
Prevent Cloud Sync
On a supervised device, an admin can prevent managed apps from syncing their data to iCloud (iCloud Drive and document sync) or backing it up there. Personal, user-installed apps can still back up to iCloud.
Prevent Spotlight Internet results
Spotlight is the search on the Home screen that finds almost anything on the device and can also return Internet results. On an unsupervised device the only control is to uncheck individual apps in the Spotlight search list; Internet results cannot be blocked. In supervised mode all Internet results can be blocked from Spotlight Search.
Prevent Handoff
Handoff lets users transfer an activity in progress between iPhone, iPad and Mac and continue it on the other device. Handoff uses Bluetooth to find nearby devices; the transfer itself goes over Wi-Fi, either directly or via iCloud. On an ordinary device the user can turn Handoff on or off; on a supervised device, once it is disabled by a restriction the user cannot re-enable it.
Prevent erasing the device
A restriction can prevent a supervised device from being wiped by the end user (Erase All Content and Settings). The device can still be erased remotely by the MDM. This is useful for school devices, where students should not be able to reset them.
Prevent Restrictions UI
This option prevents users of a supervised device from enabling restrictions themselves in Settings.
Prevent installation of Configuration Profiles by UI
Configuration profiles are XML property-list files containing settings such as passcode policies and configuration for VPN, Wi-Fi, email and so on. They give systematic control over enterprise iOS devices: the IT department distributes a profile and the device is configured without entering each setting by hand. Cellular carriers use the same mechanism to push APN settings. A device can hold more than one profile.
There are five ways to deploy configuration profiles:
- Via email.
- Using Apple configurator by connecting the device to a Mac.
- Through a webpage link.
- Using over-the-air enrollment.
- Using an MDM Server.
If an attacker creates a configuration profile of their own and persuades users to install it, the profile can make the device use a malicious proxy or VPN, letting the attacker observe the device's network traffic and harm the device or misuse its data. Profiles can also install certificates: a malicious root certificate that the device trusts lets the attacker impersonate a secure website such as a bank's. (Since iOS 10.3 a root certificate installed by a manually installed profile is not trusted for TLS until the user also enables it under Certificate Trust Settings; certificates installed through MDM or Apple Configurator are trusted automatically.)
On enterprise-managed supervised devices, installation of additional configuration profiles through the UI can be prohibited. If additional profiles are already installed, IT can remove them remotely if needed.
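Before a profile from an unknown source is installed, it can be inspected offline. The Python below, an added example and not code from the original article, parses a `.mobileconfig`, reports whether it carries a CMS signature at all, and flags the payload types that can redirect or intercept traffic (global proxy, VPN, certificate, SCEP, Wi-Fi, DNS and MDM enrollment). It assumes the payload type identifiers from Apple's Configuration Profile Reference; the profile it generates when run without an argument is constructed sample data, not a real attack artifact. Signature presence is detected from the file framing only; verifying the signer chain is left to `openssl smime -verify` or the `security` tool.

```python
"""Audit an untrusted .mobileconfig before installing it: report whether it
is CMS-signed, list its payloads, and flag those that can redirect or
intercept traffic.

Added example; not from the original article. Assumes payload type
identifiers from Apple's Configuration Profile Reference. sample_profile()
returns constructed test data, not a real attack artifact. Signature
presence is read from the file framing (DER SEQUENCE vs. XML/bplist);
the signer chain is NOT verified here.
"""
import plistlib

RISKY_PAYLOADS = {
    "com.apple.proxy.http.global": "routes all HTTP(S) traffic via a proxy",
    "com.apple.vpn.managed": "VPN configuration: can tunnel all traffic to the attacker",
    "com.apple.security.root": "installs a root CA: enables TLS interception",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.security.pkcs12": "installs an identity (certificate + private key)",
    "com.apple.security.scep": "enrolls a device identity via SCEP",
    "com.apple.wifi.managed": "Wi-Fi settings: may carry a per-network proxy",
    "com.apple.dnsSettings.managed": "DNS settings: can redirect name resolution",
    "com.apple.webcontent-filter": "content filter: a plugin filter sees all web traffic",
    "com.apple.mdm": "MDM enrollment: the server can then push anything",
}


def is_signed(data: bytes) -> bool:
    """A signed profile is a DER-encoded CMS SignedData blob, which starts
    with a SEQUENCE tag (0x30); unsigned profiles are XML or binary plists."""
    head = data.lstrip()
    return head[:1] == b"\x30" and not head.startswith((b"<?xml", b"bplist"))


def extract_plist(data: bytes) -> bytes:
    """Pull the embedded XML plist out of a CMS wrapper without verifying it."""
    if not is_signed(data):
        return data
    start = data.find(b"<?xml")
    end = data.rfind(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("signed profile without an embedded XML plist")
    return data[start:end + len(b"</plist>")]


def audit_profile(data: bytes) -> dict:
    """Summarise the profile and its risky payloads."""
    prof = plistlib.loads(extract_plist(data))
    payloads = prof.get("PayloadContent", [])
    findings = []
    for p in payloads:
        ptype = p.get("PayloadType", "?")
        if ptype in RISKY_PAYLOADS:
            findings.append((ptype, RISKY_PAYLOADS[ptype]))
        # A Wi-Fi payload can set a proxy for one SSID even without a global proxy.
        if ptype == "com.apple.wifi.managed" and p.get("ProxyType") not in (None, "None"):
            findings.append((ptype, f"Wi-Fi '{p.get('SSID_STR')}' sets ProxyType={p['ProxyType']}"))
    return {
        "signed": is_signed(data),
        "organization": prof.get("PayloadOrganization"),
        "removal_disallowed": bool(prof.get("PayloadRemovalDisallowed")),
        "payload_types": [p.get("PayloadType") for p in payloads],
        "findings": findings,
    }


def sample_profile() -> bytes:
    """Constructed unsigned profile of the kind the text warns about:
    a global proxy plus a root certificate, dressed up as a Wi-Fi helper."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.free-wifi",
        "PayloadUUID": "D2B6C1A0-0000-4000-8000-00000000000A",
        "PayloadDisplayName": "Free Wi-Fi booster",
        "PayloadOrganization": "Totally Legit Hotspots",
        "PayloadContent": [
            {"PayloadType": "com.apple.proxy.http.global", "PayloadVersion": 1,
             "PayloadIdentifier": "com.example.free-wifi.proxy",
             "PayloadUUID": "D2B6C1A0-0000-4000-8000-00000000000B",
             "ProxyType": "Manual", "ProxyServer": "203.0.113.7", "ProxyServerPort": 8080},
            {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
             "PayloadIdentifier": "com.example.free-wifi.ca",
             "PayloadUUID": "D2B6C1A0-0000-4000-8000-00000000000C",
             "PayloadContent": b"\x30\x82\x00\x00(fake DER certificate)"},
        ],
    })


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_profile()
    report = audit_profile(data)
    print(f"signed: {report['signed']}  org: {report['organization']}  "
          f"removal disallowed: {report['removal_disallowed']}")
    for ptype, why in report["findings"]:
        print(f"  [!] {ptype}: {why}")
```

An unsigned profile, or one whose organization name does not match the signer, that carries any of the flagged payloads should not be installed; on managed devices the profile-installation restriction above removes the decision from the user entirely.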
Prevent predictive keyboard
The predictive keyboard suggests the next words as the user types. Disabling this option turns the predictive keyboard off, so no suggestions appear.
Prevent definition lookup
Disabling this option removes the definition (Look Up) feature on supervised iOS devices.
App blacklisting
From iOS 9.3 onwards, apps on the MDM blacklist cannot be opened on a supervised device; the app may still be downloaded, but it will not run. This gives admins a stronger control over blacklisted apps than is possible on unsupervised devices.
Block the News app
News is one of the apps that cannot be removed from iOS. On an unsupervised device you can only hide it, and the user can always unhide it. In supervised mode the user cannot access the app at all.
Allow managed app installation exclusively
Managed apps, as the name implies, are apps that the enterprise manages through an MDM. Enterprise apps and purchased App Store apps can both be deployed as managed apps. Unlike standard apps, managed apps can be configured so that they:
- Do not back up their data to iTunes or iCloud.
- Are removed automatically when the MDM profile is removed.
Because the apps are managed, employees do not have to worry about installation, updates or anything of that sort. Managed apps are controlled by the administrator, who can update or remove them after installation, and they let an organization distribute all kinds of apps over the air through MDM while providing security and privacy.
Prevent keyboard shortcuts
Keyboard shortcuts (text replacements) substitute a short abbreviation for long or frequently used text such as phrases or email addresses. Disabling this option prevents the user from creating shortcuts on the device.
Prevent passcode modification
Prevents the user from adding, changing or removing the device passcode. On an ordinary device the passcode is changed under Touch ID & Passcode in Settings.
Prevent device name changes
Prevents users from renaming the device. On an unsupervised device the name can be changed easily in Settings.
Prevent wallpaper changes
Normally the wallpaper can be changed in the device settings. In supervised mode this can be disabled so that nobody can change the wallpaper.
Prevent automatic app downloads
Automatic downloads install on the device any app bought with the same Apple ID on another device. That is convenient, but it also means an unauthorized or faulty app can spread to every device. By preventing automatic app downloads, IT can vet apps before distributing them.
Prevent changes to enterprise app trust
Enterprise apps here are in-house apps built and distributed through Apple's Developer Enterprise Program rather than the App Store. Before such an app can run, the device must trust the developer's enterprise certificate. Distribution through an MDM is the more secure route and needs no user interaction, since trust is established by the MDM; users can also install enterprise apps from a website operated by their organization, in which case they must trust the developer manually in Settings. On a supervised device the user cannot change the enterprise app trust settings, so they cannot establish trust for a developer the enterprise has not approved, which closes off sideloading of apps signed with someone else's enterprise certificate.
Prevent Apple Music
Apple Music is Apple's music service inside the Music app. Normally it cannot be disabled; on a supervised device the Apple Music service can be turned off.
Prevent Mail Drop
Mail Drop sends large attachments (up to 5 GB) through iCloud. It can be disabled only in supervised mode; once disabled, files cannot be sent via Mail Drop.
Treat AirDrop as unmanaged destination
When AirDrop is treated as an unmanaged destination, managed apps such as Mail cannot share files or attachments through AirDrop, so managed data cannot leave the device by that route.
Prevent pairing with a watch
Apple Watch relies on a wirelessly connected iPhone for basic functions such as calling and texting. When this option is set to false, pairing with Apple Watch is disabled, and any watch that is already paired is unpaired.
Radio services permission
This option controls whether the radio service in the built-in Music app is available to the user.
Notification settings modification
iOS lets the user adjust notification settings. When this option is disabled, the user cannot change notification settings.
Diagnostic submission settings modification
This option prevents changes to the diagnostic data submission setting, so the user cannot turn the sending of diagnostic data to Apple on or off.
Bluetooth settings modification
When this option is enabled, the user can change Bluetooth settings; when it is disabled, Bluetooth settings cannot be modified.
App installation permission
Enabling this permission allows apps to be installed on the device. Disabling it blocks the App Store and hides its icon from the Home screen, so users cannot install or update apps themselves.
Allow dictation
Enabling this option allows the user to enter text by voice instead of the keyboard.
System App Removal
System apps are the apps Apple preinstalls on the device. Disabling this option in the Hexnode MDM console prevents the user from removing system apps from the device.
Disallow creation of VPN configurations
Users can be prevented from creating their own VPN configurations on the device. A user-defined VPN could route corporate traffic through a server the organization does not control.
Secure printing with AirPrint
AirPrint lets users print wirelessly from the device. With Hexnode, printing can be limited to AirPrint destinations that present trusted TLS certificates, AirPrint credentials can be kept in the keychain, and iBeacon discovery of printers can be disabled to stop spurious AirPrint Bluetooth beacons from phishing for network traffic.
Force Automatic Date and Time
This option sets the date and time automatically and prevents the user from changing them in Settings. The time zone is updated automatically when Location Services is enabled on the device.
Password AutoFill
Disabling this option turns off Password AutoFill: users are not prompted to use saved passwords in Safari or in apps. Automatic Strong Passwords is disabled at the same time, so strong password suggestions are no longer offered.
Password Proximity Requests
Restricting this feature prevents the device from requesting passwords from nearby devices.
Password sharing
When connecting to a Wi-Fi network for the first time, a user can receive the network password from a nearby iOS device through an AirDrop-like exchange. Disabling this option stops the device from sharing passwords this way.
Managed and unmanaged contacts
When this option is enabled, managed apps can edit contacts in unmanaged accounts even if managed apps are otherwise prevented from writing to unmanaged destinations. Similarly, a second option lets unmanaged apps read contacts from managed accounts even if unmanaged apps are otherwise prevented from reading managed data.
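The restrictions above are all keys of one payload. The Python below, an added example and not code from the original article or any MDM product, builds a `com.apple.applicationaccess` payload for a supervised exam device from the features this article covers, and refuses to produce one for an unsupervised device when any supervised-only key is set, because iOS ignores such keys silently and the admin would otherwise believe the restriction is in place. It assumes the key names and the supervised-only classification from Apple's Configuration Profile Reference; the exam app bundle ID and identifiers are sample values.

```python
"""Build a restrictions payload (com.apple.applicationaccess) and refuse
supervised-only restrictions for an unsupervised device, since iOS ignores
them there without any error.

Added example; not code from the original article or from any MDM product.
Assumes the key names and supervised-only classification from Apple's
Configuration Profile Reference. The exam app bundle ID and identifiers
are sample values.
"""
import plistlib
import uuid

# Boolean keys that take effect only on a supervised device.
SUPERVISED_ONLY = {
    "allowAirDrop", "allowAppRemoval", "allowAssistantUserGeneratedContent",
    "allowAutomaticAppDownloads", "allowBluetoothModification", "allowBookstore",
    "allowChat", "allowDefinitionLookup", "allowDeviceNameModification",
    "allowDiagnosticSubmissionModification", "allowDictation",
    "allowEnablingRestrictions", "allowEnterpriseAppTrust",
    "allowEraseContentAndSettings", "allowFindMyFriendsModification",
    "allowGameCenter", "allowHostPairing", "allowKeyboardShortcuts",
    "allowManagedAppsCloudSync", "allowMusicService", "allowNews",
    "allowNotificationsModification", "allowPairedWatch",
    "allowPasscodeModification", "allowPasswordAutoFill",
    "allowPasswordProximityRequests", "allowPasswordSharing",
    "allowPredictiveKeyboard", "allowRadioService",
    "allowAppCellularDataModification", "allowSpotlightInternetResults",
    "allowSystemAppRemoval", "allowUIConfigurationProfileInstallation",
    "allowVPNCreation", "allowWallpaperModification",
    # "force" keys enforce when true rather than when false.
    "forceAirDropUnmanaged", "forceAutomaticDateAndTime",
}
# Boolean keys that also work on unsupervised devices.
GENERAL = {
    "allowActivityContinuation", "allowAppInstallation", "allowAssistant",
    "allowCamera", "allowCloudBackup", "allowCloudDocumentSync",
    "allowDiagnosticSubmission", "allowOpenFromManagedToUnmanaged",
    "allowOpenFromUnmanagedToManaged", "allowSafari", "allowScreenShot",
    "allowManagedToWriteUnmanagedContacts", "allowUnmanagedToReadManagedContacts",
}
# Array-of-bundle-ID keys; all supervised-only.
LIST_KEYS = {"blacklistedAppBundleIDs", "whitelistedAppBundleIDs",
             "autonomousSingleAppModePermittedAppIDs"}


def restrictions_payload(settings: dict, supervised: bool) -> dict:
    """Validate `settings` and return the payload dictionary."""
    unknown = sorted(set(settings) - SUPERVISED_ONLY - GENERAL - LIST_KEYS)
    if unknown:
        raise ValueError(f"unknown restriction keys: {unknown}")
    for key, value in settings.items():
        if key in LIST_KEYS:
            if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
                raise TypeError(f"{key} must be a list of bundle IDs")
        elif not isinstance(value, bool):
            raise TypeError(f"{key} must be a bool")
    if not supervised:
        needs = sorted(k for k in settings if k in SUPERVISED_ONLY or k in LIST_KEYS)
        if needs:
            raise ValueError("ignored on an unsupervised device: " + ", ".join(needs))
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        **settings,
    }


def exam_device_settings(exam_app: str) -> dict:
    """Supervised exam iPad: no AirDrop/iMessage/Handoff, no erase or passcode
    change, no new profiles, pairings or VPNs, no Internet search results, and
    only the exam app may use Autonomous Single App Mode."""
    return {
        "allowAirDrop": False,
        "allowChat": False,
        "allowActivityContinuation": False,
        "allowEraseContentAndSettings": False,
        "allowPasscodeModification": False,
        "allowUIConfigurationProfileInstallation": False,
        "allowHostPairing": False,
        "allowEnablingRestrictions": False,
        "allowSpotlightInternetResults": False,
        "allowKeyboardShortcuts": False,
        "allowPredictiveKeyboard": False,
        "allowDefinitionLookup": False,
        "allowEnterpriseAppTrust": False,
        "allowVPNCreation": False,
        "forceAutomaticDateAndTime": True,
        "autonomousSingleAppModePermittedAppIDs": [exam_app],
    }


if __name__ == "__main__":
    settings = exam_device_settings("com.example.exam")
    print(plistlib.dumps(restrictions_payload(settings, supervised=True)).decode())
    try:
        restrictions_payload(settings, supervised=False)
    except ValueError as err:
        print("refused:", err)
```

The supervised flag should come from the device record in the MDM (or from the DeviceInformation query's `IsSupervised` value) rather than from an assumption; the check is only useful if it reflects the real enrollment state.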