Supervised mode is a device-management state that Apple introduced with iOS 5 (alongside Apple Configurator) to give IT more control over a device than a normal MDM enrolment allows. A device is placed in supervised mode during setup, either with Apple Configurator over USB (which erases the device) or through Apple's automated device enrolment; it cannot be supervised later without wiping it. With supervised mode, IT can restrict a long list of features, including keyboard shortcuts, AirDrop, Messages, Handoff, erasing the device and changing the passcode.
List of iOS supervised mode features
App Lock (Single App Mode)
Single App Mode (App Lock) forces a supervised device to run one app: while it is enabled, the selected app stays in the foreground and the user cannot leave it. This is useful wherever a device serves a single purpose, for example:
- Preventing students from leaving the exam screen.
- Preventing accidental exit from an app.
- Setting up a kiosk that prohibits access to any other app.
- Providing kiosks on which restaurant customers browse the menu and place an order.
It can also disable hardware buttons and device functions, including the Sleep/Wake button, the volume buttons, the ringer switch, screen rotation, auto-lock and touch input, and it can force accessibility options such as VoiceOver or Zoom on. Single App Mode also keeps services such as notifications from reaching the user.
Global HTTP Proxy
This payload lets you specify a global HTTP proxy (a manual host and port, or a PAC URL) so that all HTTP and HTTPS traffic from the device passes through it, i.e. it forces the device's web communications through a single proxy server, which can then filter and log them. Two caveats a practitioner should keep in mind: it is a proxy setting, not a network enforcement, so it governs only connections that honour the system proxy configuration (apps that open raw sockets and non-HTTP protocols are not covered); and a PAC configuration should have the fallback-to-direct option disabled, otherwise a device that cannot fetch the PAC file quietly goes direct and bypasses the filter.
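Here is what the Single App Mode and global HTTP proxy payloads described above look like on the wire, as an added example that is not code from the original article. The script builds a .mobileconfig with Python's plistlib using Apple's documented payload types and keys (com.apple.app.lock and com.apple.proxy.http.global); the bundle ID, proxy host and port, profile identifiers and organisation name are placeholders made up for the example.

```python
"""Build a supervised-only configuration profile (.mobileconfig).

Added example, not the article's own code. Payload types and keys are
Apple's documented identifiers; the bundle ID, proxy host, identifiers
and organisation name below are made-up placeholders.
"""
import plistlib
import uuid


def _payload(payload_type, display_name, **content):
    """Common envelope that every payload dictionary must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.profile.{payload_type}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        **content,
    }


def single_app_mode_payload(bundle_id):
    """Lock the device into one app and disable the hardware buttons
    that would let the user leave or tamper with the session."""
    return _payload(
        "com.apple.app.lock",
        "Exam kiosk",
        App={
            "Identifier": bundle_id,
            "Options": {
                "DisableTouch": False,
                "DisableDeviceRotation": True,
                "DisableVolumeButtons": True,
                "DisableRingerSwitch": True,
                "DisableSleepWakeButton": True,
                "DisableAutoLock": True,
                "EnableVoiceOver": False,
                "EnableZoom": False,
                "EnableAssistiveTouch": False,
            },
            # Accessibility options the user may toggle themselves (none).
            "UserEnabledOptions": {},
        },
    )


def global_http_proxy_payload(host, port, pac_fallback_allowed=False):
    """Route all HTTP(S) traffic through one proxy. Keeping the PAC
    fallback off matters: with it on, a device that cannot reach the
    PAC file silently goes direct and bypasses the filter."""
    return _payload(
        "com.apple.proxy.http.global",
        "Corporate proxy",
        ProxyType="Manual",
        ProxyServer=host,
        ProxyServerPort=port,
        ProxyPACFallbackAllowed=pac_fallback_allowed,
        # Let the device reach a captive portal login page off-proxy.
        ProxyCaptiveLoginAllowed=True,
    )


def build_profile(payloads, organisation="Example Corp"):
    """Wrap payloads in the top-level envelope and serialise as XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.supervised-kiosk",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Supervised kiosk profile",
        "PayloadOrganization": organisation,
        # On a supervised device the user may then not remove the profile.
        "PayloadRemovalDisallowed": True,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_profile(profile_bytes):
    """Parse a serialised profile back into a dictionary."""
    return plistlib.loads(profile_bytes)


def payload_types(profile_bytes):
    """List the payload types a serialised profile carries."""
    return [p["PayloadType"] for p in load_profile(profile_bytes)["PayloadContent"]]


if __name__ == "__main__":
    blob = build_profile([
        single_app_mode_payload("com.example.examapp"),
        global_http_proxy_payload("proxy.example.internal", 3128),
    ])
    print(blob.decode())
    print(payload_types(blob))
```

The output is an unsigned profile; before handing it to Apple Configurator or an MDM, sign it (for example with a CMS signature over the XML) so that the device shows it as verified and the user cannot be tricked by a look-alike.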
Block iBookstore, iMessages
The iBooks Store handles the sale and delivery of EPUB content. Disabling it on a supervised device prevents the user from accessing iBooks Store content.
iMessage is Apple's free, internet-based instant messaging service, built into the Messages app on iOS. It sends texts, documents, photos, videos and so on over Wi-Fi or mobile data to other iOS and OS X users and, for most users on iOS 5 or later, replaces ordinary SMS. In supervised mode it can be disabled.
Block Game Center
Game Center is Apple's social gaming service; in it you see invites and other notifications from games. Game Center is part of iOS and, like most of Apple's built-in apps, cannot be blocked unless the device is supervised. On an unsupervised device you can still disable game invites, friend requests and so on, but not the app itself.
Block AirDrop, AirPlay, etc.
AirDrop lets users transfer data wirelessly to devices in the immediate vicinity over a direct Wi-Fi connection; there is no limit on file size. Wi-Fi and Bluetooth must be on for AirDrop to discover other devices, the other device must also have AirDrop enabled, and the recipient must accept the transfer. AirDrop can be disabled only in supervised mode.
AirPlay streams audio, video, photos and related metadata between devices wirelessly. It cannot be disabled unless the device is supervised; a supervised device can also be limited to an approved list of AirPlay destinations instead of being blocked outright.
Disallow Host Pairing
Restricts pairing of the iOS device with host computers. When this restriction is off, the device can pair with any workstation and sync with iTunes, iPCU and similar tools; when it is on, the device can pair only with the supervision host (the Mac running Apple Configurator that supervised it). Host pairing can be restricted only in supervised mode. Pairing creates a pairing record on the host that grants that host access to the device over USB (backups, file transfer) without the passcode being entered again, which is why forensic and extraction tools prize these records. In an attacker's hands a pairing record exposes whatever data is on the device. A supervised profile that disallows pairing with other Macs and non-Configurator hosts prevents any new pairing records from being created.
Activation Lock Bypass
Activation Lock is part of Find My iPhone and is enabled automatically when Find My iPhone is turned on. Once enabled, the user's Apple ID and password are required to turn off Find My iPhone, erase the device or reactivate it after an erase. This makes a stolen device far less useful and improves the chances of recovery, but it becomes a real problem when the user forgets the password or leaves the company without removing Activation Lock.
In iOS 7.1 Apple introduced Activation Lock bypass for supervised devices, which removes Activation Lock without the user's Apple ID and password. The MDM can obtain a device-specific bypass code; when the device asks for the Apple ID during activation, leave the Apple ID field blank and enter the bypass code in the password field to put the iPad back into use. The code has to be retrieved and escrowed by the MDM while the device is enrolled and reachable, so make sure your MDM collects it at enrolment rather than when the device is already locked.
Autonomous Single App Mode
Autonomous Single App Mode lets an app put itself into Single App Mode for the duration of an event such as an exam, so that the student cannot leave the app to look up outside information, and release the device when the event ends. No invigilator has to lock and unlock each iPad by hand, which makes it the least effortful way to secure iPads for assessment. Two conditions apply: the device must be supervised, and a restrictions profile must whitelist the bundle IDs that are allowed to use autonomous Single App Mode (the autonomousSingleAppModePermittedAppIDs key). The app itself requests the session through the Guided Access API (UIAccessibilityRequestGuidedAccessSession in Objective-C, UIAccessibility.requestGuidedAccessSession in Swift); the request fails on a device that is not supervised or where the app is not whitelisted.
Web Content Filter
This feature limits access to websites with adult content using Apple's built-in filter and lets you blacklist specific sites the enterprise does not want users to reach (or, in whitelist mode, allow only named sites). The built-in filter applies to Safari and, in general, to other apps that load web content, so switching browser does not bypass it. It works on URLs, not on other traffic; for deeper inspection you still need a network-level control such as the global HTTP proxy.
Set background & lock screen
Before iOS 7 there was no way to set the wallpaper or lock screen image on a supervised device remotely. Since iOS 7 both can be set with Apple Configurator 2 or an MDM.
Silent App Push
Silent app push installs apps without user intervention: IT pushes the app from the MDM and it appears on the device without the user being asked to approve it. This works for App Store apps and for in-house enterprise apps.
Always-On VPN
This mode forces all of the device's traffic through a specified VPN. It is designed for businesses and other organisations that need every connection to be inspected. Once enabled, the VPN tunnel (IKEv2 only) is brought up whenever the device has a network connection and the user cannot turn it off. If the tunnel fails, apps on the device cannot reach the internet until it is re-established; that fail-closed behaviour is the point of the feature. Always-On VPN requires a supervised device.
Prevent Cloud Sync
Supervised mode can prevent managed apps from using cloud sync: the admin can stop managed apps from backing up or syncing their data to iCloud, while personal, user-installed apps continue to back up to iCloud as before.
Prevent Spotlight Internet results
Spotlight is the quickest way to find almost anything on an iOS device, and it can also search the internet. It is available from the Home screen. On an unsupervised device the admin can only untick individual apps in the Spotlight search list; the search itself cannot be blocked. In supervised mode all internet results can be removed from Spotlight search, so a device search never sends the query off the device.
Block Handoff
Handoff lets users move an activity between iPhone, iPad and Mac and carry on where they left off. It uses Bluetooth to discover nearby devices and transfers the activity over Wi-Fi, either directly or via iCloud. On a normal device the user can turn Handoff on or off; on a supervised device IT can disable it so that the user cannot turn it back on.
Prevent erasing the device
A supervised device can be restricted so that end users cannot erase it (Erase All Content and Settings). This is useful for supervised student devices in schools.
Prevent Restrictions UI
This option prevents users of a supervised device from enabling restrictions themselves in Settings, so the restrictions in force are the ones IT configured rather than ones a user set and locked with a PIN of their own.
Prevent installation of Configuration Profiles by UI
Configuration profiles are XML property-list files. They carry settings such as passcode requirements and the functional and configuration details for VPN, Wi-Fi, email and more, and they give IT a systematic way to control enterprise iOS devices: distributing a profile to a device configures it in one step. A cellular carrier can, for instance, ship a profile containing its APN settings so that cellular data works without the user entering the details by hand. A device can hold more than one profile at a time.
There are five ways to deploy configuration profiles:
- Via email.
- Using Apple configurator by connecting the device to a Mac.
- Through a webpage link.
- Using over-the-air enrollment.
- Using an MDM Server.
If an attacker crafts a configuration profile and gets users to install it, that profile can point the device at a malicious proxy or VPN, giving the attacker a view of the device's network traffic and a position from which to tamper with it or misuse the data. Configuration profiles can also install certificates; a root certificate trusted by the device lets its holder impersonate any TLS site, such as a bank's. Two details worth knowing: since iOS 10.3 a root certificate from a manually installed profile is not trusted for TLS until the user also enables it under Settings > General > About > Certificate Trust Settings (certificates installed through MDM do not need this step), and a profile that is not signed is shown as "Not Verified" by the installer, which users should be trained to treat as a stop sign.
Installation of additional configuration profiles can be disallowed on enterprise-managed supervised devices. Where other profiles are already installed, IT can remove them remotely through the MDM.
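To make the risk concrete, here is an added example (not from the article) of the kind of check a security team can run on a .mobileconfig before it is approved, or when a suspicious one turns up on a user's device. It parses the profile with Python's plistlib, flags the payload types that put the issuer in the traffic path or in the trust store, reports restriction keys that only take effect on supervised devices, and notes the removal-locking flags. The sample profile embedded in the script is constructed for this example; its hostnames, UUIDs and certificate bytes are placeholders.

```python
"""Audit a .mobileconfig before trusting it (added example).

Payload type names and restriction keys are Apple's documented
identifiers; the embedded sample profile and everything in it
(hostnames, UUIDs, certificate bytes) is made up for this example.
"""
import plistlib

# Payload types that redirect traffic, add trust anchors or hand the
# device to a remote controller. These are what a malicious profile needs.
HIGH_RISK_PAYLOADS = {
    "com.apple.proxy.http.global": "global HTTP proxy routes all web traffic",
    "com.apple.vpn.managed": "VPN can tunnel all or per-app traffic elsewhere",
    "com.apple.security.root": "root CA lets its holder impersonate TLS sites",
    "com.apple.security.pkcs12": "PKCS#12 identity installs a private key",
    "com.apple.security.scep": "SCEP enrols the device with an external CA",
    "com.apple.mdm": "MDM enrolment opens a remote command channel",
}

# Restriction keys that iOS honours only on supervised devices (a subset
# covering the features discussed in this article).
SUPERVISED_ONLY_RESTRICTIONS = {
    "allowAirDrop", "allowiMessage", "allowGameCenter", "allowHostPairing",
    "allowEraseContentAndSettings", "allowUIConfigurationProfileInstallation",
    "allowEnablingRestrictions", "allowKeyboardShortcuts",
    "allowPasscodeModification", "allowDeviceNameModification",
    "allowWallpaperModification", "allowAutomaticAppDownloads",
    "allowEnterpriseAppTrust", "allowSpotlightInternetResults",
    "allowActivityContinuation", "allowNews", "allowMusicService",
    "allowPairedWatch", "forceAirDropUnmanaged", "allowManagedAppsCloudSync",
    "blacklistedAppBundleIDs", "autonomousSingleAppModePermittedAppIDs",
}

# Constructed sample: the classic "free Wi-Fi" lure profile.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.free-wifi</string>
  <key>PayloadUUID</key><string>0B3D7C8E-1111-4444-8888-ABCDEF012345</string>
  <key>PayloadDisplayName</key><string>Free Wi-Fi Setup</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.free-wifi.proxy</string>
      <key>PayloadUUID</key><string>0B3D7C8E-2222-4444-8888-ABCDEF012345</string>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.free-wifi.ca</string>
      <key>PayloadUUID</key><string>0B3D7C8E-3333-4444-8888-ABCDEF012345</string>
      <key>PayloadContent</key><data>MIIBAAo=</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.free-wifi.restrictions</string>
      <key>PayloadUUID</key><string>0B3D7C8E-4444-4444-8888-ABCDEF012345</string>
      <key>allowUIConfigurationProfileInstallation</key><false/>
      <key>allowCloudBackup</key><true/>
    </dict>
  </array>
</dict></plist>
"""


def audit_profile(profile_bytes):
    """Return (severity, message) findings for a profile blob."""
    if profile_bytes[:1] == b"\x30":
        # DER SEQUENCE: a CMS-signed profile. Establish who signed it
        # first; this example does not unwrap CMS.
        return [("info", "CMS-signed profile: verify the signer before parsing")]
    profile = plistlib.loads(profile_bytes)
    findings = []
    if profile.get("PayloadRemovalDisallowed"):
        findings.append(("medium", "PayloadRemovalDisallowed: user cannot remove it on a supervised device"))
    if profile.get("HasRemovalPasscode"):
        findings.append(("medium", "HasRemovalPasscode: removal needs a passcode"))
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<missing>")
        if ptype in HIGH_RISK_PAYLOADS:
            findings.append(("high", f"{ptype}: {HIGH_RISK_PAYLOADS[ptype]}"))
        if ptype == "com.apple.applicationaccess":
            sup = sorted(k for k in payload if k in SUPERVISED_ONLY_RESTRICTIONS)
            if sup:
                findings.append(("info", "supervised-only keys (ignored if unsupervised): " + ", ".join(sup)))
    return findings


if __name__ == "__main__":
    for severity, message in audit_profile(SAMPLE_PROFILE):
        print(f"[{severity}] {message}")
```

Run against the sample, the audit flags the proxy and root CA payloads as high, the removal lock as medium, and points out that allowUIConfigurationProfileInstallation only bites on a supervised device. Real profiles are often CMS-signed (the blob starts with a DER SEQUENCE rather than XML); verify and strip the signature with your usual tooling before feeding the inner plist to this check.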
App blacklisting
Admins can enforce stronger controls over blacklisted apps on supervised devices: from iOS 9.3 onwards an app listed in the blacklistedAppBundleIDs restriction cannot be used on a supervised device even if the user still manages to download it. The companion whitelistedAppBundleIDs restriction turns this around and allows only the named apps.
Block the News app
The News app is one of the apps that cannot be removed from iOS. On an unsupervised device you can only hide it, not block it, and the user can always unhide it. In supervised mode the user cannot access the app at all.
Allow managed app installation exclusively
Managed apps, as the name implies, are apps the enterprise manages through an MDM. In-house enterprise apps and purchased App Store apps can both be deployed as managed apps. Unlike standard apps, managed apps can be configured so that they:
- Do not back up their data to iTunes or iCloud.
- Are removed, together with their data, when the MDM profile is removed.
Because the apps are managed, employees do not have to worry about installation, updates or anything of that sort: managed apps are controlled by the administrator, who can update or remove them after installation. This lets an organisation distribute all kinds of apps over the air via MDM while keeping control of the corporate data those apps hold.
Prevent keyboard shortcuts
Text shortcuts substitute a short string for long or frequently typed text (words, phrases, an email address). Because shortcuts can contain sensitive strings and sync across the user's devices through iCloud, supervised devices can have shortcut creation disabled.
Prevent passcode modification
Prevents the user from adding, changing or removing the device passcode. On a normal device the passcode is changed under Touch ID & Passcode in Settings. Combine this with a passcode policy pushed by the MDM so that a passcode is set and cannot be weakened afterwards.
Prevent device name changes
Prevents users from renaming the device. On an unsupervised device the name can be changed in Settings in a couple of taps, which matters where inventory and MDM reports identify devices by name.
Prevent wallpaper changes
Normally the wallpaper can be changed in the device settings. In supervised mode this can be disabled so that no one can change the wallpaper.
Prevent automatic app downloads
Automatic app downloads bring an app purchased on one of the user's devices onto every other device signed in with the same Apple ID. That is convenient, but on managed devices it means an unauthorised or faulty app can spread to devices without IT ever reviewing it. Preventing automatic app downloads lets IT vet apps before distributing them; it does not affect updates to apps that are already installed.
Prevent changes to enterprise app trust
Enterprise apps, in this context, are in-house apps distributed outside the App Store under Apple's Developer Enterprise Program, which lets an organisation sign and distribute proprietary iOS apps to its own devices. Before such an app can run, trust for the developer's enterprise certificate must be established on the device. Distributing the app through an MDM is the more secure route, since the app is installed without user interaction and its developer is trusted automatically. Users can also install enterprise apps themselves from a website operated by their organisation, in which case they have to trust the developer in Settings. In supervised mode the user cannot change the enterprise app trust settings, i.e. they cannot establish trust for an enterprise developer the MDM has not already trusted. This closes the usual route for sideloaded apps signed with a stolen or abused enterprise certificate.
Prevent Apple Music
Apple Music is the music app built into iOS. Normally it cannot be disabled; only in supervised mode can the app be turned off.
Prevent Mail Drop
Mail Drop sends large attachments through iCloud, up to 5 GB each. It can be disabled only in supervised mode; once disabled, files cannot be sent via Mail Drop.
Treat AirDrop as unmanaged destination
When AirDrop is treated as an unmanaged destination, the restriction on opening documents from managed apps in unmanaged apps applies to it as well: managed apps such as the corporate mail client can no longer share files or attachments over AirDrop, which closes a simple route for corporate data to leave a managed device.
Prevent pairing with a watch
Apple Watch relies on a wirelessly connected iPhone for basic functions such as calling and texting. When this restriction is set, pairing with an Apple Watch is disabled, and any watch that is already paired is unpaired. This matters because a paired watch receives the phone's notifications and messages, and so would otherwise sit outside the controls placed on the phone.