What is Supervision?
Supervision is a procedure designed for institutionally-owned iOS devices. Supervising a device lets you have more control over it. You can set additional restrictions, automate actions and more.
By default, iOS devices are not supervised. A device can be set up as supervised only prior to activation, that is, before the Setup Assistant first appears on a brand-new or fully erased device.
Why do you need to Supervise your iOS devices?
Supervision unlocks the extra features intended for corporate-owned devices. If you want the apps you provision for the devices to install silently, you need to supervise the device.
If you want to blacklist applications, set a global proxy, lock a device in single-app mode, force web content filtering or set wallpapers, you need supervision.
Ok, so, how do you supervise a device?
iOS devices can be supervised by using
- Apple Configurator OR
- Device Enrollment Program (DEP)
Supervision using Apple Configurator involves hooking up the devices to a Mac, whereas supervision via DEP is entirely over the air. Apple Configurator is quite handy, whereas DEP registration and approval may take around 5-10 business days.
Supervising using Apple Configurator 2
Download and install Apple Configurator 2 from the Mac App Store. You will require a Mac with OS X 10.6.6 or later. The iOS device should have OS version 6 or above to supervise using Apple Configurator 2. Once these prerequisites are met, follow the steps below to supervise your device.
Step 1: Create a Wi-Fi profile
- Open Apple Configurator 2.
- Click on File > New Profile.
- Give a name to the profile. All other fields are optional.
- Select Wi-Fi from the left menu and click Configure.
- Enter the name of the Wi-Fi network in the Service Set Identifier (SSID) field.
- Select Auto join.
- Configure the Proxy Setup and select the Security Type.
- Provide the Wi-Fi password.
- Select Network Type as Standard.
- Click on File and Save the profile.
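The profile saved in Step 1 is a property list, and the Wi-Fi password entered above is written into it as plain text, so the file deserves a check before it is shared or added to a Blueprint. The following is an added example, not part of the original guide or of Hexnode's tooling; the sample profile is constructed, and the payload keys (`SSID_STR`, `EncryptionType`, `AutoJoin`, `Password`) are those of Apple's `com.apple.wifi.managed` payload.

```python
import plistlib

# Constructed sample of an unsigned .mobileconfig with one Wi-Fi payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Example Wi-Fi</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>ExampleCorp</string>
    <key>AutoJoin</key><true/>
    <key>EncryptionType</key><string>WEP</string>
    <key>Password</key><string>constructed-secret</string>
    <key>ProxyType</key><string>None</string>
  </dict></array>
</dict></plist>"""

WEAK_ENCRYPTION = {"None", "WEP"}  # open network or broken cipher


def audit_wifi_profile(raw: bytes) -> list:
    """Return a list of findings for the Wi-Fi payloads in a saved profile."""
    try:
        profile = plistlib.loads(raw)
    except Exception:
        # A signed profile is CMS-wrapped and will not parse as a plist.
        return ["not a plain plist: unwrap the signed profile before auditing"]
    if not isinstance(profile, dict):
        return ["top-level object is not a profile dictionary"]
    findings = []
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR", "<no SSID>")
        enc = payload.get("EncryptionType")
        if enc in WEAK_ENCRYPTION:
            findings.append(f"{ssid}: weak security type {enc!r}")
            if payload.get("AutoJoin", True):
                findings.append(f"{ssid}: auto-joins a weakly protected network")
        if payload.get("Password"):
            findings.append(f"{ssid}: Wi-Fi password is stored in clear text")
    return findings


if __name__ == "__main__":
    for line in audit_wifi_profile(SAMPLE_PROFILE):
        print(line)
```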
Step 2: Create Blueprint and add Wi-Fi profile
Step 3: Prepare the device
- Select the Blueprint and click Prepare.
- Select the Configuration type as Manual and click Next.
- To enroll in Hexnode MDM from the Apple Configurator, select New server and click Next.
- Enter the server name and server URL.
- Server URL can be obtained from Enroll > Platform-Specific > iOS > Apple Configurator. Set a default user to activate the enrollment URL and copy it.
- Provide the URL and click Next.
- The required Anchor certificates will be automatically added. Click Next.
- Create an organization by providing your organizational details and click Next.
- Select Generate a new supervision identity and click Next.
- Select the iOS Setup Assistant steps that you want to show up in the device and click Prepare.
The next step is to connect your unsupervised iOS device to the Mac with a USB cable. After connecting, you can see your device in the Apple Configurator window.
Step 4: Apply Blueprint
Supervising using Apple Device Enrollment Program (DEP)
The Device Enrollment Program (DEP) is one of the deployment programs by Apple. DEP helps deploy devices in bulk by automatically applying settings and configurations upon the initial device start-up, making each device ready to be used right out of the box. Over-the-air supervision of iOS devices is possible only if these devices are enrolled in DEP. DEP requires an MDM to supervise the devices remotely.
You will have to enroll your organization in DEP to access the program.
Configuring DEP in Hexnode MDM
- Go to Enroll > Platform-Specific > iOS > Apple Business/School Manager.
- Click on Configure DEP Account.
- Create a DEP account and download the certificate file.
- Go to the Apple Business Manager page and sign in to your account.
- Verify your identity and enter the verification code.
- Navigate to Settings > Organization Settings > Device Management Settings and click on Add MDM Server.
- Give the MDM Server Name.
- Upload the Certificate file you downloaded in Step 3.
- Click on Save and then select Download Token (from your server) to download the Server Token.
- Go back to the MDM DEP settings page and upload the Server Token you have just downloaded.
- Here, you can choose or ignore the settings to add Pre-approved devices or enforce User Authentication.
- Select a Default DEP profile at DEP Policy and click Save.
Add devices to DEP
Now that you have configured DEP, you can add devices to your account. Only devices purchased from Apple or an authorized dealer, on or after 1st March 2011 can be added to DEP. Also, the devices should be running at least iOS 7.0.4 or OS X 10.10.
Step 1: Add Devices to Apple DEP
On the Apple Business Manager page, under Device Assignments, devices are enrolled in two steps.
- Choose Devices By: There are three options in this section – Serial Number, Order Number, and Upload CSV File. Devices can be enrolled to this server either by providing the devices’ serial numbers or by providing the purchase order number. A CSV file containing the list of serial numbers of the devices to be enrolled can also be uploaded.
- Choose Action: In this section, select Assign to Server option from the first drop-down box, and select the MDM virtual server from the second list, to which you need to add the devices.
After enrolling devices in the DEP portal, the details of assigned devices can be seen in the device assignment history, including the order number, the MDM server to which the device is assigned, the assignment date and the device type.
Step 2: Supervise
The DEP policy can be configured from the Hexnode MDM console. It is here that you will have the option to supervise the device.
- Go to Enroll > Platform-Specific > iOS > Apple Business/School Manager.
- Click on +Associate DEP Policy (or edit existing DEP policies by clicking on them). The policy page contains some text boxes and checkboxes. Fill in the details and select the options you require.
- Display name: Any name that is used to distinguish this DEP policy from other DEP policies.
- Department: Used to mention a group.
- Support phone number: A phone number provided to the users in case they have any doubts regarding DEP enrollment.
The check boxes include the following. The action performed when each is checked is explained below:
- Mandatory: Users are required to complete the enrollment before setup.
- Supervised: Check this option to supervise your device. Making a device supervised unlocks additional options of device management that cannot be provided by an ordinary MDM server.
- Allow Pairing: The device can be paired with a computer to sync content.
- Removable: Determines whether the MDM profile installed on the device can be manually removed.
- Is Multi-User: A multi-user is a user who has more than one device registered with DEP.
- Skip Steps: Skip the following setup steps:
- Location: This is the first setup screen where you can select the language and country. This step can be skipped by checking Location in Skip Steps.
- Restore: When the device is reset, checking this option will skip restoring the device back from backup. Backup can be restored later. This option will set up the device as a new device.
- Apple ID: Hides the screen where an existing or a new Apple ID is required to be entered when the device is first set up.
- TOS: The device agrees to the terms of service and conditions automatically.
- Diagnostic: Skip sending diagnostic information to Apple.
- Siri: This setup step, that can be skipped using DEP, prompts whether to use Siri.
- Passcode: Hides the screen to set up passcode when the device is first set up.
- Registration: Skip registration screen.
- Biometric: Skip the screen where you are asked to provide your biometrics if the device supports it.
- Payment: Skip Apple Pay setup screen.
- Zoom: Skip the step to use Zoom, which shows larger text and controls. This feature needs iOS 6 or above. Zoom can be set up from the first setup screen.
- FileVault: Skip FileVault setup screen.
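The check boxes above decide how tightly a device is bound to management, so a policy is worth checking against a baseline before it is associated with devices. This is an added example, not Hexnode's code: it audits a constructed profile that uses the field names of Apple's DEP profile format (`is_supervised`, `is_mandatory`, `is_mdm_removable`, `allow_pairing`, `skip_setup_items`). The mapping from the console's check boxes to these fields and the baseline values are assumptions of this example.

```python
import json

# Constructed sample of a DEP profile, using Apple's DEP profile field names.
SAMPLE_DEP_PROFILE = json.loads("""{
  "profile_name": "Example corporate policy",
  "department": "IT",
  "support_phone_number": "555-0100",
  "is_supervised": false,
  "is_mandatory": false,
  "is_mdm_removable": false,
  "allow_pairing": true,
  "skip_setup_items": ["Location", "Passcode", "Siri"]
}""")

# Assumed baseline for corporate-owned devices (this example's choice).
BASELINE = {
    "is_supervised": True,      # Supervised
    "is_mandatory": True,       # Mandatory
    "is_mdm_removable": False,  # Removable
    "allow_pairing": False,     # Allow Pairing
}
SENSITIVE_SKIPS = {"Passcode"}  # user is never prompted to set a passcode


def audit_dep_profile(profile: dict) -> list:
    """Compare a DEP profile with the baseline and return the findings."""
    findings = []
    for key, wanted in BASELINE.items():
        actual = profile.get(key)
        if actual is None:
            findings.append(f"{key}: not set, the server default applies")
        elif actual != wanted:
            findings.append(f"{key}: is {actual}, baseline expects {wanted}")
    # Apple allows a non-removable MDM profile only on supervised devices.
    if profile.get("is_mdm_removable") is False and not profile.get("is_supervised"):
        findings.append("is_mdm_removable: false is only valid with is_supervised true")
    skipped = SENSITIVE_SKIPS & set(profile.get("skip_setup_items", []))
    for item in sorted(skipped):
        findings.append(f"skip_setup_items: {item} screen is skipped")
    return findings


if __name__ == "__main__":
    for line in audit_dep_profile(SAMPLE_DEP_PROFILE):
        print(line)
```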
Once the devices are enrolled with DEP, the DEP settings need to be pushed to the device from the MDM server. To do this, reset the device. The device will restart and start the activation process. During this process, the iOS activation servers provide the device with the link to the MDM server. This is the link provided by the organization through the MDM server's DEP portal.
Renew DEP Server Token
The DEP server token is valid for a period of one year. Apple stores the public key permanently, so there is no need to upload a new public key to the Apple DEP website. Just click on Generate New Token, and a new server token is created with the same public key.