What is iOS Supervised mode?
Supervised mode is a feature introduced by Apple in iOS 5 to differentiate institutionally owned iOS devices from personal devices. Supervision offers tremendous benefits to organizations and institutions. It unlocks additional management features than those available in any Mobile Device Management software. Supervision allows IT departments to restrict many features that are inappropriate for corporate-owned or shared devices, such as AirDrop, Messages, Handoff, and even Erase. Supervision offers the organization an enhanced level of security and a deeper layer of device management.
How to supervise iOS device?
Method 1: Using Apple Configurator 2
Method 2: Using Apple Device Enrollment Program
Supervising using Apple Configurator 2
Download and install Apple Configurator 2 from the Mac App Store. You will require a Mac with OS X 10.6.6 or later. The iOS device should have OS version 6 or above to supervise using Apple Configurator 2. Once these pre-requisits are met, follow the steps to supervise your device.
Step 1: Create a Wi-Fi profile
- Open Apple Configurator 2.
- Click on File → New Profile.
- Give a name to the profile. All the fields are optional. Select the Security type as “With Authorization” and provide a password. Set Automatically remove profile as “Never”.
- Select Wi-Fi from the menu on the left and click Configure.
- Give the name of the Wi-Fi network at Service Set Identifier (SSID)
- Select Auto join.
- Select proxy type and security type.
- Provide the Wi-Fi password.
- Select network type as Network type as Standard.
- Click on File and Save the profile.
Step 2: Supervising using Apple Configurator 2
Create Blueprint and add Wi-Fi profile
- On the Apple Configurator window click on Blueprints → Edit Blueprint.
- Click on New button at the bottom left corner of the page.
- Name the Blueprint.
- Click on Add → Profiles and select the Wi-Fi profile you created earlier and click Add.
Prepare the device
- Connect the device(s) to the Mac with a USB.
- Select the device(s) and click Prepare.
- Select the Configuration type as Manual and click Next.
- To enroll in Hexnode MDM from the Apple Configurator, select New server and click Next.
- Provide the server name and server URL as provided in the Configurator enrollment tab in Hexnode MDM’s Admin section and click Next.
- The required Anchor certificates will be automatically added. Click Next.
- This is the step for supervising the device. Select Supervise devices and select Allow devices to pair with other computers. Click Next.
- Provide your organizational details here by selecting New organization.
- Select Generate a new supervision identity and click Next.
- Select the iOS Setup Assistant steps that you want to show up in the device.
- Click Prepare.
Now, connect the iOS device to the Mac. Click on the device and click on Blueprints. Select the Blueprint and apply it to the device. The device will be reset and will be enrolled in the MDM as well as be supervised.
Note: The Blueprint can also be prepared the same way, so that the devices need not be prepared individually. In this case all you need to do is connect the device and apply the Prepared Blueprint.
Supervising using Apple Device Enrollment Program (DEP)
The Device Enrollment Program (DEP) is one of the deployment programs by Apple. DEP helps deploying devices in bulk by automatically applying settings and configurations upon the initial device start up, making it ready to be used right out of the box . Over-the-air supervision of iOS devices is possible only if these devices are enrolled in DEP. DEP requires an MDM to Supervise it remotely.
You will have to enroll your organization in DEP to access the program. Find out more.
Configuring DEP in Hexnode MDM
- Go to Admin →DEP →Configure DEP.
- Create a DEP account and download the certificate file.
- Go to Apple Deployments Program page and sign in to your account.
- Verify your identity and enter the verification code. Click Continue.
- Select Device Enrollment Program.
- Select Manage Servers and click on Add MDM Server.
- Give the MDM server name and click Next.
- Upload the Certificate file you downloaded in Step 2 by clicking on Choose File and click Next.
- Download the Server Token and click Done.
- Go back to the MDM DEP settings page and upload the Server Token you just downloaded.
- You can choose or ignore the settings to add pre-enrolled device or enforce user authentication, here.
- Select a Default DEP profile at DEP Policy and click Save.
Add devices to DEP
Now that you have configured DEP, you can add devices to your account. Only devices purchased from Apple or an authorized dealer, on or after 1st March 2011 can be added to DEP. Also, the devices should be running at least iOS 7.0.4 or OS X 10.10.
Step 1: Add Devices to Apple DEP
In Apple DEP web page, under Manage Devices, there are two steps in which you can enroll devices.
- Choose Devices By: There are three options in this section – Serial Number, Order Number, and Upload CSV File. Devices can be enrolled to this server either by providing the devices’ serial numbers or by providing the purchase order number. A CSV file can also be uploaded containing the list of serial numbers of those devices needed to be enrolled.
- Choose Action: In this section, select Assign to Server option from the first drop-down box, and select the MDM virtual server from the second list, to which you need to add the devices.
After enrolling devices in DEP portal, the details of assigned devices can be seen in the device assignment history, including order number, the MDM server to which the device is assigned, assignment date and the device type.
Step 2: Supervise
The DEP policy can be configured from the Hexnode MDM console. It is here that you will have the option to supervise the device.
- Go to Admin > DEP > DEP Policy.
- Click on +Add Policy (or edit existing DEP policies by clicking on them). The policy page contains some text boxes and checkboxes. Fill in the details and select the options your require.
- Display name: Any name that is used to distinguish this DEP policy from other DEP policies.
- Department: Used to mention a group.
- Support phone number: A phone number provided to the users in case they have any doubts regarding DEP enrollment.
Check boxes include the following. The actions performed when checked is explained below:
- Mandatory: Users are required to complete the enrollment before setup.
- Supervised: Check this option to supervise your device. Making a device supervised unlocks additional options of device management that cannot be provided by an ordinary MDM server.
- Allow Pairing: The device can be paired with a computer to sync content.
- Removable: Determines whether the MDM profile installed on the device can be manually removed.
- Is Multi-User: A multi-user is a user who has more than one device registered with DEP.
- Skip Steps: Skip setup steps of the following
- Location: This is the first setup screen where you can select the language and country. This step can be skipped by checking Location in Skip Steps.
- Restore: When the device is reset, checking this option will skip restoring the device back from backup. Backup can be restored later. This option will set up the device as a new device.
- Apple ID: Hides the screen where an existing or a new Apple ID is required to be entered when the device is first set up.
- TOS: The device agrees to the terms of service and conditions automatically.
- Diagnostic: Skip sending diagnostic information to Apple.
- Siri: This setup step, that can be skipped using DEP, prompts whether to use Siri.
- Passcode: Hides the screen to set up passcode when the device is first set up.
- Registration: Skip registration screen.
- Biometric: Skip the screen where you are asked to provide your biometrics if the device supports it.
Payment: Skip Apple Pay setup screen.
- Zoom: Skip the step to use Zoom which shows larger text and controls. Needs iOS 6 or above for this feature. Zoom can be setup from the first setup screen.
- FileVault:Skip FileVault setup screen.
Once the devices are enrolled with DEP, DEP settings needs to be pushed to the device from the MDM server. To do this, reset the device. The device will restart and starts the activation process. During this process, iOS activation servers provide the device with the link of MDM server. This link is that provided by the organization through MDM server DEP portal.
Renew DEP Server Token
The DEP server token is valid for a period of one year. Apple stores the public key permanently, so there is no need to upload a new public key to Apple DEP website. Just click on Generate new token, and a new server token is created with the same public key.