iOS Supervised Mode
What is Supervision?
Supervision is a procedure designed for institutionally owned iOS devices. Supervising an Apple device gives you more control over it: you can set additional restrictions, automate actions and more.
By default, iOS devices are not supervised. A device can be set up as supervised only before activation, that is, before the Setup Assistant first appears on a brand-new or fully erased device.
Why do you need to Supervise your iOS devices?
Supervision unlocks the extra features intended for corporate-owned devices. If you want the apps you provision for the devices to install silently, you need to supervise the device.
If you want to blacklist applications, set a global proxy, lock the device in single-app mode, force web content filtering or set wallpapers, you need supervision.
Ok, so, how do you supervise a device?
iOS devices can be supervised using either of the following:
- Apple Configurator
- Device Enrollment Program (DEP)
Supervision using Apple Configurator involves hooking up the devices to a Mac, whereas supervision via DEP is entirely over-the-air. Using Apple Configurator is quite handy, but DEP registration and approval may take around 5-10 business days.
Supervising using Apple Configurator 2
Download and install Apple Configurator 2 from the Mac App Store. You will require a Mac running OS X 10.6.6 or later, and the iOS device must be running iOS 6 or above to be supervised with Apple Configurator 2. Once these prerequisites are met, follow the steps below to supervise your device.
Step 1: Create a Wi-Fi profile
- Open Apple Configurator 2.
- Click on File > New Profile.
- Give a name to the profile. All other fields are optional.
- Select Wi-Fi from the left menu and click Configure.
- Enter the name of the Wi-Fi network in the Service Set Identifier (SSID) field.
- Select Auto join.
- Configure the Proxy Setup and select the Security Type.
- Provide the Wi-Fi password.
- Select Network Type as Standard.
- Click on File and Save the profile.
Step 2: Create Blueprint and add Wi-Fi profile
Step 3: Prepare the device
- Select the Blueprint and click Prepare.
- Select the Configuration type as Manual and click Next.
- To enroll in Hexnode UEM from the Apple Configurator, select New server and click Next.
- Enter the server name and server URL.
- Server URL can be obtained from Enroll > Platform-Specific > iOS > Apple Configurator. Set a default user to activate the enrollment URL and copy it.
- Provide the URL and click Next.
- The required Anchor certificates will be automatically added. Click Next.
- Create an organization by providing your organizational details and click Next.
- Select Generate a new supervision identity and click Next.
- Select the iOS Setup Assistant steps that you want to show up in the device and click Prepare.
The next step is to connect your unsupervised iOS device to the Mac with a USB cable. Once connected, the device appears in the Apple Configurator window.
Step 4: Apply Blueprint to iPad or iPhone
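The Wi-Fi profile built by clicking through Step 1 is, on disk, a .mobileconfig property list with one com.apple.wifi.managed payload. The following added example (not code from the page or from Apple Configurator) builds that same profile programmatically and parses it back, so you can see exactly what each Step 1 field becomes; the organization name, payload identifier and all sample values are constructed assumptions.

```python
import plistlib
import uuid


def build_wifi_profile(ssid, password, security="WPA2", auto_join=True,
                       proxy=None, org="Example Corp",
                       identifier="com.example.wifi"):
    """Return a .mobileconfig (XML plist) carrying one Wi-Fi payload.

    Keys are Apple's com.apple.wifi.managed payload keys; org,
    identifier and all sample values are constructed for this example.
    """
    if security not in ("None", "WEP", "WPA", "WPA2", "WPA3", "Any"):
        raise ValueError("unsupported security type: %s" % security)
    if security != "None" and not password:
        raise ValueError("%s networks need a password" % security)
    wifi = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Wi-Fi (%s)" % ssid,
        "SSID_STR": ssid,            # Service Set Identifier field
        "AutoJoin": auto_join,       # "Auto join"
        "EncryptionType": security,  # "Security Type"
        "HIDDEN_NETWORK": False,
        "ProxyType": "None",         # "Proxy Setup"
    }
    if security != "None":
        wifi["Password"] = password  # stored in clear text in the file
    if proxy:                        # manual proxy as (host, port)
        wifi["ProxyType"] = "Manual"
        wifi["ProxyServer"], wifi["ProxyServerPort"] = proxy
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "%s Wi-Fi" % org,
        "PayloadOrganization": org,
        "PayloadContent": [wifi],
    }
    return plistlib.dumps(profile)


def wifi_payload(profile_bytes):
    """Parse a profile back and return its Wi-Fi payload dict."""
    data = plistlib.loads(profile_bytes)
    return next(p for p in data["PayloadContent"]
                if p["PayloadType"] == "com.apple.wifi.managed")
```

Because the Wi-Fi password sits in the profile in clear text, treat the saved .mobileconfig like a credential; signing the profile proves its origin but does not encrypt it.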
Supervising using Apple Device Enrollment Program (DEP)
The Device Enrollment Program (DEP) is one of Apple's deployment programs. DEP helps deploy devices in bulk by automatically applying settings and configurations at the initial device startup, making the device ready to use right out of the box. Over-the-air supervision of iOS devices is possible only if the devices are enrolled in DEP, and an MDM is required to supervise them remotely.
You will have to enroll your organization in DEP to access the program. Once your organization is enrolled and devices are added to Apple Business Manager (ABM), perform the steps below to enroll and supervise your devices:
Step 1: Configuring DEP Configuration Profile
To configure a DEP profile from the Hexnode console, follow the steps below:
- Go to Enroll > All Enrollments > No-Touch > Apple Business/School Manager > DEP Configuration Profiles > Configure DEP Profile.
- Edit the Default DEP profile or create a new configuration profile by selecting Configure DEP profile.
- Here, provide a Display name and select Enable supervision so that the device becomes supervised upon enrollment.
- Click Save.
Here is a list of additional configuration parameters for the DEP profile that help customize DEP-enrolled devices:
- Department: Name of the department to which the devices are assigned.
- Support Email Address: Users can contact this email address for support during setup.
- Support phone number: Users can contact this number if they need help during setup.
- Enroll Devices in MDM: If enabled, users cannot bypass the MDM Remote Management step during the initial device setup.
- Allow MDM Profile Removal: If enabled, the MDM profile can be removed after device enrollment.
- Allow iTunes pairing: If enabled, users can sync their devices with iTunes. If disabled, all iTunes-related actions are blocked. To re-enable it, the device must be wiped and re-enrolled.
- Allow Shared Devices: If enabled, multiple users can share devices deployed through Apple School Manager.
- Enable Hexnode UI for Authentication: If disabled, the device management must be set up from Apple’s default Remote Management setup wizard. If enabled, users will be redirected to Hexnode’s default enrollment window. Users can read and agree to the Hexnode EULA terms from here before proceeding with the enrollment. This feature is supported on iOS 13+ and macOS 10.15 or later devices.
- Enrollment authentication settings: Select the mode of authentication for enrollment (overrides the User authentication setting at Enroll > All Enrollments > No-Touch > Apple Business/School Manager). Available options are:
  - No authentication – If selected, the admin must choose the specific Domain and Default user.
  - Use Global Authentication Settings – If selected, the authentication mode chosen at Enroll > Settings > Authentication Modes is used.
- Configure user accounts: Enable this option to create an ‘Administrator’ user on Mac devices.
- Don’t show the selected steps: To customize the setup experience of your DEP devices upon activation, check the boxes for the steps you want to skip during the setup of iOS devices.
All DEP Devices

| Setup Assistant option | Supported versions | Description |
| --- | --- | --- |
| Apple ID | iOS 7.0+ | Skip Apple ID setup. |
| Biometric | iOS 8.1+ | Skip biometric setup. |
| True Tone Display | iOS 9.3.2+ | Skip the True Tone Display pane. |
| Apple Pay | iOS 8.1+ | Skip Apple Pay setup. |
| Restore | iOS 7.0+ | Disable restoring from backup. |
| ScreenTime | iOS 12.0+ | Skip the Screen Time pane. |
| Appearance | iOS 13.0+ | Skip the Choose Your Look window. |
| Diagnostics | iOS 7.0+ | Skip sending diagnostic information to Apple. |
| Location Services | iOS 7.0+ | Skip setting up Location Services. |
| Privacy | iOS 11.3+ | Skip the privacy pane. |
| Siri | iOS 7.0+ | Prevent users from configuring Siri. |
| Terms and Conditions | iOS 7.0+ | Hide terms and conditions from the user. |
| Move from Android | iOS 9.0+ | Remove the Move from Android option from the Restore pane. |
| Keyboard | iOS 11.0+ | Skip the Keyboard pane. |
| Watch Migration | iOS 11.0+ | Skip the screen for watch migration. |
| iMessage and FaceTime | iOS 12.0+ | Skip the iMessage and FaceTime screen. |
| Passcode | iOS 7.0+ | Hide and disable the passcode pane. |
| SIM Setup | iOS 12.0+ | Skip the add cellular plan pane. |
| Onboarding | iOS 11.0+ | Skip on-boarding informational screens. |
| Software Update | iOS 12.0+ | Skip the mandatory software update screen. |
| Home Button Sensitivity | iOS 10.0+ | Skip the Home Button screen. |
| Device to Device Migration | iOS 13.0+ | Skip the Device to Device Migration pane. |
| Zoom | iOS 8.3+ | Skip the Zoom pane, which shows larger text and controls. |
| Welcome/Get Started | iOS 13.0+ | Skip the Get Started pane. |
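The DEP profile parameters above decide how much control the organization keeps once a device leaves the box. The following added example (not code from the page or from Hexnode) expresses a permissive profile as a dictionary, audits it for the settings this page describes as weakening control, and derives the corporate-owned variant. The field names are assumed to be Apple's Device Enrollment Program API keys, mapped in the comments to the Hexnode labels; all sample values are constructed.

```python
# Constructed sample: a permissive DEP profile. Field names are Apple's
# Device Enrollment Program API keys (an assumption; the page only shows
# the Hexnode labels): is_supervised = "Enable supervision", is_mandatory
# = "Enroll Devices in MDM", is_mdm_removable = "Allow MDM Profile
# Removal", allow_pairing = "Allow iTunes pairing", skip_setup_items =
# "Don't show the selected steps".
WEAK_PROFILE = {
    "profile_name": "Default DEP profile",
    "url": "https://mdm.example.com/dep",  # constructed placeholder
    "department": "IT",
    "support_email_address": "support@example.com",  # constructed
    "is_supervised": False,
    "is_mandatory": False,
    "is_mdm_removable": True,
    "allow_pairing": True,
    "skip_setup_items": ["Passcode", "Restore"],
}


def audit_dep_profile(profile):
    """Return (field, finding) pairs for settings that weaken control.

    Apple's defaults (unsupervised, optional, removable, pairing allowed)
    are assumed for absent keys, so a bare profile is flagged as well.
    """
    findings = []
    if not profile.get("is_supervised", False):
        findings.append(("is_supervised", "devices enroll unsupervised"))
    if not profile.get("is_mandatory", False):
        findings.append(("is_mandatory", "user can skip Remote Management"))
    if profile.get("is_mdm_removable", True):
        findings.append(("is_mdm_removable", "user can remove the MDM profile"))
    if profile.get("allow_pairing", True):
        findings.append(("allow_pairing", "pairing on; turning it off later needs a wipe"))
    if "Passcode" in profile.get("skip_setup_items", []):
        findings.append(("skip_setup_items", "Passcode pane skipped at setup"))
    return findings


def harden_dep_profile(profile):
    """Return a copy with the corporate-owned settings from the page applied."""
    fixed = dict(profile)
    fixed.update(is_supervised=True, is_mandatory=True,
                 is_mdm_removable=False, allow_pairing=False)
    # Keep the Passcode pane so the user sets a passcode during setup.
    fixed["skip_setup_items"] = [k for k in profile.get("skip_setup_items", [])
                                 if k != "Passcode"]
    return fixed
```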
Step 2: Creating a DEP Account in Hexnode
To assign devices to the MDM server:
- Log in to the Hexnode UEM portal.
- Navigate to Enroll > All Enrollments > No-Touch > Apple Business/School Manager.
- Click on Add DEP Account.
- Provide an Account name and download the certificate file Hexnode_Apple_DEP_cert.pem.
- Now, log in to the Apple Business Manager account.
- Click on your name at the bottom left of the sidebar and go to Preferences > MDM server assignment. Here, click on Add MDM Server.
- Provide the MDM server name, upload the public key (the DEP certificate downloaded earlier) and click Save.
- Once saved, click on Download Token > Download Server Token.
- Now, go back to your Hexnode UEM console and upload the token in the Upload DEP server token file field.
- Optionally, you can check the box Add as Pre-approved device to pre-approve the DEP devices that you want to enroll using Hexnode.
- Select a Default Configuration Profile. You can either proceed with the Default DEP profile or attach a different configuration profile with the DEP Account, from the drop-down.
- Choose the mode of User authentication to use while enrolling devices:
  - Use global authentication settings: If this option is selected, the authentication mode chosen under Admin > Enrollment > Authentication Modes is used.
  - No authentication: Device enrollment can be completed without any user authentication. Specify the user to which the device should be assigned:
    - Domain: Choose the domain (Hexnode’s local directory or any integrated directory domain) in which the user resides.
    - Default user: Select the user in the chosen domain to which all the DEP devices should be assigned.
- Click on Next to complete configuring DEP.
Step 3: Assign Devices to the MDM server
Once the DEP configuration is completed successfully, you can assign Apple devices to the device management server either individually or in bulk.
Individual Device Assignment
- Select the required device from the Devices page and click on Edit MDM server.
- Click on Assign to the following MDM and select the server from the drop-down. Tap Continue.
- On clicking Confirm, the device is assigned to the management server.
Bulk Device Assignment
- From the Devices page, you can either:
  - Manually select the devices that you want to assign. On macOS, hold the Command key and click the device names. On Windows, hold the Ctrl key.
  - Apply filters to the list of devices. Filters such as Device Management, Source, Order number, Device type and Storage size are available. To select a filter criterion, tap Filter below the Search bar and check the boxes for the required filter options. Then click Search to list the devices that match the specified criteria. From the filtered device list, you can either select All devices or click specific device names.
- Tap on Edit corresponding to the Edit MDM server option.
- Select Assign to the following MDM and pick the server from the drop-down. Click on Continue.
- Finally, click on Confirm to assign the device to the management server.
The details of assigned devices, including the order number, the MDM server to which the device is assigned, the assignment date and the device type, are displayed in the device Assignment History.
Step 4: Sync Devices with Hexnode
Devices added to the Hexnode-specific MDM server in the Apple Business Manager portal must be synced with Hexnode. The information about the newly added devices will be imported into the integrated DEP Account through this synchronization. To sync devices with Hexnode,
- Navigate to Enroll > All Enrollments > No-Touch > Apple Business/School Manager > DEP Accounts on your Hexnode UEM portal.
- Click on Sync all DEP accounts.
To view all the devices synchronized from the MDM server in the ABM portal, go to DEP Devices. To fetch a list of the devices linked to a specific DEP Account, switch the device filter from All Devices to that DEP Account.
Renew DEP Server Token
The DEP server token expires after one year. There is no need to upload a new public key to the Apple DEP website, since Apple stores the public key permanently. You can create a new server token with the same public key by simply clicking Generate new token.
What happens at the device end?
Once you turn on a device that has not yet been activated and establish an internet connection, the Apple server pushes the DEP profile previously associated with the device via Hexnode UEM. As a result, the device is enrolled in the Hexnode UEM portal. Devices that have already been activated must be reset to factory settings before they can be enrolled in the MDM.
If enrollment authentication was enforced via the MDM, the device will get enrolled only after user authentication. However, if enrollment authentication is not turned on, the device will get directly enrolled in the MDM.
On opening the Settings app, the user will see a banner that shows your organization name along with a link that opens up a manual on Device Supervision.