iOS Device Supervision: Core Differences in Management (Supervised vs. Unsupervised)
Supervision is a critical device state for corporate-owned Apple devices. It grants the MDM solution (Hexnode UEM) extensive administrative control that is unavailable on default (unsupervised) devices or those enrolled via simpler methods like User Enrollment (BYOD).
This document outlines the key differences in security, restrictions, and remote actions based on the device’s supervision status.
Core Differences in Management Control
The primary difference lies in the level of control the organization maintains over the device and the management profile itself.
| Control Aspect | Unsupervised Device | Supervised Device (Corporate-Owned) |
|---|---|---|
| MDM Profile Removal | Users can manually remove the MDM profile via Settings at any time. | MDM profile is non-removable by the user. |
| Enrollment Method | Typically Profile Installation, Self-Enrollment, or User Enrollment. | Must be enrolled via Automated Device Enrollment (ADE) or Apple Configurator. |
| Activation Lock Bypass | MDM cannot manage or bypass Activation Lock. | MDM can remotely clear the Activation Lock, ensuring the device remains manageable. |
| Restrictions | Limited set of basic restrictions (e.g., passcode complexity). | Unlocks an extensive set of advanced restrictions (e.g., disabling iMessage, AirDrop, etc.). |
Remote Actions Comparison
The availability of Hexnode’s one-time remote actions on an iOS device varies with the device’s supervision status.
Listed below are the remote actions available for iOS devices in Hexnode UEM.
| Category | Feature | Supervised | Unsupervised (Device Enrollment) | Unsupervised (User Enrollment) |
|---|---|---|---|---|
| Scanning & Monitoring | Scan Device | |||
| Scan Device Location (if enabled) | ||||
| Scan for Apps | ||||
| Device Control | Power off Device | |||
| Restart Device | ||||
| Disenroll Device | ||||
| Security | Lock Device | |||
| Wipe Device | ||||
| Clear Password | ||||
| Remote Ring | ||||
| Enable Lost Mode | ||||
| Disable Lost Mode | ||||
| Clear Activation Lock | ||||
| Updates | Update OS | |||
| Applications | Install Application | |||
| Uninstall Application | ||||
| Deployments | Initiate Automation | |||
| Edit | Rename Device | |||
| Set Friendly Name | ||||
| Edit Device Attributes | ||||
| Change Owner | ||||
| Change Ownership | ||||
| Policies & Accounts | Associate Policy | |||
| Groups & Domains | Add devices to group | |||
| Kiosk (only when the Kiosk policy is applied) | Enable Kiosk mode | |||
| Disable Kiosk mode | ||||
| Network | Update eSIM (iOS 13.0 or later) | |||
| Enable Personal Hotspot | ||||
| Disable Personal Hotspot | ||||
| Enable Data Roaming | ||||
| Disable Data Roaming | ||||
| Others | Broadcast Message | |||
| Hexnode App Logs | ||||
| Delete Location History | ||||
| Export Device Details | ||||
| Clear media | ||||
Policies Comparison
The following policies are available to configure for iOS devices:
| Category | Feature | Supervised | Unsupervised (Device Enrollment) | Unsupervised (User Enrollment) |
|---|---|---|---|---|
| Passcode | ||||
| Hexnode Business Container | Business Container | |||
| Hexnode Email | ||||
| App Management | Required Apps | Installs silently | Installs on user confirmation | Installs on user confirmation |
| Application Blocklisting/Allowlisting (iOS 9.3+) | Blocklisted apps which are already installed will be hidden. | Device is marked as non-compliant if a blocklisted app is already installed on the device. | Cannot blocklist apps | |
| App Catalog | ||||
| Web Clips | ||||
| App Notifications | ||||
| App Configurations | ||||
| Network | Wi-Fi | |||
| VPN (Except VPN Always On) | ||||
| VPN Always On | ||||
| Per-App VPN | ||||
| VPN Always On | ||||
| APN | ||||
| Network Slicing (iOS 17+) | ||||
| Network Relay (iOS 17+) | ||||
| Security | Extensible SSO (iOS 13+) | SCEP | ||
| Certificates | ||||
| Global HTTP Proxy | ||||
| Web Content Filtering | ||||
| Unmarked Email Domains (Managed Domains) | ||||
| Managed Web Domains (Managed Domains) | ||||
| Managed Web Domains for Password Autofills on Safari (Managed Domains) | ||||
| OS Updates | ||||
| Accounts | ||||
| Exchange ActiveSync | ||||
| CardDav | ||||
| Calendar | ||||
| CalDav | ||||
| Google Accounts | ||||
| LDAP | ||||
| Expense Management | Network Usage Rules | |||
| Network Data Usage Management | ||||
| Configurations | Deploy Custom Configurations | |||
| Fonts | ||||
| Wallpaper | ||||
| AirPrint | ||||
| AirPlay | ||||
| Lock Screen Message | ||||
| Home Screen Layout | ||||
| Tracking and Fencing | Location Tracking | |||
| Geofencing | ||||
| Troubleshooting | Hexnode app logs | |||
| Patches and Updates | Software Update preferences (iOS 18+) | |||
| Customizations | Hexnode App UI | |||
| Kiosk Lockdown | Kiosk Mode | |||
iOS Restrictions
The following restrictions can be configured on iOS devices.
| Category | Feature | Supervised | Unsupervised (Device Enrollment) | Unsupervised (User Enrollment) |
|---|---|---|---|---|
| Allow Device Functionality | Camera (iOS 4+) | |||
| FaceTime (iOS 4+) | ||||
| Screen Capture | ||||
| Allow Remote Screen Observation (when Screen Capture is enabled, iOS 12+) | ||||
| Touch ID | ||||
| Siri | ||||
| Allow Siri while device is locked | ||||
| Voice dialing | ||||
| Automatic sync while roaming | ||||
| Allow Application Settings | Install apps | |||
| iTunes Store (iOS 4+) | ||||
| Force user to enter iTunes store password for each purchase | ||||
| In-app purchases | ||||
| Trust enterprise app | ||||
| Users can modify enterprise app trust | ||||
| Backup enterprise-deployed iBooks | ||||
| Sync managed app data with iCloud | ||||
| YouTube (below iOS 6) | ||||
| Safari (iOS 4+) | ||||
| Autofill (iOS 4+) | ||||
| Fraud warning | ||||
| JavaScript | ||||
| Block pop-ups | ||||
| Accept cookies | ||||
| Access Passbook when the device is locked | ||||
| Add friends in Game Center (iOS 4.2.1+) | ||||
| Allow iCloud Settings | Backup (iOS 5+) | |||
| Sync documents (iOS 5+) | ||||
| Photo Stream (disallowing might cause data loss) | ||||
| Share photo streams | ||||
| iCloud photo library | ||||
| Sync enterprise book metadata across devices | ||||
| Allow Security and Privacy Settings | Lock screen notifications | |||
| Today View on lock screen | ||||
| Control Center on lock screen | ||||
| Over the air PKI updates | ||||
| Limit ad tracking | ||||
| Send diagnostic data to Apple | ||||
| Accept untrusted TLS certificate | ||||
| Force encrypted backup | ||||
| Show notification on Apple Watch if worn | ||||
| Allow Explicit Content | Explicit music, podcasts and iTunes U services | |||
| iBooks store erotica | ||||
| Rating region | ||||
| Content rating | ||||
| Movies (region-based rating) | ||||
| TV shows (region-based rating) | ||||
| App ratings | ||||
Advanced Restrictions are available only for supervised devices.
| Category | Feature | Supported version |
|---|---|---|
| Allow Device Functionality | AirDrop | |
| Apps can modify cellular data usage | ||
| Add or remove TouchID | ||
| iMessage | ||
| RCS messaging | ||
| Game Center | ||
| Multiplayer gaming | ||
| Install configuration profile | ||
| Handoff | ||
| Definition lookup | ||
| Predictive keyboard | ||
| Auto-correct words | ||
| Suggest words on misspellings | ||
| QuickPath Keyboard | ||
| Keyboard shortcuts | ||
| USB Drive Access in Files App | ||
| Network Drive Access in Files App | ||
| Pair with Apple Watch | ||
| Modify diagnostic data submission settings | ||
| Modify Bluetooth settings | ||
| Use voice to type | ||
| Force Wi-Fi ON | ||
| Connect to MDM-configured Wi-Fi networks only | ||
| Users can modify Personal Hotspot settings | ||
| Create VPN configuration | ||
| AirPrint | ||
| Connect with iBeacon | ||
| Store AirPrint credentials in Keychain | ||
| Use trusted certificates for secured printing | ||
| Modify cellular plan settings | ||
| eSIM Modification | ||
| Outgoing eSIM transfer | ||
| Live Voicemail | ||
| Force preserve eSIM on erase | ||
| Auto dimming | ||
| iPhone mirroring | ||
| Call recording | ||
| Allow App Settings | Install app from App Store | |
| Install apps from third-party app marketplaces | ||
| Install apps from web | ||
| Remove apps | ||
| Remove system apps | ||
| iBooks Store | ||
| Apple Music | ||
| iTunes Radio | ||
| News | ||
| Podcasts | ||
| Download all purchased apps automatically | ||
| Lock apps | ||
| Hide apps | ||
| Allow App Settings | Activation Lock | |
| Modify an account | ||
| Erase content and settings | ||
| Siri can access user-generated content | ||
| Find My Friends | ||
| Find My Device | ||
| Modify Find My Friends | ||
| Use profanity filter | ||
| Show web results using Spotlight Search | ||
| Modify Restrictions/Screen Time | ||
| Modify passcode | ||
| Modify device name | ||
| Modify wallpaper | ||
| Users can modify default browser | ||
| Users can turn notifications on/off | ||
| Force Automatic Date and Time | ||
| Autofill Passwords | ||
| Request passwords from nearby devices | ||
| Share passwords via AirDrop Passwords feature | ||
| Allow USB accessories when locked | ||
| Prevent pairing with non-Configurator hosts | ||
| Shared iPad temporary session | ||
| Allow Apple Intelligence | Genmoji | |
| Image Playground | ||
| Image Wand | ||
| Personalized Handwriting Results | ||
| Writing Tools | ||
| Mail Summary | ||
| ChatGPT integration | ||
| ChatGPT user account sign-in | ||