iOS Supervised Mode

What is iOS Supervision?

Supervision is a specialized mode for institutionally owned iOS devices that grants administrators deeper control over device configurations. It unlocks advanced restrictions, enables silent app installations, and supports specific features like Autonomous Single App Mode (Kiosk) and Global Proxy that are unavailable on unsupervised devices.

Why supervise iOS devices?

Supervision is essential for corporate environments requiring strict compliance and automation.

  • Silent Installations: Deploy apps without user interaction.
  • Advanced Restrictions: Allowlist/blocklist apps, force web content filtering, and prevent account modification.
  • Kiosk Mode: Lock a device to a single application.
  • Global Proxy: Route all device traffic through a specific proxy server.

Methods to supervise iOS devices

There are two primary methods to enable supervision:

  1. Apple Configurator: Requires a Mac and a physical USB connection. Best for small batches.
  2. Automated Device Enrollment (ADE) / Apple Business Manager (ABM): Entirely over-the-air. Best for bulk deployments and “zero-touch” configuration.

Method 1: Supervision via Apple Configurator 2 (Mac Only)

This method involves physically connecting devices to a Mac.

Note:

  • Hardware: Mac with OS X 10.6.6+ and an iOS device running iOS 6+.
  • Software: Apple Configurator app installed from the Mac App Store.
  • Device Status: Find My iPhone/iPad must be turned off to prevent activation lock errors.

Step 1: Create a Wi-Fi Profile

  1. Open Apple Configurator.
  2. Navigate to File > New Profile.
  3. Enter a profile name. Set Security Type to “With Authorization” and provide a password. Also, set Automatically Remove Profile to “Never”.
  4. Select Wi-Fi from the left menu and click Configure.
  5. Enter the Service Set Identifier (SSID) and select Auto Join.
  6. Configure Proxy Setup and Security Type.
  7. Enter the Wi-Fi password.
  8. Select Network Type as Standard.
  9. Go to File > Save to save the profile.
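
The profile saved in Step 1 is a property list, so its security-relevant settings can be checked before it is attached to a Blueprint. The following Python audit is an added example, not Hexnode's or Apple's code; the key names are Apple's configuration-profile keys, and the sample profile (SSID, password, identifiers) is constructed.

```python
import plistlib

# Constructed sample: a Wi-Fi profile like the one saved in Step 1 (all values made up).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.wifi",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadDisplayName": "Corp Wi-Fi",
    "HasRemovalPasscode": True,          # Security Type: "With Authorization"
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.payload",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "SSID_STR": "ExampleCorp",
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "Password": "constructed-example-psk",
        "ProxyType": "None",
    }],
})

def audit_wifi_profile(data: bytes) -> list[str]:
    """Return findings for an unsigned .mobileconfig (XML or binary plist)."""
    profile = plistlib.loads(data)
    findings = []
    # Removal protection: a removal passcode, or non-removable on supervised devices.
    if not (profile.get("HasRemovalPasscode") or profile.get("PayloadRemovalDisallowed")):
        findings.append("profile can be removed without authorization")
    # "Automatically Remove Profile: Never" means neither key is present.
    if "RemovalDate" in profile or "DurationUntilRemoval" in profile:
        findings.append("profile is set to remove itself automatically")
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = p.get("SSID_STR", "?")
        if p.get("EncryptionType", "Any") in ("None", "WEP"):
            findings.append(f"{ssid}: weak or no encryption ({p.get('EncryptionType')})")
        if p.get("Password"):
            findings.append(f"{ssid}: Wi-Fi password stored in cleartext in the file")
        if p.get("ProxyType", "None") != "None":
            findings.append(f"{ssid}: traffic uses a {p['ProxyType']} proxy, verify the endpoint")
    return findings
```

To check a real file, pass `open(path, "rb").read()`; a signed profile has to be unwrapped from its CMS envelope first.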

Step 2: Create a Blueprint

  1. Click File > New Blueprint.
  2. Name the blueprint.
  3. Select the new Blueprint and click Add > Profiles, select the Wi-Fi profile created in Step 1, and click Add.

Step 3: Prepare the Device

  1. Select the Blueprint and click Prepare.
  2. Set Configuration type to Manual and click Next.
  3. Select New server and click Next.
  4. Enter the Server name and Server URL:
    • Go to Hexnode portal: Enroll > Platform-Specific > iOS > Apple Configurator.

    • Copy the URL from the portal and paste it into Apple Configurator, and click Next.
  5. Anchor certificates are added automatically. Click Next.
  6. Enter organizational details to create an organization and click Next.
  7. Select Generate a new supervision identity and click Next.
  8. Choose which iOS Setup Assistant steps to show or hide, then click Prepare.
Note:


You can apply a “Prepared Blueprint” to multiple devices by connecting them and selecting the Blueprint.

Step 4: Apply Blueprint

  1. Connect the iOS device to the Mac via USB.
  2. In Apple Configurator, right-click the device.
  3. Select Apply > [Your Blueprint Name].
  4. Click Apply.
  5. Result: The device will reboot with MDM enrollment, Wi-Fi, and Supervision settings applied.

Method 2: Supervision via Automated Device Enrollment (ADE)

This method automates supervision over-the-air during the initial device setup (out-of-the-box experience). It requires the organization to be enrolled in Apple Business Manager (ABM) or Apple School Manager (ASM).

  1. On the Hexnode UEM portal, go to Enroll > All Enrollments > No-Touch > Apple Business/School Manager.
  2. Click Add ADE Account.
  3. Enter an Account Name and download the certificate file (Hexnode_Apple_DEP_cert.pem).
  4. Log in to Apple Business Manager.
  5. Go to Preferences > MDM server assignment > Add MDM Server.
  6. Upload the Hexnode certificate (public key) and click Save.
  7. Click Download Token to get the server token.
  8. Return to Hexnode and upload the token in the Upload ADE server token field.
  9. Optionally, you can enable Add as Pre-approved device to pre-approve the ADE devices that you want to enroll using Hexnode.
  10. Select the Default Configuration Profile. Either use the default ADE profile or choose another from the dropdown.
  11. Configure the User Authentication Mode:
    • Use global authentication settings: Follows the settings under Admin > Enrollment > Authentication Modes.
    • No authentication: Allows enrollment without user verification; specify the user to assign the device to.
      • Domain: Choose the directory domain (Hexnode local or an integrated directory).
      • Default user: Assigns all ADE devices in this account to the selected user in that domain.
  12. Click Next to finish.

Step 3: Assign Devices to the MDM Server

Once the ADE configuration is complete, you can assign Apple devices individually or in bulk to the device management server.

Note:


By designating a default MDM server, new devices added to Apple Business Manager (ABM) will be automatically assigned.
To configure the default MDM server in ABM:

  1. Click on your name (bottom-left of the sidebar).
  2. Go to Preferences > MDM Server Assignment.

Individual Device Assignment

  1. On the Devices page, select the device to assign, and click on Edit MDM server.
  2. In the dropdown, choose Assign to the following MDM and select the desired server. Click Continue.
  3. Click Confirm to finalize the assignment.

Bulk Device Assignment

Option 1: Manually select devices

  1. On the Devices page, hold the Command key (Mac) or Control key (Windows) to select multiple devices.

Option 2: Apply Filters

  1. Use filters like Device Management, Source, Order number, Device type, and Storage size to narrow down your device list.
  2. Click Filters below the search bar, select the criteria, and click Search.

  3. From the filtered list, select All devices or individual devices.
  4. Click Edit next to Edit MDM server.
  5. Select Assign to the following MDM from the dropdown and choose the MDM server.

  6. Click Continue, then click Confirm to assign the devices to the management server.

The assigned device details, including order number, MDM server, assignment date, and device type, will be visible in the Assignment History.

Step 4: Sync Devices with Hexnode

Devices added to the Hexnode-specific MDM server in the Apple Business Manager (ABM) portal need to be synced with Hexnode. This process imports information about newly added devices into the integrated ADE account.

  1. On the Hexnode UEM portal, go to Enroll > All Enrollments > No-Touch > Apple Business/School Manager > Accounts.
  2. Click Sync all ADE accounts.
  3. Verification: Check Devices to see the synced list. To filter devices by a specific ADE Account, change the device filter from All Devices to the desired ADE Account.

Renew ADE Server Token

The ADE server token is valid for one year. After the token expires, there is no need to upload a new public key to Apple ADE, as the public key is permanently stored. To renew the token, simply click Generate new token.

Warning:

  • Device Enrollment and ABM (Apple Business Manager):
    • If a device is released from Apple Business Manager (ABM) before enrollment, it cannot be enrolled through Apple ADE.
    • If a device is released after enrollment, it will be removed from both ABM and Hexnode UEM.
  • Re-enrollment Options for iOS 11.0+ Devices:
    • Devices with iOS 11.0 and above can be re-enrolled using Apple ADE with Apple Configurator.
    • However, during the initial 30-day provisional period, users can remove MDM management by:
      • Navigating to Settings > General > Device Management > Remove Management.
      • Or by wiping the device and selecting Leave Remote Management during the reset process.

Device End-User Experience

  • New/Wiped Devices: Upon boot and internet connection, the device detects the ADE profile. It will automatically enroll in Hexnode and apply Supervision settings.
  • Provisional Period: Devices added to ABM manually (via Apple Configurator) have a 30-day provisional period. Users can remove management via Settings during this time. After 30 days, management can become permanent.
  • Renewing Token: The ADE server token expires yearly. Use Generate new token in ABM and upload it to Hexnode to renew without re-enrolling devices.

When the user opens the Settings app, a banner will appear showing your organization’s name, along with a link to the Device Supervision manual.
