iOS Supervised Mode

What is iOS Supervised mode?

Supervised mode is a feature introduced by Apple in iOS 5 to differentiate institutionally owned iOS devices from personal devices. Supervision offers tremendous benefits to organizations and institutions, and supervised devices are well suited to healthcare, retail, education and related sectors.

It unlocks management features beyond those available through Mobile Device Management software alone. Supervision allows IT departments to restrict many features that are inappropriate for corporate-owned or shared devices, such as AirDrop, Messages, Handoff and even Erase. Supervision gives the organization an enhanced level of security and a deeper layer of device management.

How to enable iOS supervised mode?


1. Using Apple Configurator



The iPad is increasingly becoming a business tool in many industries, with people integrating iPads into core business and management operations. Since collective (fleet) management of iPads proved difficult, an efficient way of managing the deployment and maintenance of iPads became crucial. This is where Apple Configurator comes in, as the follow-up to Apple's earlier iPhone Configuration Utility (iPCU).

The Apple Configurator has three modes:

Prepare  


Prepare is used for initial setup and deployment. Preparing a device restores the iOS device and wipes any data on it. Here you configure the basic settings, such as the company logo/wallpaper, default passwords, etc. The Import Profile feature can be used to import an existing profile; otherwise, you can create a new profile from scratch with Create New Profile. Once the settings are configured, they are saved locally in an XML file called {profile name}.mobileconfig. Once the device has been set up for configuration, click the Prepare button at the bottom of the Configurator window to apply the desired configuration.

Supervise  


Supervision can be enabled using Apple Configurator or by using third-party MDM software that supports the Apple Device Enrollment Program (DEP). If you use Apple Configurator alone to manage your devices, they need to be physically connected to a Mac. Mobile Device Management software such as Hexnode MDM, however, allows you to wirelessly enroll, configure, manage and secure those devices. More importantly, you get more granular control over the devices, such as app management, location tracking and remote device management capabilities.

After the iPad configuration with Supervision is prepared, it can be re-applied in the future. Supervise will reset the device, removing the user data that accumulated on it during use, including notes, data in apps, phone numbers, etc.

A useful feature in Supervise mode is “Export Info”, which generates a list of all currently supervised devices with UDID, Device Name, Device Capacity, Wi-Fi MAC address and Bluetooth MAC address (great for asset management, tracking, loss prevention and upgrade planning).

When you make changes while one or more devices are not connected, the changes are applied the next time those devices are connected; Apple refers to this as device check-in. When a device or a group of devices is updated, the changes are applied automatically once they are saved by clicking the Apply button at the bottom of the Configurator window.

Assign  


The Assign pane enables one to create and manage user accounts and to assign devices to specific users. There are two lists in the Assign pane, the user groups to the left and the users list to the right of it. Users can be created by clicking the Add button under the users list. One can organize users into groups by creating a group, naming it, and then dragging users into it.

If your Mac is connected to a corporate directory system like Microsoft’s Active Directory or Apple’s Open Directory, you can create accounts in Configurator based on their existing network accounts (the ones that they use to log into various computers).

To assign or check out a device, select the user and click the Check Out button at the bottom of the Configurator window. Select the group containing the device from the pop-up menu and drag the appropriate device to a user account. Once the devices have been assigned, they are connected to the Mac via USB and Configurator will complete the check-out process.

When users return devices, they can be checked in again by connecting them to the Mac running Configurator, selecting the users in the Assign Pane and clicking the Check In button. Configurator will back up the user data automatically and use it if a different device is to be assigned to that user.

2. Using Device Enrollment Program (DEP)

Apple Device Enrollment Program (DEP) is a deployment program from Apple for the fast deployment of iOS and OS X devices. Devices purchased through DEP can be configured over the air in bulk without any physical contact with the device. The device can be enrolled in an MDM and supervised from the DEP portal itself; DEP is the only way to supervise devices wirelessly. Any step that usually appears during the initial setup process can be set to be skipped, and restrictions can be applied to the device without a single tap on the device itself.

Only devices purchased directly from Apple or from an authorized Apple reseller can be deployed using the Device Enrollment Program. Any Mac or iOS device purchased on or after March 1, 2011 can be enrolled in DEP.

Deploying devices using DEP takes four steps:

  • Enroll
  • Set up
  • Configure
  • Assign

First, you need to enroll your organization in Apple Deployment Programs:

  • At deploy.apple.com, create your program agent account, providing your business email, a valid phone number, D-U-N-S number, and Apple customer number or reseller ID. The customer number is obtained when a direct purchase is made from Apple. If you are purchasing from a reseller, verify that they participate in DEP; if they do, they will give you their reseller ID. An Apple ID is created using this email address, so the address you provide should not already be associated with another Apple ID.
  • Once you have entered all the details and clicked Next, an email containing the Apple ID, a temporary password and further enrollment steps will be sent to that address.
  • You will be prompted for two-step verification. Two-step verification adds security to your Apple ID so that unauthorized access to the account is prevented even if the password is compromised. A four-digit verification code will be sent by SMS; type this code in to verify your account.

Continue the enrollment process by providing information such as a verification contact, business or institution information, Apple Customer Number, DEP Reseller ID and DEP Customer ID. After you submit the application, Apple will review the information and notify you whether verification has completed.

When purchasing a device from Apple or a reseller, you need to add the customer number or reseller ID to your Apple DEP account. When a reseller ID is submitted you receive a DEP customer ID, which you provide to the reseller; the reseller uses it to submit information about your device purchases to Apple. Resellers can add devices purchased after 2011 to your DEP account.

Adding more Admins

Once enrollment is done, you can set up the corporate devices from deploy.apple.com:

  • Sign in to your account and select Device Enrollment Program.
  • At the top right corner you will see the admin. Clicking on it shows the organizational details, such as your reseller, your DEP customer ID, etc.
  • You can have multiple resellers. Click Admins in the sidebar to add more admins. Admins can be selected from the list and given the appropriate access for DEP or VPP.

The email address you provide for each admin must not already have an Apple ID associated with it.

Enrolling the MDM server with DEP

  • Select Device Enrollment Program from the sidebar to open the Manage Servers page. Add one or more MDM servers here by clicking Add MDM Server, give the server a name, and choose whether to automatically assign devices to it. If that option is selected, devices will be assigned to this MDM server automatically in the future; if you use multiple MDM servers, leave it unchecked.
  • After the MDM server is set up, click Next. Apple will now require you to upload the public key for the MDM server.
  • Download the public key from your MDM server and upload it in the DEP portal.
  • Click Next; the portal then has you download the server token for your MDM server.
  • Download the token and click Done.
  • Upload this server token in your MDM server, which enrolls the MDM with DEP.

Now in the DEP portal you can see your MDM server listed.

Adding devices for deploying

To add devices:

  • Click Manage Devices in the sidebar of the DEP portal. You can choose devices by serial number, by order number, or by uploading a CSV file.
  • Assign an MDM server to these devices.
  • Create a DEP profile in your MDM and apply it to the devices.

You can make MDM enrollment mandatory or optional, choose whether to supervise, allow pairing with other computers, decide whether the MDM profile can be removed, whether the device is for multiple users, etc. You can also select steps to be skipped during the initial setup of the device, and provide organization details and support contact details. Once the settings are saved, you can assign this policy to the devices; when a device is activated for the first time, these profile settings are applied automatically in the background.

List of Supervision features by iOS version


iOS 6


App Lock (Single App Mode)


It is a feature in supervised devices that forces the device to run a single app. While single app mode is enabled, the selected app will stay in the foreground. This is extremely useful in cases where the device is intended for a unique purpose.

For example:

  • Preventing students from leaving the exam screen.
  • Preventing the accidental app exit.
  • To prohibit access to any other apps by setting up a kiosk.
  • For providing kiosks for customers to browse the menu and place the order in a restaurant.

It disables hardware buttons and functions including:

  • Home button (except for triple click function)
  • Side switch (when used to lock screen rotations and mute system generated sounds)
  • Sleep/wake button

and many more. Single app mode also prevents services like notifications from communicating with the user.

Global HTTP Proxy


This feature lets you specify global HTTP proxy settings so that all HTTP traffic passes through the proxy, i.e. it forces all internet communication through a single global proxy server. This provides data security, since all communication is filtered through the global HTTP proxy.

Block iBookstore, iMessage


The iBookstore handles the sale and delivery of EPUB content. Disabling it on a supervised device prevents the user from accessing iBooks content.

iMessage is Apple’s built-in, free, internet-based instant messaging service, incorporated into the Messages app on iOS devices. iMessage can be used to send texts, documents, photos, videos, etc. over Wi-Fi or mobile data to other iOS or OS X users, and for most users with devices running iOS 5 or later it replaces ordinary messaging. In supervised mode this feature can be disabled.

Block Game Center


Game Center is a social gaming service for games on Apple’s platform; in Game Center you might see invites and other notifications. The app is part of the iOS operating system and, like all of Apple’s built-in apps, cannot be blocked unless the device is supervised. On an unsupervised device you can still disable game invites, friend requests, etc., but not the entire app.

iOS 7


Block AirDrop, AirPlay, etc.


AirDrop lets users wirelessly transfer data between devices in the immediate vicinity over a direct Wi-Fi connection. There is no limit on the size of the file AirDrop can transfer. Wi-Fi and Bluetooth must be enabled for AirDrop to recognize other devices, the other devices must also have AirDrop enabled, and the user at the receiving end must accept the transfer. This feature can be disabled only in supervised mode.

AirPlay streams audio, video, photos, etc., together with related metadata, between devices wirelessly. AirPlay cannot be disabled unless the device is in supervised mode.

Disallow Host Pairing


Restricts pairing of the iOS device with any host computer. If this box is unchecked, the device can pair with any workstation and sync with iTunes, iPCU, etc.; if checked, the device can only pair with the supervision host. Host pairing can be disabled only in supervised mode. When a device pairs with another computer it generates pairing records, which can be used to access your iPhone or iPad without your consent; in the hands of an attacker these pairing records can cause serious harm, depending on the data on the device. We can create profiles that disallow pairing with other Macs and non-Configurator hosts. Once that is done, generation of new pairing records is prevented.

Activation Lock Bypass


Activation Lock is a feature of the Find My iPhone app and is enabled automatically when Find My iPhone is turned on. Once it is enabled, the user’s Apple ID and password must be entered to turn off Find My iPhone, erase the device, or reactivate it. This makes the device more secure and improves the chances of recovery. It gives a little peace of mind in case the device is stolen, but it can also be a real pain if you forget the password or if the user of the device leaves the company without removing the activation lock.

In iOS 7.1 Apple introduced Activation Lock Bypass, which removes the activation lock from the device without requiring the user’s Apple ID and password. You can request a bypass code that overrides the activation lock and allows the iPad to be used again. When you have the bypass code, enter it in the password field and leave the Apple ID blank.

Autonomous Single App Mode


It allows apps to place themselves in single app mode during certain events, such as a testing app that prevents access to outside information; when the test is complete, the device is released from single app mode. Autonomous single app mode is the most effortless way of securing an iPad for assessment, as no invigilator is required. To use it the device must be supervised, and you need to create a configuration profile whose restrictions whitelist the apps that may use autonomous single app mode.

Web Content Filter


This feature limits websites with adult content and lets you blacklist any sites the enterprise does not want users to access. When enabled, it applies to any browser you use.

Set background & lock screen


Before iOS 7 it was impossible to set the background and lock screen on a supervised device. From iOS 7 both are possible using Apple Configurator 2 or an MDM.

Silent App Push 


Apps can be installed without user intervention using a feature called silent app push. It allows the IT department to install an app on a device via MDM without the user’s permission; once they push the app from the MDM, the app appears installed on the device. This works for apps from the iTunes App Store as well as for enterprise apps.

iOS 8


Always-On VPN


This mode forces applications to connect only through a specified VPN. It is designed for businesses and other organizations. After enabling it, the VPN is always active; if the VPN connection fails, the apps on the device cannot connect to the internet until it comes back up.

Prevent Cloud Sync  


Supervised mode can prevent managed applications from using cloud sync: an admin can restrict managed apps from backing up any data to iCloud, while personal, user-downloaded apps may still back up to the cloud.

Prevent Spotlight Internet results


Spotlight is an easy way to find almost anything on your iOS device, and it can also search the internet; it is accessible from the Home screen. On an unsupervised device this feature can only be controlled by unchecking apps in the Spotlight search list; you cannot block it as such. In supervised mode we can block all internet search results from “Spotlight Search”.

Prevent Handoff  


Handoff lets you transfer your activities between iPhone, iPad and Mac, so users can continue their work on different devices without any fuss. Handoff uses Bluetooth, and the transfer itself requires Wi-Fi, either directly or via iCloud. On a normal device Handoff can be enabled or disabled; in supervised mode, if the feature is disabled, the user cannot enable it.

Prevent Erase  


We can prevent a supervised iOS device from being wiped when setting the restrictions for the device, i.e. end users will not be able to erase the device. This is useful in school scenarios where the devices used by students are supervised.

Prevent Restrictions UI 


This option in supervised mode prevents users from enabling restrictions on the device themselves.

Prevent installation of Configuration Profiles by UI


Configuration profiles are XML files composed of settings such as passcode guidelines and functionality and configuration specifications for VPN, Wi-Fi, email, etc. These profiles allow systematic control of enterprise iOS devices. The IT department can distribute a configuration profile to devices for quick configuration. For example, cellular data settings can be configured on a device without entering all the information manually, by distributing a configuration profile containing the APN settings through a cellular carrier. A device supports more than one profile.

There are five ways to deploy configuration profiles:

  • Via email.
  • Using Apple configurator by connecting the device to a Mac.
  • Through a webpage link.
  • Using over-the air enrollment.
  • Using an MDM Server.

If a malicious person creates their own configuration profile files and distributes them, those profiles, once installed, could make the device use a malicious proxy or VPN, allowing the attacker to monitor the network, harm the device or misuse the data. Configuration profiles can also install certificates, and a malicious certificate could impersonate a secure website such as a bank’s.

Installation of additional configuration profiles can be blocked on enterprise-managed devices. If additional configuration profiles are installed, IT can remove them remotely if needed.
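The risk described above can be turned into a routine check. The following Python script is an added example (not code from this page, Hexnode or Apple): it parses an unsigned .mobileconfig with the standard library's plistlib and flags the payload types that reroute traffic or add trust anchors (global HTTP proxy, VPN, certificate payloads), then compares the issuing organization against the names IT expects. The sample profile, its organization name, proxy host and certificate bytes are constructed for the example; the PayloadType identifiers are the ones Apple documents and should be verified against the current Configuration Profile Reference. A signed profile is a CMS envelope around the same XML and would have to be unwrapped first.

```python
"""Audit an iOS configuration profile for payloads that can redirect traffic
or add trust anchors. Added example; assumes an unsigned XML profile."""
import plistlib

# PayloadType identifiers as documented by Apple (assumption: verify against
# the current Configuration Profile Reference before relying on them).
HIGH_RISK_PAYLOADS = {
    "com.apple.proxy.http.global": "Global HTTP proxy: all HTTP traffic is routed through it",
    "com.apple.vpn.managed": "VPN configuration: can carry all device traffic",
    "com.apple.security.root": "Root certificate: adds a new trust anchor",
    "com.apple.security.pkcs1": "Certificate (PKCS#1)",
    "com.apple.security.pkcs12": "Identity (PKCS#12)",
}


def audit_profile(profile_bytes, trusted_orgs):
    """Return who issued the profile, whether the user can remove it, and every
    payload that deserves review, with a verdict for the admin."""
    profile = plistlib.loads(profile_bytes)
    org = profile.get("PayloadOrganization", "")
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in HIGH_RISK_PAYLOADS:
            continue
        finding = {
            "identifier": payload.get("PayloadIdentifier", "<none>"),
            "type": ptype,
            "why": HIGH_RISK_PAYLOADS[ptype],
        }
        if ptype == "com.apple.proxy.http.global":
            # Record where the traffic would go, for the incident ticket.
            finding["server"] = f"{payload.get('ProxyServer')}:{payload.get('ProxyServerPort')}"
        findings.append(finding)
    trusted = org in trusted_orgs
    if not findings:
        verdict = "ok"
    elif trusted:
        verdict = "review"   # expected from our own IT, but worth a second look
    else:
        verdict = "remove"   # untrusted issuer reroutes traffic or adds trust
    return {
        "organization": org,
        "trusted_origin": trusted,
        "user_removable": not profile.get("PayloadRemovalDisallowed", False),
        "findings": findings,
        "verdict": verdict,
    }


# Constructed sample: a "free Wi-Fi" profile from an unknown organization that
# also installs a global proxy and a root certificate. Placeholder cert bytes.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.free-wifi",
    "PayloadUUID": "11111111-2222-3333-4444-555555555555",
    "PayloadDisplayName": "Free Wi-Fi Setup",
    "PayloadOrganization": "Example Corp",
    "PayloadRemovalDisallowed": False,
    "PayloadContent": [
        {
            "PayloadType": "com.apple.wifi.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.free-wifi.wifi",
            "PayloadUUID": "AAAAAAAA-0000-0000-0000-000000000001",
            "SSID_STR": "Free-WiFi",
            "AutoJoin": True,
        },
        {
            "PayloadType": "com.apple.proxy.http.global",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.free-wifi.proxy",
            "PayloadUUID": "AAAAAAAA-0000-0000-0000-000000000002",
            "ProxyType": "Manual",
            "ProxyServer": "proxy.example.invalid",
            "ProxyServerPort": 8080,
        },
        {
            "PayloadType": "com.apple.security.root",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.free-wifi.ca",
            "PayloadUUID": "AAAAAAAA-0000-0000-0000-000000000003",
            "PayloadContent": b"PLACEHOLDER-DER-CERTIFICATE-BYTES",
        },
    ],
})


if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE, trusted_orgs={"Acme IT"})
    print(f"issuer={report['organization']!r} trusted={report['trusted_origin']} "
          f"user_removable={report['user_removable']} verdict={report['verdict']}")
    for f in report["findings"]:
        print(f"  {f['identifier']}: {f['why']}" + (f" -> {f['server']}" if "server" in f else ""))
```

The Wi-Fi payload is deliberately left out of the findings: it is what the user expects to get, and it is the proxy and root-certificate payloads riding along with it that matter. On a fleet where "Prevent installation of Configuration Profiles by UI" is set, such a profile cannot be installed by the user in the first place; the audit is for devices where that restriction is not yet in place.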

iOS 9


Enhanced Blacklisting


Admins can enforce tighter restrictions on blacklisted apps: from iOS 9.3 onwards, a blacklisted app will not run on a supervised device, although it may still be downloaded.

Prevent News  


The News app is one of the apps that cannot be removed in iOS. On an unsupervised device you can only hide the app, not block it as such, and the user can always unhide it. In supervised mode the user will not be able to access the app.

Allow managed app installation exclusively  


Managed apps, as the name implies, are apps that are managed by the enterprise through an MDM. Enterprise apps and other purchased apps can be deployed as managed apps. Unlike standard apps, managed apps:

  • Do not back up their data.
  • Are removed when the MDM profile is removed.

Since the apps on the devices are managed, employees are free from worrying about app updates, installation or anything of that sort. Managed apps are controlled by the system manager and can be updated or removed by an administrator after installation. Managed apps allow an organization to distribute all kinds of apps over the air using MDM while providing security and privacy.

Prevent keyboard shortcuts


Shortcuts substitute for long or frequently used text (words, phrases, email addresses, etc.). Disabling the creation of shortcuts prevents misuse of this feature that could compromise the device.

Prevent passcode modification 


Prevents the user from adding, changing or removing the device passcode. On a normal device the passcode can be changed by tapping Touch ID & Passcode in Settings.

Prevent device name changes


Prevents users from renaming the device. On an unsupervised device the name can be changed easily in Settings.

Prevent wallpaper changes  


Normally the wallpaper can be changed in the device settings. In supervised mode this can be disabled so that no one is able to change the wallpaper.

Prevent automatic app downloads


Automatic app downloading is certainly easier than manual downloading, but if an unauthorized or faulty app gets distributed among the devices it can end in chaos. By preventing automatic app downloads, IT can verify the safety of apps before distribution.

Prevent changes to enterprise app trust  


Enterprise apps are apps that integrate all aspects of a firm’s operations. Apple’s Developer Enterprise Program helps create and distribute proprietary enterprise apps for iOS devices. These apps must be trusted before they can be used. Distribution is more secure when done using an MDM, and then requires no user interaction; users can also install these apps themselves from a website operated by their organization. In supervised mode the user cannot change the enterprise app trust settings, i.e. they cannot establish trust for a developer that is not the enterprise’s own.

Prevent Apple Music  


Apple Music is the music playing app on iOS devices. Normally Apple Music cannot be disabled; it can be disabled only in supervised mode.

Prevent Mail Drop  


Mail Drop is used to send large files through iCloud; you can send attachments up to 5 GB in size. This feature can be disabled in supervised mode only, and when it is disabled, files cannot be sent via Mail Drop.

Treat AirDrop as managed destination  


If AirDrop is treated as an unmanaged destination, managed apps such as Mail can’t share files or attachments through AirDrop.

Prevent pairing with a watch  


Apple Watch relies on a wirelessly connected iPhone for basic functions like calling and texting. If this setting is set to false, pairing with an Apple Watch is disabled, and any watch that is already paired will be unpaired.
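Most of the features in the list above are delivered to the device as keys of a single Restrictions payload (PayloadType com.apple.applicationaccess) inside a configuration profile, and a supervised-only key is silently ignored on an unsupervised device, which is how a fleet ends up believing AirDrop or host pairing is blocked when it is not. The following Python script is an added example (not code from this page, Hexnode or Apple): it builds such a profile for a supervised baseline, refuses to emit supervised-only keys for an unsupervised target, and reads the profile back to confirm what was written. The key names are the Restrictions keys corresponding to the features above and are an assumption to check against Apple's current Configuration Profile Reference; the identifiers and organization name are placeholders.

```python
"""Build a Restrictions profile for supervised devices and catch settings
that would do nothing on an unsupervised target. Added example."""
import plistlib
import uuid

# Restrictions keys that only take effect on supervised devices (assumption:
# names taken from Apple's Restrictions payload, verify against the current
# Configuration Profile Reference).
SUPERVISED_ONLY = {
    "allowAirDrop", "allowiMessage", "allowGameCenter", "allowBookstore",
    "allowHostPairing", "allowEraseContentAndSettings",
    "allowEnablingRestrictions", "allowUIConfigurationProfileInstallation",
    "allowSpotlightInternetResults", "allowManagedAppsCloudSync",
    "allowPasscodeModification", "allowDeviceNameModification",
    "allowWallpaperModification", "allowAutomaticAppDownloads",
    "allowEnterpriseAppTrust", "allowMusicService", "allowNews",
    "allowKeyboardShortcuts", "allowPairedWatch", "forceAirDropUnmanaged",
}


def ineffective_keys(settings, supervised):
    """Keys the device would accept but ignore because it is not supervised."""
    if supervised:
        return []
    return sorted(k for k in settings if k in SUPERVISED_ONLY)


def build_restrictions_profile(settings, supervised, org="Example Corp"):
    """Return an unsigned .mobileconfig (plist bytes) with one Restrictions
    payload. Raises instead of producing a profile that only looks enforced."""
    ignored = ineffective_keys(settings, supervised)
    if ignored:
        raise ValueError(f"supervised-only restrictions on an unsupervised target: {ignored}")
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.baseline.restrictions",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        **settings,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.baseline",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Supervised baseline",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,  # user cannot remove it from Settings
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def restrictions_in(profile_bytes):
    """Read the restriction keys back out of a profile (round-trip check)."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            return {k: v for k, v in payload.items() if not k.startswith("Payload")}
    return {}


# Constructed baseline mirroring the features described above: block AirDrop,
# iMessage, Game Center, host pairing, erase, profile installation from the UI,
# Spotlight internet results, iCloud sync for managed apps, passcode and name
# changes, enterprise app trust changes and watch pairing; AirDrop unmanaged.
SUPERVISED_BASELINE = {
    "allowAirDrop": False,
    "allowiMessage": False,
    "allowGameCenter": False,
    "allowHostPairing": False,
    "allowEraseContentAndSettings": False,
    "allowEnablingRestrictions": False,
    "allowUIConfigurationProfileInstallation": False,
    "allowSpotlightInternetResults": False,
    "allowManagedAppsCloudSync": False,
    "allowPasscodeModification": False,
    "allowDeviceNameModification": False,
    "allowEnterpriseAppTrust": False,
    "allowPairedWatch": False,
    "forceAirDropUnmanaged": True,
}


if __name__ == "__main__":
    blob = build_restrictions_profile(SUPERVISED_BASELINE, supervised=True)
    print(blob.decode())
    print("ignored on an unsupervised device:",
          ineffective_keys(SUPERVISED_BASELINE, supervised=False))
```

The profile this writes is unsigned; Apple Configurator or the MDM signs it before it reaches the device, and on a DEP-enrolled fleet the MDM would deliver the same keys as a managed restrictions payload rather than as a file. The check in ineffective_keys is the part worth keeping around: run it against the supervision status the MDM reports for each device before assuming a restriction is in force.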