What is iOS Supervised Mode? How do I activate Supervision?
Last updated May 9, 2019
What is Supervision?
Supervision was introduced by Apple in iOS 5 as a special mode that gives a SimpleMDM administrator more control of a device than is typically permitted. Supervised mode is intended to be used on devices that are institutionally-owned. Whereas many companies use SimpleMDM to control devices owned by employees in a bring-your-own-device (BYOD) fashion, some companies own the devices themselves and necessitate control of the device which would otherwise be considered overbearing.
What Does Supervision Allow For?
As of iOS 9.3, the following features are made available when a device is placed under supervision:
- App Lock (Single App Mode)
- Global HTTP Proxy
- Activation Lock Bypass
- Autonomous Single App Mode
- Web Content Filter
- Set background & lock screen
- Silent App Push
- Always-On VPN
- Allow managed app installation exclusively
Additionally, you can block/disallow:
- iBookstore
- iMessages
- Game center
- AirDrop
- AirPlay
- Host pairing
- Cloud Sync
- Spotlight internet results
- Handoff
- Erase
- Restrictions UI
- Installation of configuration profiles by UI
- News
- Keyboard shortcuts
- Passcode modifications
- Device name changes
- Wallpaper changes
- Automatic app downloads
- Changes to enterprise app trust
- Apple Music
- Mail Drop
- Pairing with a watch
How To Activate Supervised Mode for iOS
There are two ways that a device can be placed in supervision. The best method to use depends upon your deployment.
Note: Placing a device in supervision will result in the device being completely reset. All data and settings will be deleted. If you restore the data after switching to supervised mode, the device will reset to the mode (supervised or unsupervised) that the device was in during the backup. Apple does this presumably to prevent companies from supervising employee owned devices.
Supervise a Device with Apple Configurator
Apple Configurator is a macOS application. To supervise a device with Apple Configurator, you must have a macOS computer and USB cable available. Each device that is to be supervised will need to be connected to the computer. This is a good method if you have just a few devices to supervise, or, you can’t use the other method for some reason.
- Download the latest version of Apple Configurator. We’re using Apple Configurator 2.2 in this guide. https://itunes.apple.com/us/app/apple-configurator-2/id1037126344?mt=12
- Attach your iOS device to the computer using the USB cable.
- Start Apple Configurator.
- In the “All devices” view, click the iOS device.
- Click “Prepare”
- Select “Manual” from the “Configuration” drop down
- On the “Enroll in MDM Server” screen, optionally define an MDM server using your SimpleMDM enrollment URL.
- On the “Supervise Devices” screen, make sure that the checkbox next to “Supervise devices” is checked.
- Add the details of your company on the following screen if desired.
- Generate a supervision identity when asked to do so if you haven’t already.
- Click the “Prepare” button once you reach the end of the dialog boxes.
- The device will be prepared and reset.
Supervise Devices using Apple Device Enrollment Program (DEP)
Apple has a program called the Device Enrollment Program (DEP) which is used to bootstrap brand new devices with a working configuration. For instance, DEP can be used to automatically enroll devices in SimpleMDM when they are first unboxed and turned on. It can also be used to place devices in Supervision mode automatically. This process is the way to go if your organization has a non-trivial number of devices that need to be placed under supervision.
More information on Apple DEP is available here: Explained: The Apple Device Enrollment Program
To configure DEP to supervise your new devices, complete the following steps from within SimpleMDM:
- Click “Devices”, then click the “Enrollments” sub-menu option and select the “Apple DEP” tab.
- If you haven’t already, pair SimpleMDM with your Apple DEP account
- Once paired, make sure “Place device in Supervised mode” is checked and click “Save”
SimpleMDM will automatically update your DEP account so that all future devices are set to be supervised. Simply turn on any devices registered in your DEP account. During boot, they will communicate with Apple DEP and switch to supervised automatically.
Comments (26)
Leave a Reply
Start your 30-day free trial of SimpleMDM
Start My Free TrialTest-Drive SimpleMDM Right Now. No Credit Card Required.
Start My Free Trial
Is it possible to turn off the device when in supervised, single app lock?
Yes. A device can be turned off, even when in single app lock an with buttons disabled by holding down the lock and the home button at the same time for approximately 5 seconds. When the device is turned back on, the device will return to single app lock.
Is it possible to take off supervised mode without apple configurator
Hi Arnas! You will need to use Supervisor or add the device to a DEP account to un-supervise a device.
First time user of Simple MDM , Trying to push apps to new supervised devices and it s requiring me to sign in to ITunes using a existing or create new apple I.D. I was under the impression that under supervised mode i would be able to push apps to devices w/o the the user of the device not needing to do anything
Hi Jose- Supervision allows you to install apps to devices without asking the user for permission. You will still need to account for app licensing requirements.
Here is a helpful article on the Apple Volume Purchase Program (VPP) which will help you avoid the Apple ID prompt: https://support.simplemdm.com/knowledgebase/articles/1132102-4-managing-app-licenses
If you have further questions, feel free to contact support@simplemdm.com. We’re here to help.
I purchase ipad 4th generation last 2 years ago from Ebay .com and yesterday i restored but when i setup look like linked to pearson education inc.( MDM ) so i cant unlock my ipad again before unlinked so please can u help me .
You will need to contact the seller of the device or Pearson Education and ask them to remove the device from their Apple DEP account.
if i am using a supervised ipad can someone view my photos
Supervision does not currently grant an MDM access to the Photo app data.
You write “You will need to use Supervisor or add the device to a DEP account to un-supervise a device.” But in the article, you wrote “If you restore the data after switching to supervised mode, the device will reset to the mode (supervised or unsupervised) that the device was in during the backup. Apple does this presumably to prevent companies from supervising employee owned devices.” That’s confusing. Would restoring from an unsupervised backup take it out of supervised mode or not?
Supervisor and DEP are the two mechanisms available for changing the supervised state on a device. If you want to make an unsupervised device supervised or vice versa, you will need to use either Apple Configurator or DEP. The quote above is not meant to imply that using DEP will unsupervise the device by default, rather, that DEP can be used to remove the supervision if desired.
Apple provides additional clarification about this:
About Device Enrollment: If you restore from a backup while setting up an enrolled device
Is it possible to stop a user from entering their AppleID on the iPads using Apple Configurator 2?
Is it possible to allow users only access to specific apps? phone, messages, email, camera, photos and one 3rd party app?
Yes, SimpleMDM supports this. Please see our post on app restrictions: Block/Hide Any iOS App
Is it possible to supervise a device without sim card (using configurator 2)?
Yes, supervised mode is set before the device enters the Setup Assistant screens. You may still need a SIM card to use the device.
I tried Simple MDM a while ago to solve this problem and was unsuccessful. I’ll try it again if you think the current version will do what I need.
I use Apple Configurator to lock an iPad in Single App Mode. I would like to be able to track the iPad’s location remotely and see its history. It only has WiFi, not a cell connection. The last time I tried it, Configurator Single App Mode kept other apps like SimpleMDM, Google Maps, and FollowMee from running in the background and letting me check the location remotely. FindMyPhone does work but only gives the current location and not the history when the iPad has a WiFi connection. I used to use Guided Access and FollowMee. But the behavior of Guided Access changed so that when the iPad’s battery runs down completely and is recharged, Guided Access doesn’t reopen automatically. Is there a way to use SimpleMDM to track the iPad’s location and history while locking it into a particular app at all times, not giving access to the home screen?
Hi Alan- You’ve accurately observed that iOS does not allow other apps to run in the background when a device is in single app mode. This is still the behavior. If you would like location tracking, you will either need to use MDM Lost Mode or the app in Single App Mode will need to provide the tracking functionality.
Our understanding is that devices will restart in Single App Mode when it is enabled. You mentioned Guided Access, which is similar in functionality to Single App Mode, however is configured on the device itself instead of MDM. Guided Access many have slightly different behavior. We recommend testing the scenarios you wish to use the device in, using the latest version of iOS, to be certain.
Is it possible to supervide an iPad over the air (without USB cable?)
Hi Max- Yes, this is possible if you utilize the Apple Device Enrollment Program (Apple DEP). This program allows businesses to configure devices as supervised when they are initialized for the first time. More information on Apple DEP is available, here: Explained: The Apple Device Enrollment Program
My organization owns two different DEP accounts and two different MDM solutions. We want to take phones deployed on DEP account and MDM solution “A” and move them to DEP account and MDM solution “B”. I had heard that was not possible. Is it possible and what are the steps in brief? Thanks.
Hi Jeff. Our recommendation is to:
If wiping the devices isn’t an option, proceed with step 1 and then, instead of wiping the devices, unenroll them from MDM solution “A” instead. Once this is completed, you can manually enroll them with MDM solution “b”. Third party open-source tools exist, like UMAD, that encourage users to complete the DEP enrollment and/or User Approved MDM (UAMDM) steps if devices were enrolled manually instead of with DEP.
Thanks will give it a try as soon as I have a window of opportunity in the coming month and respond back.
If I have used a DEP & MDM and given the device to an employee who has then logged into their own personal iCloud account, can I still completely wipe the phone without needing them to log out or visiting an Apple Store? Can I also wipe the phone completely remotely if they have left the business but still retain the device?
Hi Emily! Activation lock is the iOS feature that requires a user to remove their Apple ID before the device is truly “unlocked” for future use. If you’ve enrolled a device with SimpleMDM using DEP, activation lock is, by default, disabled. Even if a user has entered an Apple ID, you will still be able to wipe the device and use it without them needing to sign out. The wipe process will sign them out automatically.
If you are using a different vendor, your mileage may vary.