What is iOS Supervised Mode? How do I activate Supervision?

Last updated May 2, 2022

What is Supervision?

Supervision, introduced by Apple in iOS 5, is a special mode that gives an administrator more control of a device. It is intended for institutionally-owned devices. iOS supervised mode now extends to iPadOS and tvOS, but for simplicity in this article, we use iOS broadly.

While SimpleMDM historically controlled devices owned by employees in a bring-your-own-device (BYOD) fashion, companies now frequently own the devices themselves. This introduces new opportunities for controlling the device with SimpleMDM that previously would have been overbearing for an employee-owned device.

What Does Supervision Allow For?

The following are examples of what’s possible under supervision:

  • Restrict access to apps
  • Filter web content
  • Configure home screen layouts
  • App lock (Single App Mode)
  • Activation lock bypass
  • Silent app installations
  • Enable Lost Mode
  • Push remote OS updates
  • Enable additional restrictions

For Apple’s current list of all supervised restrictions, please visit https://support.apple.com/guide/mdm/supervised-restrictions-mdm54960f92a/web

How To Activate Supervised Mode for iOS

A device can be placed in supervision in two ways. The best method depends on your deployment.

Note: Placing a device in supervision resets the device. All data and settings are erased. If you restore data from a backup after switching to supervised mode, the device will revert to the mode (supervised or unsupervised) it was in when the backup was made. Presumably, Apple does this to prevent companies from supervising employee-owned devices.

Supervise a Device with Apple Configurator

Apple Configurator is a macOS application. To supervise a device with Apple Configurator, you must have a macOS computer and a USB cable available. Each device must be connected to the computer, so this method works well for a few devices.

  1. Download the latest version of Apple Configurator. We used Apple Configurator 2.2 in this guide. https://apps.apple.com/us/app/apple-configurator-2/id1037126344
  2. Attach your iOS device to the computer using the USB cable
  3. Start Apple Configurator
  4. In the “All devices” view, click the iOS device
  5. Click “Prepare”
  6. Select “Manual” from the “Configuration” dropdown
  7. On the “Enroll in MDM Server” screen, optionally define an MDM server using your SimpleMDM enrollment URL
  8. On the “Supervise Devices” screen, ensure “Supervise devices” is checked
  9. Add the details of your company on the following screen if desired
  10. Generate a supervision identity when prompted (if you haven’t already)
  11. Click the “Prepare” button once you reach the end of the dialog boxes
  12. The device will prepare and reset

Supervise Devices using Automated Enrollment with Apple Business Manager (formerly Apple Device Enrollment Program (DEP))

Automated enrollment with Apple Business Manager is used to bootstrap new devices with a working configuration. For instance, automated enrollment can be used to automatically enroll devices in SimpleMDM when they are first unboxed and turned on. It can also place devices in Supervision mode automatically. This process is the way to go if your organization has a non-trivial number of devices that need to be placed under supervision.

More information on Apple automated enrollment/DEP is available here: Explained: The Apple Device Enrollment Program

To configure automated enrollment to supervise your new devices, complete the following steps from within SimpleMDM:

  1. Click “Enrollments” under the Devices heading
  2. Under the “Create Enrollment” dropdown, select “Automated Enrollment (DEP)”
  3. If you haven’t already, follow the instructions to pair SimpleMDM with your Apple Business Manager account
  4. Once paired, make sure “Place device in Supervised mode” is checked and click “Save”
  5. Associate your devices with the connected server in Apple Business Manager
  6. Activate your devices and connect them to the internet to complete enrollment

Once automated enrollment is configured, SimpleMDM automatically enables supervision on all devices enrolled from your Apple Business Manager account.
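
To confirm that supervision actually took effect after either method (for example, that a later restore from backup did not return a device to unsupervised), an administrator can check the IsSupervised value a device reports in an MDM DeviceInformation response. The Python below is an added example, not SimpleMDM's code; the sample responses, UDIDs and serial numbers are constructed, and how the responses are collected from your MDM server is assumed.

```python
import plistlib
from xml.parsers.expat import ExpatError


def _sample(udid, status="Acknowledged", **answers):
    """Build a constructed DeviceInformation response (not real device data)."""
    body = {"CommandUUID": "constructed-" + udid, "Status": status, "UDID": udid}
    if status == "Acknowledged":
        body["QueryResponses"] = answers
    return plistlib.dumps(body)


# Constructed sample input: one response per device.
SAMPLES = [
    _sample("UDID-0001", SerialNumber="SAMPLE0001", IsSupervised=True),
    _sample("UDID-0002", SerialNumber="SAMPLE0002", IsSupervised=False),
    _sample("UDID-0003", SerialNumber="SAMPLE0003"),  # key not reported
    _sample("UDID-0004", status="Error"),             # query failed
]


def supervision_state(raw):
    """Return (udid, state); state is supervised, unsupervised or unknown."""
    try:
        doc = plistlib.loads(raw)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return ("<unparseable>", "unknown")
    if not isinstance(doc, dict):
        return ("<unparseable>", "unknown")
    udid = doc.get("UDID", "<no UDID>")
    answers = doc.get("QueryResponses")
    # A failed or empty query proves nothing about the device's state.
    if doc.get("Status") != "Acknowledged" or not isinstance(answers, dict):
        return (udid, "unknown")
    flag = answers.get("IsSupervised")
    if flag is True:
        return (udid, "supervised")
    if flag is False:
        return (udid, "unsupervised")
    return (udid, "unknown")


def needs_attention(responses):
    """List every device that is not positively confirmed as supervised."""
    states = (supervision_state(raw) for raw in responses)
    return [(udid, state) for udid, state in states if state != "supervised"]


if __name__ == "__main__":
    for udid, state in needs_attention(SAMPLES):
        print(udid, state)
```

Treating a missing or failed answer as "unknown" rather than "supervised" keeps a device that never reported from passing the audit silently.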

Comments (49)

Yes. A device can be turned off, even when in single app lock and with buttons disabled, by holding down the lock and the home button at the same time for approximately 5 seconds. When the device is turned back on, the device will return to single app lock.

First time user of Simple MDM. Trying to push apps to new supervised devices and it's requiring me to sign in to iTunes using an existing or create a new Apple ID. I was under the impression that under supervised mode I would be able to push apps to devices without the user of the device needing to do anything.

Hi Jose- Supervision allows you to install apps to devices without asking the user for permission. You will still need to account for app licensing requirements.

If you have further questions, feel free to contact support@simplemdm.com. We’re here to help.

I purchased an iPad 4th generation 2 years ago from eBay.com, and yesterday I restored it, but when I set it up it looks like it is linked to Pearson Education Inc. (MDM), so I can't unlock my iPad again before it is unlinked. Please can you help me?

You will need to contact the seller of the device or Pearson Education and ask them to remove the device from their Apple DEP account.

You write “You will need to use Supervisor or add the device to a DEP account to un-supervise a device.” But in the article, you wrote “If you restore the data after switching to supervised mode, the device will reset to the mode (supervised or unsupervised) that the device was in during the backup. Apple does this presumably to prevent companies from supervising employee owned devices.” That’s confusing. Would restoring from an unsupervised backup take it out of supervised mode or not?

You will need to use Supervisor or add the device to a DEP account to un-supervise a device.

Supervisor and DEP are the two mechanisms available for changing the supervised state on a device. If you want to make an unsupervised device supervised or vice versa, you will need to use either Apple Configurator or DEP. The quote above is not meant to imply that using DEP will unsupervise the device by default, rather, that DEP can be used to remove the supervision if desired.

If you restore the data after switching to supervised mode, the device will reset to the mode (supervised or unsupervised) that the device was in during the backup. Apple does this presumably to prevent companies from supervising employee owned devices.

Apple provides additional clarification about this:

When you restore a backup that you made from the same device, it applies the supervision and management settings from the backup. If you restore a backup that you made from a different device, it applies the supervision and management settings that the Device Enrollment Program or Apple School Manager designates.

About Device Enrollment: If you restore from a backup while setting up an enrolled device

If the device is supervised and I restore it then enrol it with new/different Apple ID – the device will be unsupervised now or not?

Backups retain the supervision state. If you restore to a previous backup where the device was unsupervised, it will restore as unsupervised.

Is it possible to stop a user from entering their AppleID on the iPads using Apple Configurator 2?

Is it possible to allow users only access to specific apps? phone, messages, email, camera, photos and one 3rd party app?

Yes, supervised mode is set before the device enters the Setup Assistant screens. You may still need a SIM card to use the device.

I tried Simple MDM a while ago to solve this problem and was unsuccessful. I’ll try it again if you think the current version will do what I need.

I use Apple Configurator to lock an iPad in Single App Mode. I would like to be able to track the iPad’s location remotely and see its history. It only has WiFi, not a cell connection. The last time I tried it, Configurator Single App Mode kept other apps like SimpleMDM, Google Maps, and FollowMee from running in the background and letting me check the location remotely. FindMyPhone does work but only gives the current location and not the history when the iPad has a WiFi connection. I used to use Guided Access and FollowMee. But the behavior of Guided Access changed so that when the iPad’s battery runs down completely and is recharged, Guided Access doesn’t reopen automatically. Is there a way to use SimpleMDM to track the iPad’s location and history while locking it into a particular app at all times, not giving access to the home screen?

Hi Alan- You’ve accurately observed that iOS does not allow other apps to run in the background when a device is in single app mode. This is still the behavior. If you would like location tracking, you will either need to use MDM Lost Mode or the app in Single App Mode will need to provide the tracking functionality.

Our understanding is that devices will restart in Single App Mode when it is enabled. You mentioned Guided Access, which is similar in functionality to Single App Mode but is configured on the device itself instead of through MDM. Guided Access may have slightly different behavior. We recommend testing the scenarios you wish to use the device in, using the latest version of iOS, to be certain.

My organization owns two different DEP accounts and two different MDM solutions. We want to take phones deployed on DEP account and MDM solution “A” and move them to DEP account and MDM solution “B”. I had heard that was not possible. Is it possible and what are the steps in brief? Thanks.

Hi Jeff. Our recommendation is to:

  1. From within the Apple Business Manager interface (or Apple DEP portal), reassign the devices currently assigned to MDM server of solution “A” to the MDM server of solution “B”. This will not materially affect the devices themselves.
  2. Next, either initiate a wipe of the devices through MDM solution “A” or wipe them from the devices themselves. When they enter the Setup Assistant screens during first boot, they will enroll with MDM solution “B”.

If wiping the devices isn’t an option, proceed with step 1 and then, instead of wiping the devices, unenroll them from MDM solution “A”. Once this is completed, you can manually enroll them with MDM solution “B”. Third-party open-source tools exist, like UMAD, that encourage users to complete the DEP enrollment and/or User Approved MDM (UAMDM) steps if devices were enrolled manually instead of with DEP.

Thanks will give it a try as soon as I have a window of opportunity in the coming month and respond back.

Finally responding back. So we didn’t have to assign the device to the new MDM but just unassign it from the existing. Then we wiped the device and enrolled it as a supervised device in our new MDM. I think what was originally at issue was that Apple support told us we couldn’t do this, and we couldn’t when they told us that. That was back in 2018, though. But when we did this last year, it worked and everything was fine. I appreciate the help. 🙂

If I have used a DEP & MDM and given the device to an employee who has then logged into their own personal iCloud account, can I still completely wipe the phone without needing them to log out or visiting an Apple Store? Can I also wipe the phone completely remotely if they have left the business but still retain the device?

Hi Emily! Activation lock is the iOS feature that requires a user to remove their Apple ID before the device is truly “unlocked” for future use. If you’ve enrolled a device with SimpleMDM using DEP, activation lock is, by default, disabled. Even if a user has entered an Apple ID, you will still be able to wipe the device and use it without them needing to sign out. The wipe process will sign them out automatically.

If you are using a different vendor, your mileage may vary.

I’ve been creating a profile for the teachers’ iPads on Configurator 2 and I’ve come across a difficulty. When I’m going through the restrictions, I’ve allowed them to use passcodes so they can have emails; however, this seems to also allow them to go in and delete the profile. Or … have I missed a restriction that I should have ticked to stop this from happening? I have it so they can’t delete apps or install apps, as I want to manage this through Configurator 2, and I thought that would also stop them from deleting the profile as well?

Hi Robyn- If you are using SimpleMDM, this should not be an issue. Please contact technical support if this is the case. If you are using Apple Configurator without an MDM, you’ll want to seek help from Apple or another outlet.

Hi Kammy – The Apple MDM protocol does not directly enable a vendor or company to track what a user is searching for in any web browser within iOS. If a company configures a web proxy, they may be able to track web traffic, however, this does not directly relate to Supervised mode nor the Apple MDM protocol.

Does supervised mode allow for screen capture of device screens? Can I schedule this to happen intermittently or at desired set times?

Hi Curious – Supervision, and Apple MDM for that matter, do not currently support screen capture.

On step 4 of the DEP supervision method, a message above the checkbox says “These options are not configurable as of iOS 13 and macOS 10.15. They can be optionally configured for previous OS versions.”

On iOS 13+ devices, do these features still work and are just not customizable, or do they not work at all? I’m hoping the former, as that is quite a big feature to lose if it’s the other way around. TIA.

Hi Jack- As of iOS 13 and macOS 10.15, enrollment is forced, Supervision is forced, and the device cannot be unenrolled by the user.

Hi Matt- We are not familiar with the extent of Intune’s functionality. We suggest you contact Microsoft.

Can my social media activity and passwords be viewed and tracked on a supervised iPad with MDM? Can my internet activity?

Using MDM directly, no, this information cannot be tracked. Your company could, however, configure the device to send all traffic through a VPN or web proxy which would cause your traffic to traverse their systems. This could give them a primitive understanding of your activity (for instance, they could see which domains you are visiting).

Thanks! So they couldn’t see passwords or posts, just generally sites I visited? How might I check to see if they are routing traffic through a VPN or web proxy, please?

This is outside the scope of our product. We would generally suggest asking your employer for clarification.

When I use Apple Configurator 2 to enroll my iPad, the “supervise page” doesn’t show.
At the end of the process, my iPad is not supervised.
How can I supervise my device?

Hi Loic- If you are a SimpleMDM customer, please contact our support and we’ll be happy to help.

In simple terms, I am attempting to create supervised devices that come in assigned to ABM by the wireless provider. I did not assign or sync the phones prior to attempting enrollment and now the devices my users have are unsupervised. I have attempted a wipe, deleting the device and user in AirWatch (VMware) and each time I am unable to get the devices to become supervised. Not sure what step I may be missing. Any thoughts?

If the devices were not assigned to/synced with the MDM server at the time they went through Setup Assistant initially, then they would not have been pointed to the MDM service in order to initiate the Automated Enrollment process. The typical process to resolve this would be: 1. assign the devices to the MDM server in ABM (and sync it in your MDM, if needed), 2. wipe the devices again, and then 3. connect to the internet and complete Setup Assistant again – the Automated Enrollment process should kick in during setup once assigned to the server.
