iOS Supervised Mode

Last Updated: 01/02/2021

This article investigates iOS supervised mode and the functionality it can bring. Supervised mode has a direct impact to MDM (Mobile Device Management) and for the purposes of this article I have referenced Microsoft Intune as the example MDM provider. Please note that supervised mode and some of the methods listed within will be applicable to other MDM providers. Please check with your MDM provider to validate features when using Supervised mode and the enrolment methods listed.

What is Supervised Mode?

Supervision or Supervised mode was introduced by Apple in iOS 5. It’s a mode that gives an administrator more control of the device. It is intended for corp owned devices rather than personally owned devices. Supervision is generally not carried out on user owned devices that are used for work (BYOD). Supervision effectively unlocks more options for organisations needing to control devices, it therefore goes hand in hand with Mobile Device Management (MDM) as it will extend the options and capability of the MDM solution.

What can we do with Supervised Mode?

The following key points can be achieved with Supervision (This is not an exhaustive list):

• Advanced Control of apps (Including, but not limited to:)
  • Disabling and hiding of the iTunes store
  • Restricting users from removing apps
  • Silent app installation
  • Configuring App placement and Home Screen Layout
• Single App Mode/Kiosk mode – Device boots up and loads a single app.
• Activation Screen Bypass – Initial screen when setting up a new device can be bypassed.
• Enable Lost Mode – This differs to Find my iPhone and will lock the device and display a message, as well as relaying location data to the MDM tool (if supported).
  • More info on Lost Mode with Intune: https://docs.microsoft.com/en-us/mem/intune/remote-actions/device-lost-mode
• Control over OS update delay
  • https://support.apple.com/en-gb/guide/mdm/mdm02df57e2a/web
  • Combining Intune into the mix allows you to force updates on iOS/iPadOS. https://docs.microsoft.com/en-us/mem/intune/protect/software-updates-ios
• Enable a number of MDM additional restrictions
  • For a full list of restrictions that can be set with Supervised mode and MDM, visit:

https://support.apple.com/en-gb/guide/mdm/mdm54960f92a/web

How to configure Supervision

There are 2 key ways of putting a device into Supervised mode, which method is used will depend on the circumstance and requirement. (Mainly how many devices need to be put into supervised mode).

The first way is to use Apple Configurator (which is a macOS application) which of course requires a Mac book to use. To supervise the device you will need to connect the device to the mac via USB and prepare the device. Each device that needs to be supervised will need to be connected. This method is good if you have a few devices or existing devices outside of DEP/ABM. In any case it is manual as each device will need to be connected to Apple Configurator  and configured to Supervised mode.

Please note with this method, placing a device in supervised mode will reset the device to its factory settings. Exercise caution when backing up the device too, there are a number of articles that suggest that if you restore a backup taken from a unsupervised device to a supervised device, this will switch it back to an unsupervised device. I haven’t tested this as of yet.

The next method is more around automated enrolment for new devices. This is done via Apple Business Manager (ABM), formerly known as Device Enrolment Program (DEP). Please note that a number of MDM tools will still refer to this as DEP.

By using Apple Business Manager, you can bootstrap new devices with a supervised configuration. What this will result in is when a device is unboxed and powered on by a user, it will automatically enrol to an MDM provider of your choice, as well as becoming configured in supervised mode already. Additionally, it will bypass the need for the user to require an Apple ID to initialise the device (as if this is a corporate device, we do not want users to use there personal Apple ID).

This method is best used when there are a larger number of mobile devices within your organisation, as well as just taking away the overhead of using Apple Configurator. 

Additional Information

Here are a few reference articles from both Apple and Microsoft that compliment this article: 

Getting Started Guide for Apple Business Manager: https://www.apple.com/business/docs/site/Apple_Business_Manager_Getting_Started_Guide.pdf

Apple Configurator 2 User Guide: https://support.apple.com/en-gb/guide/apple-configurator-2/welcome/mac

DEP/ADE Intune Guide (Including setup steps): https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-program-enroll-ios

Apple Configurator with Intune guide: https://docs.microsoft.com/en-us/mem/intune/enrollment/apple-configurator-enroll-ios

Summary

Hopefully this guide has provided insight into what Supervised mode is and what it can be used for. As a general recommendation, I would use Apple Configurator for testing (assuming you have a Mac to hand) but would highly recommend the use of DEP/ABM for a more hands off implementation of supervised mode.

Additionally, one of the key reasons of using supervised mode is to control the iOS updates and not have this in the hands of the user. Some organisations that need to remain compliant will need to rollout updates in a set time frame.

Thank you for reading, please leave a comment below if you have any feedback or suggestions.