This article details supervision for iOS devices, how to ensure devices are supervised, and the limitations of unsupervised iOS devices under mobile device management.
Please note: Within this article "iOS" refers to iOS on iPhone and iPod Touch, iPadOS on iPad and tvOS on Apple TV.
What is supervision?
Supervision is a enrolment state an iOS device can be configured to which provides much greater control by a management solution or mobile device management (MDM), such as datajar.mobi.
It is intended to be used for institutionally-owned devices, and is one method an institution may use to prove that they own a device.
Supervised enrolments are intend to provide large amounts of control to institutions. Unsupervised enrolments are intended to provide enablement instead of provide control.
How do I make sure my devices are supervised?
There are two primary methods to supervising an iOS device:
Apple Configurator 2
Supervision via Apple Configurator 2 is a tethered enrolment, requiring the iOS device to be connected to a Mac computer running Apple Configurator 2 every time it needs to be enrolled. Due to this, it can be considered more restrictive and difficult to carry out.
Automatic Device Enrolment
Supervision via Automatic Device Enrolment (ADE, previously known as DEP) utilises either the Apple Business Manager or Apple School Manager portals to push devices to a management solution during the initial setup. As a result, the devices can be enrolled as supervised fully "over-the-air", without the use of a second device.
What are the management limitations with unsupervised iOS devices?
Enrolling a device in an unsupervised state is intended to provide enablement and not control, and as a result there are limitations on what can be achieved and controlled on an unsupervised device. Please see below:
- Supervised devices can have App deployments happen silently in the background. Unsupervised devices will display a confirmation message for each App that is being deployed.
- Supervised devices can have App updates for in-use Apps installed in the background once closed. Unsupervised devices will display a confirmation message if the App is in use.
- Supervised devices can take control and manage App settings silently. Unsupervised devices will display a confirmation message for each locally installed App the system is trying to manage.
The following list of controls require the iOS device to be enrolled and supervised:
- Block use of Camera
- Block FaceTime
- Force allow AirPlay screen observation via Classroom
- Force allow AirPlay screen observation via Classroom without prompting
- Block incoming AirPlay Request
- Block pairing of TV with Remote app
- Block AirDrop
- Block Messages
- Block Siri while a device is locked
- Block user-generated content in Siri
- Force enable Profanity filter assistant
- Block new devices setup proximity prompt
- Block iCloud backup
- Block iCloud documents & data
- Block erase all content and settings
- Block adding VPN configurations
- Force allow Classroom can lock student devices or apps without prompting
- Force require Teacher permission to leave Classroom unmanaged classes
- Force automatically join Classroom classes without prompting
- Block installing configuration profiles
- Block modifying account settings
- Block modifying Bluetooth settings
- Block modifying cellular plan
- Block modifying cellular data app settings
- Block modifying eSIM settings
- Block Find My Device
- Block Find My Friends
- Block modifying Find My Friends settings
- Block modifying notifications settings
- Block Screen Time
- Block modifying wallpaper
- Block modifying personal hotspot settings
- Block pairing with no-supervision configured host
- Block near Field Communication (NFC)
- Block modifying diagnostics settings
- Block modifying passcode
- Block modifying Touch ID/Face ID
- Block password AutoFill
- Force require Touch ID or Face ID authentication before AutoFill
- Force require AirDrop Passwords
- Block proximity based password sharing requests
- Block pairing with Apple Watch
- Block connection to unmanaged Wi-Fi networks
- Block Wi-Fi power off
- Block AirPrint
- Block AirPrint to destinations with untrusted certificates
- Block discovery of AirPrint printers using iBeacons
- Block storage of AirPrint credentials in Keychain
- Block keyboard shortcuts
- Block QuickPath keyboard
- Block Auto-correction
- Block Spell-check
- Block definition lookup
- Block dictation
- Force allow USB restricted mode
- Block USB drive access in Files app
- Block network drive access in Files app
- Block modifying device name
- Force automatic date and time
- Force software update deferral
- Block device sleep
- Block App Clips
- Block installing apps using App Store
- Block automatic app downloads
- Block removing apps
- Block iTunes Store
- Block Book Store and Audiobooks in the Books app
- Block Apple Music
- Block Apple Music Radio
- Block News
- Block Podcasts
- Block Game Center
- Block multiplayer gaming
- Block adding Game Center friends
- Block use of Safari
- Block Safari AutoFill
- Block Safari fraud warning
- Block Safari deprecated WebKit TLS 1.0/1.1 in Safari
- Block Safari pop-ups
- Block / force allow Safari Cookies
- Block use of certain Apps
- Force autonomous Single App Mode
- Block playback of explicit music, podcasts, and iTunes
- Filter Web Content
- Force Global HTTP Proxy
- Configure home screen layouts
- Configure home screen / lock screen wallpapers
- Prevent device unenrolment
- Block / force allow App Notifications
- Force always on VPN
The following list of commands and actions require the iOS device to be enrolled and supervised:
- Collect activation lock bypass codes
- Enable Lost Mode
- Deployment of iOS updates
For more information on supervision on iOS, consult the below Apple Support articles for reference:
- Apple | Supervision of Apple devices
- Apple | Get started with a supervised iPhone, iPad, or iPod touch
- Apple | Supervised restrictions for iPhone and iPad devices
Need further support?
Automate. Simplify. Succeed. If you still require assistance with us or have any further questions, please raise a ticket with our support team.
Alternatively, please see our frequently updated knowledge base articles for reference.