Abstract: This article gives you a quick overview of Apple's Supervised Mode for iOS Mobile Device Management (MDM), its benefits and how to implement it.
Apple is moving more and more iOS MDM features to "supervised only", meaning that non-supervised iOS devices will become less and less manageable. For companies and organizations that use the Device Enrollment Program (DEP), Apple even recommends supervising all devices by default.
By default, all iOS devices run in non-supervised mode. There are only two methods to make a device supervised: enrolling it through DEP, or putting it into supervised mode with Apple Configurator 2 (see below).
In an enterprise context, this makes DEP the only viable way to make devices supervised. DEP is also the only way to make an MDM enrollment mandatory and non-deletable, which is a requirement for many use cases.
Apple's DEP program is a great technology that makes the administrator's life so much easier. You can register for DEP by going to the Apple DEP Portal; a new Apple ID is created during the process. This Apple ID has to have two-factor authentication enabled and can also be used to join the Volume Purchase Program (VPP) (learn more about Apple IDs and Apple VPP in our other insight here). Once you log into the DEP portal, you can specify and connect your MDM server as well as your DEP customer ID.
From that point on, devices purchased under the DEP program automatically show up in your MDM solution, with no manual enrollment process required. You can distribute the ordered devices to your users without any IT personnel touching them (the devices!) first. As soon as the user switches the new device on for the first time, it gets enrolled in your MDM solution.
A factory reset of a DEP-enrolled iOS device: MDM enrollment was configured to be mandatory, so the user has no choice here.
Apple is deprecating, on non-supervised devices, more and more MDM restrictions and other configurations that are useful in enterprise scenarios. Here are some examples of restrictions that will work only on supervised devices in the next iOS version:
This list is expected to grow with each new iOS release, so it is definitely a good idea to start using supervised mode as soon as possible.
Settings of a supervised iOS device enrolled in an MDM: there is no option for the user to remove the MDM profile.
If your iOS devices are DEP registered, you can specify supervision in the DEP profile in your MDM solution. If not, you can make them supervised with Apple Configurator 2. Starting with iOS 11, Apple also allows you to add a non-DEP device to DEP using the same Apple Configurator (version 2.5 and higher). The process is almost the same; there is just one more box to tick, and there is a 30-day grace period during which the user can remove the DEP assignment from the device. This is intended as a security measure so that devices cannot be "hijacked" by unauthorized people.
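The DEP profile is where the settings this article recommends are actually expressed: supervision, a mandatory enrollment, and a non-removable MDM profile. The following is an added example, not code from the original article or from any MDM vendor. It builds a DEP profile and lints it for those three settings. The field names (`is_supervised`, `is_mandatory`, `is_mdm_removable`, `await_device_configured`, `url`, `profile_name`, `department`) are those of Apple's DEP web-service "Define Profile" request; the MDM URL and organization name are constructed placeholders. Note that Apple's defaults for the three flags are the weak ones (not supervised, not mandatory, removable), so a profile that simply omits them is flagged.

```python
import json

# Field names follow Apple's DEP web-service "Define Profile" request (POST /profile).
# Apple's defaults for these three flags are the weak ones: is_supervised=false,
# is_mandatory=false, is_mdm_removable=true. The article recommends the opposite.
REQUIRED_SETTINGS = {
    "is_supervised": True,      # device comes up in supervised mode
    "is_mandatory": True,       # Setup Assistant cannot skip MDM enrollment
    "is_mdm_removable": False,  # no option in Settings to remove the MDM profile
}

# Apple's documented defaults, used when a key is missing from the profile.
APPLE_DEFAULTS = {"is_supervised": False, "is_mandatory": False, "is_mdm_removable": True}


def build_dep_profile(mdm_url, org_name, supervised=True, mandatory=True, removable=False):
    """Return a DEP profile dict. mdm_url and org_name are placeholders chosen by the caller."""
    return {
        "profile_name": f"{org_name} default enrollment",
        "url": mdm_url,                   # the MDM server's enrollment URL
        "is_supervised": supervised,
        "is_mandatory": mandatory,
        "is_mdm_removable": removable,
        "await_device_configured": True,  # hold Setup Assistant until the MDM releases the device
        "department": org_name,
    }


def lint_dep_profile(profile):
    """Return a list of findings where the profile leaves the device less manageable
    than recommended. Missing keys are evaluated with Apple's documented defaults."""
    findings = []
    for key, wanted in REQUIRED_SETTINGS.items():
        actual = profile.get(key, APPLE_DEFAULTS[key])
        if actual != wanted:
            findings.append(f"{key}={json.dumps(actual)} (want {json.dumps(wanted)})")
    url = profile.get("url", "")
    if not url.startswith("https://"):
        findings.append("url must be an https:// MDM enrollment URL")
    return findings


if __name__ == "__main__":
    # Constructed sample: mdm.example.com and "Example Corp" are placeholders.
    good = build_dep_profile("https://mdm.example.com/enroll", "Example Corp")
    weak = build_dep_profile("https://mdm.example.com/enroll", "Example Corp",
                             supervised=False, mandatory=False, removable=True)
    print(json.dumps(good, indent=2))
    print("good profile findings:", lint_dep_profile(good))
    print("weak profile findings:", lint_dep_profile(weak))
```

Running the linter against every DEP profile your MDM defines is a cheap way to catch a profile that was created with the defaults and therefore produces devices the user can simply un-enroll.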