Device supervision is a crucial aspect of managing Apple in the enterprise, but it’s essential to understand what it’s good for, what its limits are, and how to ensure you get a deployment started on the right foot.
About Apple @ Work: Bradley Chambers has been managing an enterprise IT network since 2009. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise grade Wi-Fi, 100s of Macs, and 100s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, stories from the trenches of IT management, and ways Apple could improve its products for IT departments.
Supervision gives organizations control over the iOS devices they own and manage. With device supervision, you can apply additional restrictions like turning off AirDrop or disabling the App Store. Supervision can only be turned on when a device is being set up as new. If you want to supervise an existing device, it must be wiped ahead of time.
By default, an iPhone or iPad isn’t supervised. Supervision can only be turned on when you set up a new device. If your iPhone, iPad, or iPod touch isn’t supervised now, your administrator needs to erase your device to set up supervision completely. Most organizations will typically supervise their devices through their mobile device management system using the device enrollment program through Apple School Manager or Apple Business Manager. Still, some organizations with limited devices might use a program like Apple Configurator or iMazing to supervise locally. Apple Configurator is only available for macOS, so for Windows users, iMazing is the only option.
In my opinion, it’s vital to supervise all of the devices an organization owns and manages. The only reason not to use supervision is a bring-your-own-device program, where employees enroll their own iOS devices to gain access to corporate resources like a secure Wi-Fi network or in-house corporate applications. If your company has supervised your device and you see a notification that it can monitor your location, rest assured the only time they have access to your location is if the device is put into ‘Lost Mode’.
The primary reason I recommend a supervision-only model is the additional controls it gives you when managing iOS devices. When a device is supervised, you can restrict access to certain default apps, disallow USB device connections, disable AirDrop, force Bluetooth on, force Wi-Fi on, and much more. On Apple’s support website, there is a detailed list. One key thing for device supervision is that it prevents users from doing a factory reset of the device without putting it in DFU mode. If the device is supervised using Apple School/Business Manager, a DFU’d iOS device will be forced to re-enroll into the MDM once it activates. This feature makes for a great theft deterrent, as the devices are useless without enrolling back into the MDM and can be located.
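To see which settings in a restrictions profile depend on supervision, the sketch below (an added example, not from the original article or from Apple) parses an unsigned .mobileconfig and lists the supervised-only keys it sets. The key set is a partial list chosen for illustration, and the sample profile, its identifiers and UUIDs are constructed placeholders.

```python
import plistlib

# Restriction keys (payload type com.apple.applicationaccess) that iOS applies
# only on supervised devices. Deliberately partial; Apple's published
# restrictions list is the authority.
SUPERVISED_ONLY = {
    "allowAirDrop",
    "allowAppInstallation",
    "allowBluetoothModification",
    "forceWiFiPowerOn",
}


def build_sample_profile() -> bytes:
    """Constructed sample profile; identifiers and UUIDs are placeholders."""
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "com.example.restrictions",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "allowAirDrop": False,          # disable AirDrop
        "allowAppInstallation": False,  # disable the App Store
        "forceWiFiPowerOn": True,       # force Wi-Fi on
        "forceEncryptedBackup": True,   # does not depend on supervision
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def supervised_only_settings(profile_bytes: bytes) -> dict:
    """Return the restriction settings that need supervision to take effect."""
    profile = plistlib.loads(profile_bytes)
    found = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # only the restrictions payload is of interest here
        for key, value in payload.items():
            if key in SUPERVISED_ONLY:
                found[key] = value
    return found


if __name__ == "__main__":
    settings = supervised_only_settings(build_sample_profile())
    for key, value in sorted(settings.items()):
        print(f"{key} = {value}: requires supervision")
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before plistlib can read it.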
Wrap up on device supervision
I highly advise all businesses and schools to supervise their company-owned devices. When possible, pair it with Apple School/Business Manager and use the device enrollment program. It offers a zero-touch deployment model, so rollout is even faster. If you have just a handful of devices to set up, check out iMazing (especially on Windows) or Apple Configurator to supervise locally.