What most administrators don’t realize is that by “default” what you can control on the Apple iOS devices is very limited out of the box. Large enterprises get around this by using Mobile Device Management (MDM) platforms, like Mosyle.
Unfortunately, the idea of an MDM for smaller organizations limited with funding, individuals or non-profits is not within reach. The good news is there is an alternative, and it’s the same technology that these MDM’s are built on – Apple Configurator.
As the name implies, the Apple Configurator allows you to enable and disable features you might otherwise be unfamiliar with. For instance, if you want to disable the ability to use a VPN on a device, this is the best way to do it. Or maybe limit what a user can do in their network settings, this is where you would do it.
Supervised vs Unsupervised Mode
Before you begin, let’s take a minute to touch on the differences of Supervised vs Unsupervised Mode. Unsupervised mode gives you limited control, while Supervised mode gives you full control. We recommend supervised mode where possible, but below is a table to help think through the differences:
|Supervised Devices||Unsupervised Devices|
|Devices can be protected against Factory Reset||Devices can be Factory Reset anytime|
|Airdrop can be restricted||Airdrop cannot be restricted|
|Individual Apple iDs not needed for enrollment||Each device needs an Apple iD for enrollment|
|Unenrollment from MDM is not possible||Unenrollment from MDM is possible|
|Silent App installation is possible||App installation requires user confirmation|
|Web content can be filtered||Web content cannot be filtered|
|App notifications can be controlled||App notifications cannot be filtered|
|The device can be run in Kiosk mode||The device cannot be run in Kiosk mode|
|TouchID can be restricted||TouchID cannot be restricted|
|iMessage can be restricted||iMessage cannot be restricted|
|Screentime can be restricted||Screentime cannot be restricted|
|Homescreen wallpaper and lock screen message can be configured by Admin||User can customize Homescreen wallpaper and lock screen message|
|Global HTTP Proxy can be configured||Global HTTP Proxy cannot be configured|
|Game Center Access can be controlled||Game Center Access cannot be controlled|
How To Configure iOS Devices in Supervised Mode
Warning: This procedure will erase the iOS device.
The following steps can be used with any iOS device. This example will use an iPad.
Special thanks to our customer, Daniel Markarian, for taking the time to document and share the process. If you have content ideas and want to get them added to the forum, please send them to firstname.lastname@example.org
0. Disable Find My iPad on your iOS device.
1. Install and launch Apple Configurator 2 on a Mac.
2. Attach iOS device to Mac.
3. Tap [Trust] on our iOS device.
4. Click on iOS device in Apple Configurator 2.
5. Select [Prepare…] under Actions menu.
6. Enable Supervise devices. Click [Next].
7. Do not enroll in MDM. Click [Next].
8. Select New Organization… Click [Next].
9. Do not sign in. Click [Skip].
10. Enter Name of your family / organization. This Name will later be shown in Settings on the iOS device as “This [device] is supervised and managed by My Family.”
11. Select Generate a new supervision identity. Click [Next].
12. Show all steps. Click [Prepare].
13. Enter the password for your Mac.
14. If prompted, Click [Erase].
15. Wait for Apple Configurator 2 to erase your iOS device.
16. Wait for Apple Configurator 2 to activate Supervised Mode on your iOS device.
Frequently Asked Questions
Q. What if I already have applications and data on my iPad? Can I back up my iPad, prepare the iPad in Supervised Mode, and then restore my iPad from backup?
Sadly, no. It is not clear to me whether this is intentional on the part of Apple, or a bug, but the process of restoring the iPad from the [unsupervised] backup undoes Supervised Mode. This does work, however, if you restore to another [supervised] iPad (that is, a different iPad than the iPad on which you performed the backup). This is workable if you have two or more iPads to work with.
Q. Can I do this without a Mac?
No, Apple Configurator 2 is only available for the Mac.
Q. How is Supervised Mode better?
You can enable certain features in Apple Configurator that cannot be defeated easily. Single App Mode, under Actions > Advanced, for example, is very similar to Guided Access, however, it cannot be defeated by a user simply draining the battery of the iPad and restarting.
You can do many additional things with Profiles, similar to how enterprises manage their iPads.
Q. How do you create a profile?
Select New Profile under the File Menu.
Select a type of profile to create, such as DNS Proxy, and fill out the necessary fields from your provider.
Select File > Save… to save the profile. Add this profile to your iPad with Actions > Add > Profiles…