IOS Supervised Mode

What is IOS Supervised mode?

iOS Supervised Mode is a feature of Apple’s mobile device management (MDM) framework that gives administrators additional control over iOS devices, making it ideal for devices owned by organizations or institutions. Without supervision, an administrator has limited management of devices, and the user can override settings assigned by the administrator. IOS Supervised mode allows administrators to control features like:

  • Camera,
  • AirDro,
  • Apple Music,
  • Application removal,
  • Application installation.
  • Easing all content and settings.
  • FaceTime.

How Can IOS Supervised Mode be Enabled in an Organization?

An Apple mobile device can be put into supervised mode and managed by a second device, such as a Mac computer, using the Apple Configurator application. This approach works well when a few devices need to be monitored, but as the number of devices increases, management becomes more complicated; In that case, an MDM solution, such as NinjaOne, is the best approach. Please note that enabling supervised mode will erase all data on the mobile device.

How to Enable IOS Supervised Mode in NinjaOne?

There´s three steps to enable supervised mode in NinjaOne:

1. Enable Apple MDM in NinjaOne.

This enablement is done only once and is the same for Apple or Android devices, which means that once it is done for Android, it no longer needs to be done for Apple and vice versa.

2. Enable the Automated Device Enrollment Service (ADEs).

This enablement only needs to be done once and is typically performed by the owner or administrator of the NinjaOne instance. An Apple Business Manager (ABM) or Apple School Manager (ASM) account with administrative rights is required. During this process, a NinjaOne-generated public key and an Apple-issued token file are manually exchanged. See the next section for detailed instructions on this enablement.

3. Configure the ADE profile.

The ADE profile defines the settings for devices enrolled using the Automated Device Enrollment Service, in this configuration, the supervised mode switch should be set to On.

How to Enable Automated Device Enrollment (ADE) in NinjaOne?

This step should be performed by the owner or administrator of the NinjaOne instance, who should have an Apple Business Manager (ABM) or Apple School Manager (ASM) account.

These accounts should be verified and functional. Check the prerequisites for ABM or ASM.

1. Go to Administration, then Apps, then Installed.

2. Click NinjaOne MDM.

3. Click Enroll, at the right of Automated Device Enrollment (ADE), the Automated Device Enrollment dialog box appears.

4. Download the public key (Step 1 in the dialog box), it´s a .PEM file.

5. Go to the Apple Business Manager Site, (Step 2 in the dialog box) and log on with your ABM ID; The same steps apply for ASM.

(See below screenshot for reference)

Apple Business Manager Site

6. On the ABM site, select your account at the bottom left of the page and then select Preferences.

(See below screenshot for reference)

Select Preferences

7. Select MDM Server Assignment.

8. Select Add MDM server at the top of the page.

(See below screenshot for reference)

Add MDM server

9. Give the MDM server a name (This is the NinjaOne server, use the name of your choice).

10. Upload the public key file by clicking Choose File and selecting the .PEM file you downloaded on step 4.

11. Click Save. The new server name appears on the left side of the screen (Training & Enablement EU in this case).

12. Click on the server name that you just added.

13. Click Download server token at the top of the page.

(See below screenshot for reference)

Download server token

14. A warning message appears saying that downloading a new server token will reset your existing one. Click Download MDM Server Token.

15. After downloading the token file (.p7m file), go back to NinjaOne.

16. Once you´re back in NinjaOne, upload the token file to NinjaOne (Step 3 in the dialog box).

17. The Automated Device Enrollment service should now appear as Enrolled.

18. Follow the instructions in the next section to Configure the ADE profile.

How to Configure The ADE Profile in NinjaOne?

The ADE profile defines the setup process for devices enrolled using the Automated Device Enrollment Service. When an Apple device is enrolled in this way, at some point it will be reset to factory defaults and restarted as if it was brand new. This ADE profile specifies how the initial setup process will behave; some or all setup options can be skipped. It also determines whether the device will enroll in supervised mode. Follow the next instructions to configure the ADE profile.

1. Go to Administration, then Apps, then Installed, and then NinjaOne MDM.

2. Under Actions, to the right of Automated Device Enrollment), select Edit profile & devices.

(See below screenshot for reference)

Edit profile & devices

3. Fill out the fields required. One of them is Supervised mode, which is on by default.

(See below screenshot for reference)

Supervised mode

4. Adjust the settings per your preferences.

5. Click Save at the bottom of the page.

How to Enroll an Apple Device in Supervised Mode in NinjaOne?

The enrollment process for an existing (not brand new) device in supervised mode, unlike any other device, requires several steps and additional equipment. By following these steps, the device will be first added to Apple Business Manager (ABM) and then synchronized with NinjaOne.

Next you will find roughly the steps required to enroll one IOS device in supervised mode to NinjaOne.

  1. Using a Mac computer, iPad, or iPhone, add the device to Apple Configurator locally.
  2. Using Apple Configurator, prepare the Apple device (which resets the device to factory settings). After this step, the device will show up in ABM under Apple Configurator.
  3. Move the device from Apple Configurator to the MDM Server.
  4. Synchronize NinjaOne with ABM.
  5. Perform the initial setup on the Apple device.

You can find more detailed information about these steps in this other document. (Link to MDM for IOS devices)

Once the device is enrolled in NinjaOne, policies can be applied to manage it. Within Apple policies, the restrictions section includes settings that are exclusive to devices in supervised mode, providing additional control over their configuration and functionality.

What Are The Advantages of Using NinjaOne for Mobile Application Management?

  • Unified management.

Mobile devices can be managed from the unified console, the same as all other devices.

  • Cost savings.

Policies streamline application management, saving time and resources.

  • Integration with Other Tools.

The platform integrates with other IT management and service desk tools, providing a more cohesive and efficient IT management ecosystem.

FAQ

iOS Supervised Mode is a special mode for managing Apple devices, particularly in organizational settings such as schools, businesses, and other institutions. When a device is in Supervised Mode, it provides administrators with a higher level of control and access to advanced management features that are not available on unsupervised devices.

Enabling iOS Supervised Mode requires an MDM solution, such as NinjaOne, and an account with Apple Business Manager (ABM) or Apple School Manager (ASM). These systems are linked together using a public key and a server token, a process known as Automated Device Enrollment (ADE).

iOS Supervised Mode offers enhanced control over device settings and restrictions, improved security, and compliance measures. It allows organizations to enforce advanced security configurations, remotely manage apps and settings, and customize device setups for a seamless and secure user experience.

Next Steps

×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.