How to… Supervision is a mobile device management technology which enables businesses and institutions to take full ownership over their iOS and iPadOS devices. Once a device is supervised, powerful configuration and security options become available:

  • Single App mode
  • Advanced restrictions
  • Security policies
  • Restrict pairing with other computers
  • And more…

Supervising iPhone, iPad and iPod touch is easily achieved with iMazing’s Supervision wizard, available in iMazing 2.12 and above on both macOS and Windows. Here’s how:

  1. Install and launch iMazing, and connect the target iOS device to the computer.
  2. In iMazing’s Actions list, scroll down and click the Supervision button.
  3. Review supervision options and confirm.

This guide covers supervision features available in the standard version of iMazing. For more advanced requirements, we also offer iMazing Configurator Edition, a suite of tools which enable powerful automations and finer grained control over company devices, including supervising devices without losing existing data. iMazing Configurator is strictly licensed for professional use only. Learn more about iMazing Configurator

For a quick overview of supervision and other useful features for your business, take a look at the following video:

Before you begin

Download and install iMazing on your Mac or PC computer

In-Depth Tutorial

1. Launch iMazing and connect your device

To supervise iPhone, iPad or iPod touch with iMazing, the device must be connected via USB, and run at least iOS 10.

2. Scroll down in the Actions list and click Supervision

iMazing Home Screen, Supervision action button highlighted iMazing will display an informative screen about supervision. Click Next and you’ll be taken to the supervision options screen: iMazing Supervision Wizard, not configured

If the iOS device is already supervised, clicking the Supervision action will open another screen presenting actions which are specific to managing supervised devices, such as setting wallpapers or enabling/disabling Single App Mode. Learn more in our Managing Supervised Devices guide.

3. Choose a supervising organization

The first thing to do is to pick a supervising organization. In technical terms, an organization is a digital certificate (the supervision identity) associated with information about the organization. Creating or importing an existing organization with iMazing is very simple and can be done inline in the Supervision wizard.

  1. Click the Organization drop down and select Choose…, iMazing will display its organizations library: iMazing Supervision Wizard, choosing an organization
  2. If your organization library is empty, click the + button to create one.
  3. Once you have at least one organization in your library, select one and click Choose.

iMazing Supervision Wizard, configured, top options As soon as you have selected an organization, you can supervise the target device, or configure additional options.

The organization’s supervision identity is stored in the macOS Keychain or in the Windows Certificate Store. We recommend that you also keep a safe copy by exporting your organization from iMazing’s library and storing it safely. Exported organizations are password protected (AES 256 encryption).

4. Understand and configure the supervision wizard’s options

Most of the options exposed here can also be configured at a later stage. Special attention must be given to the Allow pairing and Allow activation lock settings which cannot be changed once the device is supervised. Allow pairing without supervision identity: true by default. If you set this option to false, the supervised device will be prohibited from pairing (and hence communicating) with unauthorized computers. Pairing will only be possible if the supervising organization is imported in iMazing or Apple Configurator.

The supervising organization becomes extremely important if you disable this option. Losing the supervising organization will result in admins being unable to access data on the device permanently.

On iOS 13 and above, this setting can also be controlled with a configuration profile once the device is supervised. If you wish to control the setting via a profile, you should leave it to true here. Disable USB Restricted Mode: true by default. In iOS 11.4.1, Apple introduced a new security feature which automatically disables iOS and iPad OS devices’ USB port if the device isn’t unlocked for more than an hour. Just like Apple Configurator, iMazing will by default disable this behaviour since it prevents admins from locally managing company devices. Save passcode unlock token: false by default. Enable this option and iMazing will save a special token allowing you to clear the passcode of the device. Saving a passcode unlock token can also be done at a later stage, but only if the device is not passcode protected.

If the device is rebooted, or inactive for more than 24 hours, it will enter a special secure mode known as BFU (Before First Unlock). In that mode, communication with the device becomes impossible without unlocking it first, even if supervised.

Allow activation lock: false by default. Usually, signing in to iCloud has the side effect of enabling Apple’s activation lock feature: the device, even if erased, will be permanently tied to a specific Apple ID unless the user signs out by providing his Apple ID credentials. This feature can cause company devices to become unusable, and is by default disabled on supervised devices. Skip setup assistant: false by default. Enable this option to skip iOS setup assistant post configuration. Note that skipping the setup assistant will also skip important security steps such as passcode protection and Touch ID / Face ID configuration, and is consequently appropriate only in very specific use cases, such as setting up devices in fully locked Single App Mode for example. Wi-Fi profile: choose a Wi-Fi configuration profile which iMazing will install on the target device, letting it connect to your network without any user interaction. You can directly create a Wi-Fi profile from here if you do not have one already configured in iMazing’s Profile Library – simply click Choose… in the Wi-Fi profile dropdown to display the Profile Library, then the + button to create a new Wi-Fi profile. Device name: self explanatory. Name the target supervised device in advance. From here, scrolling down reveals a few more options: iMazing Supervision Wizard, configured, bottom options Language & Region: self explanatory. Set the device’s language and region, especially useful if you opt for skipping the setup assistant. Wallpapers: self explanatory. Drag and drop images to the lock screen and home screen drop zones, or click the Choose… buttons to open a file picker. Somewhat puzzlingly, setting an iPhone or iPad wallpaper from a computer is only possible if the device is supervised. Accessibility: enable built-in accessibility features such as Zoomed mode, inverted colors or Voice Over.

5. Click Next and Confirm

When you’re satisfied with your configuration, click Next. iMazing will present a final confirmation screen:
iMazing Supervision Wizard, Confirmation Screen Supervising with iMazing or Apple Configurator will always fully erase the target device first. This is by design and is meant to protect user privacy and limit abusive use of supervision in non-professional contexts. Furthermore, once a device is supervised, the iOS Settings app displays a notice at the top of the Settings app: iOS Settings app, supervision notice

Going Further

Once a device is supervised, clicking the same Supervision action button in iMazing will open an options panel letting you directly enable Single App Mode, set wallpapers, clear the passcode and more. Please refer to our Managing Supervised Devices guide for more information, or jump straight to our Single App Mode tutorial if that’s your main use case.

Configuration Profiles

Configuration profiles enable advanced configuration of iOS devices. Many settings exposed in profiles are only applicable to supervised devices: advanced restrictions, web content filters, setup assistant configuration and more become available in a supervised context only. iMazing can push configuration profiles to your devices, store them in a library, and even create and edit them. Head to Getting started with iOS configuration profiles to learn more.

Removing Supervision

You must erase the device to remove supervision. Once the device is erased, it can be supervised again.

What is Supervision?

Supervision, introduced by Apple in iOS 5, is a special mode that gives an administrator more control of a device. It is intended for institutionally-owned devices. iOS supervised mode now extends to iPadOS and tvOS, but for simplicity in this article, we use iOS broadly. While SimpleMDM historically controlled devices owned by employees in a bring-your-own-device (BYOD) fashion, companies now frequently own the devices themselves. This introduces new opportunities for controlling the device with SimpleMDM that previously would have been overbearing for an employee-owned device.

What does Supervision allow for?

The following are examples of what’s possible under supervision:

  • Restrict access to apps
  • Filter web content
  • Configure home screen layouts
  • App lock (Single App Mode)
  • Activation lock bypass
  • Silent app installations
  • Enable Lost Mode
  • Push remote OS updates
  • Enable additional restrictions

How to activate Supervised Mode for iOS

The device enters supervision in two ways. The best method depends upon your deployment. Note: Placing a device in supervision resets the device. All data and settings delete. If you restore data after switching to supervised mode, the device will reset to the mode (supervised or unsupervised) used during backup. Presumably, Apple does this to prevent companies from supervising employee-owned devices.

Supervise a Device with Apple Configurator

Apple Configurator is a macOS application. To supervise a device with Apple Configurator, you must have a macOS computer and USB cable available. Each device needs to connect to the computer. For a few devices, this is a good method.

  1. Download the latest version of Apple Configurator. We used Apple Configurator 2.2 in this guide.
  2. Attach your iOS device to the computer using the USB cable
  3. Start Apple Configurator
  4. In the “All devices” view, click the iOS device
  5. Click “Prepare”
  6. Select “Manual” from the “Configuration” dropdown
  7. On the “Enroll in MDM Server” screen, optionally define an MDM server using your SimpleMDM enrollment URL
  8. On the “Supervise Devices” screen, ensure “Supervise devices” is checked
  9. Add the details of your company on the following screen if desired
  10. Generate a supervision identity when prompted (if you haven’t already)
  11. Click the “Prepare” button once you reach the end of the dialog boxes
  12. The device will prepare and reset

Supervise Devices using Automated Enrollment with Apple Business Manager (formerly Apple Device Enrollment Program)

Automated enrollment with Apple Business Manager is used to bootstrap new devices with a working configuration. For instance, automated enrollment can be used to automatically enroll devices in SimpleMDM when they are first unboxed and turned on. It can also place devices in Supervision mode automatically. This process is the way to go if your organization has a non-trivial number of devices that need to be placed under supervision. To configure automated enrollment to supervise your new devices, complete the following steps from within SimpleMDM:

  1. Click “Enrollments” under the Devices heading
  2. Under the “Create Enrollment” dropdown, select “Automated Enrollment (DEP)”
  3. If you haven’t already, follow the instructions to pair SimpleMDM with your Apple Business Manager account
  4. Once paired, make sure “Place device in Supervised mode” is checked and click “Save”
  5. Associate your devices with the connected server in Apple Business Manager
  6. Activate your devices and connect them to the internet to complete enrollment

Once automated enrollment is configured, SimpleMDM automatically enables supervision on all devices enrolled from your Apple Business Manager account. SimpleMDM SimpleMDM is a mobile device management solution that helps IT teams securely update, monitor, and license Apple devices in a matter of minutes — all while staying on top of Apple updates automatically. If your employer or school issues you a iPhone or iPad, it might be supervised. Learn what it means to use a supervised device, what the owner can see, and how to tell if your iPhone or iPad is being supervised. Supervision gives schools and businesses greater control over the devices that they own. With supervision, your administrator can apply extra restrictions like turning off AirDrop or preventing access to the App Store. It also provides additional device configurations and features, like silently updating apps or filtering web usage. By default, your iPhone or iPad isn’t supervised. Supervision can only be turned on when you set up a new device. If your iPhone or iPad isn’t supervised now, your administrator needs to completely erase your device to set up supervision.

Check to see if your iPhone or iPad is supervised

You can find out if your iPhone or iPad is supervised by looking at the settings for your device. The Supervision message is found at the top of the main Settings page. Your organization also has the option to display a custom ownership message on the Lock Screen using the Shared Device Configuration profile payload.

Find out what your administrator is supervising

If your iPhone or iPad is supervised, the organization that owns your device has the ability to install a profile to control what features your device has access to. If you want to see what features your administrator has modified from the default settings, you’ll need to check your settings. Tap Settings > General > VPN & Device Management. If there is a profile installed, tap on it to see what type of changes are made. iPhone displaying an installed profile in VPN & Device Management To learn more about the features changed for your specific organization, ask your administrator whether these settings are enforced.

If your administrator is monitoring your location

You might see a message in your settings that your business or school can monitor your internet traffic and locate your device. The only time your administrator can view the location of your iPhone or iPad is if they put your device into Managed Lost Mode. When this mode is turned on, it reveals the location of the device to the administrator. If your administrator puts your device into Managed Lost Mode, your device locks and you will see a message on the Lock Screen. Your organization can’t track the location of the device without locking it and showing a notification. Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information. Published Date: Supervised Mode is intended for organizations, but you can enable it on your own iPhone or iPad. Supervised Mode gets you a few extra features like hiding included apps, and always-on VPNs. You’ll need a Mac to do this, and your device will be wiped during the setup process. Supervised Mode could be used to seriously lock down a child’s device like an organization would lock down an employee’s device, too.

What You Need to Know About Supervision

RELATED: How to Hide iOS’ Built-In Apps in iOS 9 and Earlier If you’re in charge of a large organization’s devices, you’ll probably want to use Apple’s Device Enrollment Program to wirelessly enable supervision on your devices instead. We’ll be covering the manual method here, which anyone with a Mac can use to manually enable supervision on one or more iPhones or iPads they own. The manual method uses Apple Configurator, which Apple only offers for Macs. Older versions of Apple Configurator were also offered for Windows, but aren’t anymore. There’s no way around this: You’ll need a Mac for this. When you put a device into supervised mode, the data on it will be erased. You can still sign in with your iCloud account and restore an iCloud backup later–or create a manual backup with iTunes ahead of time and restore that backup afterwards–but you’ll have to set up your iPhone or iPad again.

First: Disable Find My iPhone or Find My iPad

RELATED: How to Track, Disable, and Wipe a Lost iPhone, iPad, or Mac Before continuing, you’ll want to disable the Find My iPhone or Find My iPad feature on your device. This disables “Activation Lock,” which will otherwise prevent Apple Configurator from automatically setting up your device without your iCloud ID. Don’t worry–you can re-enable this after you supervise the iPhone or iPad again. To do this, open the “Settings” app on the device, tap “iCloud,” tap “Find My iPhone” or “Find My iPad,” and disable the “Find My iPhone” or “Find My iPad” option. To get started, you’ll need to open the Mac App Store and install the free “Apple Configurator 2” app from Apple. You’ll be asked to connect an iPhone, iPad, iPod Touch, or Apple TV device to your Mac. Use the standard USB cable you normally use to charge the phone or tablet to connect it to your Mac. On the iPhone or iPad, you’ll be asked whether you want to trust the connected Mac. Tap the “Trust” button. After a moment, you’ll see the connected device appear in the Apple Configurator window. Double-click your connected device in the window and you’ll see more information about it. Click the “Prepare” button on the toolbar to prepare the device for supervision. Select “Manual” configuration and click “Next” to continue with the manual supervision configuration. If you have a mobile device management server, you can enroll your device in an MDM server from here. If you don’t–and you won’t if you’re just doing this on your own devices–select “Do not enroll in MDM” and click “Next” to continue. Enable the “Supervise devices” option here. By default, “Allow devices to pair with other computers” is also checked. This will allow your iPad or iPhone to pair with other computers–for example, to sync with iTunes on other computers. You can prevent your iPhone or iPad from pairing with computers other than your Mac by unchecking the “Allow devices to pair with other computers” option. Click “Next” when you’re ready to continue. You’ll need to enter an organization name here to continue. This organization name will appear on the device, indicating the “organization” the device is supervised by. Enter anything you like here and click “Next” to continue. You can also enter a phone number, email, and address for the organization, if you like–but you don’t have to. You’ll now want to select “Generate a new supervision identity” unless you’ve done this before. Click “Next” and” the tool will generate a new “supervision identity” for your organization. If you’ve already created a supervision identity–perhaps you’re supervising more than one device–you can select “Choose an existing supervision identity.” Each supervision identity has its own security certificate. If you’ll just be working with your supervised device on your single Mac, you don’t need to worry about this–it’ll just work with your Mac. Other Macs won’t be able to manage your device unless you export the supervision identity to them. You’ll now be able to choose which steps appear during the first-time setup assistant on your supervised device. This allows organizations to customize the setup process for their users. For example, an organization could define these settings in a configuration profile and then hide the associated screens from the first-time setup process. Assuming you just want to supervise your own device, you can just leave “Show all steps” enabled to not adjust the first-time setup process. Click the “Prepare” button and Apple Configurator will supervise your device. Warning: Apple Configurator will wipe your device after you click “Prepare”! Apple Configurator will now go through the process of wiping your device, setting it up, and supervising it. When it’s done, you can connect your device to your Mac with a USB cable and manage it from Apple Configurator, creating configuration profiles and applying them–even if they require a supervised device. This means you can now hide those incldued apps, enable an always-on VPN, and change other powerful settings. If you’ve supervised a device with Apple Configurator and you want to remove that supervision, you can just reset the device to its factory default settings. This will remove the “supervision” on the device and it’ll be back to normal. To prevent users from removing supervision, you can use configuration profiles to lock down the iPhone or iPad and disable access to the options on the “Reset” screen in Settings. READ NEXT

  • › How to Create an iOS Configuration Profile and Alter Hidden Settings
  • › How to Configure a Proxy Server on an iPhone or iPad
  • › How to Put an iPad Into “Kiosk” Mode, Restricting It to a Single App
  • › How to Use Your Car as an Emergency Electricity Source During a Blackout
  • › How Much Money Does Upgrading to LED Christmas Lights Save?
  • › StumbleUpon Made the Internet Feel Small
  • › Astronomers Discover Closest Black Hole to Earth (Which is Still Far)
  • › How to Sign Out of Google on All Your Devices

Leave a comment

Your email address will not be published. Required fields are marked *