Administrators can enable Supervised Mode for devices enrolled through Apple Configurator, which unlocks additional security features. However, this mode also introduces several limitations on the device.
Once a device is supervised and enrolled in Workspace ONE UEM, the administrator can configure the following enhanced features, which are not available on unsupervised devices:
- Elevated Restrictions over MDM
  - Prevent users from removing applications. Removing applications can also be restricted locally on the device using restrictions under System Configuration.
  - Prevent AirDrop.
  - Prevent users from modifying iCloud and Mail account settings.
  - Disable iMessage.
  - Set iBookstore content rating restrictions.
  - Disable Game Center and iBookstore.
- Enhanced Security
  - Prevent end users from visiting websites with adult content in Safari.
  - Restrict which devices can connect to specified AirPlay destinations, such as Apple TVs.
  - Prevent the installation of certificates or unmanaged configuration profiles.
  - Force all device network traffic through a global HTTP proxy.
- Kiosk Mode
  - Lock down devices to one app with single app mode and disable the home button.
- Customize Wallpaper and Text on Device
- Enable or Clear Activation Lock
Supervised Mode also introduces the following limitations:
- USB access to supervised devices is restricted to the supervising Mac.
  - Data cannot be copied to or from the device using iTunes unless the Apple Configurator identity certificate is installed on the device.
  - Media such as photos and videos cannot be copied from the device to a PC or Mac. To transfer this type of data, use the VMware Content Locker to sync the content with the user’s Personal Documents section. Alternatively, a file sharing application can be used to transfer the data over WLAN/WWAN to a server.
- Supervised mode prevents access to device-side logs using the iPhone Configuration Utility (IPCU).
  - This makes it harder to troubleshoot application or device issues, because logs can only be obtained from the device while it is connected to the supervising Mac. To remediate some of the challenges, use the Workspace ONE SDK to send logs and logistics from the applications to the UEM console.
- Devices cannot be reset with factory settings easily.
  - Once a device is factory reset, it must be brought back to the supervising Mac to restore it to supervised mode. This procedure may be problematic if the Mac is not near the device.
In deciding whether or not to enable Supervised Mode, consider the following. While it enables additional features that enhance security on the device, the USB limitations must be considered.
The proximity of the device to the supervising Mac plays an important role in the decision. Since the USB limitation prevents access to device-side logs, a device experiencing issues must be shipped back to a depot and restaged to restore functionality.
Deciding on supervision in advance is important because the process to supervise or “unsupervise” requires the shipping of the device to an IT location or depot.
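
When deciding in advance which device groups need supervision, it helps to know which settings in a profile depend on it. The following is an added example, not part of the original page or of Workspace ONE: a Python check that lists the supervision-dependent settings in an unsigned configuration profile. The key-to-feature mapping covers only some of the features listed above and uses Apple's configuration profile key names; the sample profile and its hostnames are constructed.

```python
import plistlib

# Restriction keys (payload com.apple.applicationaccess) behind some features
# listed on this page; iOS enforces them only on supervised devices.
SUPERVISED_ONLY_KEYS = {
    "allowAppRemoval": "Prevent users from removing applications",
    "allowAirDrop": "Prevent AirDrop",
    "allowAccountModification": "Prevent account modification",
    "allowChat": "Disable iMessage",
    "allowBookstore": "Disable iBookstore",
    "allowUIConfigurationProfileInstallation": "Prevent unmanaged profiles",
}
# Payload types that apply only to supervised devices, whatever their settings.
SUPERVISED_ONLY_PAYLOADS = {
    "com.apple.proxy.http.global": "Global HTTP proxy",
    "com.apple.app.lock": "Single app mode",
}

def supervised_dependencies(profile_bytes):
    """Return sorted (payload_type, setting, feature) tuples that need supervision."""
    profile = plistlib.loads(profile_bytes)  # assumes an unsigned profile
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in SUPERVISED_ONLY_PAYLOADS:
            findings.append((ptype, "(whole payload)", SUPERVISED_ONLY_PAYLOADS[ptype]))
        if ptype == "com.apple.applicationaccess":
            for key, feature in SUPERVISED_ONLY_KEYS.items():
                # Only an explicit False is a restriction; absent or True
                # leaves the feature allowed and needs no supervision.
                if payload.get(key) is False:
                    findings.append((ptype, key, feature))
    return sorted(findings)

# Constructed sample profile (not taken from any real deployment).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.constructed.profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess",
         "allowAirDrop": False, "allowAppRemoval": False,
         "allowChat": True,             # left allowed, not flagged
         "forceEncryptedBackup": True},  # not in the mapping, not flagged
        {"PayloadType": "com.apple.proxy.http.global", "ProxyType": "Manual",
         "ProxyServer": "proxy.example.com", "ProxyServerPort": 8080},
    ],
})

if __name__ == "__main__":
    for ptype, setting, feature in supervised_dependencies(SAMPLE_PROFILE):
        print(f"{ptype}: {setting} -> {feature}")
```

A profile that returns findings here and is assigned to unsupervised devices will not enforce those settings, so the affected device group has to be staged as supervised before rollout.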