Advantages of Supervision
Supervision is a specialized mode of device management which gives the admin additional control over the devices. Supervising iOS devices enables multiple device configurations to be provisioned on the devices. Devices can be supervised by enrolling them via Apple Configurator or Apple Business Manager (ABM), previously called Device Enrollment Program (DEP). Apple School Manager (ASM) is a program for educational institutions, similar to ABM.
Pre-requisites for Supervision
- Devices need to be factory reset.
- For enrollment via Apple Configurator, a free program by Apple that is similar to ABM, a Mac running 10.7 or later is required, with a compatible version of Apple Configurator installed.
- Devices to be enrolled must be running iOS 6 or later.
- For ABM enrollment, ABM must be available in your country and the devices must be purchased either directly from Apple or from its authorised resellers. Devices running iOS 11 or capable of being upgraded to iOS 11 can be enrolled with ABM via Apple Configurator as explained here.
Due to the aforesaid pre-requisites, Supervision is ideal for organization-owned devices.
Right from onboarding the devices to securing them, device Supervision has several benefits.
- Supervising devices through ABM is a pre-emptive measure against users revoking management. ABM enrollment ensures mandatory device management, even if the device is factory reset.
- Supervising devices through ABM also permits automated user assignment. Being an out-of-the-box enrollment method, ABM ensures the devices are provisioned with the required policies and apps even before they are handed over to the employees.
- Supervision allows you to skip a few or all of the initial setup steps that appear on the device at activation, making the device ready for corporate usage.
- Many device restrictions can be applied to Supervised devices. For example, to achieve Data Loss Prevention (DLP) you can configure the following payloads:
- Sharing of corporate data from managed via AirDrop can be restricted.
- On Supervised iOS devices, the web content that can be viewed from the default browser can be controlled using Web Content Filter. Specific URLs can be blocklisted/allowlisted, along with automatic blocking of websites with erotic content.
- Devices can be provisioned to connect to a secure Wi-Fi network. Also, users can be allowed/restricted from configuring VPN.
- Global HTTP Proxy routes all the network communications of managed devices through the enterprise's proxy. Configuring Global HTTP proxy can secure data on the devices.
- Users can be restricted from backing up data onto iCloud.
- iTunes pairing and other USB connections can be restricted.
- Restrict users from deleting apps and installing unapproved apps.
If you want complete corporate data isolation, the same can be achieved using containerization.
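To check that a profile actually enforces the DLP controls listed above, the following added example (not code from the MDM product) audits an unsigned `.mobileconfig` exported for review. The mapping from each bullet to an Apple restriction key or payload type is an assumption of this example, and the sample profile is constructed.

```python
import plistlib

# Assumed mapping: key in the Restrictions payload -> value that enforces the control.
DLP_BASELINE = {
    "forceAirDropUnmanaged": True,   # AirDrop treated as an unmanaged destination
    "allowCloudBackup": False,       # no iCloud backup
    "allowHostPairing": False,       # no iTunes/USB pairing with other hosts
    "allowAppRemoval": False,        # users cannot delete apps
    "allowAppInstallation": False,   # users cannot install apps themselves
    "allowVPNCreation": False,       # users cannot add VPN configurations
}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"
# Web Content Filter and Global HTTP Proxy are separate payload types.
REQUIRED_PAYLOADS = {"com.apple.webcontent-filter", "com.apple.proxy.http.global"}

def audit_profile(profile_bytes):
    """Return the sorted list of DLP controls the profile does not enforce."""
    profile = plistlib.loads(profile_bytes)  # fails on CMS-signed profiles
    payloads = profile.get("PayloadContent", [])
    restrictions = {}
    for payload in payloads:
        if payload.get("PayloadType") == RESTRICTIONS_TYPE:
            restrictions.update(payload)
    # An absent key means the OS default applies, i.e. the control is not enforced.
    missing = [k for k, want in DLP_BASELINE.items() if restrictions.get(k) is not want]
    present = {p.get("PayloadType") for p in payloads}
    return sorted(missing + list(REQUIRED_PAYLOADS - present))

def build_profile(restrictions, other_payload_types):
    """Build a constructed, unsigned sample profile for the audit."""
    content = [dict(restrictions, PayloadType=RESTRICTIONS_TYPE)]
    content += [{"PayloadType": t} for t in other_payload_types]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": content})

if __name__ == "__main__":
    weak = build_profile(
        {"forceAirDropUnmanaged": True, "allowCloudBackup": False,
         "allowHostPairing": True, "allowAppRemoval": False,
         "allowVPNCreation": False},
        ["com.apple.webcontent-filter"],
    )
    for gap in audit_profile(weak):
        print("not enforced:", gap)
```
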
- Single-purpose iOS devices can be provisioned as Kiosk. Supervision permits devices to be locked down to a single app or a set of apps. This also permits granular control over the device by restricting the volume buttons, auto-lock, etc.
- Devices being used for digital signage or as point-of-sale (POS) might require a wallpaper with the organization's logo. This can be provisioned on devices using the Wallpaper payload.
- Apps distributed from MDM have to be manually installed by users on managed devices by entering the Apple ID. But if the devices have been Supervised and apps purchased from ABM are distributed, the apps can be installed silently, without any user intervention.
- ABM simplifies license management for apps. The licenses distributed to devices can be revoked and re-used to distribute apps to other devices.
- Apart from the corporate apps distributed from MDM, users can install apps which are not approved by the organization. These apps can be blocklisted and removed immediately or prevented from being installed later.
OS Update management
- By Supervising iOS devices, OS updates can be managed easily. The OS updates can be delayed and deployed to a test group before being deployed to all the devices, preventing bandwidth choking and loss of productivity. The updates can even be force deployed to protect the devices from security vulnerabilities and exploits.
- In case the device is stolen or lost, an alarm can be remotely triggered on the device which sounds even if the device is in silent mode. Also, if Lost Mode is enabled on such a device, the device can be tracked even if the device location is off, and the ME MDM app is not installed on the device. In Lost Mode a message and contact number can be displayed on the lock screen, which can help in retrieving the device.
- Supervised devices can be remotely shut down or restarted effortlessly.