Understanding Supervision, MDM, DEP and VPP
- Apps Volume Purchasing (VPP)
Apple's mobile device management solutions present a mosaic of technologies which many newcomers find difficult to understand. In this article, we'll explain the roles of supervision, MDM, DEP and VPP. We'll also point out key differences between local and remote device management, and show how iMazing can be leveraged to help with specific scenarios.
For the sake of simplicity, we will focus on deployment of these technologies on the latest available Apple mobile OS' at the time of writing: iOS 13, iPadOS 13 and tvOS 13.
💡 This article intends to provide a brief overview of Apple mobile device management technologies. We encourage administrators to refer to Apple's official documentation before implementing their solution of choice.
1.1 Local vs Remote Device Management
Managing and configuring devices can be done locally with Apple Configurator 2 (AC2) or iMazing Configurator, and remotely via MDM. Remote management has obvious advantages: devices do not need to be connected to the admin's computer in order to be configured and provisioned, thus greatly facilitating management of large fleets of devices. But remote management does not deal with data. MDM will not back up devices or provision them with files, nor does it provide tools to recover documents and data from them. For this reason, admins often rely on both local and remote management. The table below illustrates the key differences between the two:
|Local Management (iMazing, AC2)||Remote Management (MDM)|
|Schedule OS Update||No||Yes|
|OS Update / Restore||Yes||No|
|Single App Mode||Yes||Yes|
1.2 iMazing Configurator vs Apple Configurator
There are a few important differences between Apple Configurator and iMazing Configurator. The latter benefits from iMazing's large set of data transfer and backup tools, which enable provisioning a larger panel of data types and performing more powerful backups.
|Apple Configurator||iMazing Configurator|
|Files to File Sharing Apps||Yes||Yes|
|Media to Native Apps1||No||Yes|
|Custom Backup Location||No||Yes|
- 1Media to Native Apps includes photos to the Photos app, audio to the Music app, video to the TV app, EPUBs and PDFs to the Books app, and contacts to the Contacts app.
- 2Portable Blueprints: iMazing Blueprints can be shared by exporting them as AES 256 encrypted
- 3Bulk Deployment in Apple Configurator is very limited, with no detailed progress report. iMazing Configurator features detailed live reporting and logging and supports simultaneous configuration of dozens of devices.
For a more thorough comparison between iMazing Configurator and Apple Configurator, please refer to our iMazing Configurator Overview article.
2.1 What Is Supervision?
Supervision expresses a company or institution's ownership of a device. This ownership is enforced by a digital certificate, the supervision identity. Once a device is supervised, the supervising organization is granted far greater control over it: new features become available, and in general user consent is no longer necessary to push configurations or restrictions. Consequently, supervision should only be used on company owned devices, and never in a BYOD context.
2.2 What Does Supervision Do?
Supervision enables a whole new set of configuration features available via both local and remote management:
- Clear passcode
- Single app mode
- Set wallpapers
- Deploy configuration profiles silently
- Non-removable profiles
- And more...
💡 Deploying a configuration profile on a non-supervised device prompts the user to manually install the profile in the Settings app, which in turn requires entering the device's passcode.
In addition, many settings exposed in configuration profiles are only applied if the device is supervised. These are referred to as supervised only settings. Here are a few examples:
- Restrict apps
- Enforce a web content filter
- Prevent passcode modification
- Block Find my iPhone
- And many more...
For a detailed overview of settings available with and without supervision, you may refer to Apple's Configuration Profile Reference, or browse available settings with a profile editor. iMazing Profile Editor is free and features deep search capabilities which let you immediately surface all supervised only settings available.
Other features enabled by supervision only make sense when managing devices via MDM:
- Lost mode
- Mandatory MDM enrollment
- Silent deployment of apps
- Activation lock bypass code
💡 Deploying an app via MDM to a non-supervised device prompts the user to accept its installation. Deploying an app locally is always silent.
When managing a device locally with Apple Configurator or iMazing, the features above are only available if the supervising organization is properly configured in these solutions. Please refer to the documentation for more information:
- iMazing Configurator Overview - Managing Organizations
- Organization preferences in Apple Configurator 2 on Mac
2.3 Supervised Pairing
Pairing refers to the trust relationship between a host computer and an iOS or iPadOS device. Pairing requires a USB connection and user interaction on the device (passcode and trust prompt). Once pairing is established, the host computer can communicate with the device without any further user interaction.
If a device is supervised and the supervising organization properly configured in Apple Configurator or iMazing, pairing may be established directly when connecting the device via USB, without unlocking the device. In recent years, iOS has become even more secure thanks to the following restrictions:
- USB restricted mode shuts down the USB data connection completely if a device is not unlocked for more than one hour. This mode can be disabled with a configuration profile – this is done by default when supervising a device with Apple Configurator or iMazing Configurator. MDM commands can still be received, and most local management features still work via the Wi-Fi connection if it is enabled.
- BFU mode (Before First Unlock) also prevents communications between an iOS device and its host. BFU kicks in when a device reboots or when it hasn't been unlocked for more than 24 hours. The only way out of BFU mode is to unlock the device with it's passcode (no biometric identification), or to fully erase it.
⚠ BFU mode also disables communication with the MDM server, which prevents Clear Passcode and Erase commands from being received. Because of this, admins should immediately remove the passcode or erase devices which are meant to be re-assigned, and not wait more than 24 hours or shut down the device.
💡 A supervised device in BFU mode can be erased by iMazing if the supervising organization is properly configured. Without supervision, a full OS restore is required (Reinstall iOS command in iMazing)._
2.4 Restricted Pairing (Allow Pairing)
It is possible to restrict pairing of supervised devices to supervising hosts only. Depending on the context, this setting is named Allow Pairing, Allow pairing with non-configurator hosts, Allow pairing with other computers, or Allow host pairing. If Allow Pairing is set to
false, pairing between the supervised device and a computer will only be possible if the supervising organization is properly imported in the software which communicates with the iOS device (Apple Configurator or iMazing). This setting can be configured when the device is initially supervised, or via a configuration profile.
⚠ Important: if pairing is restricted during supervision, the device will have to be fully erased to allow non-supervised pairing. For this reason, it is preferable to restrict pairing via a configuration profile's Restrictions payload instead. This is especially important for DEP enrolled devices, please see the DEP section below for additional information.
2.5 How to Supervise an iOS or iPadOS Device?
There are 2 ways to supervise devices: locally via Apple Configurator or iMazing Configurator, or remotely via Apple's Device Enrollment Program (DEP). There are crucial differences between the two:
Both Apple Configurator and iMazing Configurator can supervise iOS or iPadOS devices. In Apple Configurator, supervision is part of the Prepare device process documented here: Intro to preparing devices in Apple Configurator 2 on Mac. Supervising a device with Apple Configurator will always fully erase it.
In iMazing Configurator, supervision is achieved by configuring and applying a blueprint. The setting is documented here: iMazing Configurator: Blueprints Deep Dive, Organization & Supervision
Local supervision can be used in conjunction with an MDM too, in which case supervised only settings can be pushed remotely via the MDM server.
Remote Supervision (DEP)
Supervision can also be applied automatically via Apple's Device Enrollment Program (DEP). This terminology is currently being replaced by Device Enrollment – we are temporarily sticking to the legacy term here because it is still widely used.
Remote supervision requires the following:
- An Apple Business Manager or Apple School Manager account.
- An iOS, iPadOS or tvOS device that is added to the Apple Business (or School) Manager account (more on that below).
- A default MDM server for MDM enrollment configured in the Apple Business (or School) Manager account.
- A properly configured device enrollment profile for automated enrollment in the MDM server.
Once everything is configured properly, devices automatically phone home when they are activated, apply the enrollment profile (which always supervises devices since iOS 13), and enroll in MDM.
For this to happen, the device need to be added to the Apple Business Manager or Apple School Manager account. This can be done in 2 ways:
- Purchase devices directly from the Apple Store for Business page. They will be automatically added to your Apple Business Manager or Apple School Manager account.
- Add devices to your account manually with Apple Configurator.
⚠ Devices supervised remotely will use an auto-generated supervision identity. If you intend to also manage the devices locally, you must manually add your own certificate to the Supervising Host Certificates field of the enrollment profile. This is usually done via your MDM provider’s interface, but not all MDMs expose the setting – Jamf Now for instance does not, but Jamf Pro does.
For more information and detailed instructions, please refer to Apple's Use Device Enrollment page.
2.6 Backing Up, Erasing and Restoring Supervised Devices
Backing up and restoring backups from or to supervised devices presents unique challenges. Fortunately, iMazing is well equipped to deal with these scenarios. Local and DEP supervision behave somewhat differently:
- Devices supervised locally lose the supervised state when they are erased.
- The configuration (including supervision) is included in the backup, but only restored if the backup is restored to the same device.
If you need to migrate data from a supervised device to a non-DEP device, standard backup restore will not work. iMazing Configurator on the other hand can restore a backup to a different device whilst preserving supervision.
- Devices supervised via DEP will re-acquire supervision automatically after being erased, when enrollment is completed.
- Migrating data to a DEP device via backup/restore works as expected, with supervision applied even if the data comes from a non-supervised device.
- Restoring a backup of the same device breaks automated MDM enrollment.
If you need to restore a backup of a DEP device to the same device, standard backup restore with Apple Configurator, the Finder or iTunes may not work. iMazing features tools which can help in this situation too.
In Apple's ecosystem, MDM refers to remote mobile device management. The mobile moniker is misleading: macOS laptop or desktop computers can also be enrolled in MDM. Apple does not directly offer MDM services: businesses and institutions turn to third party MDM vendors who provide MDM server infrastructure and web based interfaces to enroll and manage devices. Here are a few examples of popular Apple MDM vendors:
💡 iMazing itself is not an MDM solution, but is often used in conjunction with one to manage data and backups. iMazing Configurator features dedicated tools to speed up MDM enrollment, see the Host-Assisted Enrollment section below for more info.
There are multiple ways in which a device can be enrolled in MDM, some suitable for supervised company owned devices and others appropriate for bring your own device (BYOD) situations.
3.1 Open Enrollment
An enrollment link is sent to the user. The user must approve enrollment and install the MDM configuration profile manually. Open enrollment is notably useful for enforcing security policies on BYOD devices, pushing company apps, and pre-configuring network connections. Because devices enrolled in this way are not supervised, admins have a limited control over them:
- Cannot erase devices
- Cannot locate devices
- Installing apps and profiles requires user consent
- Limited restrictions
- Can list device apps and remove MDM installed apps
3.2 User Enrollment
With iOS 13 and macOS 10.15, Apple introduced a new way to manage BYOD devices, User Enrollment. This approach should be privileged over other solutions because it results in clean segregation of managed corporate data and personal data located on the same device. Apple documentation on the subject is still very sparse, but a few major MDM vendors cover this new enrollment strategy:
User Enrollment does not supervise devices, and generally gives admins less control over devices than Open Enrollment, resulting in a light device management that's extremely mindful of user privacy.
3.3 Host-Assisted Enrollment
iMazing Configurator and Apple Configurator can be leveraged to supervise and enroll iOS devices. In Apple Configurator, this is achieved through the Prepare action.
In iMazing Configurator, zero-touch MDM enrollment can be configured in the General section of blueprints: iMazing Configurator: Blueprints Deep Dive - MDM Enrollment.
3.4 Automated Enrollment (DEP)
If a device is added to your Apple School Manager or Apple Business Manager account, and assigned to an MDM server, MDM enrollment can be automated. You can configure device enrollment settings in your MDM solution of choice – in Jamf Now for instance, this is configured in the Automated Enrollment section.
💡 Since iOS 13, DEP enrolled devices are always supervised. This change is not retroactive: devices enrolled without supervision before being updated to iOS 13 will not be automatically supervised before being erased and prepared anew.
iMazing Configurator can help with achieving zero-touch configuration of DEP devices, saving administrators precious time by taking care of installing a Wi-Fi profile, and advancing the iOS setup assistant as much as possible. Read the MDM and DEP section of the following article for more information: https://imazing.com/guides/configurator-blueprints#mdm-dep
Adding a Device to DEP
Apple Configurator's Prepare wizard also offers the option to add a device to DEP (Add to Device Enrollment Program). Somewhat confusingly, the wizard requires an Organization to be configured, but the organization's supervision identity is not used to supervise the device. Consequently, you must configure supervising host certificates in your MDM if you wish to also manage devices locally – see How to Supervise an iOS or iPad OS Device - Remote Supervision section above for more detail.
4. Apps Volume Purchasing (VPP)
In a device management context, app licenses are purchased by the administrator via an Apple Business Manager or Apple School Manager account. This process is referred to as Volume Purchasing, and used to be available separately via Apple's Volume Purchase Program (VPP). VPP is being phased out and will be completely retired in December 2020 (Upgrade from Apple Deployment Programs official page). We still use the VPP terminology here because of its prevalence online.
Once licenses are purchased in Apple Business Manager or Apple School Manager, they need to be assigned to devices or users (device-based assignment or user-based assignment). License assignment is not handled in Apple Business Manager, but through the MDM solution or local management solution. If you opt for device based assignment, iMazing can automatically assign and un-assign licenses as you install and uninstall apps. Please see the following article for more information: iMazing Configurator Overview - Apps
The differences between device-based and user-based license assignment are explained very thoroughly in the following Apple article: Distribute content with Apps and Books in Apple School Manager and Apple Business Manager.