How to...

Manage Supervised iPhones and iPads

Manage Supervised iPhones and iPads

💡iMazing 3
This guide is for the legacy iMazing version 2. For information on version 3, please visit this page.

  1. Introduction
  2. Before you begin
    1. Supervise your devices if needed
    2. Check if a device is supervised
    3. Import the supervising organization
  3. 'Supervised only' features
    1. Silent pairing
    2. Supervised device settings
      1. Wallpapers
      2. Save passcode unlock token
      3. Clear passcode
      4. Clear Screen Time password
      5. Single app mode
    3. Configuration profiles
      1. Apply 'supervised only' profile settings
      2. Install profiles silently
      3. 'Non-removable' profiles
  4. Going further

1. Introduction

Supervising iOS devices is the only way for your business or institution to truly take ownership of its iOS and iPadOS devices. What are the precise settings and actions which become available once a device is supervised? In this guide, we'll give a brief overview of the technology behind supervision, and cover supervised device management capabilities in iMazing 2.12 and above.

The features covered here are appropriate for small businesses. For more advanced device management tools, including powerful automations and bulk deployment, please check out iMazing Configurator Edition.

The video below introduces iMazing's supervision related tools:



2. Before you begin

Download and install iMazing on your Mac or PC computer.

2.1 Supervise your devices if needed

Before getting started, you'll need at least one supervised device. If your devices aren't supervised yet, please refer to our How to supervise iPhone, iPad and iPod touch guide.

2.2 Check if a device is supervised

Supervised devices feature an explicit disclaimer in the iOS Settings app: iOS Settings app, supervision notice

In iMazing, you'll see the supervising organization's name displayed in the device detail view, here DigiDNA: iMazing Main View, Supervising Organization Highlighted

2.3 Import the supervising organization

When you supervise an iOS device, you choose (or create) a supervising organization. This organization contains a digital certificate (the supervising identity) which is required to communicate with the device in a privileged mode, as supervisor. This mechanism guarantees that your managed devices do not become less secure: the digital certificate of the organization acts like a key to your supervised devices.

Now, if the devices were supervised by another computer, or by Apple Configurator or via Apple's Automated Device Enrollment (ADE, formerly Device Enrollment Program – DEP), you will need to import the supervising identity in iMazing's library:

  1. Open iMazing's Preferences window
  2. Select the Library tab
  3. Click the '+' button to import or create an organization or supervising identity

Learn more about Managing Organizations in iMazing.

You will of course need to have exported the organization from Apple Configurator or from another iMazing instance before you can import it on your current terminal.

ADE: If you purchase your devices via Apple's Device Enrollment Program and wish to manage them locally and not just remotely, you must configure your MDM's device enrollment profile very carefully. Please refer to our Understanding Supervision, MDM and ADE guide for more information.

3. 'Supervised only' features

Once you have connected a supervised device to iMazing and ensured that the supervising organization is configured in iMazing's library, you will gain access to a whole new suite of device management features, ranging from putting the device in Single app mode to installing advanced configuration profiles silently.

3.1 Silent pairing

Before your computer can communicate with an iOS or iPadOS device, a trust relationship needs to be established. This is referred to as pairing. Usually, connecting an iOS device to a macOS or Windows terminal for the first time will result in a prompt computer side to unlock the iOS device. Then, a Trust this computer? prompt appears on the mobile device, followed by a passcode prompt if you accept the trust prompt.

A supervisor host, such as iMazing when properly configured, can connect to supervised devices with zero interaction: simply connect the device while iMazing is running, and the entire pairing process happens in the background silently.

3.2 Supervised device settings

Select a supervised device in the left sidebar and scroll down the actions list to reveal the Supervision action button: iMazing Main View, Supervision Action Highlighted

Click the Supervision action button to display the Supervised Device Settings screen: iMazing Supervised Settings Screen, Default Options

Configure your desired settings and click Apply to push them to the device.

💡 If the device isn't supervised yet, the same Supervision action will display the supervision wizard described in How to Supervise iPhone, iPad and iPod touch.

For convenience, the first three groups of options present settings which are not specific to supervised devices:

  • Device name
  • Language and country
  • Accessibility settings

The remaining settings are only available on supervised devices:

3.2.1 Wallpapers

iMazing Supervised Settings Screen, Wallpapers Configured

It is surprising that wallpapers require supervision to be set from a computer, probably a historical choice by Apple.

3.2.2 Save passcode unlock token

Click this button to immediately retrieve a passcode unlock token from the device and save it in the macOS keychain or Windows certificate store. This action only works if no passcode is set on the device. For this reason, it is usually done at the same time as the device is supervised.

3.2.3 Clear passcode

This button is only enabled if you have previously saved a Passcode unlock token. Click the button to immediately clear the device's passcode. This action cannot be undone, and a new passcode can only be set manually on the device itself.

3.2.4 Clear Screen Time password

Click this button to remove the Screen Time (previously Restrictions) password from the device. This action does not require a passcode unlock token, cannot be undone, and a new Screen Time password can only be set manually on the device itself.

3.2.5 Single app mode

Single app mode is one of the most useful features unlocked by supervision. When you enable Single app mode on an iPhone, iPad or iPod touch, the device will automatically launch the app of your choice and lock itself to that app. The device's users will have access to no other app until an admin exits Single app mode. Additional options can be configured to lock various hardware buttons and built-in behaviours. Learn more in our How to put iPhone, iPad and iPod touch in Single App Mode guide.

3.3 Configuration profiles

Configuration profiles are light-weight files bearing the .mobileconfig extension which you can install on macOS, iOS and iPadOS devices to enforce specific settings. iMazing packages a configuration profile editor (iMazing Profile Editor) for creating and editing profiles, and a profile library where you can store and manage your profiles. You can also use iMazing to install profiles to your devices, extract them, or remove them. The following guides cover configuration profile-related topics:

3.3.1 Apply 'supervised only' profile settings

Many settings available via configuration profiles are simply ignored if the target device is not supervised. These settings are labelled as supervised only settings in iMazing Profile Editor. A few examples:

  • Web content filters
  • More than half of the settings available in the Restrictions category (disallow Siri, Messages, Camera...)
  • App whitelists and blacklists
  • Single app mode profiles
  • And more...

3.3.2 Install profiles silently

Installing a configuration profile usually requires quite a bit of user interaction on the device itself: the device needs to be unlocked, after which pushing the profile with iMazing or Apple Configurator will only result in the device offering the new profile as available for review. It is up to the user to open the Settings app and manually confirm the profile's installation on his system.

On supervised devices, iMazing can push profiles silently with zero user interaction, thereby greatly reducing human overhead for admins.

3.3.3 'Non-removable' profiles

All configuration profiles can be configured to be non-removable – that option can be configured in iMazing Profile Editor and saved along with the profile. The catch? To protect user privacy and agency, profiles are only truly non-removable if the target device is supervised. This guarantees that only company owned devices can be configured without user consent, which is a perfectly healthy restriction.

The supervisor host (iMazing or Apple Configurator, with the adequate supervising organization configured) can remove even non-removable profiles.

4. Going further

Apple's mosaic of device management technologies can seem daunting at first. Head to our Understanding Supervision, MDM and ADE article for a general overview.