This guide applies to Apple devices
What is Device Supervision?
Device supervision is an Apple security feature that provides enhanced management capabilities for iOS, iPadOS, and macOS devices. According to Apple’s documentation, supervision enables additional restrictions and management features that are not available on non-supervised devices.
How Device Supervision Works
Device supervision works by establishing a trusted relationship between Apple devices and your organization through specific enrollment methods. When a device is supervised, Apple grants additional management permissions that allow Iru Endpoint to apply more restrictive policies and control more device functions. The supervision process happens during device enrollment and cannot be changed afterward without re-enrolling the device. This creates a permanent management relationship that provides enhanced security and control capabilities.
How Devices Become Supervised
Devices become supervised through specific enrollment methods:
Automated Device Enrollment (ADE)
Corporate-owned devices enrolled through Apple Business Manager or Apple School Manager become supervised automatically during the initial setup process. This provides the highest level of management control available. For setup details, see Configure Automated Device Enrollment.
Apple Configurator
Devices can be manually supervised using Apple Configurator on Mac, which requires a physical device connection. This method is typically used for corporate-owned devices that need supervision but weren’t enrolled through ADE.
Manual Enrollment (Non-Supervised)
BYOD devices enrolled through the enrollment portal remain non-supervised. This user-initiated enrollment process provides essential management capabilities while respecting device ownership. For BYOD setup, see Apple BYOD Management.
Supervision Impact on Iru Endpoint Management
Supervised Device Capabilities
When devices are supervised, Iru Endpoint can apply additional restrictions and management features:
Enhanced Security Restrictions
- App installation control - Prevent users from installing apps from the App Store
- App removal prevention - Users cannot remove installed applications
- Configuration profile protection - Users cannot manually install or remove management profiles
- Device reset prevention - Users cannot erase all content and settings
- Find My restrictions - Users cannot modify Find My settings
Advanced Management Features
- Single App Mode - Lock devices to a single application
- Kiosk mode - Restrict device functionality for specific use cases
- Advanced network controls - More granular Wi-Fi and network management
- Enhanced parental controls - Additional restrictions for educational environments
- System app management - Remove or hide built-in Apple applications
Corporate Control Features
- Account modification prevention - Users cannot change account settings
- Cellular data app settings - Control which apps can use cellular data
- AirDrop restrictions - Prevent file sharing between devices
- Game Center removal - Hide gaming features on corporate devices
Non-Supervised Device Limitations
BYOD devices enrolled through manual enrollment have limited management capabilities:
Available Management
- Basic security policies - Passcode requirements, FileVault encryption
- Network configuration - Wi-Fi and VPN profiles
- Certificate deployment - Device identity certificates
- App distribution - Corporate app installation
- System preferences - Basic system configuration
Unavailable Restrictions
- App Store access - Users can still install apps from the App Store
- App removal - Users can remove corporate applications
- Profile management - Users can remove MDM profiles
- Device reset - Users can erase and reset their devices
- Advanced restrictions - Many supervision-only features are unavailable
Choosing the Right Enrollment Method
Use Automated Device Enrollment When:
Choose ADE when you’re deploying corporate-owned devices that need the highest level of security control. This method works well for kiosk deployments, single-app scenarios, educational environments requiring strict controls, and shared devices that need extensive management capabilities.
Use Manual Enrollment When:
Manual enrollment is ideal for BYOD programs where employee privacy is important. Use this method when basic security requirements are sufficient, user flexibility is valued, or you need quick deployment without the complexity of ADE setup.
Iru Endpoint Library Items and Supervision
Library Items Available on All Devices
Iru Endpoint supports these Library Items on both supervised and non-supervised devices: Passcode for password and biometric requirements, FileVault for Mac disk encryption, Wi-Fi for network configuration, VPN for secure network access, Certificates for device identity and authentication, and Custom Apps for corporate application deployment.
Library Items Requiring Supervision
Some Library Items only work on supervised devices due to Apple’s security restrictions. These include App Lock for single application mode, Advanced Restrictions for App Store and system app controls, Parental Controls for enhanced content filtering, System Extensions for advanced system modifications, and Kernel Extensions for low-level system access.
Best Practices for Supervision
1. Plan Your Device Strategy - Determine which devices need supervision based on ownership and security requirements.
2. Choose Appropriate Enrollment - Use Automated Device Enrollment for corporate devices and Manual Enrollment for BYOD.
3. Configure Blueprints Accordingly - Create separate Blueprints for supervised and non-supervised devices with appropriate Library Items.
4. Communicate Limitations - Clearly explain to users what management capabilities are available on their device type.
5. Regular Review - Periodically assess whether your supervision strategy meets your security needs.
Troubleshooting Supervision Issues
Device not showing as supervised
Possible causes:
- Device was enrolled through manual enrollment instead of ADE
- Apple Business Manager configuration issues
- Device was reset after initial enrollment
Solutions:
- Verify enrollment method in Iru Endpoint
- Check Apple Business Manager device assignment
- Re-enroll device through ADE if corporate-owned
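The enrollment method can also be confirmed on the Mac itself. The script below is an added example, not part of the Iru Endpoint documentation: it classifies the output of macOS's `profiles status -type enrollment`, and the function name, sample outputs and MDM server URL are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a Mac was enrolled, from the text printed by
# `profiles status -type enrollment`. The output still uses "DEP", the
# former name of Automated Device Enrollment.

# Reads that output on stdin and prints one of:
#   ade           enrolled in MDM through Automated Device Enrollment
#   manual        enrolled in MDM, but not through ADE
#   not-enrolled  no MDM enrollment reported
#   unknown       expected lines missing (unrecognised output)
enrollment_method() {
    awk -F': *' '
        /^[ \t]*Enrolled via DEP:/ { dep = $2 }
        /^[ \t]*MDM enrollment:/   { mdm = $2 }
        END {
            if (dep == "" || mdm == "") print "unknown"
            else if (mdm !~ /^Yes/)     print "not-enrolled"
            else if (dep ~ /^Yes/)      print "ade"
            else                        print "manual"
        }'
}

# Constructed sample outputs (the server URL is a placeholder).
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/mdm'

SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/mdm'

SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

if command -v profiles >/dev/null 2>&1; then
    # On a Mac: classify the live enrollment state.
    profiles status -type enrollment | enrollment_method
else
    # Elsewhere: run against the constructed samples.
    for sample in "$SAMPLE_ADE" "$SAMPLE_MANUAL" "$SAMPLE_NONE"; do
        printf '%s\n' "$sample" | enrollment_method
    done
fi
```

A corporate-owned Mac that reports `manual` matches the first cause listed above and is a candidate for re-enrollment through ADE.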
Restrictions not applying
Possible causes:
- Library Item requires supervision but device is not supervised
- Blueprint configuration issues
- Device compliance problems
Solutions:
- Verify device supervision status
- Check Library Item requirements
- Ensure Blueprint is properly configured
Users removing management profiles
Possible causes:
- Device is not supervised (manual enrollment)
- Users have administrative access
- Insufficient user communication
Solutions:
- Use ADE for corporate devices to prevent profile removal
- Implement user training and communication
- Consider device ownership model
Summary
Device supervision is a fundamental aspect of Apple device management that directly impacts what Iru Endpoint can control on your devices. Understanding the differences between supervised and non-supervised devices helps you choose the right enrollment method for your security requirements, set appropriate expectations for management capabilities, configure Blueprints with compatible Library Items, and communicate effectively with users about device management. For maximum security and control, use Automated Device Enrollment with corporate-owned devices. For BYOD programs, manual enrollment provides essential security while respecting user privacy and device ownership.
Related Documentation
- Configure Automated Device Enrollment - Set up Automated Device Enrollment
- Apple BYOD Management - Configure BYOD enrollment
- Configuring Apple Enrollment - Complete Apple enrollment guide
- Activation Lock - Configure activation lock settings
- Configure Shared iPad - Multi-user iPad setup
- Liftoff - Mac setup experience
- Enrollment Configurations Overview - Authentication and enrollment setup
- Configure Require Authentication for Enrollment - Authentication setup