The type of MDM enrollment you choose when enrolling an Apple device determines how that device will operate and which policies you can apply to the device. When you enroll a company-owned iOS, iPadOS, or macOS device via Apple’s Automated Device Enrollment, the device automatically becomes supervised. Supervision gives you greater control over how your devices are configured and used. You can also create a supervised policy to enforce specific restrictions on using the devices (for example, users are not allowed to play multiplayer games in Game Center or they don’t have access to the App Store).
This article uses the term iOS devices to include iPhones and iPads. For more information on supported MDM enrollment methods, see Choose an MDM Enrollment Method.
Understanding Supervised Devices
These types of company-owned Apple devices can be supervised:
- Company-owned macOS Devices
- Enrolled through Automated Device Enrollment with Zero-Touch Onboarding – This streamlined automatic enrollment creates a supervised, company-owned macOS device that is shipped directly to the user.
- Enrolled through Device Enrollment – If a macOS device was not added to Apple Business Manager (ABM) or Apple School Manager (ASM), you can manually enroll a supervised device by downloading, distributing, and installing your organization’s JumpCloud MDM enrollment profile.
Very few MDM profiles require supervision on macOS, but Software Updates and Kernel Extensions both do. All JumpCloud MDM enrollments for macOS deliver supervision. Any of the macOS policies can be assigned to a supervised macOS device, resulting in a supervised policy.
All macOS devices running macOS (Big Sur) or later automatically become supervised when enrolled in MDM via Device Enrollment.
For instructions on enrolling company-owned macOS devices with Device Enrollment or Automated Device Enrollment, see Adding MacOS Devices to MDM.
- Company-owned iOS Devices
- Enrolled through Automated Device Enrollment with Zero-Touch Onboarding – This streamlined automatic enrollment creates a supervised, company-owned iOS device that is shipped directly to the user. See Adding iOS Devices to MDM.
If an IOS device was previously enrolled in MDM with Automated Device Enrollment and then unenrolled, the device will be Supervised if you then enroll it in Device Enrollment. You do not need to wipe the iOS device before enrolling it with Device Enrollment. For more information on Device Enrollment, see Adding iOS Devices to MDM.
- Enrolled through Apple Configurator 2 – You must have the iOS device in your physical possession and the device must be connected to a macOS device that is running Apple Configurator 2. If you have an Apple TV device, it must be on the same Wi-Fi network and in close proximity to the macOS device. During this process, the device is erased and all data is lost. See Prepare an iPhone, iPad, or Apple TV Manually in Apple Configurator.
If an iOS device does not have Supervision enabled at the time of enrollment, the device cannot have Supervision added to it after the fact.
If you want the iOS device to be supervised but you did not enroll it through Automated Device Enrollment or Apple Configurator 2, you must wipe the device. Simply restoring an iOS device backup from an unsupervised device to the same device does not result in a supervised device.
Understanding Supervised Policies
JumpCloud currently provides one supervised policy for iPhones, the Disable FaceTime policy. For instructions on creating and applying this policy, see Configuring Settings for iOS and iPadOS Devices.