If you manage Apple devices, "supervision" is one of the most important concepts you need to understand. It's often confused with management, but the two terms do not mean the same thing. In this article, you'll learn what supervision is, how it works, and what you need to know about it when managing Apple devices.
What Is Supervision?
Think of supervision as a hard-coded setting on a device that tells its operating system that it is organizationally owned. Supervision is intended only for devices that are owned by the organization.
As a result of that proof of ownership, Apple grants the organization more management capabilities via MDM than you would get without it; you can think of supervision as a special subset of management. Supervision gives the organization full control over many more settings and configurations than management alone.
For example, on a supervised device you can restrict access to Bluetooth, turn Bluetooth on or off, disable AirDrop, enforce settings such as notifications and wallpapers, and restrict the user from removing apps. Additionally, you can change the state of the device: You can, for example, remotely wipe it, restart it, enable Lost Mode, and more.
How Do I Add Supervision to Devices?
There are two paths to establishing supervision on Apple devices: Apple Business Manager (Apple School Manager, if you’re in the education sector) and Apple Configurator for Mac. The path you choose depends on how you initially obtained the devices you want to supervise.
In general, the easiest way to establish supervision on a device is with Apple Business Manager. You can set up your instance of Apple Business Manager so that any devices you purchase from Apple or an authorized reseller, or through a carrier, are automatically added to your account. (Resellers and carriers may also be able to add your previous order’s devices to your Apple Business Manager instance retroactively.)
Unique identifiers link purchased devices to your account: your Apple Customer Number (if ordering directly from Apple) or your Organization ID and Reseller Number (when ordering through an authorized reseller). To learn more about this, see Apple's support article, "Manage device suppliers in Apple Business Manager".
Once devices are in your Apple Business Manager account and enrolled in your MDM solution using Automated Device Enrollment, they are automatically supervised; no additional configuration is required. As long as the device’s serial number exists in Apple Business Manager and it’s running iOS 13, iPadOS 13.1, tvOS 13, or macOS 10.14.4 or later, it will continue to be supervised. Existing iPhone, iPad, and Apple TV devices will need to be erased and go through Setup Assistant again to benefit from supervision.
Establishing supervision isn’t the only thing that Apple Business Manager enables. It also enables mandatory and locked MDM, preventing users from opting out of the MDM relationship. And it provides tools to manage users’ Managed Apple IDs and Apps and Books, and to generate reports. Best of all, it is free. It can, however, take several days for your account to be approved and activated.
Adding Supervision with Apple Configurator
But what about devices that aren’t in Apple Business Manager? Perhaps you obtained them from an unauthorized online reseller or bought them used, or they were donated to your organization. In cases like this, you can use Apple Configurator for Mac to add iOS, iPadOS, and tvOS devices to Apple Business Manager; you can do the same for Mac computers with Apple Configurator for iPhone. There are two paths to doing so.
First, you can use Apple Configurator (for Mac or for iPhone) to add the devices to Apple Business Manager. But this method has two limitations: The device you’re adding to Apple Business Manager will need to be erased. And there’s a 30-day provisional period once the device is enrolled with MDM, during which the user can remove the device from management, Apple Business Manager, and supervision.
Alternatively, Apple Configurator for Mac can itself supervise iOS, iPadOS, and tvOS devices manually. This is useful if you don't have an Apple Business Manager account (though you really should), Apple Business Manager is not available in your country, or the device is too old. Here, too, devices can't be supervised unless you first erase them.
For more details on all of this, see Apple’s support article, “Add devices from Apple Configurator to Apple Business Manager.”
You should note that there are some differences between platforms when it comes to enabling supervision.
Mac computers that are present in Apple Business Manager can become supervised without Automated Device Enrollment—when a profile-based or manual enrollment workflow is followed instead. However, such Mac computers will not maintain supervision if they are erased. And if the user removes management from such a device, which is possible under those enrollment flows, the Mac will become unsupervised.
If iPhone or iPad devices are manually supervised with Apple Configurator for Mac, they too will become unsupervised when erased, but not when management is removed.
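To check which of these cases applies to a given Mac, the following added example (not from the original article or from Apple) reads the text printed by macOS's `profiles status -type enrollment` and maps it to the persistence rules above. The sample outputs are constructed, and treating "Enrolled via DEP: No" with an active MDM enrollment as the profile-based or manual workflow is this example's assumption.

```shell
#!/bin/sh
# Added example: classify a Mac's enrollment path from the text printed by
#   profiles status -type enrollment
# and map it to the supervision-persistence rules described above.

# Reads the status text on stdin; prints ade, manual, unmanaged or unknown.
classify_enrollment() {
    out=$(cat)
    dep=$(printf '%s\n' "$out" | sed -n 's/^Enrolled via DEP:[[:space:]]*//p' | head -n 1)
    mdm=$(printf '%s\n' "$out" | sed -n 's/^MDM enrollment:[[:space:]]*//p' | head -n 1)
    case "$mdm" in
        Yes*) ;;                              # managed: look at the DEP line next
        No*)  echo "unmanaged"; return 0 ;;
        *)    echo "unknown";   return 0 ;;   # line missing or unexpected format
    esac
    case "$dep" in
        Yes*) echo "ade" ;;
        No*)  echo "manual" ;;                # assumption: managed, but not via ADE
        *)    echo "unknown" ;;
    esac
}

# Turns a classification into the consequence the article describes.
supervision_note() {
    case "$1" in
        ade)       echo "ADE: stays supervised while the serial number is in Apple Business Manager" ;;
        manual)    echo "Profile-based/manual: supervision is lost on erase or if the user removes management" ;;
        unmanaged) echo "Not enrolled in MDM" ;;
        *)         echo "Could not determine enrollment state" ;;
    esac
}

# Constructed sample outputs (not captured from real devices).
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.com/mdm'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.com/mdm'
SAMPLE_UNMANAGED='Enrolled via DEP: No
MDM enrollment: No'

for sample in "$SAMPLE_ADE" "$SAMPLE_MANUAL" "$SAMPLE_UNMANAGED"; do
    supervision_note "$(printf '%s\n' "$sample" | classify_enrollment)"
done
```

On a managed Mac, pipe the real command into the function instead of a sample: `profiles status -type enrollment | classify_enrollment`.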
Supervision of Personal Devices
As you can see, supervision is tightly—but not exclusively—bound to ownership. This raises the question: Can you as an admin supervise somebody's personal device? The short answer is, Yes—but you shouldn't.
Supervision should be reserved for devices owned by the organization, not by users. Supervision is purpose-built to let an organization exert extensive control over the device. Think of it this way: Would you want your IT department to lock your personal device? Enable Single-App Mode and lock it to just one app? Looking at it from that perspective should guide you.
When planning your approach to device management, think about who owns what. If users are using their own devices for work, those devices can be enrolled and managed via MDM to a certain extent. That level of management can provide users with required business apps and data while protecting both user privacy and business data.
If, on the other hand, the device is owned by the organization and enrolled into an MDM solution, you can then supervise it—automatically or manually—and enjoy far more extensive management capabilities.
Supervision is a smart way to separate management capabilities between devices owned by the organization and those owned by the user. As an admin, you can leverage supervision to fully manage devices, taking advantage of all the available MDM commands, payloads, and queries. For users with personal devices (the BYOD model), the limits on supervision allow those devices to stay personal, under their owners’ control, while you still benefit from more limited but necessary management.