When setting up a new MDM, it is best to first envision the goals that you would like to achieve through its deployment. Objectives vary by client, but securing devices against theft and clearing the Activation Locks left on former employees' devices (Apple IDs / Google Accounts) are two of the most common. However, many of our clients are surprised to find out that their MDM cannot perform these tasks (and more) by default. Enrolling devices in supervised mode is the key to accessing an MDM's most powerful tools.
What is Supervised Mode?
Supervised mode is a device state, set when the device is activated, that marks it as owned by your organization rather than by the person using it. The manufacturer's enrollment program is what certifies that ownership, and the MDM gains privileges as a result that are withheld on personal devices: administrators can restrict access to apps, prevent users from removing enrollment, push remote updates, bypass Activation Lock, and more. (Android's equivalent is a fully managed device, also called device owner mode.)
How Does Supervised Mode Work?
Supervision is made possible by what we call Zero-Touch Enrollment Programs (ZTEP): Apple Business Manager / Apple School Manager with Automated Device Enrollment (formerly the Device Enrollment Program, DEP) on the Apple side, and Android zero-touch enrollment on the Google side. We like to think of these as free receipt catalogues kept by the manufacturer: your reseller or carrier registers each device's serial number to your organization at purchase, proving that you are the original owner. When a registered device is activated, it contacts the manufacturer's enrollment service, finds the enterprise configuration you assigned in the catalogue, downloads the correct MDM enrollment profile, and requires the user to complete enrollment inside the initial setup wizard before the device can be used. ZTEPs are free, so we recommend setting them up even if you do not have an MDM yet: devices bought in the meantime are registered to you, and you can attach an MDM later with ease.
What Can Supervised Mode Do?
Supervised mode grants additional privileges to administrators, giving them better control and oversight of their enterprise mobile device fleet. While the exact capabilities will vary depending on the device and operating system, here are a few of the many things that can be accomplished through supervised mode:
- Activation lock bypass
- Restrict access to apps or grant access to specific apps
- App lock (Single App Mode) and Kiosk Mode
- Silent app installations and updates
- Enable Lost Mode to track, lock, and/or wipe devices
- Push remote OS updates
- Enable additional restrictions
- Implement geofencing
- Restrict hardware features like the camera or screen capture to protect sensitive data
- Enforce encryption
- Prevent data leaks with feature restrictions (e.g. clipboard, cut and paste, and printing)
Pros and Cons of Supervised Mode
Below we have outlined the more notable pros and cons of enrolling a device in supervised mode.
Supervised Mode Pros
- Prevent management from being removed from the device.
  - Without supervision, the user can open Settings and remove the management profile at any time. Supervision prevents this.
  - The device stays secured through a factory reset, because enrollment is required during the initial setup wizard. Even if the user or a third party wipes the device, it is like Groundhog Day: they keep wiping it, we keep securing it.
  - If you also require users to sign in at the time of enrollment, stolen devices become unusable: a thief cannot get past the initial setup screen without company credentials.
- Simplicity via zero-touch enrollment.
  - Enables automatic enrollment of devices, one step towards "set it and forget it."
  - Without zero-touch enrollment, the user or an IT member would need to manually enroll each device by downloading an agent and signing in, scanning a QR code, accepting an invitation via email / text, etc.
- Activation Lock management
  - Prevents devices from staying locked to a departed user's Apple ID or Google Account.
  - Without supervision, the MDM cannot clear an Activation Lock left behind by a user's account. Supervision allows this.
  - Enables devices to be reused consistently.
- Security management
  - If a device is lost or stolen, Lost Mode can be activated to lock down the device.
  - Devices can be remotely shut down or restarted.
- Application management
  - Applications can be silently pushed or revoked without user intervention.
  - Enables application distribution without using an end user's App Store account.
  - With a higher security goal, it can also remove the need for the App Store altogether, allowing you to block the App Store if desired.
  - Supervision also lets you block or allow specific applications: users get everything except a blocked list, or only an allowed list.
- OS management
  - Updates can be delayed, or force-deployed to devices.
  - Enables management of OS compatibility with company applications.
- Additional restrictions
  - Enables the restriction options that require device supervision.
  - Enables more data leakage prevention strategies.
  - Enforce connection to secure company Wi-Fi or VPN.
  - Policy enforcement.
  - Bottom line: without supervision, the stronger restrictions are simply not available.
Supervised Mode Cons
- Devices already in use must be wiped to be enrolled in supervised mode.
  - If the device is already deployed, an IT person (or LINQ) will need to help make sure the user's data is backed up first.
- Supervision is not appropriate for devices users bring themselves. Personally owned devices should stay on an unsupervised enrollment, so a mixed fleet needs two enrollment paths.
- Recycling devices for trade-in value, or selling/giving devices to employees, takes added steps to release (disown) the devices from the ZTEP.
- Zero-touch is not actually zero-touch for everyone, but it is far more streamlined for users and can be completely zero-touch for the admin.
The Catch – You Have to Begin with the End in Mind
Aside from unlocking supervised mode, zero-touch also lets you set up automatic enrollment of devices through the initial setup wizard. The flip side is that a device can only enter supervised mode during that initial setup, while utilizing a ZTEP. Enrollment through the MDM's default methods will not yield a supervised device; these non-supervised methods include downloading an agent to sign in, scanning a QR code on a device that is already set up, accepting an invitation via email / text, etc. (On Apple devices, Apple Configurator can also supervise a device, or add a device that was not bought through a participating reseller to Apple Business Manager, but only on a device that has been erased, so the rule holds: supervision requires a wipe. On Android, the equivalent of supervision is a fully managed device, which likewise can only be set up on a factory-reset device.) Setting up a ZTEP does not retroactively supervise the devices you have already issued: you can turn on supervision for new purchases without touching them, but the previously issued devices remain unsupervised until they are factory reset and re-enrolled. Likewise, you can have supervision turned on without using the MDM's higher security features.
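To find out which Macs actually ended up supervised (the "how does it work" section above describes the enrollment that should have happened; this section describes the devices that must be wiped because it did not), here is a small shell check. It is an example added for this post, not LINQ's own tooling. It classifies the output of Apple's `profiles status -type enrollment` command, which reports whether a Mac was enrolled through Automated Device Enrollment ("Enrolled via DEP") and whether an MDM profile is installed. It assumes macOS 11 or later, where enrollment through Automated Device Enrollment implies supervision; the sample outputs in the block are constructed, not captured from real machines.

```shell
#!/bin/sh
# Classify a Mac's MDM enrollment from the output of
#   sudo profiles status -type enrollment
# (a real macOS command; this wrapper is an added example, not LINQ tooling).
# Assumption: macOS 11 or later, where the line "Enrolled via DEP: Yes"
# (Automated Device Enrollment) implies the Mac is supervised.
#
# Reads the command output on stdin and prints exactly one word:
#   supervised       enrolled through ADE and an MDM profile is installed
#   dep-without-mdm  enrolled through ADE but the MDM profile is gone
#                    (removed, or enrollment never finished); run
#                    `sudo profiles renew -type enrollment` to bring it back
#   unsupervised     MDM profile installed by a manual method (agent download,
#                    emailed link, etc.); needs a wipe to become supervised
#   unmanaged        no MDM profile at all
classify_enrollment() {
  dep=no
  mdm=no
  while IFS= read -r line; do
    case "$line" in
      "Enrolled via DEP: Yes"*) dep=yes ;;
      "MDM enrollment: Yes"*)   mdm=yes ;;
    esac
  done
  if [ "$dep" = yes ] && [ "$mdm" = yes ]; then
    echo supervised
  elif [ "$dep" = yes ]; then
    echo dep-without-mdm
  elif [ "$mdm" = yes ]; then
    echo unsupervised
  else
    echo unmanaged
  fi
}

# One tab-separated line "<hostname> <verdict>" for a saved report file
# ($1 = hostname, $2 = file holding that Mac's `profiles status` output),
# so reports collected from many Macs can be scanned in one loop.
report_line() {
  printf '%s\t%s\n' "$1" "$(classify_enrollment < "$2")"
}

# Stand-alone demo on constructed samples (no root and no real Macs needed).
# On a real Mac run:  sudo profiles status -type enrollment | classify_enrollment
printf 'Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)\n' | classify_enrollment
printf 'Enrolled via DEP: No\nMDM enrollment: Yes (User Approved)\n'  | classify_enrollment
printf 'Enrolled via DEP: Yes\nMDM enrollment: No\n'                  | classify_enrollment
printf 'Enrolled via DEP: No\nMDM enrollment: No\n'                   | classify_enrollment
```

Anything the check reports as `unsupervised` is a device that will need the wipe-and-re-enroll described above before the supervised-only restrictions apply. Note that "MDM enrollment: Yes" without "(User Approved)" means a manually installed profile has not yet been approved in System Settings, which limits the MDM even further; the check treats it as unsupervised either way.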
Typically, we only see non-supervised enrollments as a best practice when the organization does not own the device. Even if your organization is not concerned with some of the features we listed, we still recommend setting up devices with supervision, as the user has ultimate control of the device without it. If you are first setting up your MDM, we urge you to set up supervision from the start. After all, supervision gives you more options, not requirements.
One of your first goals when setting up an MDM should be to achieve supervision by setting up a ZTEP and connecting it to your reseller / MDM for automatic enrollment. The tools enabled by supervision are key to managing your mobile fleet, and if you are currently operating without them, this should be a game changer. Supervision is a no-brainer; make sure you are not caught without it.
LINQ Tech Team