When enrolling your iPhones, iPads, and TVs, there are three different states they can be in. Each enrollment type has important repercussions you should consider based on your team's needs.
1 - SUPERVISED (Automated Device Enrollment)
- Devices purchased through Apple eCommerce can be automatically enrolled in support
- Requires an Apple eCommerce storefront & Apple Business Manager
- Ideal device state
- Device owned by your company, not by an individual
- Supervising an existing device requires erasing it
Supervised iOS devices are ones that Apple acknowledges as being owned by your company. These devices are generally purchased via your custom eCommerce storefront (please get in touch with your account manager if you don't have this configured yet), get routed through your Apple Business Manager account, and then automatically enroll in support during initial setup.
Supervised devices are able to benefit from the full spectrum of management profiles and commands since Apple acknowledges that the devices aren't owned by individuals, but rather your company. If you need to move devices from one supervised MDM to another, it's very likely you'll need to erase them before they can be shifted to a different MDM.
2 - UNSUPERVISED (Device Enrollment)
- Most commonly seen when enrolling devices in management when there was no previous management in place
- Less control than on supervised devices
- Devices are considered owned by individuals, not your company
- Enrollment is simple and does not require devices to be erased unless they were previously supervised
Unsupervised devices are ones that Apple considers owned by individuals, not by your company. This distinction means that Apple restricts what we can control on the device. Unsupervised devices can generally have things added to them (password policy, apps, VPN, Wi-Fi), but cannot have things taken away (restrictions to disable certain features, single-app/kiosk mode, blocking certain apps). Click here for a guide on how to enroll a device as unsupervised.
3 - BYOD (User Enrollment)
- Designed with security & privacy in mind
- Very minimal control over device
- Requires Managed Apple IDs (MAIDs) from Apple Business Manager
- Enrollment is simple and does not require devices to be erased
BYOD devices are ones that offer very minimal management access and control. Only basic profiles can be deployed to these devices, limiting their usefulness in most environments. BYOD enrollment also requires that your organization have Managed Apple IDs configured for any and all users who would enroll a device in this fashion.
Non-invasive profiles that can be pushed to these devices include fonts, Wi-Fi settings, some passcode requirements (not all), and web clips. These devices cannot be targeted with remote lock/wipe commands, device information queries (serial number, etc.), reports of installed applications, and more.
Deployment Strategy Examples
Knowing all of this, here are some examples of ways your company could proceed:
Supervise All Devices
Plan on enrolling all of your devices as supervised. You'll need to work with your team on finding convenient times to erase your iPads & iPhones using Apple Configurator to get them added to your Apple Business Manager for supervision. This workflow is challenging, but it is the best way to ensure all of your devices are behaving the same way from the start.
Supervise New Devices
We'll work together to ensure that all new device purchases will be automatically supervised via Automated Device Enrollment. Your existing devices, however, will be enrolled as unsupervised to avoid workflow disruptions. If you opt for this method, your devices will not all be treated in a uniform fashion - plan on setting a timeline to replace all of your devices to get them all supervised.
Supervised with BYOD
Devices owned by your company can be supervised, and users who need to access certain company-unique controls may enroll their personally-owned devices using a Managed Apple ID. This can be helpful for pre-deploying assets like Wi-Fi and VPN profiles or custom apps.
Here are some more details on what functions are supported on each enrollment type:
Control | Supervised | Unsupervised | BYOD
Requires Managed | - | - | ✅
Deploy Apps | ✅ | Requires user confirmation | Requires user confirmation
Wi-Fi | ✅ | ✅ | ✅
VPN | ✅ | ✅ | ✅
Passcode Policy | ✅ | ✅ | Limited
Remote Wipe | ✅ | ✅ | ❌
Remote Lock | ✅ | ✅ | ❌
Enable Lost Mode | ✅ | ✅ | ❌
Clear Passcode | ✅ | ✅ | ❌
Remote Restart/Shutdown | ✅ | ❌ | ❌
Rename Device | ✅ | ❌ | ❌
Set Wallpaper | ✅ | ❌ | ❌
Run Software Updates | ✅ | ❌ | ❌
Restrict Applications | ✅ | ❌ | ❌
Single-App Mode | ✅ | ❌ | ❌