When a DEP device is setup, the device is supervised. By supervising a device, in Apple wisdom, ownership by the organization is proven and so additional options for limiting what a device can do. For example, supervised iOS devices that are enrolled in an MDM solution by a DEP portal cannot then be unenrolled. Supervision also allows an MDM to escrow a key that can be used to unlock a device locked by Activation Lock. And there are plenty of restrictions and other management options that Apple makes available on a device owned by an organization rather than an individual. It’s understandable given the massive consumer market served and the desire to preserve a fantastic user experience on devices.
If you purchased iOS devices before DEP was available, then you can still enable supervision on those devices. To do so, we’ll use Apple Configurator 2. Before you do anything, know that this process will wipe a device and reactivate the device. There are a number of reasons for this, including Activation Lock escrow, but the important thing to know is that any time you change the Supervision state on a device (going from DEP to non-DEP, going from Supervised to non-supervised via Configurator) that you will wipe the device.
First, plug in a device you’d like to supervise. Once plugged in, right-click on the device.
Click on Prepare… At the contextual menu you can select Automatic or Manual configuration. Automatic uses DEP. Since we’re supervising because DEP isn’t available to us, I’ll assume you want to use Manual in this screen. Choose that and then click on Next.
At the Enroll in MDM Server screen, here we’re not going to automate the enrollment. But if you have an enrollment certificate you’d like to export so that you can automate enrollment during the preparation step, you can use that here. Click Next to proceed.
Now we’re at the important part (for the purposes of this article at least). Here, at the Supervise Devices screen, you can check the box to “Supervise devices”. This comes with a child option to disable the ability for other devices to pair to the device. Let’s check both, which will Supervise the device while also allowing it to synchronize with computers, and then click Next.
When prompted for the Organization information, choose the Organization you configured when setting up Apple Configurator 2, unless you have multiple organizations/certificates.
Finally, select which options during activation that should be used. Here, you can choose to skip various options during the activation process, letting the iOS activation for new devices require less screens (streamlining deployment) while implementing default settings on devices. These screens include Language, Region, Location Services, Set Up, Move from Android, Apple ID, Zoom, Siri, Diagnostics, Passcode, Touch ID, and Apple Pay. I’m going to leave the setting for the setup assistant to “Show all steps” but you can choose to skip any you’d like to skip.
Click Prepare, unlock your device, and watch it get wiped. If the device is supervised by DEP, the process should fail (don’t try it unless you’re committed to wiping the device) unless you erase the device first.
krypted November 5th, 2015
Posted In: Apple Configurator, iPhone
Apple, Apple Configurator 2, dep, device supervision, MAC, supervise devices without DEP