Choose supervision identity
After you’ve associated Profile Manager with either Apple School Manager or Apple Business Manager, you can use Apple Configurator for Mac to configure supervised devices from those programs that have Profile Manager placeholders. This is useful if you want to:
Update the devices to the latest version of iOS or iPadOS
Preload apps, books, and documents
In order to do these, you must use the same supervision identity on both the Mac with Server app running Profile Manager associated with the program, and the Mac computer with Apple Configurator installed.
You need the following to complete the tasks below:
An identity: A certificate and its associated private key are known as an identity. Certificates can be freely distributed, but identities must be kept secure. The freely distributed certificate, and especially its public key, are used for encryption that can be decrypted only by the matching private key. The private key part of an identity is stored in a PKCS12 (.p12) file and encrypted with another key that’s protected by a passphrase.
A supervision identity: A supervision identity is created with Apple Configurator for Mac. It contains the identity and includes the name of your organization—and optionally, a phone number, an email address, and a physical mailing address.
CAUTION: Once you enroll supervised devices with this supervision identity, changing it later requires you to erase, reenroll, and supervise the devices again. The actual name of the identity is often not critical, but you need to standardize on the use of that identity for all instances of mobile device management (MDM) and Apple Configurator for Mac.
Create a supervision identity
You must use Apple Configurator for Mac to create the supervision identity.
Download the latest version of Apple Configurator for Mac from the App Store on a Mac with:
Server app installed
Profile Manager with mobile device management (MDM) enabled
The program token installed
Launch Apple Configurator on the Mac.
Choose Apple Configurator > Preferences from the Apple Configurator menu at the top of your screen.
Click Organizations, then click the Add button to create an organization.
Click Next, enter all information that will appear on the devices, then click Next.
Important: Double-check your information, you won’t be able to change it later.
Do one of the following:
If you don’t have a .p12 file, choose Create a new supervision identity, then click Done.
If you do have a .p12 file you want to use, select “Choose an existing supervision identity,” click Next and choose your identity, then click Done.
Important: Use your own file only if you understand certificate chains and have tested it thoroughly.
Now that you have created the supervision identity, you must export it.
Export a supervision identity from Apple Configurator
In Apple Configurator > Preferences > Organizations, select your organization from the list, click the More button , then choose Export supervision identity to your desktop.
Make sure the format is “Encrypted PKCS12 (.p12).”
Keep the default name or enter a different name for the identity, click Save, then enter a passphrase to encrypt the identity.
You’ll see a file that ends in .p12 on your desktop.
You can now import the supervision identity into the Server app for Profile Manager to use.
Import the supervision identity into the Server app
Open Server app and select Certificates from the list on the left.
Click the Add button , then select Import a certificate identity.
Drag the .p12 file in the window.
Enter the passphrase, click Decrypt, then click Import.
You have now added the identity to the Mac with the Server app installed.
Select the appropriate identity for Profile Manager to use
Now that you’ve added the identity, you must tell Profile Manager to trust it.
In Server app, select Profile Manager from the services list on the left.
Click Configure under Apple School Manager or Apple Business Manager, then click the Supervision tab.
Check “Apple Configurator to configure enrolled devices,” drag the supervision identity into the window, then click Import.
Select the new supervision identity from the pop-up menu and click Done.
Doing so ensures that all devices enrolled with this instance of Profile Manager can be initially configured and supervised with the instances of Apple Configurator that have the same identity installed.
Export the organization identity from Apple Configurator
You can export the organization identity from Apple Configurator to share with other Mac computers with Apple Configurator installed. This spreads out the initial configuration by allowing more than one Mac to configure devices.
Launch Apple Configurator on the Mac.
Choose Apple Configurator > Preferences from the Apple Configurator menu at the top of your screen.
Click Organizations, click the More button , then select Export Organization.
Enter a secure password and click Set Password.
This protects the file from being used by anyone who doesn’t know this password.
Choose a name and location to save the file, then click Save.
Transfer the file to any other Mac with Apple Configurator installed and repeat the task to import the organization.