
Automated Device Enrollment
Organizations can automatically enroll iOS, iPadOS, macOS, and tvOS devices in mobile device management (MDM) without having to physically touch or prepare the devices before users get them. After enrolling in one of the services, administrators sign in to the service website and link the program to their MDM solution. The devices they purchased can then be assigned to users through MDM. During the device configuration process, security of sensitive data can be increased by ensuring appropriate security measures are in place. For example:
Have users authenticate as part of the initial setup flow in the Apple device’s Setup Assistant during activation.
Provide a preliminary configuration with limited access and require additional device configuration to access sensitive data.
After a user has been assigned, any MDM-specified configurations, restrictions, or controls are automatically installed. All communications between devices and Apple servers are encrypted in transit through HTTPS (TLS).
The setup process for users can be further simplified by removing specific steps in the Setup Assistant for devices, so users are up and running quickly. Administrators can also control whether or not the user can remove the MDM profile from the device and ensure that device restrictions are in place throughout the lifecycle of the device. After the device is unboxed and activated, it can enroll in the organization’s MDM solution—and all management settings, apps, and books are installed as defined by the MDM administrator.
Apple School Manager and Apple Business Manager
Apple School Manager and Apple Business Manager are services for IT administrators to deploy Apple devices that an organization has purchased directly from Apple or through participating Apple Authorized Resellers and carriers.
When used with an MDM solution, administrators can simplify the setup process for users, configure device settings, and distribute apps and books purchased in Apple School Manager and Apple Business Manager. Apple School Manager also integrates with Student Information Systems (SISs) directly or using SFTP, and Apple School Manager and Apple Business Manager can use System for Cross-domain Identity Management (SCIM) or federated authentication with Microsoft Azure Active Directory (Azure AD) so administrators can quickly create accounts.
Devices with iOS 11 or later and tvOS 10.2 or later can also be added to Apple School Manager and Apple Business Manager after the time of purchase using Apple Configurator 2.
Apple maintains certifications in compliance with the ISO/IEC 27001 and 27018 standards to enable Apple customers to address their regulatory and contractual obligations. These certifications provide our customers with an independent attestation over Apple’s Information Security and Privacy practices for in-scope systems. For more information, see the Apple Support article Apple Internet Services Certifications.
Note: To learn whether an Apple program is available in a specific country or region, see the Apple Support article Availability of Apple programs for education and business.
Device supervision
Supervision generally denotes that the device is owned by the organization, giving them additional control over the device’s configuration and restrictions.
iPhone and iPad devices with iOS 5 or later and Apple TV devices with tvOS 10.2 or later become supervised by:
Using Apple Configurator 2 to supervise the device. During this process, the device is erased and all data is lost.
Enrolling the device in an MDM solution and selecting supervision as part of the enrollment process
Mac computers can be supervised if they:
Are running macOS 11 and are enrolled in MDM using device enrollment
Are upgraded to macOS 11 and the enrollment in MDM was a user approved MDM enrollment
Are running macOS 10.14.4 or later and:
    The devices’ serial numbers appear in Apple School Manager or Apple Business Manager
    Are enrolled in an MDM solution using Apple School Manager or Apple Business Manager
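The Mac conditions above, written as a check over the text printed by `profiles status -type enrollment` (an added example, not Apple's code). It assumes that "Enrolled via DEP: Yes" corresponds to enrollment through Apple School Manager or Apple Business Manager, that "(User Approved)" marks a user approved MDM enrollment, and that versions after macOS 11 behave like macOS 11; the function names, sample status text and server URL are constructed.

```shell
# Added example: apply the Mac supervision conditions to enrollment status text.

# ver_ge A B: succeed when dotted version A >= B (first three components).
ver_ge() {
    va=$1 vb=$2
    for _i in 1 2 3; do
        x=${va%%.*} y=${vb%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
    done
    return 0
}

# field NAME TEXT: print the value that follows "NAME: " in TEXT.
field() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

# supervision_state OS_VERSION STATUS_TEXT -> not-enrolled | supervised | unsupervised
supervision_state() {
    os=$1
    dep=$(field 'Enrolled via DEP' "$2")
    mdm=$(field 'MDM enrollment' "$2")
    case $mdm in Yes*) ;; *) echo not-enrolled; return 0 ;; esac
    # Before macOS 10.14.4 none of the listed conditions can hold.
    if ! ver_ge "$os" 10.14.4; then echo unsupervised; return 0; fi
    # Assumption: DEP enrollment == serial in ASM/ABM and enrolled through it.
    if [ "$dep" = Yes ]; then echo supervised; return 0; fi
    # macOS 11 (assumed: and later): a user approved enrollment is enough.
    if ver_ge "$os" 11; then
        case $mdm in *"User Approved"*) echo supervised; return 0 ;; esac
    fi
    echo unsupervised
}

# Constructed sample status text (not captured from a real device).
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.com/checkin'
SAMPLE_UAMDM='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.com/checkin'

for v in 10.14.3 10.15.7 11.6; do
    echo "$v ADE:   $(supervision_state "$v" "$SAMPLE_ADE")"
    echo "$v UAMDM: $(supervision_state "$v" "$SAMPLE_UAMDM")"
done
```

On a managed Mac, the same function can be called as `supervision_state "$(sw_vers -productVersion)" "$(profiles status -type enrollment)"`.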
The following devices are supervised automatically when enrolled in Apple School Manager or Apple Business Manager:
iPhone and iPod touch with iOS 13 or later
iPad with iPadOS 13.1 or later
Apple TV with tvOS 13 or later
Mac computers with macOS 10.14.4 or later
Important: If the user knows the passcode, iPhone and iPad devices that aren’t supervised can have manually installed configuration profiles removed, even if the option is set to “never.” Manually installed configuration profiles for Mac computers can be removed using the profiles command-line tool, or System Preferences if the user knows an administrator’s user name and password. As of macOS 10.15, like on iOS and iPadOS, profiles installed with MDM must be removed with MDM, or they are removed automatically upon unenrollment from MDM.