Configure Apple Devices in Supervised Mode

Use Apple Configurator 2 to put iOS devices into Supervised Mode, giving you deeper control over device settings. Then deploy a non-removable CleanBrowsing DNS profile to enforce filtering that users cannot disable.

Step 1: Supervised vs Unsupervised Mode

What most administrators don't realize is that, out of the box, what you can control on Apple iOS devices is very limited. Large enterprises get around this by using Mobile Device Management (MDM) platforms, like Mosyle.

Unfortunately, an MDM for smaller organizations, individuals, or non-profits is often not within reach. The good news is there is an alternative, and it's the same technology that these MDMs are built on — Apple Configurator 2.

Apple Configurator allows you to enable and disable features you might otherwise be unfamiliar with. For instance, if you want to disable the ability to use a VPN on a device, this is the best way to do it. Or maybe limit what a user can do in their network settings — this is where you would do it.

Before you begin, here are the differences between Supervised and Unsupervised Mode. Unsupervised mode gives you limited control, while Supervised mode gives you full control. We recommend supervised mode where possible:

Supervised Devices | Unsupervised Devices
Devices can be protected against Factory Reset | Devices can be Factory Reset anytime
AirDrop can be restricted | AirDrop cannot be restricted
Individual Apple IDs not needed for enrollment | Each device needs an Apple ID for enrollment
Unenrollment from MDM is not possible | Unenrollment from MDM is possible
Silent App installation is possible | App installation requires user confirmation
Web content can be filtered | Web content cannot be filtered
App notifications can be controlled | App notifications cannot be controlled
The device can be run in Kiosk mode | The device cannot be run in Kiosk mode
Touch ID can be restricted | Touch ID cannot be restricted
iMessage can be restricted | iMessage cannot be restricted
Screen Time can be restricted | Screen Time cannot be restricted
Home screen wallpaper and lock screen message can be configured by Admin | User can customize home screen wallpaper and lock screen message
Global HTTP Proxy can be configured | Global HTTP Proxy cannot be configured
Game Center Access can be controlled | Game Center Access cannot be controlled

Step 2: Put Device in Supervised Mode

The following steps can be used with any iOS device. You will need a Mac with Apple Configurator 2 installed.

  1. Start Apple Configurator 2 on your Mac
  2. Plug the device you want to manage using a USB / USB-C cable into the Mac with Apple Configurator installed
  3. From the Action menu, choose Prepare
  4. Prepare with "Manual Enrollment" and make sure "Supervise Devices" is selected, then click Next. Note: This step will erase the connected device.
  5. Do not enroll in MDM. Click Next.
  6. Create an organization (name it whatever you like). The name you select will appear on the device as "This iPhone is supervised and managed by [organization name]"
  7. IMPORTANT: When setting up the device, do NOT restore from a backup. Instead, set it up as a new device. If you restore from a backup, the device will no longer be in Supervised Mode.

Step 3: Configure the CleanBrowsing Profile

Once the device has been set to supervised mode, you can prepare the CleanBrowsing profile. You will also need iMazing Profile Editor to modify the profile so it cannot be removed by the user.

  1. Log into your CleanBrowsing Dashboard: https://my.cleanbrowsing.org/login
  2. Navigate to the "Your Network" page: https://my.cleanbrowsing.org/dashboard?page=settings&subpage=network
  3. Choose the profile you'd like to work with
  4. Navigate to the CleanBrowsing DNS Servers section
  5. You will find two options, both designed for iOS devices. The iOS Mobile Config file uses DoH and the iOS Mobile Config for T-Mobile uses DoT. Both should work; however, some networks require a DoT configuration. Download the file locally on the Mac with Apple Configurator installed.
  6. Open the downloaded .mobileconfig file in iMazing Profile Editor
  7. In the left nav of iMazing Profile Editor, choose "DNS Settings"
  8. In the main pane for those DNS settings, scroll all the way to the bottom and select "Prohibit Disablement"
  9. File > Save to save your changes
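
To confirm the saved file really carries the setting before you deploy it, you can audit the profile from the command line. The script below is an added example, not part of the original guide or of CleanBrowsing's tooling. It assumes the profile is unsigned, that the editor's "Prohibit Disablement" option is stored as Apple's ProhibitDisablement key in the com.apple.dnsSettings.managed payload, and it uses a constructed sample profile with a placeholder resolver URL when no file is given.

```python
import plistlib
import sys

DNS_TYPE = "com.apple.dnsSettings.managed"  # Apple's DNS Settings payload type

def audit_dns_profile(data: bytes) -> list:
    """Return problems found in an unsigned .mobileconfig; an empty list means OK."""
    try:
        profile = plistlib.loads(data)
    except Exception:
        return ["not a readable plist (a signed profile must be unwrapped first)"]
    content = profile.get("PayloadContent", []) if isinstance(profile, dict) else []
    payloads = [p for p in content if isinstance(p, dict) and p.get("PayloadType") == DNS_TYPE]
    if not payloads:
        return ["no DNS Settings payload found"]
    problems = []
    for p in payloads:
        name = p.get("PayloadDisplayName", "DNS payload")
        # Assumption: the editor's "Prohibit Disablement" box sets this boolean key.
        if p.get("ProhibitDisablement") is not True:
            problems.append(f"{name}: ProhibitDisablement is not true")
        dns = p.get("DNSSettings", {})
        proto = dns.get("DNSProtocol")
        if proto == "HTTPS":      # DoH needs an https:// resolver URL
            if not str(dns.get("ServerURL", "")).startswith("https://"):
                problems.append(f"{name}: DoH payload has no https ServerURL")
        elif proto == "TLS":      # DoT needs the resolver's hostname
            if not dns.get("ServerName"):
                problems.append(f"{name}: DoT payload has no ServerName")
        else:
            problems.append(f"{name}: unexpected DNSProtocol {proto!r}")
    return problems

def sample_profile(prohibit: bool) -> bytes:
    """Constructed sample profile; the resolver URL is a placeholder."""
    payload = {"PayloadType": DNS_TYPE, "PayloadDisplayName": "Sample DoH",
               "DNSSettings": {"DNSProtocol": "HTTPS",
                               "ServerURL": "https://doh.example.invalid/dns-query"}}
    if prohibit:
        payload["ProhibitDisablement"] = True
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_profile(False)
    for line in audit_dns_profile(blob) or ["OK: DNS payload cannot be disabled by the user"]:
        print(line)
```

Run it with the path to the saved .mobileconfig as the only argument; any line other than "OK" means the profile should be reopened in the editor before it is pushed to the device.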

Note: You can also create additional profiles for other restrictions, like disabling Find My Friends, etc. There are many settings under the "Restrictions" tab which provide much more fine-grained control than standard Screen Time settings. You can have as many profiles as you like — for example, one generic kids profile with set restrictions for all devices and then an additional CleanBrowsing profile for network-specific restrictions.

Step 4: Deploy the CleanBrowsing Profile to the Device

Now that you have the device in supervised mode and have updated the CleanBrowsing profile to prohibit it from being removed, you can push the profile to your device(s).

  1. With the managed device still plugged in, open Apple Configurator 2
  2. If the device has been properly configured, it should appear under the "Supervised" tab
  3. Double-click the device to open and edit it
  4. Choose the Profiles tab from the right pane
  5. From the menu bar, choose Add > Profile, then select the updated CleanBrowsing profile
  6. Disconnect the device and verify everything is working. You should see three things:
    • Under Settings at the top it should say "This iPhone is supervised and managed by..."
    • Under Settings > General > VPN & Device Management, when you click on the CleanBrowsing profile there should not be a button to "Remove Profile"
    • Under Settings > General > VPN & Device Management, when you click on DNS restrictions, only CleanBrowsing should be listed. You should not be able to select "Automatic"

Step 5: Frequently Asked Questions

Q. What if I already have apps and data on my device? Can I back up, prepare in Supervised Mode, then restore from backup?

Sadly, no. Restoring from an unsupervised backup undoes Supervised Mode. However, this does work if you restore to a different supervised iPad (not the same device that the backup was made on). This is workable if you have two or more iPads to work with.

Q. Can I do this without a Mac?

No. Apple Configurator 2 is only available for macOS.

Q. How is Supervised Mode better?

You can enable features in Apple Configurator that cannot be easily defeated. For example, Single App Mode (under Actions > Advanced) is similar to Guided Access, but it cannot be defeated by simply draining the battery and restarting the device. You can do many additional things with Profiles, similar to how enterprises manage their devices.
