About DEP Supervision Identities

The Supervision Identity allows pairing with your iOS devices, even if the MDM DEP profile assigned to your devices does not allow pairing with other hosts. The option effectively secures devices while retaining management capabilities with Mobile Access Management.

  • The Supervision Identity is unique to your organization in Mobile Access Management.

  • MAM exports only the "public" component of the supervision; the private key is kept encrypted and is not exportable.

  • Mobile Access Management stores its pairing information in a private database. This operation to permit pairing to MAM does not allow other apps on the same host, such as iTunes or Configurator, to manage the device.

IMPORTANT:

Changes to Supervision Identity profiles can only affect devices during activation.

Therefore, already-activated devices must be erased and reactivated to receive these settings.

This is a imitation of DEP.

The process below preloads MAM's identity to your devices during DEP activation. The identity allows MAM to do more with your DEP devices:

  • Avoids the "Trust this Computer?" prompt. Instead, devices pair automatically with any Launchpad app for your organization, even if your DEP profile prohibits pairing.

  • Set Wallpaper

  • Launch Apps

  • Hide Apps

  • Check In / Check Out

  • Set Restrictions

  • Wait for App Installation

  • Lock or unlock from App

  • Restore a backup, including system settings

  • Removes the "Unpaired. Please reconnect." status message.

Specific instructions for various MDM systems are included below.

NOTE:

These steps are not required for non-DEP ("Manage with Mobile Access Management") deployments.

Step 1: Export the Supervision Identity

  1. In the MAM admin console, navigate to Admin > Supervision Identities.

  2. If your organization does not have a supervision identity, click Create Supervision Identity.

    The supervision identity is created, and indicates its expiry date. Take note of the expiry date for your records.

  3. Click the link to download your supervision identity.

    Click to enlarge

MAM saves a cryptographic file in .cer format. Keep this file for the next step.

Step 2: Import the identity into your MDM

The tasks you perform to import the identity depend on your MDM.

  1. Log into the Workspace ONE Console and ensure you are viewing the correct organization group. Visit Devices > Devices Settings > Apple > Device Enrollment Program. One or more DEP profiles are listed.

    Click to enlarge

  2. Edit the profile which will receive the supervision identity.

  3. Scroll down to the option for Device pairing. Decide whether you want pairing enabled or not.

    Click to enlarge

  4. Click Add and upload the supervision identity file you downloaded from Mobile Access Management in step 1.

  5. Save the profile and exit settings.

    NOTE:

    Imprivata recommends that you re-sync with Apple to ensure Apple has the updated profile. Go to Devices > Lifecycle > Enrollment Status, then click Add > Sync Devices.

    Click to enlarge

NOTE:

The supervision identify for Jamf Pro cannot be exported from the MAM console. Contact Imprivata Support to obtain it.

After you have obtained the supervision identity:

  1. Log in into the Jamf Pro console and navigate to gear icon on upper right hand corner to access All Settings.

  2. Select Device Management > Apple Configurator Enrollment.

    Click to enlarge

  3. Under Supervision Identities, click Edit , then Upload. Upload the .p12 file provided by Imprivata support.

  4. After the file is uploaded, enter the password provided by Imprivata support and click Done, then Save.

    Click to enlarge

  5. From within Settings, go to Global Management > Automated Device Enrollments and select your device enrollment instance. Click to Edit.

  6. Select the Supervision Identity and click Save.

    Click to enlarge

  7. If have more than one instance or site, Navigate to PreStage enrollments and ensure the PreStage enrollment with the applicable instance/site is assigned to the devices that will be used with Mobile Access Management.

    NOTE:

    Imprivata strongly recommends creating a new PreStage enrollment configuration to avoid issues with supervision identity association.

  1. In the Microsoft Intune console, navigate to Device enrollment > Apple Enrollment > Enrollment Program Tokens > Token.

  2. Select your DEP profile, and click Properties > Configure Settings > Sync with computer > select Allow Apple Configurator by Certificate > Upload Certificates.

  3. Upload your supervision identity from Mobile Access Management.

  1. In the Ivanti Endpoint Manager Mobile admin console, click on Devices & Users > Apple DEP to list your DEP connections. Most organizations will have only one DEP connection.

  2. Now list the enrollment profiles by clicking on the number under the column Enrollment Profiles.

    Click to enlarge

  3. Edit the desired enrollment profile. At the bottom of the dialog is a section on Pairing Certificates.

    Click to enlarge

  1. Upload the supervision identity you downloaded in Step 1. Save the profile.

    BEST PRACTICE:

    Imprivata recommends that you re-sync with Apple to ensure Apple has the updated profile. Go to Devices & Users > Apple DEP, then click Check for Updates.

  1. In the Ivanti Neurons console, go to Admin > Device Enrollment Program. This lists the DEP connections (most organization have only one).

  2. Click Actions > Edit DEP Profile. Scroll down to the Certificates section.

    Click to enlarge

  3. Add the .p12 supervision identity you downloaded in Step 1. You may give the identity any name you wish.

    Click to enlarge

  4. Save the profile.

Step 3: Test the Pairing

Pairing records are remembered by the host, and survive device erasures. Testing can easily be contaminated by old data. Follow these steps to make sure you are testing correctly.

Test A (Single Launchpad)

  1. Erase a DEP device and configure it by hand, without using Mobile Access Management. This ensures Mobile Access Management does not grab the pairing record from the erased device.

  2. On your Launchpad choose Reset Launchpad from the File menu (Windows) or Launchpad menu (Mac). This will remove any saved pairing records from that Launchpad. Register the Launchpad when prompted.

  3. Plug in the device to the host. After a few moments, you should see the device show up as “DEP, Limited operations available.” You should not see the trust prompt on the device. This means that Mobile Access Management has successfully paired with the device, without additional prompts.

Test B (Multiple Launchpads)

  1. Begin by resetting the Launchpads on at least two computers. Then register both Launchpads and have the software running.

  2. On computer 1, deploy a DEP-enabled Mobile Access Management workflow to one device. Make sure the device is past all setup screens for the next step.

  3. Plug the configured device into the second computer. After a few moments, you should see the device show up as “DEP, Limited operations available.” You should not see the trust prompt on the device. This means that Mobile Access Management has successfully paired with the device, without additional prompts.

Migrate from an Expiring Supervision Identity

NOTE:

Supported in MAM 7.3 UAT.

In the future, as your supervision identity reaches its expiry date, you must migrate from the expiring one to a new one.

Only create a new supervision identity when the existing one is about to expire. Devices previously provisioned with the existing supervision identity will continue to connect to the Launchpad. Use the new supervision identity to upload into any new or modified MDM enrollment profiles.

NOTE:

Supervision identities cannot be deleted.

Requirements

  • Requires MAM 7.3 and later

  • Requires Launchpads running 7.3 and later. You must upgrade your Launchpads before the existing supervision identity expiration date.

Expected Behavior

The following example describes the scenario:

  • Your organization has an expiring supervision identity. Imprivata notifies you of the pending expiration

  • You create a second supervision identity and add it to your MDM, so that your devices are being supervised by both identities.

  • Over time, the second supervision identity gets pushed to your devices, and eventually all of the devices are supervised by both identities.