Sharing a Supervision Identity Between JSS and Apple Configurator 2

mhayden
New Contributor III

I didn't see a full write-up on this anywhere, so after working my way through this issue I figured I'd post the solution here for others.

Problem: iPads supervised through DEP cannot have certain actions performed on them by Apple Configurator 2. For example, if you try to save the unlock token for clearing the passcode offline in the future, you will get the following error message from AC2:
"Configurator could not perform the requested action because “iPad” is not supervised by an existing organization.
Import an organization with the identity for the device or click 'Prepare' to erase and supervise the device. All content and settings will be erased. This cannot be undone."

Solution: JSS and AC2 need to share a common supervision identity in order to both pass management commands to the iPads. You need to create a supervision identity in JSS, pass it along to the devices, and import it into any instances of AC2 that you want to be able to manage your iPads.

Steps:
1. Upgrade JSS to at least 9.82. I was on a previous version, which did not have the ability to export the supervision identity.

  1. Create the supervision identity:
    Per the Casper Admin Guide page 473:

    Creating a Supervision Identity
    You can create a supervision identity in the JSS for use with Apple Configurator 2.
    1. Log in to the JSS with a web browser.
    2. In the top-right corner of the page, click Settings.
    3. Click Mobile Device Management. On a smartphone or iPod touch, this option is in the pop-up menu.
    4. Click Apple Configurator Enrollment.
    5. Click the Supervision Identities tab, and then click Edit.
    6. Click New.
    7. Configure the supervision identity using the fields on the pane.
    8. Click Save.

  2. Export/Download the Supervision Identity:
    Quoth the Admin Guide:

    Downloading a Supervision Identity
    You can download a supervision identity from the JSS and add it to the Apple Configurator 2 workstations that you want your devices with the same supervision identity to trust.
    1. Log in to the JSS with a web browser.
    2. In the top-right corner of the page, click Settings.
    3. Click Mobile Device Management. On a smartphone or iPod touch, this option is in the pop-up menu.
    4. Click Apple Configurator Enrollment.
    5. Click the Supervision Identities tab.
    6. Click View next to the supervision identity you want to download.
    7. Click Download.
    8. Click Done.

    You now have a p12 file from your JSS.

  3. Set the Supervision Identity on Your Devices
    a. In JSS, go to Settings > Global Management > Device Enrollment Program
    b. Select DEP Instance > Click Edit > Configure Supervision Identity drop-down menu.

  4. Import the Supervision p12 file into Keychain:
    a. On your AC2 workstation, go to Launchpad > Keychain Access
    b. login keychain
    c. Keys
    d. File > Import Items > select the downloaded p12 file, enter the password you set in JSS
    e. You will now see a key named "JAMF" in your list.

  5. Create the Organization in AC2:
    a. Launch Apple Configurator 2
    b. Apple Configurator 2 menu > Preferences > Organizations
    c. Click the plus button to add a new organization
    d. Fill out the organization information; include info to let you know this is from your JSS
    e. On the Supervision Identity step, select Choose an existing supervision identity and Next.
    f. Click the Choose button, and select the "JAMF Identity" certificate, click Choose.
    g. Click Done. You will now see your JSS in your organization list.

  6. Wipe and re-enroll an iPad through DEP. It will download the new prestage enrollment, with the supervision profile. You can now perform administrative tasks on your DEP iPad through AC2, such as saving the unlock token. The first time you connect an iPad, it will ask you for permission to access the key file.

(Edited to fix typos and formatting)
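
An added example, not part of the original post or of Jamf's documentation: the downloaded p12 carries the private key that lets a workstation act as a supervising host, so it is worth confirming which certificate it holds before importing it in step 4. The file names, password and certificate subject are constructed placeholders; `p12_inspect` and `make_demo_p12` are hypothetical helper names, and the only tool assumed is the `openssl` command line.

```shell
#!/usr/bin/env bash
# Added example: inspect a PKCS#12 identity before importing it into a keychain.

# Print subject, expiry and SHA-256 fingerprint of the certificate in a .p12.
# Returns 2 if the file cannot be opened, 3 if it carries no private key.
p12_inspect() {
    local p12="$1" pass="$2" cert keys
    # -nokeys: read the certificate only
    cert=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys 2>/dev/null) || {
        echo "error: cannot open $p12 (wrong password or not PKCS#12)" >&2
        return 2
    }
    # -nocerts -nodes: key goes to a shell variable only, never to disk
    keys=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null)
    case "$keys" in
        *"PRIVATE KEY"*) ;;
        *) echo "error: no private key in $p12" >&2; return 3 ;;
    esac
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate -fingerprint -sha256
}

# Build a throwaway self-signed identity so the example runs offline
# (constructed data standing in for the file downloaded from the JSS).
make_demo_p12() {
    local dir="$1" pass="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Supervision Identity" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout "pass:$pass" -out "$dir/demo.p12"
    rm -f "$dir/key.pem"   # keep the unencrypted key off disk
}

tmp=$(mktemp -d)
make_demo_p12 "$tmp" 'demo-pass'
p12_inspect "$tmp/demo.p12" 'demo-pass'
```

Run `p12_inspect` against the copy on each AC2 workstation and compare the fingerprint lines; they should be identical everywhere the identity is imported.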

1 ACCEPTED SOLUTION

mhayden
New Contributor III

Please let me know if you see anything that needs updating.


6 REPLIES

mark_buffington
Contributor

Nice write up!

Here is another resource from JAMF for others looking at this process:

Deploying iOS Devices with the Casper Suite and Apple Configurator 2, Version 9.82 or Later

Oops_wasn_t_me
New Contributor II

Good info, mhayden.
Thank you!

RLR
Valued Contributor

@mhayden Thanks for this! I was looking at setting Supervision Identity up with some shared iPads I'm about to set up. I couldn't get it to work even by following the "Deploying iOS Devices with the Casper Suite and Apple Configurator 2, Version 9.82 or Later" guide.

The bit I was missing was this part of your guide:

Set the Supervision Identity on Your Devices
a. In JSS, go to Mobile Devices > PreStage Enrollments.
b. Select your PreStage Enrollment, click Edit, and there is a drop-down where you can associate a supervision identity to your devices that use this enrollment.

This did confuse me as I think you have listed the wrong area on JSS to set this. I couldn't find this drop down box on the PreStage Enrollment page so I opened the Casper Admin guide and scrolled through to the Supervision Identity area and found this:

Adding a Supervision Identity to a DEP Instance
When you add a supervision identity to a DEP instance, that identity is applied to all devices enrolled using a PreStage enrollment that is configured with the DEP instance.
Note: Devices that are already enrolled with the JSS and associated with a DEP instance need to be reenrolled to become associated with the supervision identity for that DEP instance.
1. Log in to the JSS with a web browser.
2. In the top-right corner of the page, click Settings.
3. Click Global Management. On a smartphone or iPod touch, this option is in the pop-up menu.
4. Click Device Enrollment Program.
5. Click the DEP instance you want to add a supervision identity to.
6. Click Edit.
7. Select the supervision identity you want to add from the Supervision Identity for Use with Apple Configurator pop-up menu.
8. Click Save.

The correct area is Settings > Global Management > Device Enrollment Program > Select DEP Instance > Click Edit > Configure Supervision Identity drop-down menu.

Thanks again for this guide!

mhayden
New Contributor III

@RLR - thanks! I mis-remembered that step. I will update the original post to note the correct location.

CasperSally
Valued Contributor II

Another thanks to @mhayden for the great write up. Came in handy for us just starting to test shared device workflow with AC2.