How to Set up a Fully Managed Personal iPhone or iPad

Ben

|

Updated September 23, 2025

| Language

If you've ever worked for a company that issued you an iPhone or iPad for corporate use only, you might have noticed that it was configured so that the IT department could manage it remotely. This is referred to as Mobile Device Management where devices are set up as fully managed devices (not just a work profile). Full Device management gives you the most control over setting up restrictions on an iPhone or iPad.

Although managed mode is typically used for businesses, I've gone through the process of setting up my own iPhone as a fully managed device. It's not straightforward at all, so I've created this guide to help others get access to elevated restrictions for personal Apple devices (bring your own devices).

Why Adults Might Consider Managed Mode for Household iPhones and iPads

If you have several different iPhones and iPads in your household that you want to manage, and you prefer to have the advanced controls that an IT department has over corporate devices, full device management can give you the best control over the posture of all your devices. Additionally, mobile device managers tend to work for other operating systems as well. If you aren't a 100% Apple household, you can typically still have a universal management experience.

I originally went down the path of setting up full device management for my personal iPhone & iPad because I wanted to restrict myself from accessing certain websites and apps. Now that I'm a father and the mini IT department of my household, I'm realizing that mitigating the risks posed by each device is a part-time job. 

A few of the devices I'm managing at home

Whether you are considering device management for personal reasons or because you want to mitigate risk within your household, full device management could be an approach you consider.

Here are some of the main reasons why you should manage an iOS device:

• Set device restrictions that cannot be changed from the device itself
• Enable Kiosk mode to turn your iPhone into a "dumb phone" without sacrificing the utility of a smartphone.
  
• Install, delete, or block iPhone apps remotely
• Force the usage of Apple's built-in content filter, which works even with a VPN
• Force DNS settings on any network
• Enforce Parental Controls (screen time) and block access to changing parental control settings (even as an Administrator)

What's the Difference Between Device Management and Supervision?

Managed Mode, which is also called Mobile Device Management, offers similar restrictions to Supervised Mode, although it adds a few more important features:

1. Remote Management: Device Supervision requires physical access to your iPhone connected by cable to your Mac computer, whereas a Managed iPhone can have its settings changed remotely using any web browser logged into your MDM. This allows you to see how the device is being used (like what apps were installed) and to easily push changes (like deleting an installed app). 
2. Profile (rules and settings) Enforcement : After the initial enrollment period, distributed profiles cannot be removed without the use of your Mobile Device Manager.
   
3. Full Feature Unlock: Mobile Device Management has the most control over an iOS device allowed by Apple. Compared to standard and supervised iOS devices, Device Management unlocks more features that you can customize. For example, removing the web browser and enabling the highly restrictive kiosk mode. 
4. Remote App Management: You can see which apps are installed on the managed iPhone in real-time. This means you can easily remove any apps that shouldn't be installed. Furthermore, managing app Allow/Blocklists is fairly tedious using device supervision, but much easier in managed mode. 

Prerequisites

1) Second Apple Device with Apple Configurator

You should have access to either a Mac computer or a second iOS (iPhone, iPad) device that can run Apple Configurator.

Download Apple Configurator from either the iPhone or Mac App Store and make sure your second device can run it.

The app should be available to download from the App Store on an iPhone. You would download this on the second iOS device, not the iOS device you want to fully manage.

You can also install it on a Mac device. We recommend using a Mac.

Please confirm if this can apply to you:

2) Apple Business Manager (ABM) Account 

Apple requires the use of an Apple Business Management (ABM) account in order to use a Mobile Device Manager (MDM). This guide will explain how you can get an ABM account as an individual.

Getting an ABM account can take some time, which is why we recommend Supervising a Device until you get an ABM account approved by Apple.

This is an unfortunate, but necessary requirement imposed by Apple.

Do I need a Business in order to create an Apple Business Manager account?

I've gone through the process of applying as an individual and talked with the ABM support team to get advice for home users who don't have an official business.

You need a DUNS number to get an Apple Business Manager account. This will be addressed in step 1.

3) ManageEngine Account and Free Tier

This setup guide uses the Mobile Device Manager called Manage Engine. The free tier is perfect for home use. The interface is a bit rough, but usable.

Step 1: Get a DUNS Number for Apple Business Manager

A DUNS number is required to get an Apple Business Manager account.

There are two main ways to get a DUNS number:

1. Apply as a business.
2. Pay for one as a developer.

Option 1: Get a free DUNS number by applying as a business

You can obtain a free DUNS number by applying as a business. If you already have a business, this process should be relatively straightforward.

However, you don't actually need a serious business with multiple employees to qualify for an ABM account. A sole proprietorship is an unincorporated business owned and run by one individual. There is no distinction between the business and you (the owner). You don't actually need to create a business or sign any documents to be a sole proprietor.

Option 2: Pay for a DUNS number using the Apple Developer Program

If you can't get a DUNS number applying as a business, your alternative is to pay for Apple Developer Program access. You'll get a DUNS through this process.

Apply for a DUNS Number

For both options, applying for a DUNS Number is very similar.

Apply here and enroll as an individual.

• After several days, I received an email with my DUNS number:

Notice that the business name is just my name. This is common for sole-proprietorships.

Step 2: Apply For an Apple Business Manager Account

Once you've applied for a DUNS number, you will now be able to use the DUNS number to apply for an Apple Business Manager Account.

Enroll in ABM

Verification

Here's what to do when you talk to the Apple representative.

The ABM representatives are very flexible, but are mainly trying to work directly with businesses or individuals who are interested in using ABM for professional reasons.

During my phone call, I literally told the representative:

"I need to lock down my mobile devices for better security and to limit distractions since I work from home".

Step 3: Connect ABM to Manage Engine

Manage Engine is a Mobile Device Manager that you can use to enforce profiles on your iPhone. ManageEngine let's you manage devices on their free tier.

You can assign a specific MDM server to a device that is added to Apple Business Manager. This allows the mobile device manager to control the device.

Sign up for ManageEngine's Free Tier

Connect ABM to ManageEngine

Once you connect Manage Engine to Apple Business Manager, you'll have the option to assign Manage Engine to a device.

Step 4: Back Up Important Data on your iOS Device

ManageEngine will be used to manage settings on your iPhone, but you need to add a device to start.

On the device you would like to connect, you will need to:

1. Hard reset your iOS device
2. Use Apple Configurator to add your device to ABM
3. Sync your ManageEngine and ABM accounts so that ManageEngine can manage the added devices

Supervising an iOS device requires you to hard reset the device. 

Double-check your iCloud sync settings to ensure that you are backing up important data.

Once we start the supervision process and you reset your iPhone for the first time, you won't initially be able restore apps & data during the first-time setup.

You'll select Don't Transfer Apps & Data. 

You'll need to reset your iOS device in order to manage it. You can sign in to iCloud after resetting the device and get access to whatever you sync with iCloud. However, you can't restore a backup during the first-time setup process. 

Ensure that the iOS device you want to manage is syncing with iCloud.

When you sign into iCloud on a newly reset device, you'll have access to these items again.

Disable Activation Lock & Find my iPhone

iOS devices have an activation lock feature, which we temporarily need to disable to manage the device. You will re-link to iCloud after you manage the device.

iOS devices have an activation lock feature, which we temporarily need to disable to supervise the device. You will re-link to iCloud after you supervise the device.

Step 5: Add Device to ABM

(A) Mac Apple Configurator

If you are using a Mac running Apple Configurator as your second device.

To add an iOS device to Apple Business Manager using a Mac computer, you'll need two devices:

• The iOS device you want to manage and add to Apple Business Manager
• A Mac computer that can run Apple Configurator

Get Started:

We'll get started by creating a Wifi profile, which is required so that the MDM can automatically connect and prepare the device once it's reset.

Alternatively, if you plan to use an MDM like Manage Engine, you can copy the enrollment URL from Enrollment > Apple Configurator. You might have to click Configuration Steps and scroll through until you see Enter MDM server and URL.

This process can take a few minutes. You might need to manually connect to WiFi once the device resets.

Login to Apple Business Manager and you should see the device appear after the preparation process finishes.

(B) iPhone Apple Configurator

To add an iOS device to Apple Business Manager using an iPhone, you'll need two iOS devices:

1. The iOS device you want to manage and add to Apple Business Manager
2. A second iOS device that can run Apple Configurator. 

The iPhone on the left is running Apple Configurator. It will be used to add the iPhone on the right to ABM.

Option 1: Scan the image that appears in Setup Assistant.

Apple Configurator scanner on the iPhone

Option 2: Pair Manually

Tap Pair Manually in the lower-left corner of the Setup Assistant, then tap Manual Pairing in Apple Configurator and enter the six-digit code that appears.

Step 6: Sync Added Devices On ABM to ManageEngine

Your Device Should now be visible in Apple Business Manager, but we now need to configure ABM to use ManageEngine.

Your iOS device is set up for management.

Manage Profiles

On Managed iPhones, you will need to enforce restrictions using profiles. These profiles are pushed to your managed devices using ManageEngine.

Create a Device Group in ManageEngine

If you are self-managing, you likely will just need to create one group for your iPhone or iPad. If you are managing for other people, you should create a group for each set of devices that will use the same restrictions.

Create Profile

Profiles are used to configure restrictions on your iPhone remotely. You create these using ManageEngine's interface.

Associate Profile with Device Group

The profile should push to all devices associated with that group within about 2 minutes.

Update and Sync Profile Changes

When making changes to a profile, updates aren't automatically published to devices in your group. Here's how to update profiles so that devices are synced with the latest changes.

Here is another method for upgrading a changed profile:

Your devices should sync with the profile changes.

Recommended Restrictions and Profile Settings

Here are some highlighted configurations that are more useful to home users who want to prevent bypassing filtering/blocking capabilities.

Application restrictions

Consider customizing the following restrictions:

• Users can install unapproved apps (set list of approved apps using MDM)
• Deleting apps
  
• Remove system apps
  
• Download Books content > Erotic content
  

Browser Restrictions

Consider restricting Safari.

Network and Roaming

Connect to Wi-Fi, only if distributed via MDM

Selecting this option will limit the Wi-Fi networks a user can connect to based on the networks you manually define. This is useful if you only want a device to connect to your home internet connection. 

Always on Wi-Fi

Useful if you want to stop a user from switching off of a filter home network connection Wi-Fi to a roaming connection when at home.

Allow users to configure VPN

This setting should be restricted - a VPN should only be configured by the MDM.

Content Ratings

This section isn't as useful, but it's worth showcasing that you can restrict explicit music & podcasts. Note that this setting won't impact third-party apps like Spotify.

Wi-Fi

Optionally, you can configure Wi-Fi settings via the MDM.

For home networks, enter your Wi-Fi name in the Wi-FI SSID field, select WPA/WPA2 security type, then enter your WiFi password.

Combine this with Restrictions > Network & Roaming > Always on Wifi and Connect to Wi-Fi, only if distributed via MDM if you want to significantly restrict internet access to known/filtered internet connections.

Kiosk Mode

Kiosk mode is a powerful profile configuration that lets you narrow down the features a user has access to on the device. You can easily turn your iPhone into a "dumb phone" without sacrificing useful features like maps, camera, email, etc.

After enabling kiosk mode in multi app mode, I've restricted the following iPhone to have access to only a few features.

You can completely customize this as needed using Multi-app mode.

One of the most useful things about Kiosk mode is that you can specifically define what apps a user can see and access. This means that you can set up a filtering app, but make it impossible for the user to access or even see. The app is still running, but it's not visible to the user.

Enable single-app mode if you want to enforce the use of only one kiosk app. This is useful if you are using a parental control kiosk app.

Most commonly: enable multi-app mode to specify exactly what apps the user can see and access.

Hide the MDM app

Content Filtering

You can take advantage of the Screen Time Content Filter built-in to all iPhones.

Allowlist Mode

With the Filter type:Allowlist mode, you can restrict access to all websites except the ones you specify. This is a restrictive approach that is very limiting, but also one of the most thorough ways to narrow down only a few approved websites.

Blocklist Mode

Alternatively, you can toggle on the Filter type: Blocklist and add a list of URLs that should be blocked. 

Manage Apps On Your iPhone or iPad

One of the biggest features that management unlocks on your iPhone is remote management. With remote management, you can:

• Remotely install and enforce apps.
• Force uninstalls a program using your MDM.

Install App Remotely

Remotely force install an app directly on your iOS device without interacting with the device. 

The app should be installed on the device

Block Apps

If you don't see your app in this list, remove any of the applied filters. The default filter just shows the apps that are installed on a device.

Blocked apps will be removed from the device and cannot be reinstalled.

Frequently Asked Questions

How can I prevent an App from getting deleted?

This process varies depending on your goals.

Using Kiosk mode, you can select the apps that the user should have access to. All other apps won't be visible or accessible, but they will still exist on the device.

You can install a filter app that configures your network settings and the user won't be able to delete or stop the app.

In the MDM policy under Restrictions > Applications, you can restrict Deleting apps. 

There's a method for preventing the deletion of apps distributed by MDM, but this requires you to upload an app configuration file. This process is fairly technical right now and I'm working on making it more accessible. 

How do I block VPNs, Proxies, or other apps that configure DNS?

Update the MDM profile Restrictions > Network and Roaming > Allow users to configure VPN:no.

Consider updating the MDM profile to include pre-configured Wi-Fi networks so that the user can only connect to approved Wi-Fi networks.

Using Kiosk mode, you can provide a limited iOS experience without access to all installed apps and capabilities.

Consider configuring the MDM profile Restrictions > Applications > Allow user to download unapproved apps:restrict. This will limit the apps a user can install to a pre-curated list of apps that you've added to Device Mgmt > App Repository.

What are the most restrictive setups?

Kiosk multi-app mode with only the bare essentials enabled or using the single app mode with a parental control kiosk app.

Updating the MDM profile restrictions so that Wi-Fi is always forced on and is limited to the Wi-Fi networks you pre-configured in the MDM profile > Wi-Fi.

Disabling the personal hotspot in the MDM profile >Restrictions > Network and Roaming > Modify Personal Hotspot:No. 

Updating the MDM profile > Web Content Filter and toggling on the Filter type: Allowlistso that only the approved websites can be accessed (everything else is blocked).

Best approach to filtering and blocking content?

Configure the Web Content Filter with websites that should be blocked. Websites added to this blocklist will be blocked even if use iPhone is configured to use a Proxy or VPN. This layer is the hardest one to bypass.

Add a content-filtering app that configures an always-on VPN.

Limit apps that can be downloaded using either multi-app Kiosk mode or by manually maintaining your own app allow/blocklists using the MDM app repository and inventory.