Apple Configurator security
Apple Configurator for Mac features a flexible, secure, device-centric design that lets an administrator quickly and easily configure one or dozens of iOS, iPadOS, and tvOS devices connected to a Mac through USB (or tvOS devices paired through Bonjour) before giving them to users. With Apple Configurator for Mac, an administrator can update software, install apps and configuration profiles, rename and change wallpaper on devices, export device information and documents, and much more.
Apple Configurator for Mac can also revive or restore Mac computers with Apple silicon and those with the Apple T2 Security Chip. When a Mac is revived or restored in this manner, the file containing the latest minor updates to the operating systems (macOS, recoveryOS for Apple silicon, or sepOS for T2) is securely downloaded from Apple servers and installed directly on the Mac. After a successful revive or restore, the file is deleted from the Mac running Apple Configurator. At no time can the user inspect or use this file outside of Apple Configurator.
Administrators can also choose to add devices to Apple School Manager, Apple Business Manager, or Apple Business Essentials using Apple Configurator for Mac or Apple Configurator for iPhone, even if the devices weren’t purchased directly from Apple, an Apple Authorized Reseller, or an authorized cellular carrier. When the administrator sets up a device that has been manually enrolled, it behaves like any other device in one of those services, with mandatory supervision and mobile device management (MDM) enrollment. For devices that weren’t purchased directly, the user has a 30-day provisional period to release the device from one of those services, supervision, and MDM.
Organizations can also use Apple Configurator for Mac to activate iOS, iPadOS, and tvOS devices that have absolutely no internet connection by connecting them to a host Mac with an internet connection while the devices are being set up. Administrators can restore, activate, and prepare devices with their necessary configuration including apps, profiles, and documents without ever needing to connect to either Wi-Fi or cellular networks. This feature doesn’t allow an administrator to bypass any existing Activation Lock requirements normally required during nontethered activation.