When connecting a supervised iOS or iPadOS device to iMazing, you may encounter the following error message:
The pairing between {device name} and this computer is prohibited by its supervisor. Please import the supervising organization in iMazing's library to manage this device.
This happens because the device was configured to only pair with hosts (computers) which can provide the supervision certificate. The solution is to import the supervising organization in iMazing, or create an organization from the supervision identity (.p12 or .pfx file).
1. Locating the supervision identity
If devices are supervised via MDM (Automated Device Enrolment, aka DEP):
The admin in charge of configuring automated enrolment may have manually added a certificate to the enrolment profile. MDMs label this property differently: 'Supervising Host Certificates' and 'Supervision Hosts' are two common names. You may have to ask your MDM vendor for help.
If no certificate was configured, it will be impossible to connect already enrolled devices to iMazing, Apple Configurator, the Finder or iTunes. Your options at this stage are to:
a) Re-enrol those devices with the appropriate configuration (devices will need to be erased)
OR
b) Disable the restriction which prevents pairing in your MDM (see section 3: Allow Pairing below)
If devices are supervised locally (with iMazing or Apple Configurator):
The admin in charge of configuring supervision must have created or imported a supervising organization in iMazing or Apple Configurator. The organization can be exported from Apple Configurator or iMazing, and easily re-imported. Please refer to the next section for details.
If you cannot locate the organization or supervision certificate (admin no longer working, no internal documentation...), you will need to erase the device and reconfigure it before you can pair it. Backing up to iCloud is the only valid strategy to preserve data in that case.
2. Importing the supervision identity in iMazing
Please refer to the following guide's section 2.3:
https://imazing.com/guides/how-to-manage-supervised-iphone-ipad#import-org
If you need to export the organization from Apple Configurator, learn about that here:
https://support.apple.com/guide/apple-configurator-2/organization-preferences-cade65abdcd/mac
3. Update your MDM configuration to allow pairing
Pairing can be restricted in two different ways:
a) At enrolment time, specifying Allow Pairing = false in the automated enrolment settings (deprecated in iOS 13 but still widely used)
AND / OR
b) Dynamically after enrolment via the Restrictions payload of a configuration profile. Most MDMs will expose this setting directly, usually in a section labelled Restrictions.
If pairing is restricted at enrolment time, it is permanent and cannot be overridden dynamically. Your only option is to erase and re-enrol with appropriate settings. Backing up to iCloud is a valid data preservation strategy in that case.
If pairing is only restricted dynamically via a configured Restrictions preference, you can disable the restriction in your MDM, and the device should be allowed to pair with any computer once it has received the updated configuration. Be mindful when disabling this restriction, and make sure that you are aware of the implications: Which devices will be impacted? What are the risks in terms of leaking data for your company? Without the pairing restriction, iOS devices can pair with any Mac or PC (provided that the passcode is known), and a full backup can be performed.
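To work out which of these cases applies before changing anything, you can check an exported enrolment profile and configuration profile. The script below is an added example, not iMazing or MDM vendor code. It assumes Apple's documented key names (allow_pairing and supervising_host_certs in the automated enrolment profile, allowHostPairing in the Restrictions payload), which this page does not spell out, and it uses constructed sample data.

```python
import json
import plistlib
from typing import Optional

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type

def restriction_allows_pairing(mobileconfig: bytes) -> bool:
    """False if any Restrictions payload sets allowHostPairing to false.
    Assumes an unsigned .mobileconfig; a signed profile must be unwrapped first."""
    profile = plistlib.loads(mobileconfig)
    return not any(
        p.get("PayloadType") == RESTRICTIONS_TYPE
        and p.get("allowHostPairing") is False
        for p in profile.get("PayloadContent", [])
    )

def assess(enrolment_json: str, mobileconfig: Optional[bytes] = None) -> str:
    """Map the two pairing controls to the outcomes in sections 1 and 3."""
    enrol = json.loads(enrolment_json)
    has_cert = bool(enrol.get("supervising_host_certs"))
    # Restriction set at enrolment time: permanent, cannot be lifted dynamically.
    if enrol.get("allow_pairing", True) is False:
        return "supervision-identity-only" if has_cert else "erase-and-re-enrol"
    # Restriction delivered after enrolment: can be disabled in the MDM.
    if mobileconfig is not None and not restriction_allows_pairing(mobileconfig):
        return ("supervision-identity-only" if has_cert
                else "lift-restriction-or-re-enrol")
    return "any-host-with-passcode"

# Constructed sample inputs (not taken from a real MDM).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": RESTRICTIONS_TYPE, "allowHostPairing": False},
    ],
})
ENROL_OPEN = json.dumps({"is_supervised": True, "allow_pairing": True})
ENROL_LOCKED = json.dumps({"is_supervised": True, "allow_pairing": False})
ENROL_WITH_CERT = json.dumps({
    "is_supervised": True,
    "allow_pairing": False,
    "supervising_host_certs": ["<base64 DER certificate placeholder>"],
})

if __name__ == "__main__":
    print(assess(ENROL_OPEN, SAMPLE_PROFILE))
    print(assess(ENROL_LOCKED))
    print(assess(ENROL_WITH_CERT))
```

A result of "any-host-with-passcode" means that any Mac or PC can pair and take a full backup once the passcode is known, so review it against your data-handling policy.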
4. Further reading
Apple Support Document on managing pairing
iMazing documentation about supervision and restricted pairing