How to Lock Down Your Teen's iPhone the Right Way (Step by Step)

The core is two layers, and this guide sets up both:

1. Supervision turns the phone into one you actually control, instead of one that politely asks. You turn it on once, with a Mac.
2. An MDM is the remote control. It's how you send the phone commands (block this app, lock the phone, apply a filter) from anywhere, in seconds. You use it to build your rules: blocked apps, the factory-reset block, and more.

That core gets you a genuinely locked-down phone for about four dollars a month. Then, whenever you're ready (another sitting is completely fine), there are two optional upgrades, both linked at the end:

• The bedtime lock turns the phone off at night with one tap, or on an automatic schedule. This is the one most parents say changed their evenings.
• NextDNS is a heavier web filter that explicitly blocks and logs porn, ads, and malware across every app. Your supervised rules already do basic filtering; this is the stronger layer.

Set up the core below, in order.

You don't need an IT background. Here's every piece of jargon you'll hit, translated once:

• Supervision: a built-in iPhone mode (the same one schools and companies use) that unlocks the real controls. Apple turns most controls off unless a phone is supervised.
• MDM (Mobile Device Management): the service that sends commands to the phone. You'll rent one for about $4/month. I use SimpleMDM.
• Apple Configurator: Apple's free Mac app. It's the only thing that can switch supervision on, and it needs the phone plugged in with a cable.
• Configuration profile (.mobileconfig): a small settings file that carries your rules (blocked apps, the web filter). Your MDM pushes these to the phone.
• DNS / NextDNS: DNS is the internet's phone book that turns a website name into an address. Filter the phone book and you block bad sites everywhere at once, in every app, not just Safari. NextDNS is the service that does it, and it's the optional web-filter add-on at the end.
• ABM (Apple Business Manager): an optional, free Apple account that makes supervision permanent (survives a factory reset). Only needed for a determined teen. More at the end.
• Lost Mode: the MDM command that locks the phone cold, a real lock and not a nudge. This is your nightly shut-off (automating it on a schedule is the bedtime-lock add-on).
• eSIM: the phone's SIM card, but software instead of a physical chip. Matters mostly for the hand-down guide, not here.

Younger or cooperative kid: supervise with Apple Configurator, set up MDM, and skip ABM. No business account, no paperwork. You get all the real controls. The catch is that this path has two ways out if a kid goes looking: a factory reset undoes supervision (and the restrictions step blocks the easy in-Settings version), and removing the management profile in Settings drops your MDM controls (the phone stays supervised, but your rules stop until you re-enroll it). Neither is obvious to a younger kid. ABM closes both, which is the whole point of the determined-teen upgrade below.

Older, determined, or tech-savvy teen: set up ABM first (one to two weeks for approval), then run these same steps with ABM switched on. That makes supervision survive a factory reset and the management profile impossible to remove. Start the approval now, see the note below.

Not sure which path fits? See the three ways side by side, what each one buys you and what it costs, then come back here.

BrianFor my own teenagers I went the full distance, Configurator plus ABM, because I knew I would sleep better at night knowing the phones were fully locked down when I needed them to be. If yours are younger and not likely to factory reset their way out of the controls, the simpler path is plenty.

Thinking about ABM? Decide and start it before you do anything else. ABM is the upgrade that makes supervision survive a factory reset and the management profile impossible to remove. It only goes on during the Configurator erase below (one checkbox), and the account approval takes about one to two weeks, so it has to be ready beforehand. You can't add it after the phone is set up without redoing the whole erase and restore. Not sure? It's perfectly fine to run the common no-ABM path first and see if it's enough for your family, just know that choosing ABM later means doing this once more. If you do want it, jump to the ABM section at the end now, start the approval, and come back here once it's in hand.

What you need: a Mac, a USB cable, and a willingness to erase the phone once (your data comes back from iCloud).

If you take one thing from this: unsupervised controls barely do anything, and your kid can peel them off in Settings in about ten seconds. Supervision is the switch that turns roughly 70 weak settings into 200+ real ones.

Only a supervised phone lets you:

• Block specific apps by name, including ones you already approved.
• Block the factory reset your kid would use to wipe your controls.
• Push a web filter and DNS silently, with no "Allow?" prompt for them to decline.
• Prevent removing apps, adding/removing accounts, and creating a VPN to tunnel around the filter.

That's why every step below starts with supervising the phone. Skip it and none of the rest sticks.

Do these before you erase anything. Each one has personally cost me time.

Setting up the phone your kid already uses? The setup erases it, so the only thing that matters is a complete, current backup. Run a fresh iCloud backup right before you start and confirm it reads "just now." A few things don't ride along in an iCloud backup: authenticator / 2FA app codes, and Signal or WhatsApp history. If your kid uses any of those, migrate them separately first.

1. Confirm you have the kid's Apple ID password. Test it at appleid.apple.com right now.
2. Handle two-factor first. Add a trusted phone number or generate a recovery key, or you can get locked out after the wipe. If the phone's own number is the only trusted number, fix that before you start.
3. Turn off Find My iPhone. Otherwise Activation Lock blocks setup and you're stuck.
4. Confirm iCloud is fully synced (Photos, Messages, etc.) so nothing is lost in the erase.
5. Check for a school profile. A phone can hold only one management profile at a time. If the school already manages it, yours won't install. You'll have to sort that with the school first.

This is the one step that requires the cable and the Mac. What follows is the no-ABM path, the sweet spot for most families: every real control, no Apple business account, no paperwork. Going the ABM route for a determined teen? You'll have set the ABM account up already (see the ABM section at the end), and you simply check Add to Apple Business Manager in the next step instead of leaving it off. Everything else is identical.

1. Connect the phone to your Mac with a USB cable and open Apple Configurator.

2. Select the device, then Actions → Prepare, and choose Manual Configuration.

3. Leave "Add to Apple Business Manager" unchecked for the common no-ABM path. (Going the ABM route? You'd have set up the account already, and you'd check this box instead, see the ABM section at the end.) Keep "Supervise devices" checked. This local path needs no Apple account at all. While you're here, decide on "Allow devices to pair with other computers", unchecking it is the more locked-down choice for a kid's phone, and you can't change it later without re-prepping. I left it checked.

4. Prepare shows an "Enroll in Device Management" screen early on. Choose "Do not enroll in MDM." This is deliberate: you sign up for the MDM and enroll the phone in the steps right after this one, by opening an enrollment link in Safari on the phone. There's nothing to pick here yet, so skip past it.

5. At the Assign to Organization screen, click New Organization (Important note: if you're not using ABM for this walk-through, skip the next screen asking you to sign in to Apple Business/School Manager. If you are using ABM, then you'll sign in on the next screen).

6. On the Create Organization screen, the only field that matters is the organization name: it's just a label that becomes the "Supervised by your name" line at the top of the phone's Settings, so your family name is perfect. Any phone, email, or address fields can be left blank or filled with anything, since there's no Apple verification for a local org.

7. When prompted, choose Generate a new supervision identity. Configurator makes a self-signed one and stores it on your Mac, so reuse the same organization and identity for every phone you set up (changing it later forces another erase).

8. On the Configure iOS Setup Assistant screen with a ton of options to check or uncheck, I just left the defaults. This is what controls the setup screens that will come up when you set up the phone after preparing it for supervision. Nothing here is critical.

9. Click Prepare and let it run. This erases the phone and reinstalls iOS (about 10 to 20 minutes). Keep the Mac awake and plugged in, and don't unplug until Configurator says it's done and the phone is back at the Hello screen. It comes back supervised.

1. When the preparation is complete you'll see a screen with a new iPhone layout on it. You'll also see the welcome screen on the iPhone itself. The iPhone is now ready to get set up and it's in supervised mode. At this point you can unplug the cable and close Configurator.

2. Now you just walk through the Apple Setup Assistant on the phone like you would with any new phone. You'll sign in with the kid's Apple Account, and around that point Setup Assistant offers to bring over your data. Choose Restore from iCloud Backup to bring everything back. (On a brand-new phone, or a test phone with nothing to restore, you can skip this and set it up clean.)

The restore happens during Setup Assistant, not after. When Setup Assistant offers to restore or transfer your data (right around the Apple Account sign-in), choose Restore from iCloud Backup (or Quick Start from the old phone). Signing into iCloud after you've already reached the home screen is not a restore, you'll land on a blank default layout with none of your apps and have to erase and start the whole thing over. Heads up: Apple renames this screen between iOS versions ("Apps & Data," "Transfer Your Apps & Data," "Restore or Transfer Your Data and Apps") and shuffles where it falls relative to signing in, so don't hunt for one exact title. Just take the restore-from-iCloud option whenever it appears.

"iPhone Partially Set Up"? Tap "Continue with Partial Setup," not "Erase and Start Over." This screen is normal right after a Configurator supervise, not a sign anything went wrong. Because the phone was just restored and prepared over the cable, iOS sometimes thinks its setup is half-finished. Continue with Partial Setup lets you finish onboarding with supervision intact. Erase and Start Over wipes the phone and strips the supervision you just applied, dropping you back at square one in Configurator. Unplugging the phone the moment Configurator says it's done makes this less likely to show up.

Congratulations! Your kid's phone is now supervised! Much of the restore process happens in the background, so it may take a while for all of the photos, notes, iMessages and apps to come back, but it will look and feel the same as it did before the supervision, with the added benefit of adding controls in the next steps of this guide. You can open the settings app on the phone to see the supervised message at the top.

1. Create a SimpleMDM account (about $4/month; I landed there after testing Mosyle).
2. SimpleMDM needs an APNs push certificate before it can talk to any device. This is the handshake that lets Apple deliver your commands to the phone. SimpleMDM lays out the steps on a "Just one more step" screen:

3. Click the link to download the certificate signing request file from that screen, then open the Apple Push Certificates Portal and sign in with your Apple ID.

4. Click Create a Certificate, upload the request file you just downloaded, then download the certificate Apple hands back.
5. Back on the SimpleMDM screen, choose that downloaded certificate under Certificate File, type the Apple ID you used (SimpleMDM saves it to remind you at renewal), and click Upload.

BrianOne detail that matters more than it looks: whatever Apple ID you use here, you renew this certificate with the same one every year (SimpleMDM emails you when it's due). Lose access to that Apple ID and you can't renew, and the only fix is a brand-new certificate, which un-enrolls every device on the old one and means re-enrolling the phone from scratch. The good news for a parent: a personal Apple ID you'll keep forever is exactly right here. The "use a dedicated company account" advice you'll see online is for businesses where employees come and go, not for your own family. Just jot down which Apple ID you used.

1. In SimpleMDM, go to Devices → Enrollments. SimpleMDM already created a Default group enrollment, so there's nothing to set up here.

2. Click Default to open it. The Enrollment Info tab shows a QR code and the enrollment link. On the kid's phone, open the Camera app and point it at the QR, then tap the link that appears.

3. The link opens a SimpleMDM page with a Download Enrollment Profile button. Tap it.

4. Tap Allow when the phone asks whether to download a configuration profile.

5. A Profile Downloaded message appears. Tap Close.

6. Open the Settings app. Near the top is a Profile Downloaded row (with a banner noting the phone is supervised and managed). Tap it.

7. Tap Install (top right), enter the phone's passcode if asked, then tap Install again on the Warning screen that explains the MDM can manage the phone. You'll land on Profile Installed.

8. Back in SimpleMDM under Devices → Devices, the phone appears with a green Enrolled status, in the Default device group. (It may briefly read "awaiting enrollment" until it checks in.) Assign the profiles you build next to that group, or to the device directly, and they push automatically.

Once it's enrolled and supervised, restrictions actually enforce.

BrianThis was the moment it clicked for me. I blocked the camera from my laptop and watched the icon disappear off the phone in seconds, then blocked a test domain and saw it fail to load instantly. After months of Screen Time guesswork, seeing a command just land was a little jarring.

This is where supervision turns into actual rules. In SimpleMDM, rules live in profiles (under Configs → Profiles) that you create once and then assign to the phone or to its device group. Here's the whole pattern, using a Block Apps profile as the worked example:

1. Go to Configs → Profiles and click Create Profile. (A new account starts with none.)

2. To block apps, choose the App Restrictions type. Name it (I used "Block Apps"), set Restriction Type to Do not allow listed apps, then use Add Apps to list each one by name or bundle ID (the example blocks Chrome, Apple Games, and TV). Click Save. Notice it requires Supervision, which is exactly why supervising came first.

3. Now assign it. Open Devices → Devices → your iPhone, switch to the Profiles tab, and click Assign Profile.

4. Click Assign next to Block Apps. It pushes to the phone in seconds. (Assigning to the Default group instead applies it to every phone in that group, handy if you set up more than one.)

Build the rest of your rules the same way (most live under the Restrictions profile type). The ones that matter most:

• Blocked apps: block by name, including apps you previously approved.
• Prevent removing apps so they can't delete the ones carrying your controls.
• Prevent "Erase All Content and Settings" (the factory-reset block).
• Prevent VPN creation so they can't tunnel around the web filter.
• Prevent account changes and prevent pairing with a computer, for a determined teen.
• A web content filter (Apple's built-in one; the heavier NextDNS filter is an optional add-on at the end).

Block an app and watch it vanish from the home screen in seconds. Unblock it and watch it come back. That responsiveness is the whole point, and it's night and day from Screen Time. Commands land in seconds when the phone is online; if it's offline they queue and run the moment it reconnects.

To see what Lost Mode can do, you can test it manually using the SimpleMDM dashboard. Open Devices → Devices → your iPhone and click the Actions dropdown and select Enable Lost Mode. Type a message in the dialog (I use "Bedtime") and click Enable Lost Mode. Within a few seconds the iPhone will lock to a single screen displaying Lost iPhone, and whatever message you typed. Lost Mode is a real lock, not a nudge, and it's a supervised-only command.

Once the phone is in Lost Mode, you should see a button to disable Lost Mode on the device details screen. (Note: you may have to refresh the SimpleMDM page for that button to show up.)

Your single best nightly tool is Lost Mode: a real, supervised-only lock that turns the phone into one dark screen with nothing to swipe or open, recoverable in the morning with a single command. You already triggered it by hand from the SimpleMDM dashboard in the test step above, so you know it works.

To make it effortless, one tap on your own phone, or a fully automatic bedtime schedule, follow the first add-on: The bedtime lock. It's the upgrade most parents say did the most for their evenings. (It's a bit fiddly, so it lives in its own walkthrough instead of cluttering this one.)

Your supervised restrictions already include Apple's basic web content filter, so the core setup isn't wide open. For an explicit, logged block on porn, ads, trackers, and malware across every app, add NextDNS as a managed profile.

That's the second add-on: Add a real web filter with NextDNS (coming soon). Free for light use, and it gives you a dashboard of exactly what the phone tried to reach.

This is the optional upgrade for a determined teen, and it's the one piece you have to line up before you begin, not after. With ABM, supervision re-applies itself even after a factory reset and the management profile can't be removed at all. The catch is timing: ABM only goes onto the phone via a checkbox during the Configurator erase, and the account approval takes one to two weeks, so it can't be bolted on once the phone is already set up. Deciding on it later means repeating the whole erase and restore. If you're on the fence, it's completely fine to run the no-ABM path first as a trial and add ABM later if your family needs it, just knowing you'll redo the setup that once.

The barrier sounds bigger than it is. ABM needs a DUNS number (a free business identifier), and you can get one as a sole proprietor under your own name; your SSN is the tax ID, no LLC required. Apple then verifies you, usually with a quick phone call. Budget one to two weeks for approval. One caveat to check first: DUNS may have been dropped for new US Apple Business Manager signups as of around April 2026, so verify Apple's current requirement before you count on it.

BrianI did this myself. The DUNS number and the verification call sounded like a hassle and turned out to be a short, friendly phone call, someone just confirming I was a real person. For a kid who'll try a factory reset, it was absolutely worth it.

Three different "off switches," and people mix them up. The names sound alike, so untangle them once:

Supervision has no off switch in Settings. The only way to remove it is to erase the phone, either Erase All Content and Settings or re-running Configurator's Prepare without supervision. On this no-ABM local path, an erase fully unsupervises the phone, that's the trade-off, and it's also a determined kid's way out, which is exactly why the restrictions step above blocks "Erase All Content and Settings." (Add ABM and an erase re-supervises instead, so there's no escaping it.)

"Leave Remote Management" is the MDM, not supervision. That option only shows up because the phone is enrolled in your MDM, and tapping it drops the management profile (your remote control and the rules you pushed), not supervision itself. On a supervised phone you can set the enrollment to be non-removable so it can't be tapped away.

The ~30-day window belongs to ABM, not local supervision. It's the ABM provisional period: when you add a Configurator-supervised phone to ABM, it's released provisionally for about 30 days, and once that lapses the phone is permanently tied to your org and re-supervises itself through any factory reset. Plain local supervision has no such clock, only the erase escape hatch above.

• It cannot quietly read iMessage. The only method (a finicky desktop sync that needs your teen's constant permission) breaks exactly when you need it. Don't build your plan around catching messages.
• It's not 100 percent bypass-proof against a truly determined, technical teen. A DFU restore from a computer can strip Configurator-only supervision (ABM re-applies it on the next activation). But supervised, plus the factory-reset block, plus ABM locked in past its provisional window, is a very high bar.
• One management profile per phone. A school-managed phone can't also take yours until that's resolved.

None of those change the result for the kid you're actually raising: a phone that sleeps when it should, blocks what you say, and filters the web everywhere. That's the calm I was after.