Using configuration profiles with Apple devices
What are configuration profiles?
A configuration profile is an XML file (ending in .mobileconfig) that consists of payloads that load settings and authorization information onto Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions, and credentials. These files can be created by an MDM solution or Apple Configurator 2, or they can be created manually.
Because configuration profiles can be encrypted and signed, you can restrict their use to a specific Apple device and—with the exception of user names and passwords—prevent anyone from changing the settings. You can also mark a configuration profile as being locked to the device.
Configuration profiles can be removed as follows:
On iOS, iPadOS, and tvOS, the configuration profile can be removed only by wiping the device of all data or by entering the password associated with the configuration profile. Accounts that are configured by a profile, such as Microsoft Exchange accounts, can be removed only by deleting the configuration profile.
On macOS, an administrator may be able to remove configuration profiles, depending on how they were installed. Profiles downloaded to Mac computers enrolled in Apple School Manager or Apple Business Manager can’t be removed.
Note: Only manually installed configuration profiles need to be signed, encrypted, or locked. Configuration profiles pushed to Apple devices from your MDM solution don’t need to be signed, encrypted, or locked.
Why are there two types of configuration profiles?
Configuration profiles can be sent to users or devices, or groups of users or groups of devices.
You may also want to create separate configuration profiles for specific devices (such as iPhone devices) or a group of users (such as students).
If your MDM solution supports it, you can distribute configuration profiles as a mail attachment, through a link on your own webpage, or through the MDM solution’s built-in user portal. When users open the mail attachment or download the configuration profile using a web browser, they’re prompted to begin configuration profile installation.
Note: You can use Apple Configurator 2 to add device configuration profiles (automatically or manually) to iOS, iPadOS, and tvOS devices. To add device or user configuration profiles containing macOS-specific settings, use a third-party mobile device management (MDM) solution or Profile Manager, part of the macOS Server app.
What is a payload?
A payload can be configured to manage specific settings on Apple devices. For example, you can have different payloads to require a complex passcode, populate an Exchange account with all the Exchange server information, and add a VPN configuration to a device. Even though each payload has its own unique settings, all payloads are defined by the following:
The operating system or systems that the payload supports
The channel that does the payload work
Whether the payload requires the Apple device to be supervised
Whether the payload is exclusive or whether it can be combined with other payloads of the same type
Whether the payload can have duplicates
After payloads are configured, they are saved in a configuration profile.
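Before a manually distributed profile is installed, it helps to check which payloads it carries and whether it is signed, encrypted, or locked. The Python sketch below is an added example, not part of Apple's documentation; the sample profile, its com.example identifiers, and the function name are constructed for illustration. It assumes that a signed profile stores its plist contiguously inside the CMS container, and it only detects a signature without verifying it.

```python
import plistlib
from xml.parsers.expat import ExpatError

def _payload(ptype, n):
    # Constructed payload stub carrying only the common identification keys.
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.profile.{n}",
            "PayloadUUID": f"00000000-0000-0000-0000-00000000000{n}"}

# Constructed sample profile (not from the page): locked, with three payloads.
SAMPLE = plistlib.dumps({
    **_payload("Configuration", 0),
    "PayloadDisplayName": "Example profile",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [_payload("com.apple.wifi.managed", 1),
                       _payload("com.apple.mobiledevice.passwordpolicy", 2),
                       _payload("com.apple.profileRemovalPassword", 3)],
})

def inspect_profile(data: bytes) -> dict:
    """Summarize the trust-relevant properties of a .mobileconfig file."""
    # A signed profile is a DER-encoded CMS container (first byte 0x30) that
    # wraps the plist; an unsigned one is the bare plist.
    signed = data[:1] == b"\x30"
    if signed:
        start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
        if start < 0 or end < 0:
            raise ValueError("signed container holds no readable plist")
        data = data[start:end + len(b"</plist>")]
    try:
        profile = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        raise ValueError("not a property list") from exc
    if not isinstance(profile, dict) or profile.get("PayloadType") != "Configuration":
        raise ValueError("top-level PayloadType is not 'Configuration'")
    payloads = profile.get("PayloadContent", [])
    types = [p.get("PayloadType") for p in payloads if isinstance(p, dict)]
    return {
        "signed": signed,  # presence of a signature only; it is NOT verified here
        "encrypted": "EncryptedPayloadContent" in profile,
        "locked": bool(profile.get("PayloadRemovalDisallowed", False)),
        "removal_password": "com.apple.profileRemovalPassword" in types,
        "payload_types": types,
    }

if __name__ == "__main__":
    print(inspect_profile(SAMPLE))
```

An unsigned, unencrypted profile received by mail or from a web link can be edited by anyone who handles the file, so the "signed" and "encrypted" fields are the first things to check before trusting the payload list.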
Configuration profiles that contain certificate and Wi-Fi payloads can also be installed on Apple TV. See How to install a configuration profile on Apple TV.