MDM overview for Apple devices
This reference is designed for IT and MDM administrators. It covers all aspects of the mobile device management (MDM) settings defined by Apple. If you are an Apple developer, you can also refer to Device Management on the Apple Developer website.
What is mobile device management (MDM)?
Mobile device management lets you securely and wirelessly configure devices, whether they’re owned by the user or your organisation. MDM includes updating software and device settings, monitoring compliance with organisational policies, and remotely wiping or locking devices. Users can enrol their own devices in MDM, and organisation-owned devices can be enrolled in MDM automatically using Apple School Manager or Apple Business Manager.
What is an enrolment profile?
An enrolment profile is a configuration profile with an MDM payload that enrols the device in the MDM solution specified for that device. This allows the MDM solution to send commands and configuration profiles to the device and to query certain aspects of the device. When a user removes an enrolment profile, all configuration profiles, their settings and managed apps based on that enrolment profile are removed with it. There can be only one enrolment profile on a device at a time.
How does MDM work?
After the enrolment profile is approved, either by the device or the user, configuration profiles containing payloads are delivered to the device. You can then wirelessly distribute, manage and configure apps and books purchased through Apple School Manager or Apple Business Manager. Users can install apps, or apps can be installed automatically, depending on the type of app it is, how it’s assigned and whether the device is supervised.
There are a few concepts to understand before you use MDM. The sections that follow describe how MDM uses enrolment profiles, configuration profiles, supervision and payloads.
What are configuration profiles?
A configuration profile is an XML property list file (ending in .mobileconfig) that consists of payloads that load settings and authorisation information onto Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions and credentials. These files can be created by an MDM solution or Apple Configurator 2, or they can be created manually.
Because configuration profiles can be encrypted and signed, you can restrict their use to a specific Apple device and — with the exception of usernames and passwords — prevent anyone from changing the settings. You can also mark a configuration profile as being locked to the device.
If your MDM solution supports it, you can distribute configuration profiles as a mail attachment, via a link on your own web page or through the MDM solution’s built-in user portal. When users open the mail attachment or download the configuration profile using a web browser, they’re prompted to begin configuration profile installation.
Note: You can use Apple Configurator 2 to add configuration profiles (automatically or manually) to iPhone, iPad and Apple TV devices. To add configuration profiles containing macOS-specific settings, use a third-party MDM solution or Profile Manager, part of the macOS Server app.
What channels can configuration profiles be applied to?
Configuration profiles can be applied in two ways:
Profiles that can be sent to devices and device groups
iPhone, iPad and Apple TV have no way to recognise more than one user, so configuration profiles created from iOS, iPadOS and tvOS payloads and settings are always device profiles. Although iPadOS profiles are device profiles, in education iPad devices configured for Shared iPad can support profiles based on the device or the user.
Profiles that can be sent to users and user groups
Mac computers can have multiple users, so payloads and settings for macOS profiles can be based on the device or the user.
What is supervision?
Supervision generally denotes that the device is owned by the organisation, which provides additional control over its configuration and restrictions.
iPhone and iPad devices with iOS 5 or later and Apple TV devices with tvOS 10.2 or later become supervised by:
Using Apple Configurator 2 to supervise the device
During this process, the device is erased and all data is lost.
Enrolling the device in an MDM solution and selecting supervision as part of the enrolment process
Mac computers can be supervised if they:
Are running macOS 11 and are enrolled in MDM using automated device enrolment
Were upgraded to macOS 11 and their MDM enrolment was a user-approved MDM enrolment
Are running macOS 10.14.4 or later, their serial numbers appear in Apple School Manager or Apple Business Manager, and they are enrolled in an MDM solution using Apple School Manager or Apple Business Manager
The following devices are supervised automatically when enrolled in Apple School Manager or Apple Business Manager:
iPhone and iPod touch with iOS 13 or later
iPad with iPadOS 13.1 or later
Apple TV with tvOS 13 or later
Mac computers with macOS 10.14.4 or later
For information about the Autonomous Single App Mode payload for Mac, see Autonomous Single App Mode payload settings.
Mac computers enrolled in an assigned MDM solution whose serial numbers appear in Apple School Manager or Apple Business Manager can have their supervision reset by using the profiles command-line tool with either of these commands (run as an administrator):
profiles renew -type enrollment
profiles -N
Note that the -type value is spelt enrollment; it is a literal flag value and is not localised. If the Mac isn't connected to the internet during the initial configuration, the user is notified every 2 hours that the Mac has available device enrolment settings, and they can optionally click the notification to begin the enrolment process into MDM. Enrolment into MDM requires an administrator username and password.
Important: If the user knows the passcode, iPhone and iPad devices that aren't supervised can have manually installed configuration profiles removed, even if the profile's removal option is set to "never". Manually installed configuration profiles on Mac computers can be removed using the profiles command-line tool, or in System Preferences if the user knows an administrator's username and password. As of macOS 10.15, as on iOS and iPadOS, profiles installed with MDM must be removed with MDM, or they are removed automatically upon unenrolment from MDM.
What is a payload?
A payload can be configured to manage specific settings on Apple devices. For example, you can have different payloads require a complex passcode, populate an Exchange account with all the Exchange server information and add a VPN configuration to a device. Even though each payload has its own unique settings, all payloads are defined by the following:
The operating system or systems that the payload supports
The channel (device or user) on which the payload is delivered
Whether the payload requires the Apple device to be supervised
Whether the payload is exclusive or whether it can be combined with other payloads of the same type
Whether the payload can have duplicates
After payloads are configured, they are saved in a configuration profile.
See the complete payload list. To learn which MDM payloads are supported for your devices, consult your MDM vendor’s documentation.
What are restrictions?
Restrictions can be enabled — or, in some cases, disabled — by administrators to help prevent users from accessing a specific app, service or function of an iPhone, iPad, Mac or Apple TV that’s enrolled in an MDM solution. Restrictions are sent to devices in a restrictions payload, which is part of a configuration profile. Certain restrictions on an iPhone may be mirrored on a paired Apple Watch.
Configuration profiles and Shared iPad
If you use Shared iPad, you can install:
Device and device group profiles with your MDM solution
User and user group profiles with your MDM solution
See Shared iPad overview.
Removing profiles
How you remove profiles depends on how they were installed. The following sequence indicates how a profile can be removed:
1. All profiles can be removed by wiping the device of all data.
2. If the device was enrolled in MDM using Apple School Manager or Apple Business Manager, the administrator can choose whether the enrolment profile can be removed by the user or whether it can be removed only by the MDM server itself.
3. If the profile is installed by an MDM solution, it can be removed by that specific MDM solution or by the user unenrolling from MDM by removing the enrolment configuration profile.
4. If the profile is installed on a supervised device using Apple Configurator 2, that supervising instance of Apple Configurator 2 can remove the profile.
5. If the profile is installed on a supervised device manually or using Apple Configurator 2 and the profile has a removal password payload, the user must enter the removal password to remove the profile.
6. All other profiles can be removed by the user.
An account installed by a configuration profile can be removed by removing the profile. A Microsoft Exchange ActiveSync account, including one installed using a configuration profile, can be removed by the Microsoft Exchange Server by issuing the account-only remote wipe command.
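To make the profile structure from "What are configuration profiles?" and the removal sequence above concrete, here is an added Python example. It is not Apple's code and not part of this reference: it builds a .mobileconfig with the standard library's plistlib, audits its structure (required common keys, unique PayloadUUIDs, a single MDM payload, a resolvable IdentityCertificateUUID), and reports who can remove the profile under the sequence above. The payload types and keys used (PayloadType, PayloadIdentifier, PayloadUUID, PayloadVersion, PayloadRemovalDisallowed, com.apple.mdm, com.apple.security.pkcs12, com.apple.applicationaccess, com.apple.profileRemovalPassword) are the documented ones; the server URLs, APNs topic, AccessRights value and certificate bytes are constructed placeholders, and treating PayloadRemovalDisallowed as the key behind the "never" removal option is an assumption for illustration.

```python
import plistlib
import uuid

# Common keys that the profile envelope and every payload must carry.
REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")
MDM_TYPE = "com.apple.mdm"
PKCS12_TYPE = "com.apple.security.pkcs12"
REMOVAL_PW_TYPE = "com.apple.profileRemovalPassword"


def make_payload(ptype, identifier, **settings):
    """One payload: the common keys plus the payload-specific settings."""
    return {"PayloadType": ptype, "PayloadIdentifier": identifier,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1, **settings}


def build_profile(removal_disallowed=True, removal_password=None, duplicate_mdm=False):
    """Serialise an enrolment-style profile to .mobileconfig (XML plist) bytes.
    URLs, topic, AccessRights and certificate bytes are constructed placeholders."""
    identity = make_payload(PKCS12_TYPE, "com.example.identity",
                            PayloadContent=b"PLACEHOLDER-PKCS12-BLOB")  # real profile: device identity .p12
    mdm = make_payload(MDM_TYPE, "com.example.mdm",
                       ServerURL="https://mdm.example.com/mdm",        # placeholder
                       CheckInURL="https://mdm.example.com/checkin",   # placeholder
                       Topic="com.apple.mgmt.External.placeholder",    # placeholder APNs topic
                       IdentityCertificateUUID=identity["PayloadUUID"],
                       AccessRights=8191)                               # assumption: "all rights" bitmask
    payloads = [identity, mdm,
                make_payload("com.apple.applicationaccess", "com.example.restrictions",
                             allowCamera=False, allowScreenShot=False)]
    if removal_password is not None:
        payloads.append(make_payload(REMOVAL_PW_TYPE, "com.example.removalpw",
                                     RemovalPassword=removal_password))
    if duplicate_mdm:                       # deliberately broken profile for the audit
        payloads.append(dict(mdm))
    profile = {"PayloadType": "Configuration", "PayloadIdentifier": "com.example.profile",
               "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
               "PayloadDisplayName": "Example enrolment profile",
               "PayloadRemovalDisallowed": removal_disallowed,   # assumed to back the "never" option
               "PayloadContent": payloads}
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(mobileconfig):
    """Structural checks on a .mobileconfig. Returns a list of problems (empty means clean)."""
    profile = plistlib.loads(mobileconfig)
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    payloads = profile.get("PayloadContent", [])
    seen = {profile.get("PayloadUUID")}
    by_uuid = {}
    for p in payloads:
        missing = [k for k in REQUIRED_KEYS if k not in p]
        if missing:
            problems.append(f"{p.get('PayloadType', '?')}: missing {missing}")
            continue
        if p["PayloadUUID"] in seen:
            problems.append(f"duplicate PayloadUUID {p['PayloadUUID']}")
        seen.add(p["PayloadUUID"])
        by_uuid[p["PayloadUUID"]] = p
    mdm_payloads = [p for p in payloads if p.get("PayloadType") == MDM_TYPE]
    if len(mdm_payloads) > 1:
        problems.append("only one MDM (enrolment) payload is allowed per profile")
    for p in mdm_payloads:
        ref = by_uuid.get(p.get("IdentityCertificateUUID"))
        if ref is None or ref["PayloadType"] != PKCS12_TYPE:
            problems.append("IdentityCertificateUUID does not point at a PKCS#12 payload")
    return problems


def removal_paths(mobileconfig, installed_by, supervised, enrolment_user_removable=True):
    """Who can remove this profile, following the removal sequence in the text.
    installed_by is 'mdm', 'configurator' or 'manual'; enrolment_user_removable is the
    administrator's choice for ASM/ABM enrolments (step 2)."""
    profile = plistlib.loads(mobileconfig)
    paths = ["erase the device"]                                   # step 1: always possible
    if installed_by == "mdm":                                      # step 3
        paths.append("the MDM solution that installed it")
        if enrolment_user_removable:
            paths.append("the user, by removing the enrolment profile")
        return paths
    if installed_by == "configurator" and supervised:              # step 4
        paths.append("the supervising Apple Configurator 2 instance")
    has_pw = any(p.get("PayloadType") == REMOVAL_PW_TYPE
                 for p in profile.get("PayloadContent", []))
    if supervised and profile.get("PayloadRemovalDisallowed"):
        return paths                        # "never" is only honoured on supervised devices
    if supervised and has_pw:                                      # step 5
        paths.append("the user, after entering the removal password")
    else:                                                          # step 6 (or unsupervised)
        paths.append("the user")
    return paths


if __name__ == "__main__":
    blob = build_profile(removal_disallowed=False, removal_password="example")
    print("audit:", audit_profile(blob) or "clean")
    print("removable by:", removal_paths(blob, "configurator", supervised=True))
```

The audit is the check worth running on any profile before signing and distributing it, because a duplicate PayloadUUID or a dangling IdentityCertificateUUID fails silently at install time rather than in your MDM console. The removal_paths function encodes the point of the Important note above: the "never" option is only meaningful on a supervised device.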
Payload interaction with Open Directory
macOS payloads may behave differently when they interact with Open Directory settings as follows:
Managed device–applied user profiles take priority over Open Directory–stored user settings.
Open Directory–stored user settings take priority over managed device–applied device profiles.
Managed device–applied device profiles take priority over Open Directory–stored computer settings.
Manually installed user and device profiles always have lower priority than Open Directory–stored or managed device–applied user or device settings.
Supported Apple devices
The following Apple devices have a built-in framework that supports MDM:
iPhone and iPod touch with iOS 5 or later
iPad with iOS 5 or later or iPadOS 13.1 or later
Mac computers with OS X 10.7 or later
Apple TV with tvOS 9 or later
In the rest of this document, the term iPhone refers to both iPhone and iPod touch.
Note: Not all payloads and their respective settings are available in all MDM solutions. Consult your MDM vendor’s documentation to see which payload and settings they support.