Intro to mobile device management profiles
iOS, iPadOS, macOS, tvOS, and watchOS have a built-in framework that supports mobile device management (MDM). MDM lets you securely and wirelessly configure devices by sending profiles and commands to the device, whether they’re owned by the user or your organization. MDM capabilities include updating software and device settings, monitoring compliance with organizational policies, and remotely wiping or locking devices. Users can enroll their own devices in MDM, and organization-owned devices can be enrolled in MDM automatically using Apple School Manager or Apple Business Manager. If you’re using Apple Business Essentials, you can also use the device management that’s built right in.
There are a few concepts to understand if you’re going to use MDM, so read the following sections to understand how MDM uses enrollment and configuration profiles, supervision, and payloads.
How devices enroll
Enrollment in MDM involves enrolling client certificate identities using protocols such as Automated Certificate Management Environment (ACME), or Simple Certificate Enrollment Protocol (SCEP). Devices use these protocols to create unique identity certificates for authenticating an organization’s services.
Unless enrollment is automated, users decide whether to enroll in MDM, and they can disassociate their devices from MDM at any time. Therefore, you want to consider incentives for users to remain managed. For example, you can require MDM enrollment for Wi-Fi network access by using MDM to automatically provide the wireless credentials. When a user leaves MDM, their device attempts to notify the MDM solution that it can no longer be managed.
For devices your organization owns, you can use Apple School Manager, Apple Business Manager, or Apple Business Essentials to automatically enroll them in MDM and supervise them wirelessly during initial setup; this enrollment process is known as Automated Device Enrollment.
MDM and Stolen Device Protection
When Stolen Device Protection is turned on, the user receives an error when trying to:
Manually enroll their device in MDM
Configure a Microsoft Exchange account
Install a passcode or Microsoft Exchange profile
Install a declarative configuration
To perform any of those actions, the user can temporarily turn off Stolen Device Protection. If the device is already enrolled in MDM, they can turn on Stolen Device Protection and MDM operates as usual.
Important: The ability to complete these actions may be delayed by an hour if the user is in an unfamiliar location.
An enrollment profile is one of two main ways users can enroll a personal device into an MDM solution (the other way is to use User Enrollment). With this profile, which contains an MDM payload, the MDM solution sends commands and—if necessary—additional configuration profiles to the device. It can also query the device for information, such as its Activation Lock status, battery level, and name.
When a user removes an enrollment profile, all configuration profiles, their settings, and Managed Apps based on that enrollment profile are removed with it. There can be only one enrollment profile on a device at a time.
After the enrollment profile is approved, either by the device or the user, configuration profiles containing payloads are delivered to the device. You can then wirelessly distribute, manage, and configure apps and books purchased through Apple School Manager, Apple Business Manager, or Apple Business Essentials. Users can install apps, or apps can be installed automatically, depending on the type of app it is, how it’s assigned, and whether the device is supervised. For more information, see About Apple device supervision.
A configuration profile is an XML file (ending in .mobileconfig) consisting of payloads that load settings and authorization information onto Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions, and credentials. These files can be created by an MDM solution or Apple Configurator, or they can be created manually.
Because configuration profiles can be encrypted and signed, you can restrict their use to a specific Apple device and—with the exception of user names and passwords—prevent anyone from changing the settings. You can also mark a configuration profile as being locked to the device.
If your MDM solution supports it, you can distribute configuration profiles as a mail attachment, through a link on your own webpage, or through the MDM solution’s built-in user portal. When users open the mail attachment or download the configuration profile using a web browser, they’re prompted to begin configuration profile installation.
For more information about profile installation and Lockdown Mode, see the Apple Support article, About Lockdown Mode.
Note: You can use Apple Configurator for Mac to add configuration profiles (automatically or manually) to iOS, iPadOS, and Apple TV devices. For more information, see the Apple Configurator User Guide for Mac.
As an administrator, you can deliver a configuration profile that can change settings for an entire device or for a single user:
Device profiles can be sent to devices and device groups, and apply device settings to the entire device.
iPhone, iPad, Apple TV, and Apple Watch have no way to recognize more than one user, so configuration profiles created from iOS, iPadOS, tvOS, and watchOS payloads and settings are always device profiles. Although iPadOS profiles are device profiles, iPad devices configured for Shared iPad can support profiles based on the device or the user.
User profiles can be sent to users and user groups and apply user settings to just the respective users. Mac computers can have multiple users, so payloads and settings for macOS profiles can be based on the device or the user. The user account created during Setup Assistant is considered managed by the MDM solution and can receive profiles. In macOS 11 or later, an administrator account created by an MDM during enrollment can be optionally managed instead. For Active Directory–bound deployments, the currently logged in network user becomes manageable using MDM.
Device and user settings vary according to where they reside: Settings installed at the system level reside in a device channel. Settings installed for a user reside in a user channel.
How you remove profiles depends on how they were installed. The following sequence indicates how a profile can be removed:
1. All profiles can be removed by wiping the device of all data.
2. If the device was enrolled in MDM using Apple School Manager, Apple Business Manager, or Apple Business Essentials, the administrator can choose whether the enrollment profile can be removed by the user or whether it can be removed only by the MDM server itself.
3. If the profile is installed by an MDM solution, it can be removed by that specific MDM solution or by the user unenrolling from MDM by removing the enrollment configuration profile.
4. If the profile is installed on a supervised device using Apple Configurator, that supervising instance of Apple Configurator can remove the profile.
5. If the profile is installed on a supervised device manually or using Apple Configurator and the profile has a removal password payload, the user must enter the removal password to remove the profile.
6. All other profiles can be removed by the user.
An account installed by a configuration profile can be removed by removing the profile. A Microsoft Exchange ActiveSync account, including one installed using a configuration profile, can be removed by the Microsoft Exchange Server by issuing the account-only remote wipe command.
Important: If users know the device passcode, they can remove manually installed configuration profiles from iPhone and iPad that aren’t supervised, even if the option is set to “never.” Users on Mac can do the same thing only if the user knows an administrator’s user name and password. They can do this using the
profiles command-line tool, System Settings (in macOS 13 or later), or System Preferences (in macOS 12.0.1 or earlier). In macOS 10.15 or later, as with iOS and iPadOS, profiles installed with MDM must be removed with MDM, or they’re removed automatically upon unenrollment from MDM.
MDM communication requirements
Third-party MDM communication with Apple devices is most likely to be successful when:
The MDM solution is set up, successfully tested, and working properly
The APNs certificate is valid and not expired
The device is powered on
The device is currently enrolled into the MDM
The network the device is connected to has access to the internet (for APNs communication)
The network the device is connected to must be able to access MDM-related Apple hosts
For more information, see the Apple Support article Use Apple products on enterprise networks.
Note: Apple doesn’t control third-party MDM solutions. Additional issues, such as a misconfigured MDM payload, may also cause MDM communication to fail.
Supported Apple devices
The following Apple devices have a built-in framework that supports MDM:
iPhone with iOS 4 or later
iPad with iOS 4.3 or later or iPadOS 13.1 or later
Mac computers with OS X 10.7 or later
Apple TV with tvOS 9 or later
Apple Watch with watchOS 10 or later
Note: Not all options are available in all MDM solutions. To learn which MDM options are available for your devices, consult your MDM vendor’s documentation.