
Payload best practices for Apple devices
Configuration profile and payload planning helps reduce complexity. To make your work easier, follow these mobile device management (MDM) best practices before you begin deploying configuration profiles:
A configuration profile can have more than one payload.
A device can have more than one configuration profile.
On a Mac, you can combine user configuration profiles with device configuration profiles.
If you have multiple configuration profiles containing similar payloads with different settings, the resulting behavior is undefined. On an iPhone or iPad, if there are conflicting restrictions, the more restrictive restriction wins.
Some payload types can contain more than one unique payload. For example, a Certificates payload often involves more than one certificate, and a VPN payload may involve more than one VPN setting.
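To catch the undefined-behavior case described above before deployment, the following added example (not Apple's code or any MDM product's code) scans a set of unsigned .mobileconfig files for the same setting given different values in more than one Restrictions payload. The file names, the com.example identifiers, and the choice of which payload types to treat as single-instance are assumptions; the sample profiles are constructed for illustration.

```python
import plistlib
from collections import defaultdict

# Per-payload metadata keys; these legitimately differ between profiles.
METADATA_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion",
                 "PayloadDisplayName", "PayloadDescription", "PayloadOrganization"}

# Assumption: only the Restrictions payload is checked. Types that may appear many
# times with different settings (certificates, Wi-Fi, VPN) are deliberately skipped.
SINGLE_INSTANCE_TYPES = {"com.apple.applicationaccess"}

def find_conflicts(profiles, types=SINGLE_INSTANCE_TYPES):
    """profiles: {file name: plist bytes}.
    Returns sorted (payload type, key, [(file name, value), ...]) for every
    setting that is given differing values."""
    seen = defaultdict(list)  # (PayloadType, key) -> [(file name, value), ...]
    for name, raw in profiles.items():
        for payload in plistlib.loads(raw).get("PayloadContent", []):
            ptype = payload.get("PayloadType")
            if ptype not in types:
                continue
            for key, value in payload.items():
                if key not in METADATA_KEYS:
                    seen[(ptype, key)].append((name, value))
    return sorted(
        (ptype, key, settings) for (ptype, key), settings in seen.items()
        if any(value != settings[0][1] for _, value in settings[1:]))

def _profile(identifier, payloads):
    # Builds a minimal constructed profile; real profiles also carry a PayloadUUID.
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": identifier, "PayloadContent": payloads})

# Constructed sample input: two profiles that both carry a Restrictions payload.
SAMPLE = {
    "baseline.mobileconfig": _profile("com.example.baseline", [
        {"PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.baseline.restrictions",
         "allowCamera": False, "allowAirDrop": True}]),
    "kiosk.mobileconfig": _profile("com.example.kiosk", [
        {"PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.kiosk.restrictions",
         "allowCamera": True, "allowAirDrop": True},
        {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.kiosk.wifi", "SSID_STR": "Example-Corp"}]),
}

if __name__ == "__main__":
    for ptype, key, settings in find_conflicts(SAMPLE):
        print(f"{ptype}: {key} differs -> {settings}")
```

Signed profiles are CMS-wrapped and have to be unwrapped before plistlib can parse them.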
Here are some examples of optimized payload management:
If you want to manage iPhone, iPad, and Mac devices, use the same payloads for all the devices.
If you want to manage only iPhone and iPad devices (or users of those devices), focus on iOS and iPadOS payloads.
If you want to manage only Mac computers or users of Mac computers, focus on macOS payloads, then decide if your management should be at the device or user level.
Although you can create a single configuration profile that contains all payloads for your organization, consider creating separate profiles based on functionality. This will ensure that changes made to one configuration profile don’t inadvertently affect another. Settings that rarely change may include device restrictions, Wi-Fi, security and privacy, LDAP, mail, and calendar. Settings that may change often include VPN, certificates, Web Clips, and Home Screen settings.
Users generally can’t change settings that are defined in a configuration profile. You can also set configuration profiles to expire on a specific date. Accounts configured by a configuration profile can be removed only by deleting the profile. Doing so may prevent the device from being used in your organization until the profile is reinstalled. For example, removing a configuration profile may prevent the user from accessing the network, receiving mail, and creating events using their Calendar app.