Payload best practices
Configuration profile and payload planning helps reduce complexity. Keep the following in mind:
A configuration profile can have more than one payload.
A device can have more than one configuration profile.
On macOS, you can combine user configuration profiles with device configuration profiles.
If you have multiple configuration profiles containing similar payloads with different settings, the resulting behavior is undefined. In iOS and iPadOS, if there are conflicting restrictions, the more restrictive restriction wins.
Some payloads can have more than one unique payload. For example, a Certificates payload often involves more than one certificate, and a VPN payload may involve more than one VPN setting.
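One way to catch the conflicting-settings case described above before deployment, as an added example that is not Apple's tooling: it reads unsigned profiles as property lists and reports settings that two or more profiles define with different values. The helper names, the sample profiles, the list of payload types allowed to repeat, and the rule that Boolean `allow*` restriction keys resolve to `False` are assumptions made for this sketch.

```python
import plistlib
from collections import defaultdict

# Keys that describe a payload itself rather than a managed setting.
META_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion",
             "PayloadDisplayName", "PayloadDescription", "PayloadOrganization"}
# Assumption: payload types expected to repeat (several networks, VPNs, certificates).
MULTI_ENTRY = {"com.apple.wifi.managed", "com.apple.vpn.managed",
               "com.apple.security.root", "com.apple.security.pkcs12"}
RESTRICTIONS = "com.apple.applicationaccess"

def find_conflicts(raw_profiles):
    """Return (payload_type, key, {profile: value}, effective) for every
    setting that two or more profiles define with different values."""
    seen = defaultdict(dict)  # (payload type, key) -> {profile name: value}
    for raw in raw_profiles:
        profile = plistlib.loads(raw)  # unsigned XML or binary plist
        name = profile.get("PayloadDisplayName") or profile["PayloadIdentifier"]
        for payload in profile.get("PayloadContent", []):
            ptype = payload.get("PayloadType")
            if ptype in MULTI_ENTRY:
                continue
            for key, value in payload.items():
                if key not in META_KEYS:
                    seen[(ptype, key)][name] = value
    conflicts = []
    for (ptype, key), values in sorted(seen.items()):
        if len({repr(v) for v in values.values()}) < 2:
            continue  # set by one profile only, or all profiles agree
        effective = None  # undefined unless the restrictive-wins rule applies
        # Assumption: for Boolean allow* restrictions, False is the stricter value.
        if (ptype == RESTRICTIONS and key.startswith("allow")
                and all(isinstance(v, bool) for v in values.values())):
            effective = all(values.values())
        conflicts.append((ptype, key, values, effective))
    return conflicts

def make_profile(name, payloads):
    """Serialize a constructed profile so the audit parses real plist bytes."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadDisplayName": name, "PayloadContent": payloads})

# Constructed sample profiles (not from any real deployment).
SAMPLE = [
    make_profile("baseline", [
        {"PayloadType": RESTRICTIONS, "allowCamera": True, "allowScreenShot": False},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "Corp"}]),
    make_profile("labs", [
        {"PayloadType": RESTRICTIONS, "allowCamera": False, "allowScreenShot": False},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "Lab"}]),
]
```

An `effective` value of `None` marks a conflict whose outcome is undefined, so the overlapping setting should be moved into a single profile.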
Here are some examples of optimized payload management:
If you want to manage iOS, iPadOS, and macOS devices, use the same payloads for all the devices.
If you want to manage only iOS and iPadOS devices or users of iOS and iPadOS devices, focus on iOS and iPadOS payloads.
If you want to manage only macOS devices or users of macOS devices, focus on macOS payloads, then decide if your management should be at the device or user level.
Although you can create a single configuration profile that contains all payloads for your organization, consider creating separate profiles based on functionality. This will ensure that changes made to one configuration profile don’t inadvertently affect another. Settings that rarely change may include device restrictions, Wi-Fi, security and privacy, LDAP, mail, and calendar. Settings that may change often include VPN, certificates, Web Clips, and Home screen settings.
Users generally can’t change settings that are defined in a configuration profile. You can also set configuration profiles to expire on a specific date. Accounts configured by a configuration profile can be removed only by deleting the profile. Doing so may prevent the device from being used in your organization until the profile is reinstalled. For example, removing a configuration profile may prevent the user from accessing the network, receiving mail, and creating events using their Calendar app.
Important: If the user knows the passcode, iOS and iPadOS devices that aren’t supervised can have configuration profiles removed, even if the option is set to Never in the General settings. macOS configuration profiles can be removed using the profiles command line tool or System Preferences if the user knows an administrator’s user name and password, unless the devices are enrolled in Apple School Manager or Apple Business Manager.
To learn more about payloads, see the complete payload list.