Intro to device management
Apple devices provide a rich set of configuration options through the device management framework. The device management framework allows devices to receive and act on profiles and configurations sent to them using a device management service. A device management service can be linked to an organization’s Apple School Manager or Apple Business Manager.
Devices enroll in a device management service using one of several enrollment methods that are available for organization-owned device and user owned devices. Once enrolled, devices are notified by the Apple Push Notification service (APNs) when a device management service wants to communicate with the device. The device then contacts the device management service and the device management service securely sends profiles, configurations, and apps to the device, which the device acts upon.
Device management services help organizations of any size set up and configure devices quickly and securely. With a device management service, you can send configurations, profiles, and commands to enrolled devices, whether the devices are organization-owned or user-owned.
The device management administrator can use the device management service to install and update software, adjust settings, monitor compliance with organizational policies, check device status, and remotely lock or erase devices. Organizations can automatically enroll devices they own through Apple School Manager or Apple Business Manager and users can enroll their own devices in the device management service.
Declarative device management extends these capabilities. By using declarations and the status channel, devices proactively share their status with the device management service. This two-way communication lets organizations respond more dynamically to changes that may affect security or compliance.
The following sections describe how device management uses enrollment and configuration profiles, supervision, and payloads.
Enrollment methods
Understanding the different types of enrollment methods will help you support users when someone has difficulty getting started with their device. The enrollment method used to enroll a device in device management is generally defined by the device ownership model. A device owned by an organization can be supervised. Supervision generally denotes that the organization owns the device, which provides additional control over its configuration and restrictions. For more information, see About device supervision.
There are two methods for enrolling organization-owned devices:
Automated Device Enrollment: Used for organization-owned devices that appear in Apple School Manager or Apple Business Manager. Automated Device Enrollment provides supervision and the highest level of management for devices. Device management administrators can manage even more settings and see more information than with Device Enrollment or User Enrollment.
Devices manually added to Apple School Manager or Apple Business Manager with Apple Configurator have a 30-day provisional period that begins when the device is first enrolled. During the provisional period the devices behave like any other device already in Apple School Manager with mandatory supervision and device management service enrollment. The device can be shut down and stored until you need it or sent to the user. When you give the device to a user, they have a 30-day provisional period to release the device from Apple School Manager, supervision, and the device management service. This 30-day provisional period begins after successfully assigning and enrolling the device in a device management service that links to Apple School Manager or Apple Business Manager. For more information, see Add devices using Apple Configurator in the Apple School Manager User Guide or Add devices using Apple Configurator in the Apple Business Manager User Guide.
Device Enrollment: Used to enroll existing organization-owned devices that are already in use.
Note: A Mac enrolled using Device Enrollment is supervised, with some limitations. An iPhone or iPad enrolled using Device Enrollment isn’t supervised.
A third enrollment method is used for user-owned devices, sometimes called BYOD—bring-your-own-device:
User Enrollment: Designed to enroll user-owned devices with limited device management options and greater privacy.
Enrollment method | Ownership | Supervised upon enrollment? |
|---|---|---|
Automated Device Enrollment | Organization | Yes |
Device Enrollment | Organization | No (iPhone, iPad) Yes (Mac) |
User Enrollment | User | No |
A device can be enrolled with only one device management service at a time, regardless of the device management or enrollment method used. If your organization migrates from one service to another, see Plan your device management migration and Migrate managed devices to another device management service in Apple Platform Deployment.
Configuration profiles
A configuration profile is an XML file with a .mobileconfig extension consisting of payloads that may contain device settings, restrictions, and credentials for Apple devices. A device management service or Apple Configurator for Mac can create these files, or they can be created manually.
Profile removal
Removing enrollment and configuration profiles from managed devices can lead to loss of security settings, app configurations, and compliance with organizational policies, potentially rendering the device unsupported and vulnerable to threats.
A device management server administrator can manage profile removal by enforcing restrictions that prevent users from removing the device management service’s enrollment profile, thereby maintaining security and compliance and can also release a device from management, which removes the enrollment profile, configuration profiles, and apps. When a device is released it is no longer managed by the device management server.
Managed settings
If a setting on iPhone, iPad, or Mac is managed, it may appear dimmed in Settings or System Settings. The phrase “This setting has been configured by a profile” might also appear. These visual indicators mean the setting has been locked and can be changed only by the device management service.
How to view a configuration profile on an iPhone or iPad
Go to Settings > General > VPN & Device Management > Device Management.
How to view a configuration profile on a Mac
Go to Apple menu > System Settings > General > Device Management or open System Information, and click Software > Profiles in the sidebar.
How to view configuration profile contents on iPhone or iPad
Examine configuration profiles and their contents on the device after they’re installed. Tap on the listed options, such as Apps, Books, Restrictions for information, you can also tap More Details to reveal enrollment profile information.
How to view configuration profile contents on Mac
Examine configuration profiles and their contents on the device after they’re installed. Double click any of the listed profiles on a managed Mac to reveal information that contains a description of the profile, the date of installation, what settings are affected on the Mac, and further information on the specific profile in the details section.
The same information can also be viewed in System Information. In the System Information sidebar under Software, click Managed Client or Profiles to review installed profiles.
The view of a profile’s contents in System Information is formatted differently from the view in Device Management settings.