Configuration profile enforcement
Configuration profiles are the primary way that an MDM solution delivers and manages policies and restrictions on managed devices. If organisations need to configure a large number of devices — or to provide lots of custom email settings, network settings or certificates to a large number of devices — configuration profiles are a safe and secure way to do it.
A configuration profile is an XML file (ending in .mobileconfig) that consists of payloads that load settings and authorisation information onto Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions and credentials. These files can be created by an MDM solution or Apple Configurator for Mac, or they can be created manually. Before organisations send a configuration profile to an Apple device, they must enrol the device in the MDM solution using an enrolment profile.
An enrolment profile is a configuration profile with an MDM payload that enrols the device in the MDM solution specified for that device. This allows the MDM solution to send commands and configuration profiles to the device and to query certain aspects of the device. When a user removes an enrolment profile, all configuration profiles, their settings and managed apps based on that enrolment profile are removed with it. There can be only one enrolment profile on a device at a time.
Configuration profile settings
A configuration profile contains a number of settings in specific payloads that can be specified, including (but not limited to):
Passcode and password policies
Restrictions on device features (for example, disabling the camera)
Network and VPN settings
Microsoft Exchange settings
LDAP directory service settings
CalDAV calendar service settings
Credentials and keys
Profile signing and encryption
Configuration profiles can be signed to validate their origin, and encrypted to help ensure their integrity and protect their contents. Configuration profiles for iOS and iPadOS are encrypted using the Cryptographic Message Syntax (CMS) specified in RFC 5652, supporting 3DES and AES128.
Users can install configuration profiles directly on their devices using Apple Configurator for Mac, or they can be downloaded using Safari, sent attached to a mail message, transferred using AirDrop or the Files app in iOS and iPadOS, or sent over the air using a mobile device management (MDM) solution. When a user sets up a device in Apple School Manager or Apple Business Manager, the device downloads and installs a profile for MDM enrolment. For information on how to remove profiles, see Intro to mobile device management in Apple Device Deployment.
Note: On supervised devices, configuration profiles can also be locked to a device. This is designed to prevent their removal or to allow removal only with a passcode. Because many organisations own their iOS and iPadOS devices, configuration profiles that bind a device to an MDM solution can be removed — but doing so also removes all managed configuration information, data and apps.
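The profile structure described above (an XML plist whose top-level payload carries the individual payloads, an MDM payload marking an enrolment profile, a removal lock, and a CMS wrapper when signed) can be inspected with a few lines of Python. This is an added example, not Apple's code: the sample profile is constructed, and the server URL, identifiers and UUIDs are placeholders.

```python
import plistlib

# Constructed sample (not Apple's): enrolment profile with MDM + passcode payloads.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.enrolment</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.enrolment.mdm</string>
      <key>PayloadUUID</key><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm.example.com/mdm</string>
      <key>CheckOutWhenRemoved</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadIdentifier</key><string>com.example.enrolment.passcode</string>
      <key>PayloadUUID</key><string>99999999-8888-7777-6666-555555555555</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>minLength</key><integer>6</integer>
    </dict>
  </array></dict></plist>"""

def is_cms_signed(data: bytes) -> bool:
    # A signed profile is DER-encoded CMS (outer ASN.1 SEQUENCE, tag 0x30);
    # an unsigned one is XML text. This detects the wrapper only, it does not verify.
    return data[:1] == b"\x30"

def summarise_profile(data: bytes) -> dict:
    """Parse an unsigned .mobileconfig and report what an admin checks before
    installing it: payload types, MDM server and whether removal is locked."""
    if is_cms_signed(data):
        raise ValueError("signed profile: verify and unwrap the CMS envelope first")
    top = plistlib.loads(data)
    if top.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    payloads = top.get("PayloadContent", [])
    mdm = [p for p in payloads if p.get("PayloadType") == "com.apple.mdm"]
    return {
        "identifier": top.get("PayloadIdentifier"),
        "payload_types": [p.get("PayloadType") for p in payloads],
        "removal_disallowed": bool(top.get("PayloadRemovalDisallowed", False)),
        "is_enrolment_profile": len(mdm) == 1,  # one MDM payload marks an enrolment profile
        "mdm_server_url": mdm[0].get("ServerURL") if mdm else None,
    }
```

A signed profile must be verified against the organisation's trust anchors and unwrapped before the plist inside it can be read; this example deliberately refuses to parse the DER blob as XML.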