This user guide is designed for IT and MDM administrators. It contains all aspects of mobile device management (MDM) settings as defined by Apple. If you are an Apple developer, you can also refer to Device Management on the Apple Developer website.
What is mobile device management (MDM)?
The following Apple devices have a built-in framework that supports MDM:
iPhone and iPod touch (iOS 5 or later)
iPad (iOS 5 or later or iPadOS 13.1 or later)
Apple TV (tvOS 9 or later)
Mac computers (OS X 10.7 or later)
MDM lets you securely and wirelessly configure devices, whether they’re owned by the user or your organisation. MDM includes updating software and device settings, monitoring compliance with organisational policies, and remotely wiping or locking devices. Users can enrol their own devices in MDM, and organisation-owned devices can be enrolled in MDM automatically using Apple School Manager or Apple Business Manager.
After the device is enrolled, you can wirelessly distribute, manage and configure apps and books purchased through Apple School Manager or Apple Business Manager, as well as enterprise apps developed in-house. Users can install apps themselves, or apps can be installed automatically, depending on the type of app, how it's assigned and whether the device is supervised.
There are a few concepts to understand if you’re going to use MDM, so see next how MDM uses configuration profiles and payloads.
How does MDM work?
Mobile device management is enabled when an MDM solution sends a properly configured enrolment profile to an Apple device. After the enrolment profile is approved, either by the device or the user, configuration profiles containing payloads are delivered to the device. The settings in the payloads determine how the device will function.
There are three types of MDM enrolment:
User Enrolment: User Enrolment is integrated with Managed Apple ID to establish a user identity on the device. The Managed Apple ID is part of the User Enrolment profile and the user must successfully authenticate in order for enrolment to be completed. The Managed Apple ID can be used alongside the personal Apple ID that the user has already signed in with, and the two don’t interact with each other. User Enrolment is designed for devices owned by the user.
Device Enrolment: Device Enrolment allows organisations to enrol devices and manage many different aspects of device use, including the ability to erase the device. If a user removes the MDM profile, all settings and apps that are being managed by the MDM solution are removed.
Automated Device Enrolment: Automated Device Enrolment lets organisations configure and manage devices from the moment the devices are removed from the box. These devices are known as supervised and the MDM profile can’t be removed by the user. Automated Device Enrolment is designed for devices owned by the organisation.
What are configuration profiles?
A configuration profile is an XML property list file (with the extension .mobileconfig) that consists of payloads that load settings and authorisation information onto Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions and credentials. These files can be created by an MDM solution or Apple Configurator 2, or they can be created manually.
Because configuration profiles can be signed and encrypted, you can restrict their installation to a specific Apple device and — with the exception of usernames and passwords — ensure that the settings can't be altered without the device detecting it. You can also mark a configuration profile as being locked to the device, so that the user can't remove it.
Configuration profiles can be removed as follows:
On iOS, iPadOS and tvOS, a locked configuration profile can be removed only by erasing all data on the device or by entering the removal password associated with the configuration profile; a profile that isn't locked can be removed by the user in Settings. Accounts that are configured by a profile, such as Microsoft Exchange accounts, can be removed only by deleting the configuration profile.
On macOS, configuration profiles (depending on how they’re installed) may be able to be removed by an administrator. Profiles downloaded to Mac computers enrolled in Apple School Manager or Apple Business Manager can’t be removed.
Note: Only configuration profiles manually installed need to be signed, encrypted or locked. Configuration profiles pushed to Apple devices from your MDM solution don’t need to be signed, encrypted or locked.
Why are there two types of configuration profile?
Configuration profiles are either device profiles or user profiles: they can be sent to devices or groups of devices, or to users or groups of users.
You may also want to create separate configuration profiles for specific devices (such as iPhone devices) or a group of users (such as students). For information, see Payload best practices.
If your MDM solution supports it, you can distribute configuration profiles as a mail attachment, via a link on your own web page or through the MDM solution’s built-in user portal. When users open the mail attachment or download the configuration profile using a web browser, they’re prompted to begin configuration profile installation.
To learn how to prepare your organisation to deploy Apple devices, see:
Note: You can use Apple Configurator 2 to add device configuration profiles (automatically or manually) to iOS, iPadOS and tvOS devices. To add device or user configuration profiles containing macOS-specific settings, use a third-party mobile device management (MDM) solution or Profile Manager, part of the macOS Server app.
What is a payload?
A payload can be configured to manage specific settings on Apple devices. For example, you can have different payloads to require a complex passcode, populate an Exchange account with all the Exchange server information, and add a VPN configuration to a device. Even though each payload has its own unique settings, all payloads are defined by the following:
The operating system or systems that the payload supports
The channel (device or user) over which the payload is delivered and applied
Whether the payload requires the Apple device to be supervised
Whether the payload is exclusive or whether it can be combined with other payloads of the same type
Whether the payload can have duplicates
After payloads are configured, they are saved in a configuration profile.
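The following Python script is an added example, not code from Apple or from this guide, that shows the structure described in the two preceding sections: a profile is a property list whose top-level PayloadType is "Configuration", and each entry in PayloadContent is a payload carrying the common PayloadType, PayloadIdentifier, PayloadUUID and PayloadVersion keys alongside its own settings. It builds a profile with a passcode-policy payload and an optional profile removal password payload, marks the profile as locked with PayloadRemovalDisallowed, serialises it with plistlib, and then lints the result for the invariants above (and for duplicate payloads of a type that doesn't allow them). The organisation prefix, display names, passcode values and the PAYLOAD_RULES table are assumptions made for the example; the Apple payload keys and the two payload type identifiers are real.

```python
"""Build, serialise and lint an Apple configuration profile (.mobileconfig)."""
import plistlib
import uuid

# Assumed values for the example (not from the guide): an organisation prefix
# used to derive reverse-DNS PayloadIdentifier strings, and an organisation name.
ORG_ID = "com.example.mdm"
ORG_NAME = "Example Org"

# Keys that every payload, and the profile itself, must carry.
REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")

# Illustrative per-type rules (an assumption for this example, modelled on the
# "can the payload have duplicates" attribute): neither of these payload types
# should appear twice in one profile.
PAYLOAD_RULES = {
    "com.apple.mobiledevice.passwordpolicy": {"duplicates": False},
    "com.apple.profileRemovalPassword": {"duplicates": False},
}


def make_payload(payload_type, suffix, display_name, **settings):
    """Return one payload dict: the common keys plus the type-specific settings."""
    payload = {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{ORG_ID}.{suffix}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
    }
    payload.update(settings)
    return payload


def build_profile(locked=True, removal_password=None):
    """Assemble a profile with a passcode-policy payload and, optionally, a removal password."""
    payloads = [
        make_payload(
            "com.apple.mobiledevice.passwordpolicy", "passcode", "Passcode policy",
            allowSimple=False, requireAlphanumeric=True, minLength=8, maxPINAgeInDays=90,
        )
    ]
    if removal_password is not None:
        payloads.append(make_payload(
            "com.apple.profileRemovalPassword", "removal", "Profile removal password",
            RemovalPassword=removal_password,
        ))
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{ORG_ID}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Baseline security settings",
        "PayloadOrganization": ORG_NAME,
        # True marks the profile as locked to the device: the user can't remove it.
        "PayloadRemovalDisallowed": locked,
        "PayloadContent": payloads,
    }


def to_mobileconfig(profile):
    """Serialise the profile as the XML property list a device expects."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def lint_profile(data):
    """Parse a .mobileconfig and return a list of problems; an empty list means it passed."""
    problems = []
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    for key in REQUIRED_KEYS:
        if key not in profile:
            problems.append(f"profile missing {key}")
    seen_uuids = set()
    seen_types = set()
    for index, payload in enumerate(profile.get("PayloadContent", [])):
        for key in REQUIRED_KEYS:
            if key not in payload:
                problems.append(f"payload {index} missing {key}")
        puuid = payload.get("PayloadUUID")
        if puuid in seen_uuids:
            problems.append(f"payload {index} reuses PayloadUUID {puuid}")
        seen_uuids.add(puuid)
        ptype = payload.get("PayloadType")
        if ptype in seen_types and not PAYLOAD_RULES.get(ptype, {}).get("duplicates", True):
            problems.append(f"payload {index}: duplicate {ptype} payload not allowed")
        seen_types.add(ptype)
    return problems


if __name__ == "__main__":
    blob = to_mobileconfig(build_profile(removal_password="correct horse"))
    print(blob.decode())
    print("problems:", lint_profile(blob))
```

Run the script to see the generated XML; the profile it writes is unsigned, which is fine for delivery through an MDM solution but, as the note above says, a profile installed manually should be signed. On a Mac that can be done with the security command, for example `security cms -S -N "Signing identity name" -i baseline.mobileconfig -o baseline-signed.mobileconfig`, which wraps the plist in a CMS signature the device verifies at install time.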