Configuration enforcement
Configurations are the primary way that an MDM solution delivers and manages policies and restrictions on managed devices. If organisations need to configure a large number of devices — or provide lots of custom email settings, network settings or certificates to a large number of devices — configurations are a safe and secure way to do it.
Configurations
A configuration is an XML profile or JSON-formatted file that follows a defined structure and consists of payloads that load settings and authorisation information onto Apple devices. Configurations automate the configuration of settings, accounts, restrictions and credentials. These files can be created by an MDM solution or Apple Configurator for Mac, or they can be created manually. Before organisations send a configuration to an Apple device, they must enrol the device in the MDM solution using an enrolment profile.
Note: Apple Configurator for Mac can only be used to manage configuration profiles on iPhone, iPad and Apple TV devices.
Enrolment profiles
An enrolment profile is a configuration with an MDM payload that enrols the device in the MDM solution specified for that device. This allows the MDM solution to send commands and configurations to the device and to query certain aspects of the device. When a user removes an enrolment profile, all configurations, their settings and, depending on the enrolment type and the configuration used, managed apps based on that enrolment profile are removed with it. There can be only one enrolment profile on a device at a time.
Example configurations
A configuration contains a number of settings in specific payloads that can be specified, including (but not limited to):
Passcode and password policies
Restrictions on device features (for example, disabling the camera)
Network and VPN settings
Microsoft Exchange settings
Mail settings
Account settings
LDAP directory service settings
CalDAV calendar service settings
Credentials and identities
Certificates
Software updates
Profile signing and encryption
Configuration profiles can be signed to validate their origin, and encrypted to help ensure their integrity and protect their contents. Configuration profiles for iOS and iPadOS are encrypted using the Cryptographic Message Syntax (CMS) specified in RFC 5652, supporting 3DES and AES128.
Profile installation
Configurations can be installed on devices using an MDM solution or manually by users. Alternatively, Apple Configurator for Mac can be used to deploy configurations to iOS, iPadOS and tvOS devices. Some configurations can only be installed using an MDM solution. For information on how to remove profiles, see Intro to mobile device management in Apple Platform Deployment.
Note: On supervised devices, configuration profiles can also be locked to a device. This is designed to prevent their removal or to allow removal only with a passcode.
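The structure described above (a profile made of payloads, an MDM payload marking an enrolment profile, encrypted content, the removal lock) can be reviewed before a profile is deployed. The following Python is an added example, not Apple's code: the sample profile, its identifiers and the function name audit_profile are constructed for illustration, the key names are assumed from Apple's published configuration profile format, and the leading-byte test for a signed profile is a heuristic.

```python
import plistlib

# Constructed sample (not from the page): a restrictions payload that disables
# the camera plus a trimmed MDM payload, which makes this an enrolment profile.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.profile",        # placeholder identifier
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadRemovalDisallowed": True,                  # profile locked to device
    "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.profile.restrictions",
         "PayloadUUID": "00000000-0000-0000-0000-000000000002",
         "allowCamera": False},
        {"PayloadType": "com.apple.mdm", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.profile.mdm",
         "PayloadUUID": "00000000-0000-0000-0000-000000000003",
         "ServerURL": "https://mdm.example.com/server"},  # placeholder URL
    ],
})


def audit_profile(data: bytes) -> dict:
    """Summarise the payloads of an unsigned configuration profile."""
    # Heuristic: a signed profile is a DER-encoded CMS blob, which starts with
    # an ASN.1 SEQUENCE tag (0x30) rather than a property list header.
    if data[:1] == b"\x30":
        raise ValueError("CMS-wrapped profile: verify and unwrap it first")
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    payloads = profile.get("PayloadContent", [])
    types = [p.get("PayloadType") for p in payloads]
    return {
        "payload_types": types,
        "is_enrolment_profile": "com.apple.mdm" in types,
        "removal_locked": bool(profile.get("PayloadRemovalDisallowed", False)),
        # Encrypted profiles carry their payloads as an opaque CMS blob.
        "payloads_encrypted": "EncryptedPayloadContent" in profile,
        "camera_disabled": any(
            p.get("PayloadType") == "com.apple.applicationaccess"
            and p.get("allowCamera") is False for p in payloads),
    }


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```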