Plan your configuration profiles for Apple devices
Configuration profile and payload planning helps reduce complexity. To make your work easier, follow these mobile device management (MDM) best practices before you begin deploying configuration profiles.
A configuration profile can have more than one payload.
A device can have more than one configuration profile.
On a Mac, you can combine user configuration profiles with device configuration profiles.
If you have multiple configuration profiles containing the same payloads with different settings, the resulting behaviour is undefined. This doesn’t apply to the restrictions payload. In this case, the more restrictive value for the setting is applied.
Supported installation method: Some payloads can be installed only by an MDM solution.
Supported approval method: Some payloads require a user to approve the configuration profile containing the payload.
Supported operating systems and channels: Some payloads support all Apple operating systems, while some support only specific ones.
Supported enrolment types: Payloads may support one or more of the enrolment types: User Enrolment, Device Enrolment and Automated Device Enrolment. For more information, see Intro to Apple device enrolment types.
Duplicates allowed: Some payloads can have duplicates. For example, a Certificates payload often involves more than one certificate, and a VPN payload may involve more than one VPN setting.
How to optimise payload management
Here are some examples of optimised payload management:
If you want to manage an iPhone, iPad, or Mac, use the same payloads for all the devices.
If you want to manage only iPhone and iPad devices (or users of those devices), focus on iPhone and iPad payloads.
If you want to manage only Mac computers or users of Mac computers, focus on Mac payloads, then decide if your management should be at the device or user level.
You can create a single configuration profile that contains all the payloads you need — for example, for different apps and settings, such as Mail, Safari, Bluetooth and Wi-Fi.
Although you can create a single configuration profile that contains all payloads for your organisation, consider creating separate profiles based on functionality. This helps ensure that changes made to one configuration profile don’t inadvertently affect another. Settings that rarely change may include device restrictions, Wi-Fi, security and privacy, LDAP, mail and calendar. Settings that may change often include VPN, certificates, Web Clips and Home Screen settings.
Users generally can’t change settings that are defined in a configuration profile. You can also set configuration profiles to expire on a specific date. Accounts configured by a configuration profile can be removed only by deleting the profile. Doing so may prevent the device from being used in your organisation until the profile is reinstalled. For example, removing a configuration profile may prevent the user from accessing the network, receiving mail, and creating events using their Calendar app.
Depending on your deployment, your can review payloads for each operating system. In each table, you can click the payload link to view that specific payload’s options.
Note: Not all payloads and their respective settings are available in all MDM solutions. To learn which MDM payloads are available for your devices, consult your MDM vendor’s documentation.