Intro to Profile Manager

Manage settings and policies

Profile Manager creates and distributes a configuration profile. You install them on a device to configure the settings. To learn more about configuration profiles, see Plan your configuration profiles for Apple devices in Apple Platform Deployment. When the profile is installed on a user’s device, the settings it defines are applied. If the settings are applied to a user, those settings apply to any device associated with that user. If the settings are applied to a device, those settings are enforced regardless of who uses the device.

Each user, user group, device, and device group can have configuration profiles to provide a base level of settings. Then you can assign additional configuration profiles to customize the settings to meet your needs.

In addition to general configuration settings, Profile Manager lets you enforce organization policies. For example, you can specify password policies, define the types of networks devices can connect to, and enforce restrictions such as preventing the use of cameras and disabling specific system preferences in macOS. If you’re managing the devices remotely, you can install updated policies without user action or notification.

Distribute configuration profiles

After you define the settings for users and their devices, you can distribute the configuration profiles in the following ways:

• Distributed upon activation: Settings can be automatically configured after the device has been activated over the internet.

• Remote device management: You can enable the Profile Manager mobile device management service, which lets you remotely install, remove, and update configuration profiles on enrolled devices.

• User self-service: Users can download and install the settings from the Profile Manager built-in user portal. The user portal ensures that users receive the configuration profiles you assign to them or their group.

• Manual distribution: You can download configuration profiles (.mobileconfig files) from the Profile Manager administration portal and then send them to your users via a mail message or post them to a website you create. When users receive or download the files, they can install them on their device.

Remotely lock or wipe a lost device

You can remotely lock devices that you manage using Profile Manager. On a Mac, locking shuts down the Mac and installs an EFI passcode to prevent it from starting up without providing the passcode. On iPhone, iPad, and iPod touch, locking invokes the Lock screen and enforces the passcode, if any, installed on the device.

Wiping a Mac removes all user data. Wiping an iPhone, iPad, and iPod touch restores it to factory defaults.

For iPhone, iPad, and iPod touch, you can also reset a user’s passcode when the user forgets it. During this process, the device passcode is removed temporarily (for 60 minutes). To unlock the device, the user is immediately required to enter a new passcode that meets the criteria specified by the configuration profiles installed on the device.

Components of Profile Manager

Profile Manager consists of three main parts that work together to let you specify when and how devices are enrolled and configured, and apps and books are distributed.

• Mobile device management (MDM) service: A mobile device management service lets you remotely manage enrolled devices. After a device is enrolled, you can update a configuration over the network and perform other tasks without user interaction. MDM is supported on:

  • iPhone and iPod touch (iOS 4 or later)

  • iPad (iOS 4.3 or later or iPadOS 13.1 or later)

  • Apple TV (tvOS 9 or later)

  • Mac computers (OS X 10.7 or later)

• Wireless configuration of Apple devices: This lets you streamline the configuration of organization-owned devices. To get users up and running quickly, enroll devices in MDM during activation and skip basic setup steps.

• App and book distribution: Distribute apps and books purchased through Apple School Manager or Apple Business Manager and custom apps and books.