Payload best practices for Apple devices
Configuration profile and payload planning helps reduce complexity. To make your work easier, follow these mobile device management (MDM) best practices before you begin deploying configuration profiles. Keep the following in mind:
A configuration profile can have more than one payload.
A device can have more than one configuration profile.
On a Mac, you can combine user configuration profiles with device configuration profiles.
If you have multiple configuration profiles containing similar payloads with different settings, the resulting behaviour is undefined. On an iPhone or iPad, if there are conflicting restrictions, the more restrictive restriction wins.
Some payloads can have more than one unique payload. For example, a Certificates payload often involves more than one certificate, and a VPN payload may involve more than one VPN setting.
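The undefined behaviour described above, when several configuration profiles carry similar payloads with different settings, can be caught before deployment. The following is an added example, not Apple's code: it reads unsigned profile plists and reports every setting that two or more profiles define with different values, as candidates for review. The function names, profile names, identifiers and SSID are constructed for illustration.

```python
import plistlib
from collections import defaultdict

# Keys that describe the payload itself rather than a managed setting.
METADATA_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion",
                 "PayloadDisplayName", "PayloadDescription", "PayloadOrganization"}

def iter_settings(raw_profile):
    """Yield (payload_type, key, value) for every setting in one profile."""
    profile = plistlib.loads(raw_profile)
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<unknown>")
        for key, value in payload.items():
            if key not in METADATA_KEYS:
                yield ptype, key, value

def find_conflicts(profiles, ignore_types=()):
    """profiles maps a profile name to its raw plist bytes.
    Returns {(payload_type, key): {profile_name: value}} for each setting
    that more than one profile defines with differing values."""
    seen = defaultdict(dict)
    for name, raw in profiles.items():
        for ptype, key, value in iter_settings(raw):
            if ptype not in ignore_types:
                seen[(ptype, key)][name] = value
    conflicts = {}
    for setting, by_profile in seen.items():
        values = list(by_profile.values())
        if any(v != values[0] for v in values[1:]):
            conflicts[setting] = by_profile
    return conflicts

def make_profile(identifier, payloads):
    """Serialise a constructed sample profile to plist bytes."""
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadIdentifier": identifier,
                           "PayloadContent": payloads})

RESTRICTIONS = "com.apple.applicationaccess"
# Constructed sample input: two profiles that both carry a Restrictions payload.
SAMPLE_PROFILES = {
    "baseline": make_profile("com.example.baseline", [
        {"PayloadType": RESTRICTIONS, "allowCamera": False, "allowScreenShot": True}]),
    "kiosk": make_profile("com.example.kiosk", [
        {"PayloadType": RESTRICTIONS, "allowCamera": True, "allowScreenShot": True},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "ExampleNet"}]),
}

if __name__ == "__main__":
    for (ptype, key), by_profile in find_conflicts(SAMPLE_PROFILES).items():
        print(f"{ptype} {key}: {by_profile}")
```

Payload types that are legitimately installed more than once, such as VPN, can be passed in `ignore_types` so they are not reported. Signed profiles must have their signature wrapper removed before `plistlib` can parse them.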
Here are some examples of optimised payload management:
If you want to manage an iPhone, iPad or Mac, use the same payloads for all the devices.
If you want to manage only iPhone and iPad devices (or users of those devices), focus on iOS and iPadOS payloads.
If you want to manage only Mac computers or users of Mac computers, focus on macOS payloads, then decide if your management should be at the device or user level.
Although you can create a single configuration profile that contains all payloads for your organisation, consider creating separate profiles based on functionality. This will ensure that changes made to one configuration profile don’t inadvertently affect another. Settings that rarely change may include device restrictions, Wi-Fi, security and privacy, LDAP, mail and calendar. Settings that may change often include VPN, certificates, Web Clips and Home screen settings.
Users generally can’t change settings that are defined in a configuration profile. You can also set configuration profiles to expire on a specific date. Accounts configured by a configuration profile can be removed only by deleting the profile. Doing so may prevent the device from being used in your organisation until the profile is reinstalled. For example, removing a configuration profile may prevent the user from accessing the network, receiving mail, and creating events using their Calendar app.
Important: If the user knows the passcode, iPhone and iPad devices that aren’t supervised can have configuration profiles removed, even if the option is set to Never in the General settings. Configuration profiles for Mac computers can be removed using the profiles command-line tool or System Preferences if the user knows an administrator’s username and password, unless the devices are enrolled in Apple School Manager or Apple Business Manager.