MDM overview for Apple devices
This reference is designed for IT and MDM administrators. It describes the mobile device management (MDM) settings defined by Apple. If you are an Apple developer, you can also refer to Device Management on the Apple Developer website.
What is mobile device management (MDM)?
MDM lets you securely and wirelessly configure devices, whether they’re owned by the user or your organisation. MDM includes updating software and device settings, monitoring compliance with organisational policies, and remotely wiping or locking devices. Users can enrol their own devices in MDM, and organisation-owned devices can be enrolled in MDM automatically using Apple School Manager or Apple Business Manager.
Supported Apple devices
The following Apple devices have a built-in framework that supports MDM:
iPhone and iPod touch (iOS 5 or later)
iPad (iOS 5 or later or iPadOS 13.1 or later)
Mac computers (OS X 10.7 or later)
Apple TV (tvOS 9 or later)
In the rest of this document, the term iPhone refers to both iPhone and iPod touch.
How does MDM work?
After the enrolment profile is approved, either by the device or the user, configuration profiles containing payloads are delivered to the device. You can then wirelessly distribute, manage and configure apps and books purchased through Apple School Manager or Apple Business Manager. Users can install apps themselves, or apps can be installed automatically, depending on the type of app, how it’s assigned and whether the device is supervised.
There are a few concepts to understand if you’re going to use MDM. The following sections explain how MDM uses configuration profiles and payloads.
What are configuration profiles?
A configuration profile is an XML file (ending in .mobileconfig) that consists of payloads that load settings and authorisation information onto Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions and credentials. These files can be created by an MDM solution or Apple Configurator 2, or they can be created manually.
Because configuration profiles can be encrypted and signed, you can restrict their use to a specific Apple device and — with the exception of usernames and passwords — prevent anyone from changing the settings. You can also mark a configuration profile as being locked to the device.
Why are there two types of configuration profile?
Configuration profiles can be sent to users or devices, or groups of users or groups of devices.
You may also want to create separate configuration profiles for specific devices (such as iPhone devices) or a group of users (such as students). For information, see Payload best practices.
If your MDM solution supports it, you can distribute configuration profiles as a mail attachment, via a link on your own web page or through the MDM solution’s built-in user portal. When users open the mail attachment or download the configuration profile using a web browser, they’re prompted to begin configuration profile installation.
Note: You can use Apple Configurator 2 to add device configuration profiles (automatically or manually) to iPhone, iPad and Apple TV. To add device or user configuration profiles containing macOS-specific settings, use a third-party mobile device management (MDM) solution or Profile Manager, part of the macOS Server app.
What is a payload?
A payload can be configured to manage specific settings on Apple devices. For example, you can have different payloads to require a complex passcode, populate an Exchange account with all the Exchange server information, and add a VPN configuration to a device. Even though each payload has its own unique settings, all payloads are defined by the following:
The operating system or systems that the payload supports
The channel that does the payload work
Whether the payload requires the Apple device to be supervised
Whether the payload is exclusive or whether it can be combined with other payloads of the same type
Whether the payload can have duplicates
After payloads are configured, they are saved in a configuration profile.
See the Complete payload list. To learn which MDM payloads are supported for your devices, consult your MDM vendor’s documentation.
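The following is an added example, not code from this Apple document or from any MDM solution. It builds a minimal .mobileconfig as an XML property list with one passcode-policy payload, marks it as locked to the device, and then validates it the way an administrator might before distributing it: the top-level dictionary must be of type Configuration, every payload must carry the common Payload* keys, no two payloads may share a PayloadUUID, and a passcode payload must actually require a passcode of a sensible length. The Payload* key names and the passcode-policy keys follow Apple's published configuration profile reference; the organisation name, identifiers and minimum-length threshold are constructed for the example. Signing and encryption of the profile are not shown.

```python
import plistlib
import uuid

# Payload type string for the passcode policy payload (Apple's documented identifier).
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"
# Keys that every payload dictionary, including the top-level profile, must carry.
REQUIRED_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")


def new_uuid():
    """Profiles conventionally carry upper-case UUID strings."""
    return str(uuid.uuid4()).upper()


def passcode_payload(identifier, min_length=8, max_failed=10):
    """Build one passcode-policy payload (the values here are constructed for the example)."""
    return {
        "PayloadType": PASSCODE_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                 # a passcode is required at all
        "requireAlphanumeric": True,      # digits alone are not enough
        "minLength": min_length,
        "maxFailedAttempts": max_failed,  # device wipes after this many wrong attempts
    }


def build_profile(org, identifier, payloads, locked=False):
    """Wrap payloads in a top-level Configuration dictionary and serialise to XML plist bytes.

    locked=True sets PayloadRemovalDisallowed, i.e. the profile is locked to the device
    and can only be removed by the MDM solution that installed it or by wiping the device.
    """
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": f"{org} baseline",
        "PayloadOrganization": org,
        "PayloadScope": "System",         # device profile; "User" would make it a user profile
        "PayloadRemovalDisallowed": locked,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)        # unsigned XML; a signed profile wraps this in CMS


def validate_profile(data, min_passcode_length=6):
    """Return a list of problems found in a .mobileconfig; an empty list means it passed."""
    problems = []
    try:
        profile = plistlib.loads(data)
    except Exception as exc:              # malformed XML, or not a plist at all
        return [f"not a valid plist: {exc}"]
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    problems += [f"top level missing {k}" for k in REQUIRED_KEYS if k not in profile]
    seen = {profile.get("PayloadUUID")}
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        problems += [f"payload {i} missing {k}" for k in REQUIRED_KEYS if k not in payload]
        pu = payload.get("PayloadUUID")
        if pu is not None:
            if pu in seen:
                problems.append(f"payload {i} reuses PayloadUUID {pu}")
            seen.add(pu)
        # Strength check: an example rule for this validator, not something Apple enforces.
        if payload.get("PayloadType") == PASSCODE_TYPE:
            if not payload.get("forcePIN"):
                problems.append(f"payload {i}: passcode policy does not require a passcode")
            if payload.get("minLength", 0) < min_passcode_length:
                problems.append(f"payload {i}: minLength below {min_passcode_length}")
    return problems


def is_locked(data):
    """True when the profile is marked as locked to the device."""
    return bool(plistlib.loads(data).get("PayloadRemovalDisallowed", False))


if __name__ == "__main__":
    profile = build_profile("Example Org", "com.example.baseline",
                            [passcode_payload("com.example.baseline.passcode")], locked=True)
    print(profile.decode())
    print("problems:", validate_profile(profile), "locked:", is_locked(profile))
```

Running the block prints the generated profile and an empty problem list. Dropping a payload's minLength to 4 or reusing a PayloadUUID across two payloads makes the validator report it, which is the kind of check worth running in a pipeline before a profile reaches an MDM solution or a user's mailbox.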
Configuration profiles and Shared iPad
If you use Shared iPad, you can install:
Device and device group profiles with your MDM solution.
User and user group profiles with your MDM solution.
User-approved MDM enrolment
User-approved MDM enrolment requires users to accept the MDM enrolment profile on their Apple device. Acceptance can’t be completed with remote management (for example, using Apple Remote Desktop). Apple devices that appear in Apple School Manager or Apple Business Manager don’t require user-approved MDM enrolment. When an MDM enrolment profile is removed, all payloads are removed with it. When a device is re-enrolled, the following user-approved MDM payloads will be rejected if the devices don’t appear in Apple School Manager or Apple Business Manager:
Payload interaction with Open Directory
macOS payloads may behave differently when they interact with Open Directory settings as follows:
Managed device–applied user profiles take priority over Open Directory–stored user settings.
Open Directory–stored user settings take priority over managed device–applied device profiles.
Managed device–applied device profiles take priority over Open Directory–stored computer settings.
Manually installed user and device profiles always have a lower priority than Open Directory–stored or managed device–applied user or device settings.
How you remove configuration profiles depends on how they were installed. The following sequence indicates how a configuration profile can be removed:
1. All profiles can be removed by wiping the device of all data.
2. If the profile is assigned to the device using Apple School Manager or Apple Business Manager, it can be removed by the MDM solution and, optionally, by the user.
3. If the profile is installed by an MDM solution, it can be removed by that specific MDM solution or by the user unenrolling from MDM by removing the enrolment configuration profile.
4. If the profile is installed on a supervised device using Apple Configurator 2, that supervising instance of Apple Configurator 2 can remove the profile.
5. If the profile is installed on a supervised device manually or using Apple Configurator 2 and the profile has a removal password payload, the user must enter the removal password to remove the profile.
6. All other profiles can be removed by the user.
An account installed by a configuration profile can be removed by removing the profile. A Microsoft Exchange ActiveSync account, including one installed using a configuration profile, can be removed by the Microsoft Exchange Server by issuing the account-only remote wipe command.