A configuration profile is an XML file that allows an administrator to distribute configuration information to iOS, iPadOS, macOS, and tvOS devices. In iOS, iPadOS, and tvOS, most settings that are defined by an installed configuration profile can’t be changed by the user. If the user deletes a configuration profile, all the settings defined by the profile are also removed. In this manner, administrators can enforce settings by tying policies to Wi-Fi and data access. For example, a configuration profile that provides an email configuration can also specify a device passcode policy. Users won’t be able to access mail unless their passcode meets the administrator’s requirements.
A configuration profile contains settings grouped into specific payloads, including (but not limited to):
Passcode and password policies
Restrictions on device features (for example, disabling the camera)
LDAP directory service settings
CalDAV calendar service settings
Credentials and keys
Profile signing and encryption
Configuration profiles can be signed to validate their origin and encrypted to ensure their integrity and protect their contents. Configuration profiles for iOS and iPadOS are encrypted using the Cryptographic Message Syntax (CMS) specified in RFC 3852, supporting 3DES and AES-128.
Users can install configuration profiles directly on their devices using Apple Configurator 2, or they can be downloaded using Safari, sent attached to a mail message, transferred using AirDrop or the Files app on iOS and iPadOS, or sent over the air using a mobile device management (MDM) solution. When a user sets up a device in Apple School Manager or Apple Business Manager, the device downloads and installs a profile for MDM enrollment.
Removing configuration profiles depends on how they were installed. The following sequence indicates how a configuration profile can be removed:
All profiles can be removed by wiping the device of all data.
If the profile is assigned to the device using Apple School Manager or Apple Business Manager, it can be removed by the MDM solution and, optionally, by the user.
If the profile is installed by an MDM solution, it can be removed by that specific MDM solution or by the user unenrolling from MDM by removing the enrollment configuration profile.
If the profile is installed on a supervised device using Apple Configurator 2, that supervising instance of Apple Configurator 2 can remove the profile.
If the profile is installed on a supervised device manually or using Apple Configurator 2 and the profile has a removal password payload, the user must enter the removal password to remove the profile.
All other profiles can be removed by the user.
An account installed by a configuration profile can be removed by removing the profile. A Microsoft Exchange ActiveSync account, including one installed using a configuration profile, can be removed by the Microsoft Exchange Server by issuing the account-only remote wipe command.
On supervised devices, configuration profiles can also be locked to a device to completely prevent their removal, or to allow removal only with a passcode. Since many enterprise users own their iOS and iPadOS devices, configuration profiles that bind a device to an MDM solution can be removed—but doing so also removes all managed configuration information, data, and apps.
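As an added example (not part of the original page), the following Python sketch audits an unsigned profile before it is approved for deployment, reporting the payload types and the removal controls discussed above. The sample profile is constructed, the function name `audit_profile` is hypothetical, and the payload type and key names are assumed from Apple's published configuration profile keys.

```python
import plistlib

# Constructed sample profile (not from the page): passcode policy, camera
# restriction and a removal password payload. All values are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>minLength</key><integer>8</integer></dict>
    <dict><key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowCamera</key><false/></dict>
    <dict><key>PayloadType</key><string>com.apple.profileRemovalPassword</string>
      <key>RemovalPassword</key><string>constructed-value</string></dict>
  </array>
</dict></plist>"""

PASSCODE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS = "com.apple.applicationaccess"
REMOVAL_PASSWORD = "com.apple.profileRemovalPassword"
MDM = "com.apple.mdm"

def audit_profile(data: bytes) -> dict:
    """Summarise what an unsigned profile enforces and how it can be removed."""
    # Assumption: a signed profile arrives as a DER-encoded CMS structure, which
    # starts with the ASN.1 SEQUENCE tag 0x30. Verify and unwrap it first.
    if data[:1] == b"\x30":
        raise ValueError("CMS-wrapped profile: verify the signature and unwrap it first")
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    types = [p.get("PayloadType") for p in payloads]
    camera_disabled = any(
        p.get("PayloadType") == RESTRICTIONS and p.get("allowCamera") is False
        for p in payloads
    )
    return {
        "identifier": profile.get("PayloadIdentifier"),
        "payload_types": types,
        "passcode_policy": PASSCODE in types,
        "camera_disabled": camera_disabled,
        "removal_password": REMOVAL_PASSWORD in types,
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "enrolls_in_mdm": MDM in types,
    }

if __name__ == "__main__":
    for key, value in audit_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```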