Configuration profile enforcement
Configuration profiles are the primary way that an MDM solution delivers and manages policies and restrictions on managed devices. If organizations need to configure a large number of devices—or to provide lots of custom email settings, network settings, or certificates to a large number of devices—configuration profiles are a safe and secure way to do it.
A configuration profile is an XML file (ending in .mobileconfig) that consists of payloads that load settings and authorization information onto Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions, and credentials. These files can be created by an MDM solution or Apple Configurator 2, or they can be created manually. Before organizations send a configuration profile to an Apple device, they must enroll the device in the MDM solution using an enrollment profile.
An enrollment profile is a configuration profile with an MDM payload that enrolls the device in the MDM solution specified for that device. This allows the MDM solution to send commands and configuration profiles to the device and to query certain aspects of the device. When a user removes an enrollment profile, all configuration profiles, their settings, and managed apps based on that enrollment profile are removed with it. There can be only one enrollment profile on a device at a time.
Configuration profile settings
A configuration profile contains a number of settings in specific payloads that can be specified, including (but not limited to):
Passcode and password policies
Restrictions on device features (for example, disabling the camera)
Network and VPN settings
Microsoft Exchange settings
LDAP directory service settings
CalDAV calendar service settings
Credentials and keys
Profile signing and encryption
Configuration profiles can be signed, to validate their origin, and encrypted, to help ensure their integrity and protect their contents. Configuration profiles for iOS and iPadOS are encrypted using the Cryptographic Message Syntax (CMS) specified in RFC 5652, supporting 3DES and AES128.
Users can install configuration profiles directly on their devices using Apple Configurator 2, or they can be downloaded using Safari, sent attached to a mail message, transferred using AirDrop or the Files app in iOS and iPadOS, or sent over the air using a mobile device management (MDM) solution. When a user sets up a device in Apple School Manager or Apple Business Manager, the device downloads and installs a profile for MDM enrollment. For information on how to remove profiles, see MDM Overview in MDM Settings for IT Administrators.
Note: On supervised devices, configuration profiles can also be locked to a device. This is designed to prevent their removal or to allow removal only with a passcode. Because many organizations own their iOS and iPadOS devices, configuration profiles that bind a device to an MDM solution can be removed—but doing so also removes all managed configuration information, data, and apps.