Configuration profiles are a fundamental component of all device management strategies. In the simplest terms, they are XML files that allow administrators to distribute configuration information to Apple devices. Consider these profiles the blueprints of your device's behavior and attributes.
As you start to deploy configuration profiles, you'll notice that there is frequently a direct correlation between configuration profile components and the various configurable settings available in System Settings. For example, in System Settings, you can upload an image to become your wallpaper picture. Similarly, you can create a wallpaper configuration profile, upload an image, and then deploy that profile to multiple devices (with supervision).
These profiles can be pushed to devices over the air, giving admins zero-touch control over many parameters for devices en masse, from Wi-Fi settings to wallpapers, application permissions, password policies, and more.
Config profiles are building blocks, and they help get things done.
It's giving mitochondria: the powerhouse of the cell. 🦠
But perhaps you're not quite ready to be transported to ninth-grade science with me today, so let me break it down.
Attributes of configuration profiles
A configuration profile is an XML-based plist file and consists of several components such as payload identifier, UUID, organization identity, payload type, description, scope, and version. The payload content is a critical component, containing the specific settings and commands that the profile will enforce or apply.
payload content = the part that has the stuff that does the things
XML, or Extensible Markup Language, establishes rules for encoding documents in a format intuitive to humans and computers alike. Allowing custom tagging schemes fosters document diversity while delivering a perfect balance of readability and flexibility for data storage and transmission.
Property list (plist)
Plist, a shortened term for "property list," is a data file used across macOS to store user preferences and application data. These files, serializing objects like numbers or strings, typically utilize XML or Binary formats. When written in XML, plist files use this language as a "vessel" for structuring and storing data.
In short, plist is the nature of the data file, and XML is the format that structures that data. Okay, so configuration profiles are XML written in plist format. Cool, I feel smart. 🧠
Plist is the data format, XML is the markup language used for constructing the data, and configuration profiles directly apply these technologies to manage settings on Apple devices. It's like getting from A to B: plist defines the car, XML is the roadmap, and configuration profiles are the destination.
Configuration profile keys
Configuration profile keys are the keys found within a configuration profile, including payload dictionary keys and payload-specific property keys. The term may also refer to the top-level keys that define the profile's structure. For instance, PayloadDisplayName and PayloadRemovalDisallowed set the profile's name and removal permission, respectively.
Each payload contains a set collection of configuration profile keys within the configuration profile, stipulating a device's enforced settings or configurations. The values are set, encoded into a profile, and subsequently take effect when installed.
You keep mentioning payloads…
The configuration profile XML's core content or payload contains managed devices' settings, restrictions, and rules. Each payload has payload-specific keys denoting key settings.
Payload dictionary keys
Every configuration profile contains payloads and dictionaries of key-value pairs. Payload dictionary keys constitute the main payload properties, conveying essential information: PayloadType, PayloadVersion, PayloadIdentifier, and PayloadUUID, for example.
Payload-specific property keys
These apply specifically to individual payloads. Unique to their payload type, they determine actual settings or configurations, like a Wi-Fi payload specifying SSID and password.
Think of configuration profiles as books:
Configuration profile keys are chapters.
Payload dictionary keys serve as chapter titles.
Payload-specific property keys are the detailed content within.
What configuration profiles control
With SimpleMDM, you can use configuration profiles to cater to different business requirements. These include:
1. Wi-Fi profiles: Configure access to Wi-Fi networks, including SSID, security type, and associated passwords. No more wasting time manually entering Wi-Fi credentials on every device.
2. Email profiles: Set up email accounts, including inbound and outbound servers and port numbers. Supports major email providers such as Gmail, Exchange, Yahoo, etc.
3. VPN profiles: Set up VPN configurations, giving employees secure, remote access to your organization's network.
4. Active Directory/LDAP profiles: Integrate your devices with your existing Active Directory or LDAP setups for user authentication.
5. Mobile Device Management (MDM) settings: Control how devices interact with your MDM. This includes Security & Privacy settings, Software Update Delay settings, and MDM removal permissions.
6. Certificate profiles: Deploy private certificates for secure identification and communication.
7. iOS- and macOS-specific profiles: You can create custom profiles specific to the operating system. Examples include Home Screen Layout for iOS and FileVault settings for macOS.
8. Application configuration profiles: You can set predefined settings and data for specific device apps.
9. Passcode configuration profiles: Define passcode complexity requirements, auto-lock settings, and more to ensure device security.
10. Web content filter profiles: Control access to certain websites on the device for a safer browsing environment, especially for education sectors.
11. Device restrictions: Set the policies about what features of their devices personnel can use, like screen capture.
Custom profiles can also be created based on business-specific needs using the Apple Configurator tool and imported to SimpleMDM.
SimpleMDM has introduced support for the "Gatekeeper Policy" profile within the SimpleMDM admin interface. This profile empowers administrators to manage app security on controlled devices. It oversees Gatekeeper settings related to app installation on macOS.
What are custom configuration profiles?
Custom configuration profiles are configuration profiles, but they exist outside the premade profiles your MDM already has available for deployment.
A custom configuration profile for SimpleMDM would be any profile you build out, typically excluding the following list:
Allows you to define...
an app allowlist or denylist to hide undesired apps from iOS. Requires supervision.
an available destination to stream audio and video.
an AirPrint-compatible printer for devices to use.
an Access Point Name. This is also called a cellular payload. Sometimes used in advanced deployments.
a WebDAV or CalDAV calendar account.
a WebDAV or CardDAV contacts account.
deploy custom certificates to devices.
an Exchange, IMAP, or POP-based email account.
requirements around using FileVault full disk encryption. It also supports escrowing and rotating personal recovery keys.
Firewall settings on macOS devices.
Firmware password settings and saves passwords to SimpleMDM.
Global HTTP Proxy: an HTTP proxy that all web traffic on the device will be forced to pass through. Requires supervision.
a Google account to use for email, contacts, and calendaring.
Home Screen Layout: an icon and folder layout on the iOS home screen and dock. Requires supervision.
Kernel Extension Policy: approvals for specific kernel extensions on macOS.
an LDAP account typically used to populate Contacts in iOS.
complexity requirements for passcodes on iOS and macOS, as well as screen lock settings.
accessibility permissions for specific applications on macOS.
a list of iOS functionalities that should be disabled.
Single App Lock: an app that is forced to run at all times on a device. Requires supervision.
Single Sign-On Account: a Kerberos account to be used to sign into websites and apps.
Software Update Policy for iOS: settings to automatically download/install iOS and tvOS updates. Requires supervision.
Software Update Policy for macOS: settings to configure Software Update preferences and automatically download/install macOS updates.
a calendar subscription. These appear in the device's calendar list.
a VPN account, such as L2TP, PPTP, Cisco, or other popular technologies.
an image to appear in the background of the home and/or lock screen. Requires supervision.
an icon on the home screen that acts as a shortcut to a website.
Web Content Filter: a website allowlist or denylist to control web access in the Safari app. Requires supervision.
a Wi-Fi network that the device can access.
My personal preference is to build a custom profile with iMazing. It's a free download from the App Store and very simple to use.
Our favorite custom configuration profiles
Here are a few custom config profiles you can try out yourself!
1. Conference Room Display [tvOS]
This is one of my favorite configuration profiles, and honestly, Apple TV for enterprise is slept on when you consider features like this!
Once activated, the TV display defaults to displaying AirPlay instructions and wireless network details and remains unmodifiable. In addition, the customizable screen allows organizations to configure the display's branding and messaging to match their corporate identity.
Note: This profile is tvOS only, so check the box for tvOS when deploying this Profile!
2. Disable Find My Activation Lock [macOS]
3. Choose your own adventure!
From Zoom to Chrome, CrowdStrike, or Office, the whole point of custom configurations is endless possibilities!
Our favorite prebuilt profiles
By operating system
We know you want to keep your profile deployment time to a MINIMUM so you can keep your beer time to a MAXIMUM. 🍻 So SMDM has already prebuilt all the super handy ones for you! Here are a few notable ones that you can try out this week:
Web Content Filter
A Web Content Filter profile is a configuration profile applied to devices to manage and control access to specific web content. When a Web Content Filter profile is applied to a device, it can limit or block access to specific websites or categories based on predefined rules or settings. This helps prevent users from accessing inappropriate, unsafe, or unproductive content while using the device.
The app restrictions profile is precisely what it sounds like. This profile allows you to create an allow-list or a deny-list for iOS devices and add applications to that list by searching the App Store or bundle ID.
Single App Lock
To no one's surprise, my go-to favorite profile for iPads will always be Single App Lock. Take a peek at our in-depth article to see how to use this profile to create kiosk devices.
This one is a no-brainer! This profile is the first profile you need on each device and the last one you'll ever take off. Unlike most profiles, it's compatible with every OS (macOS, iOS, iPadOS, tvOS) and doesn't require supervision. This profile lets you quickly customize and deploy a preconfigured Wi-Fi network to any device. It's about the most standard profile you can create, but classics are classic for a reason. 😉
SimpleMDM added support for Apple's "Printing" profile in the SimpleMDM admin interface. This profile enables Administrators to configure printing settings and preferences on macOS devices. It manages printing preferences, like default printers, quotas, job permissions, and user group access.
Config profile FAQs
How do I create custom configuration profiles in SimpleMDM?
You can create custom configuration profiles in SimpleMDM by following these steps:
1. Obtain your XML payload: Create an XML, copy an existing XML, or configure a custom XML for your purposes using a tool like iMazing.
2. Add the Profile in SimpleMDM: Go to Profiles > Add Profile > Custom Configuration Profile. Name the Profile.
3. Add the .mobileconfig: Click Choose File and upload the .mobileconfig from your computer. Alternatively, paste the code into the text editor field.
4. Review the two boxes below the text editor: "For macOS devices, deploy as a device profile..." (check this box for default device level deployment) and "Enable attribute support" (leave unchecked unless using custom attributes).
5. Save the Profile: An error message will appear if there's an issue and prevent you from saving the Profile.
6. Deploy the Profile: Assign the Profile to your device groups by checking the box next to the profile name on the Device Group Details page.
How else can I deploy configuration profiles outside of MDM?
Configuration profiles can be deployed through various methods outside MDM, including:
Using Apple Configurator 2: You can utilize Apple Configurator 2, accessible on the App Store.
Via email: Deployment can be achieved by sending the profiles within an email message.
On a webpage: Profiles can also be placed on a webpage for deployment.
Over-the-air configuration: Employ the over-the-air profile delivery and configuration method detailed in Over-the-Air Profile Delivery and Configuration.
Ready to maximize your Mac management? From education to enterprise deployments, SimpleMDM is ready to go!