How To Use Custom Configuration Profiles With Custom Attributes

Last updated October 25, 2019

Configuration profiles are a primary building block of mobile device management. Taking the form of an XML property-list file, these profiles can be applied to devices remotely to configure specific settings, enforce restrictions, set up preferences, and much more.

Many of these profiles can be created quickly using features already available through the SimpleMDM interface. However, some situations may require the flexibility of a custom implementation. For this reason, SimpleMDM includes support for Custom Configuration Profiles. This allows admins to upload their own profiles and edit them within the SimpleMDM interface using a built-in text editor. Custom Attributes can also be inserted into these profiles, which makes it possible to inject variable values on a group-level and/or device-level basis.

In this guide, we will walk you through how to use a Custom Configuration Profile and Custom Attributes to specify profile values for individual devices and groups of devices.

Goal of this Guide

Our objective in this tutorial is to display a custom message on the user login screen for macOS devices with the custom “Loginwindow” configuration profile.

As an aside, there are a couple of good resources to check first when looking for references of available configuration profiles. One is Apple’s Configuration Profile Reference. The profile docs guide maintained by the MacAdmins community is another great resource.

For our walkthrough, we will assume that you already have a profile (“.mobileconfig” file) available to you – we won’t be covering the steps for creating the initial profile. There are many different sources for creating or obtaining configuration profiles, including but not limited to: Apple Configurator, ProfileCreator, or creating it manually using a text editor. The MacAdmins documentation above also has links to download generic profile templates.

If you want to follow along with our specific example, you can copy the code for the Loginwindow profile we will be using here:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>LoginwindowText</key>
			<string></string>
			<key>PayloadDescription</key>
			<string>Configures Loginwindow settings</string>
			<key>PayloadDisplayName</key>
			<string>Loginwindow</string>
			<key>PayloadIdentifier</key>
			<string>com.github.erikberglund.ProfileCreator.729A188D-D90A-430F-8B4E-24133EDC6E76.com.apple.loginwindow.FD61E78F-B806-4ADD-B328-F0F4580F3809</string>
			<key>PayloadOrganization</key>
			<string>SimpleMDM</string>
			<key>PayloadType</key>
			<string>com.apple.loginwindow</string>
			<key>PayloadUUID</key>
			<string>FD61E78F-B806-4ADD-B328-F0F4580F3809</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Sets text on login window.</string>
	<key>PayloadDisplayName</key>
	<string>LoginWindow</string>
	<key>PayloadIdentifier</key>
	<string>com.github.erikberglund.ProfileCreator.729A188D-D90A-430F-8B4E-24133EDC6E76</string>
	<key>PayloadOrganization</key>
	<string>ProfileCreator</string>
	<key>PayloadScope</key>
	<string>User</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>729A188D-D90A-430F-8B4E-24133EDC6E76</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Creating a Custom Configuration Profile in SimpleMDM

The first part of this process is to add the profile to SimpleMDM. From the Profiles page, click the “Add Profile” button, and then select “Custom Configuration Profile” from the list. On the Custom Configuration Profile settings screen, give the profile a relevant name.

The next step is to add the .mobileconfig – there are two ways to do this:

  1. Next to the “Mobileconfig” field, click “Choose File” and follow the prompts to upload your .mobileconfig from your computer.
  2. Copy and paste the code from your profile into the text-editor field (if you are feeling particularly ambitious, you can type it in manually as well).

Next, we will check both boxes located below the text editor. The first box, “For macOS devices, deploy as a device profile instead of a user profile”, tells MDM whether to install the profile so it applies to the whole system or just to enrolled user accounts. For this example, we want this profile to be applied at the device level. The second box, “Enable attribute support”, will be necessary for steps covered later in this walkthrough.

After adding the profile and checking both boxes, click “Save”. If SimpleMDM detects an issue with the profile contents that would make it invalid, an error message will appear on the profile settings page. If you see this, be sure to check for typos, required keys that might be missing, syntax errors, or other similar issues.

Once the profile has been saved successfully, you have a working custom configuration profile that can be deployed to devices. To deploy the profile, assign it to your device groups as needed by checking the box next to the profile name on the Device Group Details page.

Even though the profile has been deployed to devices, you shouldn’t see any change at this point because we haven’t edited the profile to set the login window text. We will do that now.

Navigate back to Configs > Profiles and click the custom profile name. You should see the XML code from the profile showing in the text editor. Locate the “LoginwindowText” key and the empty <string> element that follows it in the text editor.

This is where we will set the message displayed on the login window. We’ll start by setting this value for all devices with this profile installed. In the text editor, type a new value in between the <string> tags:

<key>LoginwindowText</key>
<string>Property of Example Co.</string>

The profile should be updated on your devices shortly after saving the changes made in the editor. You may need to log in / out to refresh the screen and display the new message.

Adding Attributes & Custom Attributes

Let’s say that you want your Macs to display their serial number on the login screen for your admins to easily reference. This can be accomplished by using the “serial_number” attribute, which is one of several attributes supported by default. Edit the configuration profile XML like before, except instead of adding the value you want to display directly, enter the attribute name using the following syntax:

<key>LoginwindowText</key>
<string>{{serial_number}}</string>

You should now see the device serial number appear when logging in and out.

Assigning Values at the Group Level

Note: We will not be covering the full process for creating custom attributes since we have included these steps in previous articles. If you aren’t already familiar with them, you may refer to the “Setup: Custom Attributes” section of this blog article as well as this article from our Knowledge Base for guidance.

Going further, let’s assume that all your devices are grouped based on the department they belong to within your organization, and you want your devices to display both their serial number and the name of the department.

Create a custom attribute – we’ll call it “department_name” – under the Attributes section in the SimpleMDM interface. In the Group Details page for each of your groups, click the “Settings” tab and enter the corresponding values you want to use for “department_name”. For example, enter “Marketing Department” for a marketing group, “Engineering Team” for an engineering group, etc.

Update your configuration profile similar to the following:

<key>LoginwindowText</key>
<string>{{serial_number}} - {{department_name}}</string>

Your devices should now display new messages corresponding to the group-level attribute value, such as:

C012ACME902P - Marketing Department

Assigning Values at the Device Level

Finally, if we want to be even more specific and include the device user’s name in this message, we can do this by repeating a similar process except we will set the attribute value at the device level instead of the group level.

Create another attribute such as “device_user_name”. Assign these values for individual devices in the corresponding field under the “Settings” tab of the Device Details page. Then update the configuration profile:

<key>LoginwindowText</key>
<string>{{serial_number}} - {{device_user_name}} - {{department_name}}</string>

Your results should look similar to this:

C012ACME902P - Gretchen - Marketing Department
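A pre-upload check for a templated profile, as an added example that is not SimpleMDM's code: it fills the {{attribute}} placeholders locally with XML-escaped values, reports placeholders that have no value, and confirms the result still parses as a property list with the required payload keys. The page does not say how SimpleMDM escapes attribute values, so the escaping step, the com.example identifiers and the condensed template are assumptions made for this illustration.

```python
import plistlib
import re
from xml.sax.saxutils import escape

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")
REQUIRED = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")

# Constructed, condensed variant of the guide's profile (com.example ids are placeholders).
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array><dict>
    <key>LoginwindowText</key><string>{{serial_number}} - {{department_name}}</string>
    <key>PayloadType</key><string>com.apple.loginwindow</string>
    <key>PayloadIdentifier</key><string>com.example.loginwindow.payload</string>
    <key>PayloadUUID</key><string>FD61E78F-B806-4ADD-B328-F0F4580F3809</string>
    <key>PayloadVersion</key><integer>1</integer>
  </dict></array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.loginwindow</string>
  <key>PayloadUUID</key><string>729A188D-D90A-430F-8B4E-24133EDC6E76</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict></plist>"""


def render(template, attrs, escape_values=True):
    """Fill {{name}} placeholders locally; return (xml, unresolved names)."""
    unresolved = sorted(set(PLACEHOLDER.findall(template)) - set(attrs))
    def fill(match):
        value = attrs.get(match.group(1))
        if value is None:
            return match.group(0)  # leave unknown placeholders visible
        return escape(str(value)) if escape_values else str(value)
    return PLACEHOLDER.sub(fill, template), unresolved


def lint(xml):
    """Return a list of problems that would make the rendered profile invalid."""
    try:
        top = plistlib.loads(xml.encode("utf-8"))
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"not a valid plist: {exc}"]
    if not isinstance(top, dict):
        return ["top-level element is not a dict"]
    problems = [f"profile: missing {k}" for k in REQUIRED if k not in top]
    for i, payload in enumerate(top.get("PayloadContent", [])):
        problems += [f"payload[{i}]: missing {k}" for k in REQUIRED if k not in payload]
    return problems
```

Rendering with an attribute value such as “R&D <Lab>” and escape_values=False shows how an unescaped value turns the profile into invalid XML, which is worth checking before trusting free-text attribute values entered by many admins.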

Going Further

There is a wide range of tasks and solutions that can be accomplished using custom configuration profiles and custom attributes. This walkthrough was meant to introduce a fairly simple solution for demonstration purposes, but there are a number of possibilities that exist with varying levels of complexity.

More advanced users might find that this sort of implementation could be an effective strategy for tasks such as setting up Munki profiles and enabling firewall configurations, amongst many others.
