Profiles are a core component of Apple’s mobile device management (MDM) framework. MDM profiles are used to enroll devices into management and then to convey configurations to managed devices. As such, there are two types of MDM profiles:
Enrollment profiles; and
Configuration profiles.
Enrollment Profiles
As the name implies, enrollment profiles are used to enroll devices into your MDM system. Accompanied by certificates that attest to their provenance, enrollment profiles prepare devices to receive commands, install software, and accept configuration profiles from your MDM solution. Additionally, an enrollment profile allows your MDM to check the status of the enrolled device, including details such as its name, its Activation Lock status, and its battery level.
Configuration Profiles
Configuration profiles are XML files (ending with the extension .mobileconfig) that contain payloads defining the configurations of devices. While configuration profiles are most often installed after the installation of an enrollment profile, they do not require an enrollment profile to be installed. For example, you can provide VPN and email account information as part of a configuration profile without requiring that the devices using those profiles be enrolled in your MDM.
Payload options and requirements vary by device. For example, an AirPlay Security profile can be added only to an Apple TV, whereas Certificates profiles can be installed on any Apple device. In most cases, if a payload is not supported on the device, the device will ignore it.
See Kandji in Action
Experience Apple device management and security that actually gives you back your time.
Profiles are most commonly created and deployed by MDM solutions. That process is largely invisible to admins and users. However, it is possible to create configuration profiles manually.
Creating a configuration profile manually
The most common way to create configuration profiles manually is with Apple Configurator. To do so:
In Apple Configurator, choose File > New Profile. A new configuration profile document window will appear.
In the General settings pane, fill in the Name and Identifier fields.
To add a payload, select it from the list on the left, click Configure, then enter its settings; required values are marked with an icon. If the payload type allows multiple payloads, click the Add Payload button in the upper-right corner of the payload settings pane to add another.
If you want to sign the profile, choose File > Sign Profile, choose your certificate from the pop-up menu, then click OK.
Choose File > Save, name the profile, choose where to save it, then click Save.
Editing a configuration profile
In Apple Configurator , choose File > Open, then locate the configuration profile on your Mac.
If the configuration profile is signed, choose File > Unsign Profile.
You then have the option of removing or adding a payload. To remove, select that option then click Remove Payload in the upper-right corner. To add, select that option, then edit the settings.
If you want to sign the profile, choose File > Sign Profile, choose your certificate from the pop-up menu, then click OK.
After you’ve finished editing the profile, choose File > Save.
Removing an MDM Profile
Depending on how the device was enrolled, end-users may be able to remove profiles from their devices. Otherwise, only admins can. Removal can have different consequences, depending on the type of profile and the settings it configures.
What Happens When You Remove an MDM Profile
If you remove an enrollment profile, any configuration profiles installed when the device was enrolled will be removed too, but the associated configurations may not be changed.
So, for example, if your enrollment profile adds an email account to the user device and sets a requirement for the user to set a multi-character passcode, three things will happen if you remove it:
Both configuration profiles will also be removed;
The email account will be removed;
The passcode requirement will be removed, but the passcode does not revert to its prior state. If the user wants to change to a simpler passcode, they will need to change their passcode settings manually in the Settings App.
How to Remove an MDM Profile
Profiles on supervised devices can not be removed by the end user, unless the device is wiped or the admin configured them to be removable. (Even in those cases, the profile may include a removal password payload, in which case the user must enter that password to remove the profile.) Otherwise, profiles can be removed by the MDM solution alone.
If the profile is installed by an MDM solution, it can be removed by that solution or by unenrolling the device.
In other cases, profiles can be removed by the user.
Watch the virtual event recap from our latest product announcement. Kandji unveils new assignment features and automations that make administration easy and efficient regardless of scale and complexity.
Device Management
Endpoint Detection & Response
macOS Device Management
iOS Device Management
Kai
Liftoff
Prism
Migration Agent
Auto Apps
Passport
Compliance
Assignment Maps
Managed OS
Integrations
Resources Hub
Kandji Blog
Customer Stories
Mac Admins Community
Security Details
MDM Comparison Guide
Customer Support
Product Updates
Customer Login
Kandji Status
Register a Deal
Become a Partner
Partner Portal
About Kandji
News & Press
Careers
Contact
Why Kandji?
