Intro to mobile device management

iOS, iPadOS, macOS, and tvOS have a built-in framework that supports mobile device management (MDM). MDM lets you securely and wirelessly configure devices by sending profiles and commands to the device, whether they’re owned by the user or your organization. MDM capabilities include updating software and device settings, monitoring compliance with organizational policies, and remotely wiping or locking devices. Users can enroll their own devices in MDM, and organization-owned devices can be enrolled in MDM automatically using Apple School Manager or Apple Business Manager.

There are a few concepts to understand if you’re going to use MDM, so read the following sections to understand how MDM uses enrollment and configuration profiles, supervision, and payloads.

How devices enroll

Enrollment in MDM typically leverages the Simple Certificate Enrollment Protocol (SCEP). Devices use this protocol to create unique identity certificates for authenticating an organization’s services.

Unless enrollment is automated, users decide whether or not to enroll in MDM, and they can disassociate their devices from MDM at any time. Therefore, you should consider incentives for users to remain managed. For example, you can require MDM enrollment for Wi-Fi network access by using MDM to automatically provide the wireless credentials. When a user leaves MDM, their device attempts to notify the MDM solution that it can no longer be managed.

For devices your organization owns, you can use Apple School Manager or Apple Business Manager to automatically enroll them in MDM and supervise them wirelessly during initial setup, which is known as Automated Device Enrollment. When using Automated Device Enrollment, you can optionally mark the MDM enrollment as nonremovable by the user on a device.

Enrollment profiles

An enrollment profile is a configuration profile with an MDM payload that enrolls the device in the MDM solution specified for that device. This allows the MDM solution to send commands and configuration profiles to the device, and to query certain aspects of the device. When a user removes an enrollment profile, all configuration profiles, their settings, and managed apps based on that enrollment profile are removed with it. There can be only one enrollment profile on a device at a time.

After the enrollment profile is approved, either by the device or the user, configuration profiles containing payloads are delivered to the device. You can then wirelessly distribute, manage, and configure apps and books purchased through Apple School Manager or Apple Business Manager. Users can install apps, or apps can be installed automatically, depending on the type of app it is, how it’s assigned, and whether the device is supervised. For more information, see About Apple device supervision.

Configuration profiles

A configuration profile is an XML file (ending in .mobileconfig) that consists of payloads that load settings and authorization information onto Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions, and credentials. These files can be created by an MDM solution or Apple Configurator, or they can be created manually.

Because configuration profiles can be encrypted and signed, you can restrict their use to a specific Apple device and—with the exception of user names and passwords—prevent anyone from changing the settings. You can also mark a configuration profile as being locked to the device.

If your MDM solution supports it, you can distribute configuration profiles as a mail attachment, through a link on your own webpage, or through the MDM solution’s built-in user portal. When users open the mail attachment or download the configuration profile using a web browser, they’re prompted to begin configuration profile installation.

Note: You can use Apple Configurator for Mac to add configuration profiles (automatically or manually) to iOS, iPadOS, and Apple TV devices. For more information, see the Apple Configurator User Guide.

As an administrator, you can deliver a configuration profile that can change settings for an entire device or for a single user:

  • Device profilescan be sent to devices and device groups, and apply device settings to the entire device.

    iPhone, iPad, iPod touch, and Apple TV have no way to recognize more than one user, so configuration profiles created from iOS, iPadOS, and tvOS payloads and settings are always device profiles. Although iPadOS profiles are device profiles, iPad devices configured for Shared iPad can support profiles based on the device or the user.

  • User profilescan be sent to users and user groups, and apply user settings to just the respective users.

    Mac computers can have multiple users, so payloads and settings for macOS profiles can be based on the device or the user.

    Important:User profiles like Mail, Exchange ActiveSync, or CalDAV get installed only if they don’t contain sensitive information such as a passcode or password, which require the profile to be encrypted.

Device and user settings vary according to where they reside: Settings installed at the system level reside in a device channel. Settings installed for a user reside in a user channel.

Payloads

A payload can be configured to manage specific settings on Apple devices. For example, you can have different payloads require a complex passcode, populate an Exchange account with all the Exchange server information, and add a VPN configuration to a device. Even though each payload has its own unique settings, all payloads are defined by the following:

  • The operating system or systems that the payload supports

  • The channel that does the payload work

  • Whether the payload requires the Apple device to be supervised

  • Whether the payload is exclusive or whether it can be combined with other payloads of the same type

  • Whether the payload can have duplicates

After payloads are configured, they are saved in a configuration profile.

For more information, see the complete MDM payload list.

Note: Not all payloads and their respective settings are available in all MDM solutions. To learn which MDM payloads are available for your devices, consult your MDM vendor’s documentation.

Payload rules

There are specific rules when applying iOS, iPadOS, and macOS payloads.

If the top-level PayloadIdentifier in the profile matches that of an already installed profile, then the profile being installed is considered an “update” to the existing profile. If the top-level PayloadIdentifier is different, then the incoming profile is considered different and the installation results in two profiles being installed.

Identifiers must be unique for each payload in a profile. iOS 15, iPadOS 15, and macOS 12.0.1 enforce this requirement. In macOS, any payload within the profile is matched up using their PayloadUUID. If two payloads share the same PayloadUUID, then the payload in the incoming profile is considered an “update” to the existing payload. If the installed profile has a payload with a PayloadUUID that doesn’t match an incoming payload, that payload is removed. iOS and iPadOS use the PayloadIdentifier value instead of the PayloadUUID value to match up corresponding payloads.

To minimize disruption, always preserve the PayloadUUID value when pushing out an update to an existing payload.

Restrictions

Restrictions can be enabled—or in some cases, disabled—by administrators to help prevent users from accessing a specific app, service, or function of an iPhone, iPad, iPod touch, Mac, or Apple TV that’s enrolled in an MDM solution. For example, a restriction can be added that prevents an iPhone, iPad, or Mac from using the camera to take pictures or videos. Certain restrictions on an iPhone may be mirrored on a paired Apple Watch.

For developer information, see Restrictions on the Apple Developer website.

Note: Not all restrictions are available in all MDM solutions. To learn which MDM restrictions are available for your devices, consult your MDM vendor’s documentation.

Configuration profiles and Shared iPad

If you use Shared iPad, you can use your MDM solution to install both:

  • Device and device group profiles

  • User and user group profiles

For more information, see MDM payloads for Shared iPad.

Profile removal

How you remove profiles depends on how they were installed. The following sequence indicates how a profile can be removed:

1. All profiles can be removed by wiping the device of all data.

2. If the device was enrolled in MDM using Apple School Manager or Apple Business Manager, the administrator can choose whether the enrollment profile can be removed by the user or whether it can be removed only by the MDM server itself.

3. If the profile is installed by an MDM solution, it can be removed by that specific MDM solution or by the user unenrolling from MDM by removing the enrollment configuration profile.

4. If the profile is installed on a supervised device using Apple Configurator, that supervising instance of Apple Configurator can remove the profile.

5. If the profile is installed on a supervised device manually or using Apple Configurator and the profile has a removal password payload, the user must enter the removal password to remove the profile.

6. All other profiles can be removed by the user.

An account installed by a configuration profile can be removed by removing the profile. A Microsoft Exchange ActiveSync account, including one installed using a configuration profile, can be removed by the Microsoft Exchange Server by issuing the account-only remote wipe command.

Important: If users know the device passcode, they can remove manually installed configuration profiles from iPhone, iPad, and iPod touch devices that aren’t supervised, even if the option is set to “never.” Users on macOS can do the same using the profiles command-line tool, or using System Preferences only if the user knows an administrator’s user name and password. In macOS 10.15 or later, as with iOS and iPadOS, profiles installed with MDM must be removed with MDM, or they are removed automatically upon unenrollment from MDM.

Supported Apple devices

The following Apple devices have a built-in framework that supports MDM:

  • iPhone and iPod touch with iOS 4 or later

  • iPad with iOS 4.3 or later or iPadOS 13.1 or later

  • Mac computers with OS X 10.7 or later

  • Apple TV with tvOS 9 or later

Note: Not all options are available in all MDM solutions. To learn which MDM options are available for your devices, consult your MDM vendor’s documentation.

Source: Apple Support