What is an MDM profile?

Profiles are a core component of Apple’s mobile device management (MDM) framework. MDM profiles are used to enroll devices into management and then to convey configurations to managed devices. As such, there are two types of MDM profiles:

  • Enrollment profiles; and
  • Configuration profiles.

Enrollment Profiles

As the name implies, enrollment profiles are used to enroll devices into your MDM system. Accompanied by certificates that attest to their provenance, enrollment profiles prepare devices to receive commands, install software, and accept configuration profiles from your MDM solution. Additionally, an enrollment profile allows your MDM to check the status of the enrolled device, including details such as its name, its Activation Lock status, and its battery level.

Configuration Profiles

Configuration profiles are XML files (ending with the extension .mobileconfig) that contain payloads defining the configurations of devices. While configuration profiles are most often installed after the installation of an enrollment profile, they do not require an enrollment profile to be installed. For example, you can provide VPN and email account information as part of a configuration profile without requiring that the devices using those profiles be enrolled in your MDM.

Payload options and requirements vary by device. For example, an AirPlay Security profile can be added only to an Apple TV, whereas Certificates profiles can be installed on any Apple device. In most cases, if a payload is not supported on the device, the device will ignore it.

How to Create an MDM Profile

Profiles are most commonly created and deployed by MDM solutions. That process is largely invisible to admins and users. However, it is possible to create configuration profiles manually.

Creating a configuration profile manually

The most common way to create configuration profiles manually is with Apple Configurator. To do so:

  1. In Apple Configurator, choose File > New Profile. A new configuration profile document window will appear.
  2. In the General settings pane, fill in the Name and Identifier fields.
  3. To add a payload, select it from the list on the left, click Configure, then enter its settings; required values are marked with an icon. If the payload type allows multiple payloads, click the Add Payload button in the upper-right corner of the payload settings pane to add another.
  4. If you want to sign the profile, choose File > Sign Profile, choose your certificate from the pop-up menu, then click OK.
  5. Choose File > Save, name the profile, choose where to save it, then click Save.

Editing a configuration profile

  1. In Apple Configurator, choose File > Open, then locate the configuration profile on your Mac.
  2. If the configuration profile is signed, choose File > Unsign Profile.
  3. You then have the option of removing or adding a payload. To remove, select that option then click Remove Payload in the upper-right corner. To add, select that option, then edit the settings.
  4. If you want to sign the profile, choose File > Sign Profile, choose your certificate from the pop-up menu, then click OK.
  5. After you’ve finished editing the profile, choose File > Save.

Removing an MDM Profile

Depending on how the device was enrolled, end-users may be able to remove profiles from their devices. Otherwise, only admins can. Removal can have different consequences, depending on the type of profile and the settings it configures.

What Happens When You Remove an MDM Profile

If you remove an enrollment profile, any configuration profiles installed when the device was enrolled will be removed too, but the associated configurations may remain unchanged on the device.

So, for example, if your enrollment profile adds an email account to the user device and sets a requirement for the user to set a multi-character passcode, three things will happen if you remove it:

  1. Both configuration profiles will also be removed;
  2. The email account will be removed;
  3. The passcode requirement will be removed, but the passcode does not revert to its prior state. If the user wants to change to a simpler passcode, they will need to change their passcode settings manually in the Settings app.

How to Remove an MDM Profile

Profiles on supervised devices cannot be removed by the end user unless the device is wiped or the admin configured them to be removable. (Even in those cases, the profile may include a removal password payload, in which case the user must enter that password to remove the profile.) Otherwise, profiles can be removed by the MDM solution alone.

If the profile is installed by an MDM solution, it can be removed by that solution or by unenrolling the device.

In other cases, profiles can be removed by the user.
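Before installing or approving a .mobileconfig file, it helps to see what it contains. The following is an added example, not code from Kandji or Apple: it reads a profile as described under Configuration Profiles and reports the removal controls discussed above. The sample profile and its identifiers are constructed, and the signed-profile handling is a heuristic that extracts the embedded plist without verifying the signature.

```python
import plistlib

# Constructed sample profile (not from the page): a VPN payload plus a
# removal password payload, unsigned, marked as not removable by the user.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadDisplayName": "Example VPN",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.profile.vpn",
         "PayloadUUID": "00000000-0000-0000-0000-000000000002"},
        {"PayloadType": "com.apple.profileRemovalPassword", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.profile.removal",
         "PayloadUUID": "00000000-0000-0000-0000-000000000003",
         "RemovalPassword": "constructed-placeholder"},
    ],
})

def audit_profile(data: bytes) -> dict:
    """Summarise a .mobileconfig: signing wrapper, payloads, removal controls."""
    head = data.lstrip()[:8]
    # Unsigned profiles are plain plists; signed ones are wrapped in a CMS
    # (DER) envelope, which begins with an ASN.1 SEQUENCE tag (0x30).
    signed = not head.startswith((b"<?xml", b"<plist", b"bplist00"))
    if signed:
        # Heuristic: pull the embedded XML plist out of the envelope.
        # This does NOT verify the signature.
        start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
        if start < 0 or end < 0:
            raise ValueError("no embedded plist found")
        data = data[start:end + len(b"</plist>")]
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("top-level PayloadType is not 'Configuration'")
    payloads = profile.get("PayloadContent", [])
    types = [p.get("PayloadType", "<missing>") for p in payloads]
    return {
        "signed_wrapper": signed,
        "identifier": profile.get("PayloadIdentifier"),
        "payload_types": types,
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "removal_password": "com.apple.profileRemovalPassword" in types,
    }

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```

An unsigned profile that is not removable or that carries a removal password payload deserves a closer look before it is installed outside of MDM, since its origin cannot be checked from the file alone.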