Introduction to mobile device management profiles (2023)

Introduction to mobile device management profiles (1)

iOS, iPadOS, macOS, and tvOS all have a built-in framework that supports mobile device management (MDM). MDM allows you to securely and wirelessly configure devices by sending profiles and commands to the device, whether owned by the user or by your organization. MDM capabilities include updating device settings and software, monitoring compliance with corporate policies, and remotely wiping or locking devices. Users can enroll their own devices in MDM, and corporate devices can be automatically enrolled in MDM using Apple School Manager or Apple Business Manager. If you use Apple Business Essentials, you can also use built-in device management.

When using MDM, you need to understand a few concepts. Therefore, read the following sections to understand how MDM uses configuration and enrollment profiles, monitoring, and payloads.

How devices enroll

MDM enrollment involves the enrollment of client certificate identities using protocols such as Automated Certificate Management Environment (ACME) or Simple Certificate Enrollment Protocol (SCEP). Devices use these protocols to create unique identity certificates to authenticate an organization's services.

Unless enrollment is automated, users choose whether or not to enroll in MDM and can unenroll their devices from MDM at any time. Therefore, you should consider incentivizing users to stay managed. For example, you can apply for MDM enrollment toW-LANNetwork access via MDM to automatically provide wireless credentials. When a user signs out of MDM, their device tries to notify the MDM solution that it can no longer be managed.

For devices owned by your organization, you can use Apple School Manager, Apple Business Manager, or Apple Business Essentials to automatically enroll in MDM and monitor them wirelessly during initial setup; This registration process is known asAutomated device registration.

Declarative device management

Declarative device management is an update to the existing device management protocol that can be used in combination with the capabilities of the existing MDM protocol. This allows the device to apply settings asynchronously and report status to the MDM solution without constant polling.

Status reports allow a device to share information about its current status, and if there are any changes, the server can be proactively informed without polling the device for updates. In addition to device properties, presence status and passcode compliance, accounts, and MDM app installation progress and information are now reported.


There are four types of statements, which are payloads that the server defines, sends to devices, and represents the policy that an organization wants to enforce on devices.

declaration type



The configurations are similar to existing MDM profile payloads; B. Accounts and Settings and Restrictions. See Declarative Settings in the MDM Settings section.

financial assets

Assets consist of reference data required by configurations for large data elements and user data; Assets have a one-to-many relationship with configurations. SeeAuthentication data and configuration of identity assets.


Activations are a set of settings that are atomically applied to the device and can include predicates such as "device type is iPad" or "OS version greater than".iPad OS 16.1.” There is a many-to-many relationship between activations and configurations. Activations can use extended predicate syntax, including state elements, to support complex predicate expressions.

In addition, a management property declaration allows servers to set arbitrary properties on the device that can be used directly in activation predicates.


Management is used to communicate overall management status to the device, detailing the organization and capabilities of the MDM solution.

status channel

The status channel is a new communication channel in which the device proactively updates the server with new information about itself. Device status updates are sent to the server in a status report. The server can subscribe to certain status items so that it only receives updates for changes that are important to it. State elements can also be used as expressions in activation predicates, allowing the device to function independently based on state changes. For more information, seeDeclarative status Berichte.

(Video) What is MDM? | Mobile Device Management for Beginners| Virtua Consulting Group

Enrollment Profiles

Alogin profileit's one of the two main ways users can enroll a personal device in an MDM solution (the other way is through an organization's account). With this profile, which contains an MDM payload, the MDM solution sends commands and, if necessary, additional configuration profiles to the device. You can also check your device for information such as activation lock status, battery level, and name.

When a user deletes an enrollment profile, all configuration profiles, their settings, and managed applications that are based on that enrollment profile are also deleted. There can only be one enrollment profile on a device at a time.

(Video) Setting up Mobile Device Management (MDM) for iOS

Once the enrollment profile is approved, either by the device or by the user,configuration profilescontaining user data are sent to the device. Then you can wirelessly distribute, manage, and configure apps and books purchased through Apple School Manager, Apple Business Manager, or Apple Business Essentials. Users can install apps, or apps can be installed automatically, depending on the type of app, how it's assigned, and whether it's a device.supervised. For more information, seeInformation about monitoring Apple devices.

configuration profiles

Aconfiguration profileis an XML file (ending in .mobileconfig) consisting of payloads that load settings and authorization information to Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions, and credentials. These files can be created by an MDM solution orapple configurator, or they can be created manually.

Because configuration profiles can be encrypted and signed, you can restrict their use to a specific Apple device and prevent anyone from changing settings except usernames and passwords. You can also mark a configuration profile as blocked for the device.

If your MDM solution supports it, you can distribute configuration profiles as an email attachment, via a link on your own website, or through the MDM solution's built-in user portal. When users open the email attachment or download the configuration profile using a web browser, they are prompted to start installing the configuration profile.

For more information on installing profiles and blocking mode, see the Apple Support article,About lock mode.

Use:You can useapple configuratorfor Mac to add configuration profiles (automatically or manually) to iOS, iPadOS andApple TVDevices. For more information, seeApple Configurator for Mac User Guide.

As an administrator, you can implement a configuration profile that can change settings for an entire device or for an individual user:

  • device profilesit can be sent to devices and device groups and apply device settings to the entire device.

    iPhone, iPad yApple TVthey do not have the ability to recognize more than one user, so configuration profiles created from iOS, iPadOS, and tvOS payloads and configurations are always device profiles. Although iPadOS profiles are device profiles, iPad devices are configured toShared iPadit can support profiles based on the device or the user.

    (Video) Introduction to MDM and Configuration Profiles - Rich Trouton

  • user profileit can be sent to users and user groups and apply the user configuration only to the respective users.

    Mac computers can have multiple users, so macOS payloads and profile settings can be device- or user-based.

Device and user settings vary depending on where they reside: settings installed at the system level reside on a device channel. The configuration installed for a user resides in a user channel.

delete profile

The way to remove the profiles depends on how they were installed. The following sequence shows how a profile can be deleted:

1. All profiles can be deleted by deleting all data on the device.

2. If the device is enrolled in MDM through Apple School Manager, Apple Business Manager, or Apple Business Essentials, the administrator can choose whether to use theinscriptionThe profile can be deleted by the user or it can only be deleted by the MDM server itself.

3. If the profile is installed by an MDM solution, it can be removed by that specific MDM solution or by the user who opts out of MDM by removing the enrollment configuration profile.

4. If the profile is installed on a monitored deviceapple configurator, the supervisor ofapple configuratoryou can delete the profile.

5. When the profile is manually installed or used on a supervised deviceapple configuratorand the profile has a delete password payload, the user must enter the delete password to delete the profile.

(Video) AirWatch Overview - Device Profiles

6. The user can delete all other profiles.

An account installed from a configuration profile can be removed by deleting the profile. A Microsoft Exchange ActiveSync account, including one installed through a configuration profile, can be removed from the Microsoft Exchange Server by issuing the account-only remote wipe command.

Important:If users know the device passcode, they can remove manually installed configuration profiles from iPhone and iPad that are not monitored, even if the option is set to never. macOS users can do the same, only if the user knows the username and password of an administrator. You can do this using theProfileCommand Line Tool, System Preferences (inMac OS 13or higher) or System Preferences (inmacOS 12.0.1or before). Inmac OS 10.15or later, as with iOS and iPadOS, profiles installed with MDM must be removed with MDM, or they will be automatically removed when you opt out of MDM.

Compatible Apple Devices

The following Apple devices have a built-in framework that supports MDM:

  • iPhone coniOS 4or after

  • what ipadiOS 4.3or later oriPad 13.1 operating systemor after

  • mac computer withOS X 10.7or after

  • Apple TVcontvOS 9or after

Use:Not all options are available in all MDM solutions. To find out what MDM options are available for your devices, see your MDM provider's documentation.

(Video) Get started with Advanced Mobile Management for Google Workspace - Part 1

See alsoAprovisionar dispositivos con Apple School Manager, Apple Business Manager o Apple Business EssentialsChoose an MDM solutionApple website at workapple and education


1. [Lesson 17] Mobile Device Management - Jamf 100 Course
2. Create Intune MDM policy for IOS and Android Step by Step
(Carson Cloud)
3. Module 1 - Android Device Management Overview
(Intune for Education Customer Acceleration Team)
4. What Is Microsoft Intune? (Microsoft Endpoint Manager)
(Harry Lowton)
5. What is Mobile Device Management? #apple #iPad #iPhone
(Rooted Consulting)
6. What is Mobile Device Management?
(AT&T Business)
Top Articles
Latest Posts
Article information

Author: Dean Jakubowski Ret

Last Updated: 04/11/2023

Views: 6213

Rating: 5 / 5 (70 voted)

Reviews: 93% of readers found this page helpful

Author information

Name: Dean Jakubowski Ret

Birthday: 1996-05-10

Address: Apt. 425 4346 Santiago Islands, Shariside, AK 38830-1874

Phone: +96313309894162

Job: Legacy Sales Designer

Hobby: Baseball, Wood carving, Candle making, Jigsaw puzzles, Lacemaking, Parkour, Drawing

Introduction: My name is Dean Jakubowski Ret, I am a enthusiastic, friendly, homely, handsome, zealous, brainy, elegant person who loves writing and wants to share my knowledge and understanding with you.