
Intro to device management profiles
A device management service lets an administrator securely and remotely configure devices by sending configurations, profiles, and commands to the device, whether the user or your organization owns it. Capabilities include updating software and device settings, monitoring compliance with organizational policies, and remotely wiping or locking devices. Users can enroll their own devices in a device management service, and organizations can automatically enroll organization-owned devices using Apple School Manager or Apple Business Manager.
There are a few concepts to understand if you’re going to use a device management service, so read the following sections to understand how a device management service uses enrollment and configuration profiles, supervision, and payloads.
Supported Apple devices
The following Apple devices have a built-in framework that supports device management:
iPhone with iOS 4 or later
iPad with iOS 4.3 or later or iPadOS 13.1 or later
Mac computers with OS X 10.7 or later
Apple TV with tvOS 9 or later
Apple Watch with watchOS 10 or later
Apple Vision Pro with visionOS 1.1 or later
How devices enroll
Enrollment in a device management service involves enrolling client certificate identities using protocols such as Automated Certificate Management Environment (ACME) or Simple Certificate Enrollment Protocol (SCEP). Devices use these protocols to obtain unique identity certificates (the private key is generated on the device itself), which they then present to authenticate to an organization's services, including the device management service.
Unless enrollment is automated, users decide whether to enroll their device, and they can disassociate their devices from the service at any time. Therefore, you want to consider incentives for users to remain managed. For example, you can require enrollment for Wi-Fi network access by using the device management service to automatically provide the wireless credentials. When a user leaves the service, their device attempts to notify the device management service that it can no longer be managed.
For devices your organization owns, you can use Apple School Manager or Apple Business Manager to automatically enroll them in a device management service and supervise them wirelessly during initial setup; this enrollment process is known as Automated Device Enrollment.
Device management and Stolen Device Protection
When Stolen Device Protection is turned on, if the user is in an unfamiliar location, the operating system delays the following actions by an hour:
Manually enrolling their device in a device management service
Manually installing a passcode profile or configuration
Configuring a Microsoft Exchange account in Settings, or with a profile or configuration
Enrollment profiles
An enrollment profile is one of two main ways users can enroll a device in a device management service (the other is User Enrollment or account-driven Device Enrollment). The enrollment profile contains an MDM payload; once it's installed, the service sends commands and, if necessary, additional configuration profiles to the device. It can also query the device for information, such as its Activation Lock status, battery level, and name.
When a user removes an enrollment profile, all configuration profiles, their settings, and Managed Apps based on that enrollment profile are removed with it. There can be only one enrollment profile on a device at a time.
After the enrollment profile is approved, either by the device or the user, configuration profiles containing payloads are delivered to the device. You can then wirelessly distribute, manage, and configure apps and books purchased through Apple School Manager or Apple Business Manager. Users can install apps, or apps can be installed automatically, depending on the type of app, how it's assigned, and whether the device is supervised. For more information, see About Apple device supervision.
Configuration profiles
A configuration profile is an XML file (ending in .mobileconfig) consisting of payloads that load settings and authorization information onto Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions, and credentials. A device management service can create these files, or you can create them manually or with Apple Configurator for Mac. For more information on using Apple Configurator for Mac to create and install configuration profiles on iPhone, iPad, and Apple TV devices, see Create and edit configuration profiles in the Apple Configurator for Mac User Guide.
Signing a configuration profile lets the device detect any change made to it after it was signed, and encrypting it to a specific device's certificate restricts its use to that device. Together, these let you prevent anyone from changing the settings a profile carries (user names and passwords excepted). You can also mark a configuration profile as being locked to the device, so the user can't remove it.
If your device management service supports it, you can distribute configuration profiles as a mail attachment, through a link on your own webpage, or through the service’s built-in user portal. When users open the mail attachment or download the configuration profile using a web browser, they receive a prompt to begin configuration profile installation.
You can deliver a configuration profile that can change settings for an entire device or for a single user:
Device profiles: You can send device profiles to devices and device groups, and apply device settings to the entire device.
iPhone, iPad, Apple TV, Apple Watch, and Apple Vision Pro have no way to recognize more than one user, so configuration profiles created for those devices are always device profiles. Although iPadOS profiles are device profiles, iPad devices configured for Shared iPad can support profiles based on the device or the user.
User profiles: You can send user profiles to users and (if the device management service supports them) user groups, and apply user settings to just the respective users. Mac computers can have multiple users, so you can base payloads and settings for macOS profiles on either the device or the user. The user account that Setup Assistant creates is considered managed by the device management service and can receive profiles. For a Mac with macOS 11 or later, an administrator account that a device management service creates during enrollment can be optionally managed instead. For Active Directory–bound deployments, the currently logged-in network user becomes a managed user.
Device and user settings vary according to where they reside: Settings installed at the system level reside in a device channel. Settings installed for a user reside in a user channel.
For more information about profile installation and Lockdown Mode, see the Apple Support article, About Lockdown Mode.
Profile removal
How you remove profiles depends on how they were installed. The following sequence indicates how you can remove a profile:
1. You can remove all profiles by wiping the device of all data.
2. If the device enrolled in a device management service linked to Apple School Manager or Apple Business Manager, the administrator can choose whether the user can remove the enrollment profile, or whether only the device management service can remove it.
3. If a device management service installs the profile, that service can remove it or the user can remove it by unenrolling from the service (by removing the enrollment configuration profile).
4. If Apple Configurator installs the profile, that supervising instance of Apple Configurator can remove the profile.
5. If Apple Configurator installs the profile or you install it manually on a supervised device and the profile has a removal password payload, the user needs to enter the removal password to remove the profile.
6. The user can remove all other profiles.
An account installed by a configuration profile can be removed by removing the profile. A Microsoft Exchange ActiveSync account, including one installed using a configuration profile, can be removed by Microsoft Exchange Server by issuing the account-only remote wipe command.
Important: If users know the device passcode, they can remove manually installed configuration profiles from iPhone and iPad that aren't supervised, even if the option is set to "Never." Users on Mac can do the same thing only if they know an administrator's user name and password. They can do this using the profiles command-line tool, System Settings (in macOS 13 or later), or System Preferences (in macOS 12.0.1 or earlier). For a Mac with macOS 10.15 or later, as with iOS and iPadOS, if a device management service installs a profile, that service can remove it, or the operating system automatically removes it upon unenrollment from the service.
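Before a profile is pushed, it's worth checking both its structure and what its own keys say about removal, since those keys decide which of the removal cases above applies. The following Python audit is an added example for this page, not Apple's or any management vendor's code. The sample profile is constructed for illustration (example.com hosts, made-up UUIDs, a deliberately plain-http ServerURL); the key names it checks (PayloadType, PayloadIdentifier, PayloadUUID, PayloadVersion, PayloadScope, PayloadRemovalDisallowed, and the com.apple.mdm, com.apple.security.scep and com.apple.profileRemovalPassword payloads) are from Apple's device management profile specification. A signed or encrypted .mobileconfig is a DER-encoded CMS blob rather than XML, so the audit refuses it until it has been decoded.

```python
"""Pre-deployment audit of a .mobileconfig configuration profile (added example)."""
import plistlib
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
REQUIRED = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")
CERT_PAYLOADS = {"com.apple.security.scep", "com.apple.security.acme", "com.apple.security.pkcs12"}

SCEP_UUID = "1E2D3C4B-5A69-4788-97A6-B5C4D3E2F1A0"
# Constructed sample, not a real deployment. Serialized as XML, exactly as a .mobileconfig file is.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.mdm.enrollment",
    "PayloadUUID": "7A1C6B2E-0D4F-4E1A-9B3C-5D6E7F8A9B0C",
    "PayloadDisplayName": "Example enrollment",
    "PayloadScope": "System",           # installs into the device channel
    "PayloadRemovalDisallowed": True,   # "locked to the device"
    "PayloadContent": [
        {"PayloadType": "com.apple.security.scep", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.mdm.scep", "PayloadUUID": SCEP_UUID,
         "PayloadContent": {"URL": "https://scep.example.com/scep", "Name": "example-ca", "Keysize": 2048}},
        {"PayloadType": "com.apple.mdm", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.mdm.mdm",
         "PayloadUUID": "0F9E8D7C-6B5A-4493-8271-60594837A6B5",
         "ServerURL": "http://mdm.example.com/mdm",      # deliberate weak setting the audit should catch
         "CheckInURL": "https://mdm.example.com/checkin",
         "Topic": "com.apple.mgmt.External.00000000-0000-0000-0000-000000000000",
         "AccessRights": 8191,
         "IdentityCertificateUUID": SCEP_UUID},
    ],
}, fmt=plistlib.FMT_XML)


def is_cms_envelope(raw: bytes) -> bool:
    """Signed or encrypted profiles are DER CMS: first byte is a SEQUENCE tag (0x30), not '<'.
    Decode before auditing, e.g. on macOS: security cms -D -i signed.mobileconfig -o plain.mobileconfig"""
    return raw[:1] == b"\x30"


def removal_behaviour(raw: bytes) -> str:
    """What the profile's own keys say about manual removal. The page's caveat still applies:
    on an unsupervised iPhone or iPad, a user who knows the passcode can remove a manually
    installed profile regardless of these keys."""
    profile = plistlib.loads(raw)
    types = {p.get("PayloadType") for p in profile.get("PayloadContent", [])}
    if profile.get("PayloadRemovalDisallowed"):
        return "locked: removable only by the management service or by wiping the device"
    if "com.apple.profileRemovalPassword" in types:
        return "removal password required"
    return "user removable"


def audit_profile(raw: bytes) -> list:
    """Return a list of findings; an empty list means every check passed."""
    if is_cms_envelope(raw):
        return ["CMS envelope: decode the signed/encrypted profile before auditing"]
    profile = plistlib.loads(raw)
    findings = []
    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType must be 'Configuration'")
    if profile.get("PayloadScope") not in ("System", "User", None):
        findings.append("PayloadScope must be 'System' (device channel) or 'User' (user channel)")
    payloads = profile.get("PayloadContent", [])
    seen = {profile.get("PayloadUUID")}
    for p in payloads:
        ptype = p.get("PayloadType", "<missing>")
        for key in REQUIRED:
            if key not in p:
                findings.append(f"{ptype}: missing {key}")
        uuid = p.get("PayloadUUID", "")
        if not UUID_RE.match(uuid):
            findings.append(f"{ptype}: PayloadUUID {uuid!r} is not a UUID")
        if uuid in seen:
            findings.append(f"{ptype}: duplicate PayloadUUID {uuid}")
        seen.add(uuid)
    cert_uuids = {p.get("PayloadUUID") for p in payloads if p.get("PayloadType") in CERT_PAYLOADS}
    for p in payloads:
        if p.get("PayloadType") != "com.apple.mdm":
            continue
        for key in ("ServerURL", "CheckInURL"):           # CheckInURL is optional; check it if present
            if key in p and not p[key].startswith("https://"):
                findings.append(f"com.apple.mdm: {key} does not use https")
        if p.get("IdentityCertificateUUID") not in cert_uuids:
            findings.append("com.apple.mdm: IdentityCertificateUUID does not reference a certificate payload")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("finding:", finding)
    print("removal:", removal_behaviour(SAMPLE_PROFILE))
```

Run against the constructed sample, the audit reports a single finding, the plain-http ServerURL, and classifies the profile as locked because PayloadRemovalDisallowed is set. Pointing the same checks at a real export is a quick way to confirm, before enrollment, that the MDM payload's identity reference resolves and that the removal behaviour matches what the administrator intended.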
Device management service communication requirements
Device management service communication with Apple devices is most likely to be successful when:
The device management service sets up the device, successfully tests it, and ensures it’s working properly
The APNs certificate is valid and not expired
The device is powered on
The device is currently enrolled in the service
The network the device is connected to has access to the internet (for APNs communication)
The network the device is connected to can reach the service-related Apple hosts
For more information, see the Apple Support article Use Apple products on enterprise networks.
Note: Apple doesn’t control third-party device management services. Additional issues, such as a misconfigured payload, may also cause communication to fail.