Plan your configuration profiles for Apple devices
Payload basics
Configuration profile and payload planning helps reduce complexity. To make your work easier, follow these mobile device management (MDM) best practices before you begin deploying configuration profiles:
A configuration profile can have more than one payload.
A device can have more than one configuration profile.
On a Mac, you can combine user configuration profiles with device configuration profiles.
If you have multiple configuration profiles containing the same payloads with different settings, the resulting behavior is undefined.
Payload support
Supported installation method: Some payloads can be installed only by an MDM solution.
Supported approval method: Some payloads require a user to approve the configuration profile containing the payload.
Supported operating systems and channels: Some payloads support all Apple operating systems, some support only specific ones.
Supported enrollment types: Payloads may support one or more of the enrollment types: User Enrollment, Device Enrollment, and Automated Device Enrollment. For more information, see Intro to Apple device enrollment types.
Duplicates allowed: Some payloads can have duplicates. For example, a Certificates payload often involves more than one certificate, and a VPN payload may involve more than one VPN setting.
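The following Python script is an added example, not part of the original page or any MDM vendor's tooling. It scans unsigned .mobileconfig files for payloads of the same type whose settings differ between profiles (the undefined-behavior case described under Payload basics) and skips payload types where duplicates are expected. The duplicates-allowed list, the file names, and the sample profiles are assumptions constructed for illustration.

```python
import plistlib
from collections import defaultdict

# Keys that describe the payload itself rather than a managed setting.
METADATA_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion",
                 "PayloadDisplayName", "PayloadDescription", "PayloadOrganization"}

# Assumption: payload types treated here as "duplicates allowed" (certificates, VPN).
DUPLICATES_ALLOWED = {"com.apple.security.root", "com.apple.security.pkcs1",
                      "com.apple.security.pkcs12", "com.apple.vpn.managed"}

def find_conflicts(profiles):
    """Return (payload_type, key, {profile: value}) for settings that differ across profiles."""
    seen = defaultdict(dict)  # (payload type, setting key) -> {profile name: value}
    for name, raw in profiles.items():
        for payload in plistlib.loads(raw).get("PayloadContent", []):
            ptype = payload.get("PayloadType")
            if ptype is None or ptype in DUPLICATES_ALLOWED:
                continue
            for key, value in payload.items():
                if key not in METADATA_KEYS:
                    seen[(ptype, key)][name] = value
    conflicts = []
    for (ptype, key), by_profile in sorted(seen.items()):
        values = list(by_profile.values())
        if any(v != values[0] for v in values[1:]):
            conflicts.append((ptype, key, by_profile))
    return conflicts

def _profile(*payloads):
    # Constructed sample data, serialized the way an unsigned profile is stored.
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": list(payloads)})

SAMPLE = {
    "baseline.mobileconfig": _profile(
        {"PayloadType": "com.apple.mobiledevice.passwordpolicy", "minLength": 8, "forcePIN": True},
        {"PayloadType": "com.apple.vpn.managed", "UserDefinedName": "HQ"}),
    "contractors.mobileconfig": _profile(
        {"PayloadType": "com.apple.mobiledevice.passwordpolicy", "minLength": 6, "forcePIN": True},
        {"PayloadType": "com.apple.vpn.managed", "UserDefinedName": "Lab"}),
}

if __name__ == "__main__":
    for ptype, key, by_profile in find_conflicts(SAMPLE):
        print(f"{ptype}: {key} differs -> {by_profile}")
```

Running a check like this before assigning profiles to the same device group surfaces cases where a second profile would silently compete with a baseline security setting, such as the passcode length in the sample.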
How to optimize payload management
Here are some examples of optimized payload management:
If you want to manage iPhone, iPad, and Mac devices, use the same payloads for all the devices.
If you want to manage only iPhone and iPad devices (or users of those devices), focus on iPhone and iPad payloads.
If you want to manage only Mac computers or users of Mac computers, focus on Mac payloads, then decide if your management should be at the device or user level.
You can also create a single configuration profile that contains all the payloads you need—for example, for different apps and settings, such as Mail, Safari, Bluetooth®, and Wi-Fi.
Although you can create a single configuration profile that contains all payloads for your organization, consider creating separate profiles based on functionality. This helps ensure that changes made to one configuration profile don’t inadvertently affect another. Settings that rarely change may include device restrictions, Wi-Fi, security and privacy, LDAP, Mail, and Calendar. Settings that may change often include VPN, certificates, Web Clips, and Home Screen settings.
Users generally can’t change settings that are defined in a configuration profile. You can also set configuration profiles to expire on a specific date. Accounts configured by a configuration profile can be removed only by deleting the profile. Doing so may prevent the device from being used in your organization until the profile is reinstalled. For example, removing a configuration profile may prevent the user from accessing the network, receiving mail, and creating events using their Calendar app.
Payload lists
Depending on your deployment, you can review payloads for each operating system. In each table, you can click the payload link to view that specific payload’s options.
Note: Not all payloads and their respective settings are available in all MDM solutions. To learn which MDM payloads are available for your devices, consult your MDM vendor’s documentation.