Work with configuration profiles in macOS Server
Configuration profiles are XML files consisting of payloads that load settings and authorization information onto Apple devices such as iPhone, iPad, iPod touch, Apple TV, and Mac computers.
The settings and authorization information can contain:
Device security policies and restrictions
VPN configuration information
Wi-Fi settings
Mail and calendar accounts
Authentication credentials that permit iPad, iPhone, iPod touch, Apple TV, and Mac computers to work with enterprise systems and school networks
Because configuration profiles can be encrypted and signed, you can restrict their use to a specific Apple device and—with the exception of user names and passwords—prevent anyone from changing the settings. You can also mark a profile as being locked to the device, so after it’s added, the profile can be removed only by wiping the device of all data or by entering the password associated with the profile. Accounts that are configured by a profile, such as Microsoft Exchange accounts, can be removed only by deleting the profile.
Although you can create a single configuration profile that contains all payloads for your organization, consider creating separate profiles that are defined by settings that rarely change and by settings that may change often. Settings that rarely change may include device restrictions, Wi-Fi, security and privacy, LDAP, mail, and calendar. Settings that may change often include VPN, certificates, Web Clips, and Home screen settings.
You can use Apple Configurator for Mac to add device configuration profiles to iPhone, iPad, iPod touch, and Apple TV. To add device or user configuration profiles containing macOS-specific settings, use Profile Manager in Server or a third-party mobile device management (MDM) solution.
Note: Apple Configurator for Mac installs device configuration profiles automatically. After you’ve enrolled in Profile Manager or a third-party MDM solution, updated configuration profiles can be sent to devices.
Except for changing passwords, users generally can’t change settings that are defined in a configuration profile. Accounts configured by a profile can be removed only by deleting the profile. Doing so may prevent the device from being used in your organization until the profile is reinstalled. For example, removing a profile may prevent the user from accessing the network, receiving mail, and creating events using their Calendar app. You can also supervise iOS, iPadOS, and tvOS devices, to prevent any user from removing the configuration profile.
Important: If the user knows the passcode, iOS and iPadOS devices that aren’t supervised can have profiles removed, even if the option is set to Never in the General settings. macOS profiles can be removed if the user knows an administrator’s name and password.
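The following is an added example, not part of the original documentation: a check that reports whether a profile file is signed or encrypted, which payload types it carries, and how it can be removed. The key names (PayloadContent, PayloadRemovalDisallowed, EncryptedPayloadContent) and the com.apple.profileRemovalPassword payload type come from Apple's configuration profile format rather than from this page, and the sample profile is constructed.

```python
import plistlib

# Constructed sample: unsigned profile carrying a Wi-Fi payload and a removal-password payload.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.wifi.managed</string></dict>
    <dict><key>PayloadType</key><string>com.apple.profileRemovalPassword</string></dict>
  </array>
</dict></plist>"""

REMOVAL_PASSWORD = "com.apple.profileRemovalPassword"

def audit_profile(data: bytes) -> dict:
    """Report signing, encryption, removal policy and payload types of a profile."""
    data = data.lstrip()
    # Signed profiles are DER-encoded CMS (first byte 0x30), not a bare plist,
    # so the envelope must be verified and unwrapped before the payloads can be read.
    if data[:1] == b"\x30":
        return {"signed": True, "encrypted": None, "removal": None, "payload_types": None}
    root = plistlib.loads(data)
    if root.get("PayloadType") != "Configuration":
        raise ValueError("top-level PayloadType is not 'Configuration'")
    payloads = [p for p in root.get("PayloadContent", []) if isinstance(p, dict)]
    types = sorted({p.get("PayloadType", "<missing>") for p in payloads})
    # "never" corresponds to the locked-to-device option described above.
    if root.get("PayloadRemovalDisallowed") is True:
        removal = "never"
    elif REMOVAL_PASSWORD in types:
        removal = "with_password"
    else:
        removal = "always"
    return {
        "signed": False,
        # Encrypted profiles carry EncryptedPayloadContent instead of PayloadContent.
        "encrypted": "EncryptedPayloadContent" in root,
        "removal": removal,
        "payload_types": types,
    }

if __name__ == "__main__":
    for key, value in audit_profile(SAMPLE).items():
        print(f"{key}: {value}")
```

An unsigned result means the settings in the file could have been edited after it was created, so such a profile deserves review before it is distributed or installed.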
User and device profiles
You create configuration profiles for users or devices, or groups of users and devices. Profile Manager tailors the profile’s payloads depending on which you choose, and the settings apply at that level. For example, settings that apply only to devices aren’t available when you’re creating a user configuration profile.
If you’re using Profile Manager or a third-party MDM solution, you can distribute configuration profiles as a mail attachment, through a link on your own webpage, or through Profile Manager’s or the MDM’s built-in user portal. When users open the mail attachment or download the profile using a web browser, they’re prompted to begin profile installation.