VSA 10 MDM: Apple MDM profiles

NAVIGATION   Administration > Configuration > Profiles > New Profile > Apple MDM Applications (Device Configuration) profile type

NAVIGATION   Administration > Configuration > Profiles > New Profile > Apple MDM Restrictions (Device Configuration) profile type

NAVIGATION   Administration > Configuration > Profiles > New Profile > Apple MDM Networking (Device Configuration) profile type

NAVIGATION   Administration > Configuration > Profiles > New Profile > Apple MDM Security (Device Configuration) profile type

NAVIGATION   Administration > Configuration > Profiles > New Profile > Apple MDM System Configuration (Device Configuration) profile type

NAVIGATION   Administration > Configuration > Policies

SECURITY   Administrator

Using any of the Apple MDM types of Device Configuration profiles, you have the ability to automate the setup of mobile device user accounts, networking settings, security policies, and hardware, operating system, and application restrictions from the moment the device is enrolled. This powerful feature eliminates the need for administrators to manually onboard every MDM endpoint in your environment, saving you time and ensuring that all devices are configured consistently.

To learn how to enroll a device in MDM, refer to VSA 10 MDM: enrollment.

For a comprehensive overview of how profiles and policies work in VSA 10, refer to Policies overview.

Overview

With MDM profiles, you can create predefined setup templates for supported Apple devices and associate them with management policies. When VSA 10 detects a client that meets the criteria of one or more of the associated policy rules, it will automatically apply the corresponding profile to the device via the Apple Push Notification Service.

Supported hardware

The following devices support management via MDM profiles:

Notebooks Desktops Mobile Other
MacBook Air, Macbook Pro iMac, Mac mini, Mac Studio, Mac Pro iPad, iPhone Apple Watch, Apple TV

Capabilities

MDM profiles support the following applications and system settings:

Category Description Applications and settings
Networking Manage network configuration, including WiFi, Ethernet, and VPNs.

WiFi, Ethernet, cellular, firewall, DNS, proxy, VPN, AirPlay, AirPrint
Security Control sensitive security-related device settings.

Authentication, certificates, parental controls, encryption, passcodes
Restrictions Manage hardware, operating system, and application restrictions.

Bluetooth, camera, Game Center App Store, lock screen, user creation, startup, authentication
System Configuration Enable or disable interface elements, manage login behavior, control system updates.

Login behavior, user experience, preferences, software catalog
Applications Deploy apps to devices automatically, automate app updates, and track installation and update statuses for managed apps. App deployment, updates, and update status

Apple MDM Profile Configuration Settings

The Apple MDM Applications profile allows you to provision, install, and update software from the Apple App Store through VSA 10 on iOS, iPadOS, and macOS devices. Applications added to this profile will be installed and kept up to date on targeted devices.

When choosing between whether to use the App Store or Apps and Books configuration, consider the following: 

  • Installing apps using the App Store configuration requires an active App Store account on the device from an unmanaged Apple ID account.
  • Installing apps using the Apps and Books configuration does not require an active App Store account, and can be used with a managed Apple ID account present on the device. Additionally, it will not show any prompts users on supervised devices.
  • In order to start using Apps and Books applications, applications must first be added to Apple Business Manager, even if the apps being installed are free.

NOTE  Devices are checked for uninstalled/out of date apps on a 24 hour cycle, so if a user uninstalls and app manually it will be reinstalled within a day.

NOTE  This profile will work with non-supervised devices.

To configure this profile, follow the instructions below depending on which configuration you want to apply: 

  1. Select App Store from the menu on the left.
  2. Click Add Application in the upper right.

  3. Use the drop-down for App Store Country to select the country where the requested app resides.
  4. Type in the Application field to search the App Store. Click to select the application you wish to configure.
  5. For the selected application, check or uncheck the necessary boxes to choose which of the following settings you want applied: 
    • Update the application to the latest version automatically: Checking this option will keep the app up to date on targeted devices.
    • Delete the app when the device is unenrolled from MDM: Checking this option will force the application to be removed from the any targeted devices if they are unenrolled from MDM.
    • Prevent the backup of app data: Checking this option will omit the app and app data from being backed up when a phone is backed up with a service such as iCloud
  6. Click Add to add the app configuration to the profile.

  7. Repeat this process for all apps you want to add to the profile, and then click Create to save the profile.

  1. Select Apps and Books from the menu on the left.
  2. Click Add Application in the upper right.

  3. Use the Connector dropdown to select your connector. Refer to Apps and Books if one needs to be configured.
  4. Select one of the applications from the Application dropdown.
  5. Enter in the application configuration settings in the Configuration field. Refer to the application vendor's documentation for directions on configuring these settings in the proper format.
  6. For the selected application, check or uncheck the necessary boxes to choose which of the following settings you want applied: 
    • Update the application to the latest version automatically: Checking this option will keep the app up to date on targeted devices.
    • Delete the app when the device is unenrolled from MDM: Checking this option will force the application to be removed from the any targeted devices if they are unenrolled from MDM.
    • Prevent the backup of app data: Checking this option will omit the app and app data from being backed up when a phone is backed up with a service such as iCloud
  7. Click Add to add the app configuration to the profile.

  8. Repeat this process for all applications you want to add to the profile, and then click Create to save the profile.

Application installation behavior

When using the Apple MDM Applications profile to deploy applications, different conditions will impact the installation process. Please see the below table for details.

Enrollment Type Application Type Known App (previously installed) Unknown App (not installed before)  User-installed app (outside of MDM)
Supervised App Store application Installs silently in the background. Installs with prompt if device is unlocked; stays uninstalled if locked. Silently becomes managed.
Apps And Books (VPP) application Installs silently (no App Store account needed). Installs silently (no App Store account needed). Silently becomes managed.
Non-Supervised App Store application Installs with user prompt. If rejected, application stays uninstalled. Installs with user prompt. If rejected, application stays uninstalled. Becomes managed with user prompt. If rejected, stays unmanaged
Apps And Books (VPP) application Installs with user prompt. If rejected, application stays uninstalled. Installs with user prompt. If rejected, application stays uninstalled. Becomes managed with user prompt. If rejected, stays unmanaged

Status Definitions

  • ManagedButUninstalled: The app was managed, but the device user deleted it. If the device user installs the app again, the app will be managed.
  • UserRejected: Indicates the device user canceled a managed app installation.
  • ManagementRejected: Indicates the device user tapped Cancel when prompted to convert the app to managed.

Key Takeaways

  • Supervised devices allow for background installation and management of apps without user interaction, but only for VPP and previously installed Appstore Apps.
  • Non-supervised devices require user approval for installation and management.
  • VPP apps benefit from silent installation when possible, avoiding App Store authentication.
  • If an app is installed by a user, it can be managed automatically in supervised scenarios but requires user confirmation in non-supervised cases.
  • Full silent install is available only for Supervised devices with VPP.

The Apple MDM Restrictions profile allows you to allow or restrict functions on iOS, iPadOS, and macOS devices.

To configure this profile: 

  1. Click Add Configuration in the upper right.

  2. Change the Payload Display Name if desired.

  3. Select which items you wish to be allowed or restricted by clicking the sliders. Items that will only work on supervised devices will have an eye icon next to their label.

    NOTE  To learn more about restrictions settings, click the Learn more link at the top of the configuration.

  4. Once finished configuring the profile, click Create in order to save your changes and create the profile.

The Apple MDM Networking profile allows you to configure network settings for the different types of network interfaces that macOS, iOS, and iPadOS can connect to.

For each interface, you can configure various settings based on the interface type. For example, the below image is from the 802.1X: First Active Ethernet configuration.

NOTE  There is a Learn more link at the top of each section that links back to Apple developer documentation on the device management profile for that interface.

To configure this profile: 

  1. Using the search bar or scrolling through the list manually, select which section you wish to configure using the list on the left.

  2. Click Add Configuration in the upper right.

  3. Configure the section as desired.

  4. Repeat the process if you want to add more sections to the profile.

  5. Once finished configuring the profile, click Create in order to save your changes and create the profile.

NOTE  You can have multiple network interface configurations in one profile.

The Apple MDM Security profile allows you to configure security settings and certificates for macOS, iOS and iPadOS devices.

For example, this profile allows you to configure, among other things: 

  • Passcode requirements
  • Guest Account availability
  • Active Directory Certificate settings
  • Parental Controls

NOTE  There is a Learn more link at the top of each section that links back to Apple developer documentation on the device management profile for that configuration.

To configure this profile: 

  1. Using the search bar or scrolling through the list manually, select which section you wish to configure using the list on the left.
  2. Click Add Configuration in the upper right.
  3. Configure the section as desired.
  4. Repeat the process if you want to add more sections to the profile.
  5. Once finished configuring the profile, click Create in order to save your changes and create the profile.

NOTE  You can have multiple security configurations in one profile.

The Apple MDM System Configuration profile allows you to configure system settings for MacOS, iOS and iPadOS devices.

For example, this profile allows you to configure, among other things: 

  • Accessibility settings
  • Associated Domains
  • Time Machine settings
  • Web Content Filters

NOTE  There is a Learn more link at the top of each section that links back to Apple developer documentation on the device management profile for that configuration.

To configure this profile: 

  1. Using the search bar or scrolling through the list manually, select which section you wish to configure using the list on the left
  2. Click Add Configuration in the upper right.
  3. Configure the section as desired.
  4. Repeat the process if you want to add more sections to the profile.
  5. Click Create to safe the configuration and create the profile.

NOTE  You can have multiple system configurations in one profile.

How to...

To create an MDM profile, complete the following steps:

  1. In your VSA instance, navigate to Administration > Configuration > Profiles.
  2. The Profiles page will load. At the top of the Folders list, click All Profiles.
  3. In the Profiles pane, click New Profile.
  4. The Create New Profile page will load.
  5. In the Details section, enter a name and a brief description for the profile
  6. In the Policy Type section, make the following selections:
    • Policy Type: Device Configuration
    • Configuration Type: Any Apple MDM configuration type
  7. Click Next.
  8. Select a configuration section from the Not Configured Sections list. Then, click Add Configuration.
  9. You'll notice that the selected configuration moves into the Configured Sections list. Complete all applicable fields.
  10. To add additional configuration sections, click Add Configuration. To remove a section, click the Remove link next to its name.
  11. When you've finished customizing the profile, click Create.

NOTE  For more details on how to configure different Apple MDM profile types, refer to Apple MDM Profile Configuration Settings.

Next, you'll need to create a policy that defines the devices to which you'd like to automatically apply your configuration. Complete the following steps:

  1. Navigate to Configuration > Policies. Create a new policy or edit an existing policy.
  2. Click Assign Profile.
  3. Locate the profile you'd like to use. Select it by clicking the radio button next to its name.

    EXAMPLE  

  4. Click Assign.
  5. VSA 10 will begin enforcing the selected profile immediately. You can view it in effect at Configuration > Policies.

EXAMPLE