VSA 10 MDM: Apple MDM profiles

The Apple MDM Applications profile allows you to provision, install, and update software from the Apple App Store through VSA 10 on iOS, iPadOS, and macOS devices. Applications added to this profile will be installed and kept up to date on targeted devices.

When choosing between whether to use the App Store or Apps and Books configuration, consider the following: 

• Installing apps using the App Store configuration requires an active App Store account on the device from an unmanaged Apple ID account.
• Installing apps using the Apps and Books configuration does not require an active App Store account, and can be used with a managed Apple ID account present on the device. Additionally, it will not show any prompts users on supervised devices.
• In order to start using Apps and Books applications, applications must first be added to Apple Business Manager, even if the apps being installed are free.

NOTE  Devices are checked for uninstalled/out of date apps on a 24 hour cycle, so if a user uninstalls and app manually it will be reinstalled within a day.

NOTE  This profile will work with non-supervised devices.

To configure this profile, follow the instructions below depending on which configuration you want to apply: 

App Store

1. Select App Store from the menu on the left.
2. Click Add Application in the upper right.
   
   
3. Use the drop-down for App Store Country to select the country where the requested app resides.
   
4. Type in the Application field to search the App Store. Click to select the application you wish to configure.
   
5. For the selected application, check or uncheck the necessary boxes to choose which of the following settings you want applied: 
   • Update the application to the latest version automatically: Checking this option will keep the app up to date on targeted devices.
   • Delete the app when the device is unenrolled from MDM: Checking this option will force the application to be removed from the any targeted devices if they are unenrolled from MDM.
   • Prevent the backup of app data: Checking this option will omit the app and app data from being backed up when a phone is backed up with a service such as iCloud
6. Click Add to add the app configuration to the profile.
   

7. Repeat this process for all apps you want to add to the profile, and then click Create to save the profile.

Apps and Books

1. Select Apps and Books from the menu on the left.
2. Click Add Application in the upper right.
   
   
3. Use the Connector dropdown to select your connector. Refer to Apps and Books if one needs to be configured.
   
4. Select one of the applications from the Application dropdown.
   
5. Enter in the application configuration settings in the Configuration field. Refer to the application vendor's documentation for directions on configuring these settings in the proper format.
   
6. For the selected application, check or uncheck the necessary boxes to choose which of the following settings you want applied: 
   • Update the application to the latest version automatically: Checking this option will keep the app up to date on targeted devices.
   • Delete the app when the device is unenrolled from MDM: Checking this option will force the application to be removed from the any targeted devices if they are unenrolled from MDM.
   • Prevent the backup of app data: Checking this option will omit the app and app data from being backed up when a phone is backed up with a service such as iCloud
7. Click Add to add the app configuration to the profile.
   
   

8. Repeat this process for all applications you want to add to the profile, and then click Create to save the profile.

Application installation behavior

When using the Apple MDM Applications profile to deploy applications, different conditions will impact the installation process. Please see the below table for details.

Status Definitions

• ManagedButUninstalled: The app was managed, but the device user deleted it. If the device user installs the app again, the app will be managed.
• UserRejected: Indicates the device user canceled a managed app installation.
• ManagementRejected: Indicates the device user tapped Cancel when prompted to convert the app to managed.

Key Takeaways

• Supervised devices allow for background installation and management of apps without user interaction, but only for VPP and previously installed Appstore Apps.
• Non-supervised devices require user approval for installation and management.
• VPP apps benefit from silent installation when possible, avoiding App Store authentication.
• If an app is installed by a user, it can be managed automatically in supervised scenarios but requires user confirmation in non-supervised cases.
• Full silent install is available only for Supervised devices with VPP.

The Apple MDM Restrictions profile allows you to allow or restrict functions on iOS, iPadOS, and macOS devices.

To configure this profile: 

1. Click Add Configuration in the upper right.
   

2. Change the Payload Display Name if desired.
   

3. Select which items you wish to be allowed or restricted by clicking the sliders. Items that will only work on supervised devices will have an eye icon next to their label.
   

   NOTE  To learn more about restrictions settings, click the Learn more link at the top of the configuration.
   

4. Once finished configuring the profile, click Create in order to save your changes and create the profile.

The Apple MDM Networking profile allows you to configure network settings for the different types of network interfaces that macOS, iOS, and iPadOS can connect to.

For each interface, you can configure various settings based on the interface type. For example, the below image is from the 802.1X: First Active Ethernet configuration.

NOTE  There is a Learn more link at the top of each section that links back to Apple developer documentation on the device management profile for that interface.

To configure this profile: 

1. Using the search bar or scrolling through the list manually, select which section you wish to configure using the list on the left.

2. Click Add Configuration in the upper right.

3. Configure the section as desired.

4. Repeat the process if you want to add more sections to the profile.

5. Once finished configuring the profile, click Create in order to save your changes and create the profile.

NOTE  You can have multiple network interface configurations in one profile.

The Apple MDM Security profile allows you to configure security settings and certificates for macOS, iOS and iPadOS devices.

For example, this profile allows you to configure, among other things: 

• Passcode requirements
• Guest Account availability
• Active Directory Certificate settings
• Parental Controls

NOTE  There is a Learn more link at the top of each section that links back to Apple developer documentation on the device management profile for that configuration.

To configure this profile: 

1. Using the search bar or scrolling through the list manually, select which section you wish to configure using the list on the left.
2. Click Add Configuration in the upper right.
3. Configure the section as desired.
4. Repeat the process if you want to add more sections to the profile.
5. Once finished configuring the profile, click Create in order to save your changes and create the profile.

NOTE  You can have multiple security configurations in one profile.

The Apple MDM System Configuration profile allows you to configure system settings for MacOS, iOS and iPadOS devices.

For example, this profile allows you to configure, among other things: 

• Accessibility settings
• Associated Domains
• Time Machine settings
• Web Content Filters

NOTE  There is a Learn more link at the top of each section that links back to Apple developer documentation on the device management profile for that configuration.

To configure this profile: 

1. Using the search bar or scrolling through the list manually, select which section you wish to configure using the list on the left
2. Click Add Configuration in the upper right.
3. Configure the section as desired.
4. Repeat the process if you want to add more sections to the profile.
5. Click Create to safe the configuration and create the profile.

NOTE  You can have multiple system configurations in one profile.

To create an MDM profile, complete the following steps:

1. In your VSA instance, navigate to Administration > Configuration > Profiles.
2. The Profiles page will load. At the top of the Folders list, click All Profiles.
   
3. In the Profiles pane, click New Profile.
4. The Create New Profile page will load.
   
5. In the Details section, enter a name and a brief description for the profile
6. In the Policy Type section, make the following selections:
   • Policy Type: Device Configuration
   • Configuration Type: Any Apple MDM configuration type
7. Click Next.
8. Select a configuration section from the Not Configured Sections list. Then, click Add Configuration.
9. You'll notice that the selected configuration moves into the Configured Sections list. Complete all applicable fields.
10. To add additional configuration sections, click Add Configuration. To remove a section, click the Remove link next to its name.
11. When you've finished customizing the profile, click Create.
    

NOTE  For more details on how to configure different Apple MDM profile types, refer to Apple MDM Profile Configuration Settings.

Next, you'll need to create a policy that defines the devices to which you'd like to automatically apply your configuration. Complete the following steps:

1. Navigate to Configuration > Policies. Create a new policy or edit an existing policy.
2. Click Assign Profile.
3. Locate the profile you'd like to use. Select it by clicking the radio button next to its name.

   EXAMPLE  
   

4. Click Assign.
5. VSA 10 will begin enforcing the selected profile immediately. You can view it in effect at Configuration > Policies.
   

EXAMPLE