Article

Using Configuration Profiles

Create and deploy configuration profiles to users within your organization.

Overview

Configuration profiles streamline the process of setting up a large number of devices. Custom calendar and email settings, network settings (like WiFi and VPN settings), certificates, and device restrictions, are some of the properties you can configure using configuration profiles.

You have several options for deploying configuration profiles:

  • Using Apple Configurator 2, available in the App Store.

  • In an email message.

  • On a webpage.

  • Using over-the-air configuration as described in Over-the-Air Profile Delivery and Configuration.

  • Over the air using a Mobile Device Management server.

Define a Profile

Configuration profiles are stored in a property list format, which any XML tool can read and write.

The configuration property list contains the properties listed in the TopLevel object. These properties describe the profile and the rules for deploying it. Specific configuration values are stored in an array of payloads in the PayloadContent property.

Each payload's contents contain profile-specific keys (see Profile-Specific Payload Keys) and keys that are common to all payloads (see the following list of key definitions).

PayloadType (String)

The payload type, specified on each payload domain's reference page.

PayloadVersion (Integer)

The version of this specific payload.

PayloadIdentifier (String)

The reverse-DNS-style identifier for the payload. This identifier is usually the same as the TopLevel value, with an additional component appended.

PayloadUUID (String)

The globally unique identifier for the payload. The actual content is unimportant, but must be globally unique. In macOS, use uuidgen to generate UUIDs.

PayloadDisplayName (String)

The human-readable name for the profile payload. The name is displayed on the Detail screen and doesn't have to be unique.

PayloadDescription (String)

The human-readable description of this payload. This description is shown on the Detail screen.

PayloadOrganization (String)

The human-readable string containing the name of the organization that provided the profile. This value doesn't need to match the organization payload value in the enclosing dictionary.

Encrypt and Sign a Profile

Both iOS and macOS support using encryption to protect the contents of profiles from unauthorized access. The encrypted profile can only be decrypted using a private key previously installed on a device. To encrypt a profile:

  1. Remove the PayloadContent array and serialize it as a property list. Note that the top-level object in this property list is an array, not a dictionary.

  2. CMS-encrypt the serialized property list as enveloped data.

  3. Serialize the encrypted data in DER (Distinguished Encoding Rules) format.

  4. Set the serialized data as the value of as a data property list item in the profile, using the EncryptedPayloadContent key. 


Signing a profile guarantees data integrity. To sign a profile, place the XML property list in a DER-encoded, CMS Signed Data structure.

Example SCEP Configuration Profile

The listing below shows the contents of an example profile, containing a Simple Certificate Enrollment Protocol (SCEP) payload.

<?xml version=”1.0” encoding=”UTF-8”?>
<!DOCTYPE plist PUBLIC ”-//Apple Inc//DTD PLIST 1.0//EN” ”http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0”>
   <dict>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadUUID</key>
      <string>Ignored</string>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadIdentifier</key>
      <string>Ignored</string>
      <key>PayloadContent</key>
      <array>
         <dict>
            <key>PayloadContent</key>
            <dict>
               <key>URL</key> 
               <string>https://scep.example.com/scep</string> 
               <key>Name</key> 
               <string>EnrollmentCAInstance</string> 
               <key>Subject</key>

               <array> 
                  <array> 
                     <array>
                        <string>O</string>
                        <string>Example, Inc.</string>
                     </array>
                  </array>
                  <array>
                     <array>
                        <string>CN</string>
                        <string>User Device Cert</string>
                     </array>
                  </array>
               </array>
               <key>Challenge</key>
               <string>...</string>
               <key>Keysize</key>
               <integer>1024</integer>
               <key>KeyType</key>
               <string>RSA</string>
               <key>KeyUsage</key>
               <integer>5</integer>
            </dict>

            <key>PayloadDescription</key>

            <string>Provides device encryption identity</string> 
            <key>PayloadUUID</key> 
            <string>fd8a6b9e-0fed-406f-9571-8ec98722b713</string> 
            <key>PayloadType</key> 
            <string>com.apple.security.scep</string> 
            <key>PayloadDisplayName</key> 
            <string>Encryption Identity</string> 
            <key>PayloadVersion</key> 
            <integer>1</integer> 

            <key>PayloadOrganization</key> 

            <string>Example, Inc.</string> 
            <key>PayloadIdentifier</key> 
            <string>com.example.profileservice.scep</string> 
         </dict>
      </array>
   </dict>
</plist>

See Also

Configuration Profiles

Profile-Specific Payload Keys

Use the appropriate payload for your configuration needs.