alotofpeople - Fotolia
Apple provides a protocol for mobile device management on its devices that run iOS 4.0 and later, but the way that IT admins can enroll and manage Apple mobile devices has changed significantly since then.
The mobile device management (MDM) protocol included in modern versions of iOS allows IT admins to install and remove configuration profiles. Configuration profiles apply the numerous settings that users' iOS devices need.
IT admins who manage iOS devices in the enterprise should learn how configuration profiles work and how to deploy them for a large group of iOS devices at the same time.
How do iOS configuration profiles work?
An iOS configuration profile is simply an XML file that contains payloads and the .mobileconfig extension. A payload is a group with unique settings that IT can customize to match its needs. These payloads enable IT to load customized settings and authorizations on iOS devices, including basic settings, accounts, restrictions and credentials. Within an iOS configuration profile, the different payloads contain the configuration data for each managed setting. Every payload, however, has the same structure and is defined with the same properties -- also known as keys.
Payloads can be divided into two categories: those that require the iOS devices to be supervised and those that do not. Tagging iOS devices as supervised generally indicates that those devices are owned by an organization, rather than by the user. Supervised devices provide additional configuration options to many payloads in a configuration profile.
Some payloads require supervised devices, so these controls aren't available in BYOD or other personally owned mobile device scenarios. IT can configure devices to be in a supervised state with Apple Configurator 2 or Apple Business Manager (ABM):
- Apple Configurator 2 is a macOS application that loads configuration profiles onto physically connected iOS devices.
- ABM simplifies the initial setup of iOS devices and automatically enrolls the devices into the required MDM platform to load configuration profiles. Starting with iOS 13 and later, every device added to ABM is automatically supervised.
How to deploy an iOS 14 configuration profile
IT admins can use multiple methods to deploy configuration profiles to iOS devices. The two preferred methods for iOS configuration profile deployment are Apple Configurator 2 and an MDM platform. Both methods ensure that the configuration profile is either set up by the IT administrator or pushed out automatically by the MDM platform. Therefore, both methods are easy for the end users of the iOS devices.
From an administrative perspective, the easiest method to load configuration profiles onto many iOS devices is with an MDM platform. The platform simplifies the number of required actions for the IT administrator. There is no need to physically touch all iOS devices. IT can use an enrollment profile to enroll iOS devices into an MDM platform. An enrollment profile is a configuration profile with an MDM payload that connects the device to the specified MDM platform.
One element of the configuration requirements for iOS devices should stand out to IT admins: the Apple Push Notification service (APNs). The APNs is required to maintain persistent communication with iOS devices across any network. That communication channel requires a certificate to talk to the iOS devices regardless of the MDM platform it connects to. Therefore, every MDM platform needs to add a certificate to use the APNs, and the platform vendors must renew these certificates annually. Once IT configures the APNs certificate, they can set up the enrollment profile that connects the iOS devices to the MDM platform. After enrollment, the MDM platform can load any available configuration profile and payload to those iOS devices.
When working with configuration profiles, remember these key setup rules:
- A configuration profile can contain more than one payload.
- An iOS device can have more than one configuration profile.
- An iOS device can only have a single enrollment profile.
- When an iOS device has multiple conflicting configurations, the most restrictive configuration overrides the other(s).
There are also multiple methods for enrolling an iOS device into an MDM platform. The most common methods are manual enrollment performed by the user -- which is typical for personal devices -- and an automatic enrollment via ABM -- which is often used for company devices. ABM requires an MDM integration to point the iOS devices to the correct location for enrollment. The manual enrollment relies on specific actions by the user, as in the example below.
With Microsoft Endpoint Manager, formerly Intune, the device's user must download the Company Portal app to initiate the enrollment. Microsoft's Company Portal app guides the user through the enrollment process, but at some point during that process the user must manually switch to the Settings app and tap the specific configuration profile to download it onto the device. Apple introduced this option with iOS 12.2 and it is applicable for any MDM platform.