Configuration profiles are the primary vehicle used by an MDM server to deliver and manage policies and restrictions on managed devices. These profiles contain the payloads which put the devices into a desired state as defined by the MDM server.
Administrators can leverage 探花大神's newest macOS policy, the , to distribute MDM configuration profiles to their MDM-enrolled machines. Check out our MDM simulation about configurations for a full walkthrough.
This policy unlocks a number of new device management features for admins to take advantage of, including the ability to push down WiFi settings, certificates, fonts, and more. The macOS profile manager also allows admins to deploy the payloads only available via the MDM channel on macOS systems, including Kernel Extension Whitelisting and Privacy Preferences Policy Control settings.
How It Works
MDM configuration profiles have the ".mobileconfig" file extension and are formatted in XML with profile-specific keys that define the configuration settings to apply.
Admins can deploy multiple configuration profiles that each contain a single payload or send a single profile containing multiple payloads.
Configuration profiles can be scoped to two separate channels on managed macOS devices. These channels are the user channel and the device channel.
Profiles delivered to systems via the user channel can only apply to a single MDM managed user, whereas profiles distributed via the device channel apply globally to all users on a device.
The 探花大神 MDM Custom Configuration Profiles policy installs all profiles in the device channel.
探花大神 does not deliver any profiles via the user channel, because the identity management capabilities of the 探花大神 agent allow for multiple managed macOS user accounts on a single device, while the user channel only supports a single managed user account.
To create configuration profiles to upload to the 探花大神 MDM Custom Configuration Profile policy, admins can take advantage of free tools with GUIs for building the profiles. and are great utilities to leverage to build configuration profiles with a GUI.
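Before uploading a profile built with such a tool, its payloads and scope can be reviewed offline. The following is an added example, not code from the original page or from the vendor: the function name `review_profile` and the sample profile (identifiers, UUIDs) are constructed for illustration, and the payload type strings are Apple's identifiers for Wi-Fi, Kernel Extension policy and Privacy Preferences Policy Control. It assumes an unsigned XML profile; a signed .mobileconfig must have its signature wrapper removed first.

```python
import plistlib

# Payload types the page describes as available only via the MDM channel on macOS.
MDM_ONLY_TYPES = {
    "com.apple.syspolicy.kernel-extension-policy",  # Kernel Extension Whitelisting
    "com.apple.TCC.configuration-profile-policy",   # Privacy Preferences Policy Control
}
REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")

# Constructed sample: one profile carrying two payloads (identifiers and UUIDs are made up).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
  <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.profile.wifi</string>
      <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
      <key>PayloadVersion</key><integer>1</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
      <key>PayloadIdentifier</key><string>com.example.profile.pppc</string>
      <key>PayloadVersion</key><integer>1</integer>
    </dict>
  </array>
</dict></plist>"""

def review_profile(data: bytes) -> dict:
    """Summarise an unsigned .mobileconfig and list structural problems."""
    profile = plistlib.loads(data)
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType is not 'Configuration'")
    payloads = profile.get("PayloadContent", [])
    for i, payload in enumerate(payloads):
        for key in REQUIRED_KEYS:
            if key not in payload:
                problems.append(f"payload {i}: missing {key}")
    types = [p.get("PayloadType") for p in payloads]
    return {"scope": profile.get("PayloadScope", "unset"), "types": types,
            "mdm_only": sorted(set(types) & MDM_ONLY_TYPES), "problems": problems}

if __name__ == "__main__":
    print(review_profile(SAMPLE))
```

The `mdm_only` list tells a reviewer which payloads in a multi-payload profile depend on MDM delivery, and `problems` catches payloads a GUI export left incomplete.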
Why It Matters
The MDM Custom Configuration Profile policy gives admins a new device management command and control framework that they can fit to their organizations' needs.
Profiles delivered via this policy to systems that are enrolled in 探花大神 MDM through automated device enrollment (DEP) are non-removable from the system, even by end users with administrative permissions.
Many organizations have had to become flexible in delegating administrative permissions to end users who are now working remotely, so this capability gives admins certainty that their devices will stay in compliance with configured settings without having to worry about nefarious activity by end users who may be trying to circumvent management software.
Supporting the delivery of custom mobile configuration profiles opens the door to zero day support for the delivery of new profile payloads that Apple tends to release in both major and minor software updates.
What's Next
With Apple's WWDC 2020 in the rearview mirror and the macOS Big Sur release on the horizon, the 探花大神 macOS policies architecture is under renovation to route the existing configuration profiles of 探花大神 macOS policies to systems via MDM commands (versus the current method, the 探花大神 Agent).
Big Sur includes updates that restrict the ability to silently deliver configuration profiles to MDM commands only. This work will open the door to the next generation of 探花大神 macOS policies and MDM capabilities. In addition to this revamp, incremental enhancements to the 探花大神 DEP enrollment capabilities are under construction that, added up, will lead to a true zero-touch end user enrollment by seamlessly integrating the 探花大神 user directory with the macOS out-of-box experience.