Overview
Configuration profiles (.mobileconfig) are the primary mechanism for pushing settings to managed Macs via MDM solutions like Jamf Pro, Mosyle, or Kandji. This article covers common profile types and best practices.
Common Profile Payloads
Restrictions Payload
Prevents users from modifying system settings, installing apps from unidentified developers, or changing network configurations. Applied scope: Device or User channel.
Wi-Fi Payload
Pushes corporate Wi-Fi SSID, security type (WPA2/WPA3-Enterprise), and EAP settings including RADIUS certificates. Removes the need for manual Wi-Fi setup on new devices.
VPN Payload
Configures IKEv2 or Cisco AnyConnect VPN profiles. Supports Per-App VPN tunnelling for routing only specific apps through the corporate tunnel.
Certificate Payload
Deploys Root CA and intermediate certificates to the System Keychain, enabling trusted HTTPS inspection and 802.1X authentication without user prompts.
Login Window Payload
Customises the login screen banner message, disables user list display, and enforces password policies including complexity, length, and expiry intervals.
Deployment Tips
Always scope profiles to a test group first. Use the Device Channel for machine-level settings (Network, Certificates, FileVault) and the User Channel for per-user preferences. Avoid overlapping payloads from multiple profiles to prevent conflicts.
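The overlap check from the tip above, as an added example (not from the original article or the Apple_Mac repository): it parses unsigned .mobileconfig plists and reports every setting that more than one profile sets, separating agreeing duplicates from conflicting values. The profile names, identifiers and values in SAMPLES are constructed for the demo, and signed (CMS-wrapped) profiles are assumed to have been unwrapped first.

```python
import plistlib
import uuid
from collections import defaultdict

# Per-payload bookkeeping keys; everything else in a payload dict is a setting.
META_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion", "PayloadDisplayName",
             "PayloadDescription", "PayloadOrganization", "PayloadEnabled"}

def find_overlaps(profiles):
    """Map (PayloadType, key) -> {profile name: value} for settings set by 2+ profiles."""
    seen = defaultdict(dict)
    for name, raw in profiles.items():
        for payload in plistlib.loads(raw).get("PayloadContent", []):
            ptype = payload.get("PayloadType", "<missing>")
            for key, value in payload.items():
                if key not in META_KEYS:
                    seen[(ptype, key)][name] = value
    return {k: v for k, v in seen.items() if len(v) > 1}

def find_conflicts(overlaps):
    """Overlapping settings whose values differ between profiles (sorted)."""
    return sorted(k for k, v in overlaps.items()
                  if len({repr(x) for x in v.values()}) > 1)

def make_profile(identifier, payloads):
    """Build a constructed, unsigned profile for the demo below."""
    content = [dict(settings, PayloadType=ptype, PayloadVersion=1,
                    PayloadIdentifier=f"{identifier}.{i}",
                    PayloadUUID=str(uuid.uuid4()))
               for i, (ptype, settings) in enumerate(payloads)]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": identifier, "PayloadUUID": str(uuid.uuid4()),
                           "PayloadContent": content})

# Constructed sample profiles (identifiers and values are made up).
SAMPLES = {
    "baseline": make_profile("com.example.baseline", [
        ("com.apple.loginwindow", {"SHOWFULLNAME": True, "LoginwindowText": "Authorised use only"}),
        ("com.apple.applicationaccess", {"allowCamera": False})]),
    "kiosk": make_profile("com.example.kiosk", [
        ("com.apple.loginwindow", {"SHOWFULLNAME": False}),
        ("com.apple.applicationaccess", {"allowCamera": False})]),
    "wifi": make_profile("com.example.wifi", [
        ("com.apple.wifi.managed", {"SSID_STR": "CorpNet", "EncryptionType": "WPA2"})]),
}

if __name__ == "__main__":
    for k in find_conflicts(find_overlaps(SAMPLES)):
        print("CONFLICT:", k, find_overlaps(SAMPLES)[k])
```

Payload types that are legitimately deployed more than once, such as Wi-Fi networks or certificates, will show up as overlaps when two profiles carry them, so treat those hits as items to review rather than errors.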
Profile templates are available in the Apple_Mac repository.