Mobile Device Configuration Profiles

Configuration profiles are XML files (.mobileconfig) that provide an easy way to define settings and restrictions for devices, computers, and users.

You can use Jamf Pro to create a configuration profile or you can upload a configuration profile that was created using third-party software, for example, Apple's Profile Manager or Apple Configurator.

Before creating a configuration profile, you should have basic knowledge of configuration profile payloads and settings. For more information, see the following Apple documentation:

Some configuration profile payloads and settings available in Jamf Pro may differ from their implementation in Apple’s tools. For more information on these settings, see the Configuration Profile Payload Settings Specific to Jamf Pro Knowledge Base article.

When you create a mobile device configuration profile, you must specify the level at which to apply the profile—device level or user level. Each level has a unique set of payloads and a few that are common to both.

Note: User-level profiles apply to iPads enabled as Shared iPad only.

There are two different ways to distribute a configuration profile to an iOS device—install it automatically (requires no interaction from the user) or make it available in Jamf Self Service. For tvOS devices, configuration profiles must be distributed by installing automatically. You can also specify the mobile devices and users to which the profile should be applied (called “scope”).

Note: Removing a device from the scope of the profile also removes the settings applied by the profile the next time the device checks in with Jamf Pro. For user-level profiles, you can remove the profile from the iPad for each user by removing the device from the scope of the profile or deleting the profile from Jamf Pro. Each user must log in to the iPad for the profile to be removed from the device for that user.

A configuration profile will deploy containing both the iOS and tvOS selected options to all devices in scope. Devices will ignore the options that do not pertain to their device type.

Note: Mobile device configuration profiles cannot be distributed to personally owned mobile devices enrolled using a Personal Device Profile.

User-Level Profiles for Shared iPad

You can apply mobile device configuration profiles at the user level for iPads enrolled with Jamf Pro with Shared iPad enabled. This feature enhances Shared iPad workflows in your environment by enabling you to distribute configuration profiles directly to a user that logs in to the iPad. For example, you can create a configuration profile with a Web Clip payload that enables users to access a specific webpage. When each user logs in to the iPad, the profile is installed on the device for that user allowing the user to access the webpage directly from their Home Screen. User-level profiles can only be distributed using the “Install Automatically” method and cannot be made available in Self Service.

iPads must be enrolled with Jamf Pro and have Shared iPad enabled. You can use a Mobile Device PreStage enrollment to enable Shared iPad during enrollment. For more information, see Mobile Device PreStage Enrollments.

Note: The following payloads are available to apply at the user level as of Jamf Pro 10.24.1:

  • Single Sign-On Extensions

  • Web Clip

After the profile is installed on the iPad, you can view the Managed Apple ID for each user that the profile was installed for. This information is available in the Profile category in the mobile device inventory information. For more information, see Mobile Device Inventory Information Reference.

Note: When you redistribute a user-level profile to a user that is currently logged in to their device, the user must log out and log back in to the iPad to have the profile re-installed on their device. For profiles that were created using Jamf Pro 10.24.1-10.25.0, you must edit and re-save the profile to redistribute it to users.

Payload Variables for Configuration Profiles

There are several payload variables that you can use to populate settings in a configuration profile with attribute values stored in Jamf Pro. This allows you to create payloads containing information about each mobile device, computer, and user to which you are distributing the profile.

To use a payload variable, enter the variable into any text field when creating a profile in Jamf Pro. When the profile is installed, the variable is replaced with the value of the corresponding attribute in Jamf Pro.

Variable

Inventory Information

$DEVICENAME

Mobile Device Name

$ASSET_TAG

Asset Tag

$SITENAME

Site Name

$SITEID

Site ID

$SERIALNUMBER

Serial Number

$UDID

UDID

$USERNAME

Username

$FULLNAME or $REALNAME

Full Name

$EMAIL

Email Address

$PHONE

Phone Number

$ROOM

Room

$POSITION

Position

$DEPARTMENTNAME

Department Name

$DEPARTMENTID

Department ID

$BUILDINGNAME

Building Name

$BUILDINGID

Building ID

$MACADDRESS

MAC Address

$JSSID

Jamf Pro ID

$PROFILEJSSID

Jamf Pro ID of the Configuration Profile

$EXTENSIONATTRIBUTE_#

Extension Attribute ID Number

Note: The ID number is found in the extension attribute URL. In the example URL below, "id=2" indicates the extension attribute ID number:
https://instancename.jamfcloud.com/mobileDeviceExtensionAttributes.html?id=2&o=r

For more information, see Mobile Device Extension Attributes.

General Requirements

To install a configuration profile on a device, you need a push certificate in Jamf Pro. For more information, see Push Certificates.

Manually Creating a Configuration Profile

You can create a configuration profile using Jamf Pro.

Beginning with Jamf Pro 10.13.0, you can configure some payloads using a redesigned flow. Use switches to include the settings that will be sent to deployment targets. In the summary view, only the included or configured settings are displayed in the Jamf Pro interface. The operating system manages settings on the device level. Some enforced settings that do not change default values will not be visible on the device. For more information on the default settings, see this documentation from the Apple Developer website.

Note: When upgrading to Jamf Pro 10.13.0 or later, any previously configured payloads that have been redesigned are automatically migrated. Review the settings in the Jamf Pro user interface. The migrated payloads are not redeployed to deployment targets.

  1. Log in to Jamf Pro.

  2. Click Devices at the top of the page.

  3. Click Configuration Profiles.

  4. Click New images/download/thumbnails/81922824/Icon_New_Button.png .

  5. Use the General payload to configure basic settings for the profile, including the level at which to apply the profile and the distribution method. If you chose to make the profile available in Jamf Self Service, choose a Security setting.
    Only payloads and settings that apply to the selected level are displayed for the profile.

  6. Use the rest of the payloads to configure the settings.

  7. Click the Scope tab and configure the scope of the profile.
    To distribute user-level profiles, ensure you add iPads to the scope that have Shared iPad enabled. This allows the profile to be installed on the device for each potential user of that device. When each user logs in, the profile is then installed on the device.

    Note: If a user is logged in to an iPad prior to a profile being saved in Jamf Pro, the user must log out and log back in to the iPad for the profile to be installed on the device.

    For more information, see Scope.

    Note: For limitations or exclusions to be based on LDAP users or LDAP user groups, the Username field must be populated in the mobile device's inventory.

  8. (Optional) If you chose to make the profile available in Self Service, click the Self Service tab to configure Self Service settings for the profile.

  9. Click Save images/download/thumbnails/81531754/floppy-disk.png .

The profile is distributed to deployment targets in the scope the next time they contact Jamf Pro.

Uploading a Configuration Profile

You can create a configuration profile by uploading a profile that was built using Apple’s software, for example, Profile Manager or Apple Configurator .

Note: Some payloads and settings configured with third-party software are not displayed in Jamf Pro. Although you cannot view or edit these payloads, they are still applied to the deployment targets.

  1. Log in to Jamf Pro.

  2. Click Devices at the top of the page.

  3. Click Configuration Profiles.

  4. Click Upload and upload the configuration profile (.mobileconfig).

  5. Use the General payload to configure basic settings for the profile, including a distribution method. If you chose to make the profile available in Jamf Self Service, choose a Security setting.

  6. Use the rest of the payloads to configure or edit settings as needed.

  7. Click the Scope tab and configure the scope of the profile.
    For more information, see Scope.

    Note: For limitations or exclusions to be based on LDAP users or LDAP user groups, the Username field must be populated in the mobile device's inventory.

  8. (Optional) If you chose to distribute the profile in Self Service, click the Self Service tab to configure Self Service settings for the profile.

  9. Click Save images/download/thumbnails/81531754/floppy-disk.png .

The profile is distributed to deployment targets in the scope the next time they contact Jamf Pro.

Downloading a Configuration Profile

If you want to view the contents of a configuration profile for troubleshooting purposes, you can download the profile (.mobileconfig) from Jamf Pro.

  1. Log in to Jamf Pro.

  2. Click Devices at the top of the page.

  3. Click Configuration Profiles.

  4. Click the configuration profile you want to download.

  5. Click Download images/download/thumbnails/80748286/download-1.png .

The profile downloads immediately.

Viewing the Status of a Configuration Profile

For each configuration profile, you can view the number of the deployments targets with a status of Complete, Remaining, or Failed for the profile installation.

Note: Depending on your system configuration, status data may not be available for profiles installed using Jamf Pro 9.63 or earlier.

  1. Log in to Jamf Pro.

  2. Click Devices at the top of the page.

  3. Click Configuration Profiles.
    A list of configuration profiles is displayed.
    For each profile, you can view the number of the deployment targets for which the profile installation has a Completed, Remaining, or Failed status.

    Note: If a device becomes unmanaged after a profile is successfully distributed to it, the profile will continue to be displayed in the Completed column.

  4. To view a list of deployment targets with a status of Complete, Remaining, or Failed for the profile installation, click the number displayed in the corresponding column. Then click Back images/download/thumbnails/80748248/DONE_cropped.png in the top-left corner of the pane.

  5. To view logs for a configuration profile, click View in the corresponding row. For a different date range, specify the starting and ending dates using the Date Range pop-up calendars.

  6. Click Back images/download/thumbnails/80748248/DONE_cropped.png in the top-left corner of the pane.

Related Information

For related information, see the following sections in this guide:

For related information, see the following Knowledge Base article:

Distributing Apps to Mobile Devices with App Store Restrictions After Upgrading to Jamf Pro 9.5 or Later
Learn about the steps necessary to redistribute mobile device configuration profiles that contain App Store restrictions so that you can distribute apps to mobile devices with restrictions after upgrading from Jamf Pro 9.4 or earlier.

For related information, see the following technical paper:

Enabling Jamf Pro as SCEP Proxy
Learn how to enable Jamf Pro as SCEP Proxy for distributing certificates via configuration profiles.

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2020 Jamf. All rights reserved.