About profiles and payloads

Configuration profiles are XML files consisting of payloads that load settings and authorization information onto Apple devices such as iPhone, iPad, iPod touch, Mac, and Apple TV. Profile Manager can create and install profiles on any of these devices.

The settings and authorization information can contain:

  • Device security policies and restrictions

  • VPN configuration information

  • Network settings

  • Mail and calendar accounts

  • Authentication credentials that permit iPad, iPhone, iPod touch, and Mac to work with enterprise systems and school networks

Configuration profiles can be encrypted and signed, which lets you restrict their use to a specific Apple device and, with the exception of user names and passwords, prevents anyone from changing the settings. You can also mark a profile as being locked to the device, so after it’s installed, the profile can be removed only by wiping the device of all data or by entering the password associated with the profile. Accounts that are configured by a profile, such as Microsoft Exchange accounts, can be removed only by deleting the profile.
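The properties described above can be checked on a profile file before it is distributed or installed. The following is an added example, not part of the original page or of Profile Manager: it parses a profile with Python's `plistlib` and reports its payload types, whether it is encrypted, whether removal is restricted, and which payload keys hold passwords in clear text. The key names (`PayloadContent`, `PayloadRemovalDisallowed`, `EncryptedPayloadContent`, `com.apple.profileRemovalPassword`) come from Apple's configuration profile format rather than from this page, and the sample profile and the function name `audit_profile` are constructed for illustration.

```python
import plistlib

# Constructed sample: a minimal unsigned profile with a Wi-Fi payload and a
# removal-password payload. All identifiers and values are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.profile.wifi</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>ExampleCorp</string>
      <key>Password</key><string>constructed-secret</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.profileRemovalPassword</string>
      <key>RemovalPassword</key><string>constructed-removal</string>
    </dict>
  </array>
</dict></plist>"""


def audit_profile(data: bytes) -> dict:
    """Summarise a .mobileconfig file (hypothetical helper for this example)."""
    stripped = data.lstrip()
    # A signed profile is a DER-encoded CMS wrapper, not a bare plist. Anything
    # that is not a plist is reported as such and must be unwrapped first.
    if not stripped.startswith((b"<?xml", b"<plist", b"bplist00")):
        return {"signed_or_unknown": True}
    profile = plistlib.loads(stripped)
    payloads = profile.get("PayloadContent", [])
    types = [p.get("PayloadType", "?") for p in payloads]
    # Payload keys whose names indicate a password stored in clear text.
    secrets = sorted({f"{p.get('PayloadType')}:{k}" for p in payloads
                      for k in p if "password" in k.lower()})
    return {
        "signed_or_unknown": False,
        "encrypted": "EncryptedPayloadContent" in profile,
        "payload_types": types,
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "removal_password": "com.apple.profileRemovalPassword" in types,
        "cleartext_secret_keys": secrets,
    }
```

A profile that reports clear-text password keys and is neither signed nor encrypted exposes those values to anyone who can read the mail attachment or download link used to distribute it.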

Although you can create a single configuration profile that contains all payloads for your organization, consider creating separate profiles: one for settings that rarely change and another for settings that may change often. Examples of settings that rarely change are network, security and privacy, LDAP, mail, calendar, and software update. Examples of settings that may change often include VPN, certificates, web clips, login items, Dock, and printer.

You create configuration profiles for users and devices, or groups of users and devices. Profile Manager tailors the profile’s payloads depending on which you choose, and the settings apply at that level. For example, settings that apply only to devices aren’t available when you’re creating a user configuration profile.

You may also want to create separate profiles for specific devices or a group of users. For information, see Payload best practices.

You can distribute configuration profiles as a mail attachment, through a link on your own webpage, or with Profile Manager’s built-in user portal. When users open the mail attachment or download the profile using a web browser, they’re prompted to begin profile installation. You can also use Profile Manager as a mobile device management server, which lets you send new and updated profiles to users after they enroll their device.

Except for passwords, users generally can’t change settings that are defined in a configuration profile. Accounts configured by a profile can only be removed by deleting the profile. Doing so may prevent the device from being used in your organization until the profile is reinstalled. For example, removing a profile may prevent the user from accessing the network, receiving mail, and creating events using their Calendar app. On iOS devices, you can mark a profile as being locked to the device, so when it’s installed it can be removed only by wiping the device of all data (or by entering a passcode).

In iOS 9 or later, configuration profiles with Certificate or Wi-Fi payloads installed during Setup Assistant automatically become managed if the device is supervised and enrolled in MDM.

Important: iOS devices that are not supervised can have profiles removed if the user knows the passcode even if the option is set to Never in the General settings. OS X profiles can be removed if the user knows an administrator’s name and password.