A Mobile Device Management (MDM) profile is a configuration file containing rules and settings installed on mobile devices (such as iPhones, iPads, MacBooks, or Apple TVs) through a device management system (such as SimpleMDM).
TL;DR: The MDM profile enrolls the device into management and then tells it how to behave.
Profiles consist of settings, known as payloads, that configure various device aspects, such as Wi-Fi settings, VPN configurations, security restrictions, and app installation rules. These profiles enable administrators to control and manage devices remotely.
MDM profiles are key components of MDM architecture and are used across various platforms, including Apple, Windows, and Android.
In the Apple ecosystem (iOS, macOS, iPadOS, tvOS), MDM profiles are designed to operate within the Apple MDM Protocol. This protocol defines how MDM servers talk to Apple devices to send configuration profiles, issue commands, and retrieve status information. The profiles must be compatible with Apple’s MDM architecture and follow Apple’s security guidelines.
What do MDM profiles do?
An MDM profile allows MacAdmins to:
Enforce security protocols like encryption and password policies
For instructions on where to start with security profiles, see:
Control which apps can be installed or removed
For an installation guide, see: How to install iOS apps silently
Manage network settings (Wi-Fi, VPN configurations)
For more on enterprise network management, see: Navigating the channel width conundrum: An 802.1x headache with PDQ IT
Enforce device restrictions (e.g., blocking features like camera or file sharing)
For a guide on iOS app restrictions, see: How to block or hide any iOS app
Ensure compliance with data protection regulations (e.g., HIPAA, GDPR)
What do all these acronyms mean? Brush up on your compliance literacy with:
MDM profiles are the go-to for securing corporate data on company-owned and personal devices (BYOD — bring your own device) and managing device access to company networks.
How do MDM profiles work?
MDM profiles are created and deployed via an MDM platform (like SimpleMDM 💅). The MDM talks to every enrolled device over a secure channel and remotely configures it.
Note: MDM profiles can also be created manually through Apple Configurator.
How to deploy an MDM profile
Create profile: Administrators build profiles in the MDM interface.
Deploy profile: The profile is pushed to devices via OTA updates, eliminating manual setup.
Ensure device compliance: The MDM system ensures policies are applied and profiles remain installed.
Manage profiles: Profiles can be updated, edited, or deleted at any time. Admins can also remotely lock or wipe a device if lost or stolen.
For more on lifecycle management of Apple devices, see our guide on how to manage Activation Lock for enterprise environments.
Types of MDM profiles
On a high level, MDM profiles include:
Enrollment profiles
Configuration profiles
Enrollment profiles
The enrollment profile registers the device and initiates the connection between the device and the MDM server, allowing it to receive policies, configurations, and security settings.
To learn more about enrollment, see:
Configuration profiles
Configuration profiles are XML files that distribute configuration information to Apple devices, serving as behavioral blueprints.
Configuration profiles tend to be prebuilt in most MDM solutions, so you don't have to build them yourself!
Standard prebuilt profiles may include:
Wi-Fi settings
VPN settings
Email settings
Security policies
Network restrictions
App installations or restrictions
Software updates
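Because a configuration profile is a property list made of payloads, its settings can be reviewed before it is deployed. The following is an added example, not code from this page or from SimpleMDM: it parses a constructed, unsigned profile with Python's plistlib and flags an open Wi-Fi network, a short passcode minimum, and a profile that does not set PayloadRemovalDisallowed. The sample profile, the `audit_profile` helper, and the six-character baseline are assumptions made for illustration.

```python
import plistlib

# Constructed sample profile (not from the original page): one Wi-Fi payload
# and one passcode-policy payload, in Apple's property-list XML format.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>ExampleGuest</string>
      <key>EncryptionType</key><string>None</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>minLength</key><integer>4</integer>
    </dict>
  </array>
</dict></plist>"""

MIN_PASSCODE_LENGTH = 6  # assumed organisational baseline, not an Apple default


def audit_profile(data: bytes) -> list[str]:
    """Return findings for an unsigned .mobileconfig (signed ones are CMS-wrapped)."""
    profile = plistlib.loads(data)
    findings = []
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile: PayloadRemovalDisallowed is not set")
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<missing>")
        if ptype == "com.apple.wifi.managed":
            if payload.get("EncryptionType", "Any") == "None":
                findings.append(f"{ptype}: open network {payload.get('SSID_STR')!r}")
        elif ptype == "com.apple.mobiledevice.passwordpolicy":
            length = payload.get("minLength", 0)
            if length < MIN_PASSCODE_LENGTH:
                findings.append(f"{ptype}: minLength {length} < {MIN_PASSCODE_LENGTH}")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

A signed profile must have its signature verified and its CMS wrapper removed before the plist can be parsed this way.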
If you're willing to put in the work, you can also create a custom configuration profile outside of the prebuilt options available in your MDM solution through iMazing or Apple Configurator. For next steps in creating a custom configuration profile, see our guides:
Why should I use MDM profiles?
Security and compliance
MDM profiles enforce security policies, like password requirements, FileVault, and remote lock, which are essential for protecting data on devices accessing corporate networks. They also help ensure compliance with industry regulation standards.
Centralized control
MDM profiles allow admins to gain centralized control over all enrolled devices and ensure uniform policies across multiple devices. This makes it easier to manage large mobile fleets, especially if you have a remote workforce.
App management
With MDM profiles, IT can control which apps are available on the device, push software updates, remove outdated or unauthorized apps, and enforce app-related restrictions. This prevents the risk of malware or data leaks from unauthorized apps.
Remote troubleshooting
MDM profiles make it a lot easier for admins to troubleshoot and resolve device issues remotely without physically accessing the device.
MDM profiles FAQs
Can MDM profiles be used on personal devices (BYOD)?
Yes. MDM profiles can be applied to both company-owned and personal devices. This is useful in bring your own device (BYOD) policies, where employees must use personal devices but follow company policies.
Are MDM profiles secure?
Yep! MDM profiles are deployed and managed over secure channels, and they can enforce encryption and other security measures to protect supersecret sensitive information. 😎
Can an MDM profile be removed?
Yes, but removal often requires admin permissions. With supervised devices, the end user typically can’t remove profiles.
Looking to add a little enchantment to your fleet management? Discover the magic of MDM profiles with a flick of the wrist and a pinch of SimpleMDM! 🐇🎩