Intro to mobile device management payloads
Payloads can be used on various operating systems, and with users and devices (in some cases, they work only on devices that are supervised).
Payloads
A payload can be configured to manage specific settings on Apple devices. For example, you can have different payloads require a complex passcode, populate an Exchange account with all the Exchange Server information, and add a VPN configuration to a device. Even though each payload has its own unique settings, all payloads are defined by the following:
The operating system or systems that the payload supports
The channel that does the payload work
Whether the payload requires the Apple device to be supervised
Whether the payload can have duplicates
After payloads are configured, they’re saved in a configuration profile.
For more information, see the complete MDM payload list.
Note: Not all payloads and their respective settings are available in all MDM solutions. To learn which MDM payloads are available for your devices, consult your MDM vendor’s documentation.
Payload rules
There are specific rules when applying payloads.
If the top-level PayloadIdentifier in the profile matches that of an already installed profile, then the profile being installed is considered an “update” to the existing profile. If the top-level PayloadIdentifier is different and the payload type supports it, then the incoming profile is considered different and the installation results in two profiles being installed.
Identifiers must be unique for each payload in a profile. Devices with iOS 15, iPadOS 15, macOS 12.0.1, visionOS 1.1, or later, enforce this requirement.
There are key differences in operating systems when duplicate payloads occur.
For a Mac, any payload within the profile is matched up using its PayloadUUID. If two payloads share the same PayloadUUID, then the payload in the incoming profile is considered an “update” to the existing payload. If the installed profile has a payload with a PayloadUUID that doesn’t match an incoming payload, that payload is removed.
iPhone, iPad, and Apple Vision Pro devices use the PayloadIdentifier value instead of the PayloadUUID value to match up corresponding payloads correctly.
To minimize disruption, always preserve the PayloadUUID value when pushing out an update to an existing payload.
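As an added illustration of these matching rules (not Apple's code and not part of the original page), the following Python example parses two constructed profiles and reports which payloads each platform would treat as updated or removed. The function names, sample identifiers, and UUID strings are assumptions, as is listing unmatched incoming payloads as "added" and applying the same removal rule on iPhone, iPad, and Apple Vision Pro.

```python
import plistlib
from collections import Counter

def make_profile(top_id, payloads):
    """Build and re-parse a minimal configuration profile plist (constructed sample)."""
    doc = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": top_id,
        "PayloadContent": [
            {"PayloadType": t, "PayloadIdentifier": i, "PayloadUUID": u}
            for t, i, u in payloads
        ],
    }
    return plistlib.loads(plistlib.dumps(doc))

# Constructed data: identifiers and UUID strings are made up for this example.
INSTALLED = make_profile("com.example.corp", [
    ("com.apple.mobiledevice.passwordpolicy", "com.example.corp.passcode", "UUID-A"),
    ("com.apple.vpn.managed", "com.example.corp.vpn", "UUID-B"),
])
# The update kept the VPN payload's identifier but regenerated its UUID.
INCOMING = make_profile("com.example.corp", [
    ("com.apple.mobiledevice.passwordpolicy", "com.example.corp.passcode", "UUID-A"),
    ("com.apple.vpn.managed", "com.example.corp.vpn", "UUID-C"),
])

def duplicate_identifiers(profile):
    """Return payload identifiers used more than once inside one profile."""
    counts = Counter(p["PayloadIdentifier"] for p in profile["PayloadContent"])
    return sorted(i for i, n in counts.items() if n > 1)

def plan_update(installed, incoming, platform):
    """Predict how an incoming profile is matched against an installed one."""
    if installed["PayloadIdentifier"] != incoming["PayloadIdentifier"]:
        return {"profile": "separate", "updated": [], "removed": [], "added": []}
    # Mac matches on PayloadUUID; iPhone, iPad, Apple Vision Pro on PayloadIdentifier.
    key = "PayloadUUID" if platform == "macOS" else "PayloadIdentifier"
    old = {p[key] for p in installed["PayloadContent"]}
    new = {p[key] for p in incoming["PayloadContent"]}
    return {"profile": "update", "updated": sorted(old & new),
            "removed": sorted(old - new), "added": sorted(new - old)}

if __name__ == "__main__":
    print("duplicate identifiers:", duplicate_identifiers(INCOMING))
    for platform in ("macOS", "iOS"):
        print(platform, plan_update(INSTALLED, INCOMING, platform))
```

On the Mac, the regenerated VPN UUID shows up as one removal plus one addition rather than an in-place update, which is the disruption that preserving the PayloadUUID avoids.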
The Restrictions payload
You can use the Restrictions payload to help users access certain apps, services, and functions on an Apple device enrolled in an MDM solution. In some cases, you can prevent users from accessing those same apps and services.
For example, you can add a restriction that prevents an iPhone, iPad, or Mac from using the camera to take pictures or videos. And certain restrictions on an iPhone can be mirrored on a paired Apple Watch.
For IT-based information, see Review MDM restrictions. For developer information, see Restrictions on the Apple Developer website.
Note: Not all restrictions are available in all MDM solutions. To learn which MDM restrictions are available for your devices, consult your MDM vendor’s documentation.