Apple Platform Deployment
- Welcome
- Intro to Apple platform deployment
- What’s new
-
-
- Declarative app configuration
- Authentication credentials and identity asset declaration
- Background task management declarative
- Calendar declarative configuration
- Certificates declarative configuration
- Contacts declarative configuration
- Exchange declarative configuration
- Google Accounts declarative configuration
- LDAP declarative configuration
- Legacy interactive profile declarative configuration
- Legacy profile declarative configuration
- Mail declarative configuration
- Math and Calculator app declarative configuration
- Passcode declarative configuration
- Passkey Attestation declarative configuration
- Safari extensions management declarative configuration
- Screen Sharing declarative configuration
- Service configuration files declarative configuration
- Software Update declarative configuration
- Software Update settings declarative configuration
- Storage management declarative configuration
- Subscribed Calendars declarative configuration
-
- Accessibility payload settings
- Active Directory Certificate payload settings
- AirPlay payload settings
- AirPlay Security payload settings
- AirPrint payload settings
- App Lock payload settings
- Associated Domains payload settings
- Automated Certificate Management Environment (ACME) payload settings
- Autonomous Single App Mode payload settings
- Calendar payload settings
- Cellular payload settings
- Cellular Private Network payload settings
- Certificate Preference payload settings
- Certificate Revocation payload settings
- Certificate Transparency payload settings
- Certificates payload settings
- Conference Room Display payload settings
- Contacts payload settings
- Content Caching payload settings
- Directory Service payload settings
- DNS Proxy payload settings
- DNS Settings payload settings
- Dock payload settings
- Domains payload settings
- Energy Saver payload settings
- Exchange ActiveSync (EAS) payload settings
- Exchange Web Services (EWS) payload settings
- Extensible Single Sign-on payload settings
- Extensible Single Sign-on Kerberos payload settings
- Extensions payload settings
- FileVault payload settings
- Finder payload settings
- Firewall payload settings
- Fonts payload settings
- Global HTTP Proxy payload settings
- Google Accounts payload settings
- Home Screen Layout payload settings
- Identification payload settings
- Identity Preference payload settings
- Kernel Extension Policy payload settings
- LDAP payload settings
- Lights Out Management payload settings
- Lock Screen Message payload settings
- Login Window payload settings
- Managed Login Items payload settings
- Mail payload settings
- Network Usage Rules payload settings
- Notifications payload settings
- Parental Controls payload settings
- Passcode payload settings
- Printing payload settings
- Privacy Preferences Policy Control payload settings
- Relay payload settings
- SCEP payload settings
- Security payload settings
- Setup Assistant payload settings
- Single Sign-on payload settings
- Smart Card payload settings
- Subscribed Calendars payload settings
- System Extensions payload settings
- System Migration payload settings
- Time Machine payload settings
- TV Remote payload settings
- Web Clips payload settings
- Web Content Filter payload settings
- Xsan payload settings
-
- Glossary
- Document revision history
- Copyright
Intro to mobile device management payloads
Payloads can be used on various operating systems, and with users and devices (in some cases, they work only on devices that are supervised).
Payloads
A payload can be configured to manage specific settings on Apple devices. For example, you can have different payloads require a complex passcode, populate an Exchange account with all the Exchange Server information, and add a VPN configuration to a device. Even though each payload has its own unique settings, all payloads are defined by the following:
The operating system or systems that the payload supports
The channel that does the payload work
Whether the payload requires the Apple device to be supervised
Whether the payload can have duplicates
After payloads are configured, they’re saved in a configuration profile.
For more information, see the complete MDM payload list.
Note: Not all payloads and their respective settings are available in all MDM solutions. To learn which MDM payloads are available for your devices, consult your MDM vendor’s documentation.
Payload rules
There are specific rules when applying payloads.
If the top-level PayloadIdentifier
in the profile matches that of an already installed profile, then the profile being installed is considered an “update” to the existing profile. If the top-level PayloadIdentifier
is different and the payload type supports it, then the incoming profile is considered different and the installation results in two profiles being installed.
Identifiers must be unique for each payload in a profile. Devices with iOS 15, iPadOS 15, macOS 12.0.1, visionOS 1.1, or later, enforce this requirement.
There are key differences in operating systems when duplicate payloads occur.
For a Mac, any payload within the profile is matched up using their
PayloadUUID
. If two payloads share the samePayloadUUID
, then the payload in the incoming profile is considered an “update” to the existing payload. If the installed profile has a payload with aPayloadUUID
that doesn’t match an incoming payload, that payload is removed.iPhone, iPad, and Apple Vision Pro devices use the
PayloadIdentifier
value instead of thePayloadUUID
value to match up corresponding payloads correctly.
To minimize disruption, always preserve the PayloadUUID
value when pushing out an update to an existing payload.
The Restrictions payload
You can use the Restrictions payload to help users access certain apps, services, and functions on an Apple device enrolled in an MDM solution. In some cases, you can prevent users from accessing those same apps and services.
For example, you can add a restriction that prevents an iPhone, iPad, or Mac from using the camera to take pictures or videos. And certain restrictions on an iPhone can be mirrored on a paired Apple Watch.
For IT-based information, see Review MDM restrictions. For developer information, see Restrictions on the Apple Developer website.
Note: Not all restrictions are available in all MDM solutions. To learn which MDM restrictions are available for your devices, consult your MDM vendor’s documentation.