Configuration profiles are the primary vehicle used by an MDM server to deliver and manage policies and restrictions on managed devices. These profiles contain the payloads which put the devices into a desired state as defined by the MDM server.
Administrators can leverage JumpCloud’s newest macOS policy, the MDM Custom Configuration Profile policy, to distribute MDM configuration profiles to their MDM-enrolled machines.
This policy unlocks a number of new device management features for admins to take advantage of, including the ability to push down WiFi settings, certificates, fonts, and more. It also allows admins to deploy the payloads only available via the MDM channel on macOS systems including Kernel Extension Whitelisting and Privacy Preference Policy Control settings.
How It Works
MDM configuration profiles have the “.mobileconfig” file extension and are formatted in XML with profile-specific keys that define the configuration settings to apply.
Admins can deploy multiple configuration profiles that each contain a single payload or send a single profile containing multiple payloads.
Configuration profiles can be scoped to two separate channels on managed macOS devices. These channels are the user channel and the device channel.
Profiles delivered to systems via the user channel can only apply to a single MDM managed user, whereas profiles distributed via the device channel apply globally to all users on a device.
The JumpCloud MDM Custom Configuration Profiles installs all profiles in the device channel.
JumpCloud does not deliver any profiles via the user channel because the identity management capabilities of the JumpCloud agent allows for multiple managed macOS user accounts on a single device and the user channel only supports a single managed user account.
To create configuration profiles to upload to the JumpCloud MDM Custom Configuration Profile policy admins can take advantage of free tools with GUIs for building the profiles. Apple Configurator and ProfileCreator are great utilities to leverage to build configuration profiles with a GUI.
Why It Matters
The MDM Custom Configuration Profile policy gives admins a new device management command and control framework that they can use fit to their organizations’ needs.
Profiles delivered via this policy to systems that are enrolled in JumpCloud MDM through automated device enrollment (DEP) are non-removable from the system, even by end users with administrative permissions.
Many organizations have had to become flexible in delegating administrative permissions to end users who are now working remotely, so this capability gives admins certainty that their devices will stay in compliance with configured settings without having to worry about nefarious activity by end users who may be trying to circumvent management software.
Supporting the delivery of custom mobile configuration profiles opens the door to zero day support for the delivery of new profile payloads that Apple tends to release in both major and minor software updates.
With Apple’s WWDC2020 in the rearview mirror and the macOS BigSur release on the horizon, the JumpCloud macOS policies architecture is under renovation to route the existing configuration profiles of JumpCloud macOS policies to systems via MDM commands (versus the current method, the JumpCloud Agent).
BigSur includes updates that restrict the ability to silently deliver configuration profiles to MDM commands only. This work will open the door to the next generation of JumpCloud macOS policies and MDM capabiles. In addition to this revamp, incremental enhancements to the JumpCloud DEP enrollment capabilities are under construction that added up will lead to a true zero-touch end user enrollment by seamlessly integrating the JumpCloud user directory with the macOS out-of-box experience.