Deploying Custom Configuration Profiles to MDM-Enrolled macOS Systems using a JumpCloud Policy




Configuration profiles are the primary vehicle used by an MDM server to deliver and manage policies and restrictions on managed devices. These profiles contain the payloads which put the devices into a desired state as defined by the MDM server. 

Administrators can leverage JumpCloud’s newest macOS policy, the MDM Custom Configuration Profile policy, to distribute MDM configuration profiles to their MDM-enrolled machines. 

This policy unlocks a number of new device management features for admins to take advantage of, including the ability to push down WiFi settings, certificates, fonts, and more. It also allows admins to deploy the payloads only available via the MDM channel on macOS systems including Kernel Extension Whitelisting and Privacy Preference Policy Control settings. 

How It Works

MDM configuration profiles have the “.mobileconfig” file extension and are formatted in XML with profile-specific keys that define the configuration settings to apply. 

Admins can deploy multiple configuration profiles that each contain a single payload or send a single profile containing multiple payloads.

Configuration profiles can be scoped to two separate channels on managed macOS devices: the user channel and the device channel.

Profiles delivered to systems via the user channel can only apply to a single MDM managed user, whereas profiles distributed via the device channel apply globally to all users on a device.

The JumpCloud MDM Custom Configuration Profile policy installs all profiles in the device channel.

JumpCloud does not deliver any profiles via the user channel because the identity management capabilities of the JumpCloud agent allow for multiple managed macOS user accounts on a single device, and the user channel only supports a single managed user account.

To create configuration profiles to upload to the JumpCloud MDM Custom Configuration Profile policy, admins can take advantage of free tools with GUIs for building the profiles. Apple Configurator and ProfileCreator are great utilities for this.
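A profile built in one of these tools can be checked before it is uploaded. The following is an added example, not JumpCloud's or Apple's code: it parses an unsigned .mobileconfig, lists its payload types, marks the two MDM-only payloads named above, and reports structural problems. The sample profile, its identifiers, UUIDs and team ID are constructed, and treating a non-System PayloadScope as an error is an assumption based on the device-channel behavior described above.

```python
import plistlib

# Payload types macOS accepts only over MDM (the two the post names).
MDM_ONLY = {
    "com.apple.syspolicy.kernel-extension-policy": "Kernel Extension Whitelisting",
    "com.apple.TCC.configuration-profile-policy": "Privacy Preference Policy Control",
}
REQUIRED = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")

def lint_profile(data: bytes) -> dict:
    """Parse an unsigned .mobileconfig; list its payloads and structural problems."""
    profile = plistlib.loads(data)
    problems = [f"profile missing {k}" for k in REQUIRED if k not in profile]
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType is not 'Configuration'")
    # Assumption: a user-channel scope is a mistake for this policy, because the
    # post says it installs every profile in the device channel.
    if profile.get("PayloadScope", "System") != "System":
        problems.append("PayloadScope is not 'System'")
    payloads = profile.get("PayloadContent") or []
    if not payloads:
        problems.append("profile carries no payloads")
    seen = {profile.get("PayloadUUID")}
    for i, payload in enumerate(payloads):
        problems += [f"payload {i} missing {k}" for k in REQUIRED if k not in payload]
        uuid = payload.get("PayloadUUID")
        if uuid is not None and uuid in seen:
            problems.append(f"payload {i} reuses PayloadUUID {uuid}")
        seen.add(uuid)
    types = [p.get("PayloadType") for p in payloads]
    mdm_only = [MDM_ONLY[t] for t in types if t in MDM_ONLY]
    return {"payload_types": types, "mdm_only": mdm_only, "problems": problems}

def make_payload(ptype, ident, uuid, **settings):
    """Build a dict with the keys every profile and payload must carry."""
    return {"PayloadType": ptype, "PayloadIdentifier": ident,
            "PayloadUUID": uuid, "PayloadVersion": 1, **settings}

# Constructed sample: one profile, two payloads; the second reuses a UUID.
SAMPLE = plistlib.dumps(make_payload(
    "Configuration", "com.example.baseline", "11111111-1111-4111-8111-111111111111",
    PayloadScope="System",
    PayloadContent=[
        make_payload("com.apple.syspolicy.kernel-extension-policy", "com.example.kext",
                     "22222222-2222-4222-8222-222222222222",
                     AllowedTeamIdentifiers=["EXAMPLE123"]),
        make_payload("com.apple.wifi.managed", "com.example.wifi",
                     "22222222-2222-4222-8222-222222222222", SSID_STR="ExampleCorp"),
    ]))

if __name__ == "__main__":
    print(lint_profile(SAMPLE))
```

Signed profiles are wrapped in a CMS envelope and have to be unwrapped before plistlib can read them.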

Why It Matters

The MDM Custom Configuration Profile policy gives admins a new device management command and control framework that they can fit to their organizations’ needs.

Profiles delivered via this policy to systems that are enrolled in JumpCloud MDM through automated device enrollment (DEP) are non-removable from the system, even by end users with administrative permissions.

Many organizations have had to become flexible in delegating administrative permissions to end users who are now working remotely, so this capability gives admins certainty that their devices will stay in compliance with configured settings without having to worry about nefarious activity by end users who may be trying to circumvent management software.

Supporting the delivery of custom mobile configuration profiles opens the door to zero day support for the delivery of new profile payloads that Apple tends to release in both major and minor software updates. 

What’s Next

With Apple’s WWDC 2020 in the rearview mirror and the macOS Big Sur release on the horizon, the JumpCloud macOS policies architecture is under renovation to route the existing configuration profiles of JumpCloud macOS policies to systems via MDM commands (versus the current method, the JumpCloud Agent).

Big Sur includes updates that restrict the ability to silently deliver configuration profiles to MDM commands only. This work will open the door to the next generation of JumpCloud macOS policies and MDM capabilities. In addition to this revamp, incremental enhancements to the JumpCloud DEP enrollment capabilities are under construction that, added up, will lead to true zero-touch end user enrollment by seamlessly integrating the JumpCloud user directory with the macOS out-of-box experience.

