Deploying Custom Configuration Profiles to MDM-Enrolled macOS Systems using a JumpCloud Policy

Written by Scott Reed on August 4, 2020

Share This Article

Configuration profiles are the primary vehicle used by an MDM server to deliver and manage policies and restrictions on managed devices. These profiles contain the payloads which put the devices into a desired state as defined by the MDM server. 

Administrators can leverage JumpCloud’s newest macOS policy, the MDM Custom Configuration Profile policy, to distribute MDM configuration profiles to their MDM-enrolled machines. Check out our MDM simulation about configurations for a full walkthrough.

This policy unlocks a number of new device management features for admins to take advantage of, including the ability to push down WiFi settings, certificates, fonts, and more. The macOS profile manager also allows admins to deploy the payloads only available via the MDM channel on macOS systems including Kernel Extension Whitelisting and Privacy Preference Policy Control settings. 

How It Works

MDM configuration profiles have the “.mobileconfig” file extension and are formatted in XML with profile-specific keys that define the configuration settings to apply. 

Admins can deploy multiple configuration profiles that each contain a single payload or send a single profile containing multiple payloads.

Configuration profiles can be scoped to two separate channels on managed macOS devices. These channels are the user channel and the device channel

Profiles delivered to systems via the user channel can only apply to a single MDM managed user, whereas profiles distributed via the device channel apply globally to all users on a device.

The JumpCloud MDM Custom Configuration Profiles installs all profiles in the device channel.

JumpCloud does not deliver any profiles via the user channel because the identity management capabilities of the JumpCloud agent allows for multiple managed macOS user accounts on a single device and the user channel only supports a single managed user account.

To create configuration profiles to upload to the JumpCloud MDM Custom Configuration Profile policy admins can take advantage of free tools with GUIs for building the profiles. Apple Configurator and ProfileCreator are great utilities to leverage to build configuration profiles with a GUI.

Why It Matters

The MDM Custom Configuration Profile policy gives admins a new device management command and control framework that they can use fit to their organizations’ needs. 

Profiles delivered via this policy to systems that are enrolled in JumpCloud MDM through automated device enrollment (DEP) are non-removable from the system, even by end users with administrative permissions.

Many organizations have had to become flexible in delegating administrative permissions to end users who are now working remotely, so this capability gives admins certainty that their devices will stay in compliance with configured settings without having to worry about nefarious activity by end users who may be trying to circumvent management software.

Supporting the delivery of custom mobile configuration profiles opens the door to zero day support for the delivery of new profile payloads that Apple tends to release in both major and minor software updates. 

What’s Next

With Apple’s WWDC2020 in the rearview mirror and the macOS BigSur release on the horizon, the JumpCloud macOS policies architecture is under renovation to route the existing configuration profiles of JumpCloud macOS policies to systems via MDM commands (versus the current method, the JumpCloud Agent). 

BigSur includes updates that restrict the ability to silently deliver configuration profiles to MDM commands only. This work will open the door to the next generation of JumpCloud macOS policies and MDM capabiles. In addition to this revamp, incremental enhancements to the JumpCloud DEP enrollment capabilities are under construction that added up will lead to a true zero-touch end user enrollment by seamlessly integrating the JumpCloud user directory with the macOS out-of-box experience.

Scott Reed

Scott Reed is a Product Manager on the Devices team at JumpCloud. Prior to joining the Product team, he led the Solution Architecture team at JumpCloud. In fact, Scott is the original author of the JumpCloud PowerShell module. Scott’s background is in Corporate IT. Outside of work Scott loves to seek out fresh air and adventure with his wife, two young sons, and their black lab Lucy.

Continue Learning with our Newsletter