Creating enrollment profiles

When a device is enrolled through automated device enrollment, an enrollment profile is downloaded to the device. The enrollment profile contains general settings such as whether a device can be shared between two users or if users can delete MDM profiles from the device. The enrollment profile also contains settings that determine details of the initial device setup experience, such as whether users are asked to create an Apple ID, set up biometrics or set up a passcode. It also allows you to disable options such as FileVault, location services and restore from backup.

To configure enrollment profiles, you must use automated device enrollment. For more information, see Automated device enrollment.

Enrollment profiles are specific to a single server token. You can create multiple enrollment profiles for the same server token and select a default. The default enrollment profile is installed on all newly enrolled devices. When you change the default enrollment profile, all new devices receive the new default profile when they enroll. You cannot use the same enrollment profile on more than one server token. However, you can use an enrollment profile from one server token as the starting point for a new profile for the same or different token.

Select the default profile before you begin enrolling devices. Even when only one enrollment profile exists for a server token, it is not automatically selected as the default profile. Enrollment profiles are retrieved by a device when the device is added to the server token. You cannot push out a new or updated enrollment profile to a device that is already enrolled unless you wipe the device. For the steps to select the default enrollment profile, see Select a default enrollment profile.

Before you begin

Before you can add an enrollment profile, you must import a device token from your Apple enrollment system into Maintenance. See Upload server tokens from an Apple enrollment system.

Add an enrollment profile

From the Maintenance menu, click Apple Device Enrollment.
From the list of available tokens, click a token name.
Click Enrollment Profiles and then click Create.
In the Summary section, enter a Name for the new enrollment profile and an optional Description.
(Optional) If you have an existing enrollment profile, you can use that profile as the starting point for a new profile. Select Start from existing profile, and then select an existing profile.
(Optional) In the Organization Information section, enter the Name and other information to help identify your organization.
In the General Settings section, select Disable or Enable for each setting.
In the Setup Assistant section, select the checkbox for each setting you want to configure. Click Show to display the setting to the user during device setup or Skip to hide the setting during setup.
Use the Supported On dropdown list to filter settings by operating system.
(Optional) In the Devices section, from the list of serial numbers of unenrolled devices, select any devices you want to assign to the new profile.
Click Create.

View and edit enrollment profiles

From the Maintenance menu, click Apple Device Enrollment.
From the list of available tokens, click a token name and then click Enrollment Profiles.
Select the checkbox for the enrollment profile you want to edit.
Click Edit , update the profile information or settings, and click Save .

Select a default enrollment profile

The default enrollment profile is configured on each new device that enrolls with Maintenance. When you change the default profile, all new devices receive the new profile when they enroll. Devices that are already enrolled are not affected.

From the Maintenance menu, click Apple Device Enrollment.
From the list of tokens, click a token name and then click Enrollment Profiles.
Select the checkbox for the enrollment profile you want to set as the default and then click Set as Default.

Mac and macOS are trademarks of Apple Inc., and registered in the U.S. and other countries and regions.