What is Profile and Device Management for iOS?

David Ruddock

Profile and device management is a feature of iOS devices — including the iPhone and iPad, among others — that allows a company or other organization to control the settings, content, and security on those devices. In practice, an organization deploys a device management profile to a device like an iPad, and that profile defines the various settings, applications, and content that iPad is allowed to access.


What Is a Device Management Profile?

“Device management profile” is the term Apple uses to describe a centrally managed and distributed “blueprint” for an iOS, iPadOS, tvOS, or watchOS device. This “blueprint” can do things like restrict the settings, behavior, and content on an iOS device like an iPhone or iPad. A device management profile is usually implemented by the IT organization in an enterprise computing environment, be that a corporation, educational institution, or government agency.

Device management profiles can restrict the websites, applications, and device settings available to the user of an iPhone or iPad. For example, a profile could disable access to iMessage or the App Store on an iPhone, or force an iPad to only display a single application at all times (single app mode). Device management profiles may even allow an organization to remotely access and control an iPad or iPhone when used in combination with an iOS MDM (Mobile Device Management) solution, a kind of management software layer.

There are effectively two types of iOS device management profiles — those that are enrolled at setup by an organization that owns the device and cannot be removed (“supervised mode” profiles), and those that a user voluntarily enrolls their own device in, and can be removed by that user at any time. Typically, a device management profile that cannot be removed will come with far more restrictive settings, as they’re employed on devices with specifically defined organizational uses. Removable profiles are frequently used for “BYOD” (Bring Your Own Device) scenarios that allow a user to securely access corporate email, intranet resources, or enterprise apps while remaining in compliance with the managing organization’s security policies.

On the iPhone or iPad, you can find out if your device is enrolled with a device management profile by opening the Settings app, tapping on “General,” and then tapping on “VPN & Device Management.” If no profile is listed, your device is not enrolled in device management or MDM. (If you can’t access the settings app on the iPhone or iPad, there’s a strong chance that it is enrolled in device management.)

Why Use a Device Management Profile on the iPhone or iPad?

There are many reasons an organization might want to enroll an iPhone or iPad with a device management profile. Some example use cases:

  • Restrict student iPads to specific apps and websites
  • Monitor location of corporate-owned iPads or iPhones
  • Lock iPad to a point of sale or other kiosk application for use by customers in a public space
  • Require employee iPhones to adhere to specific security policies (screen timeout, password length, VPN, etc.)
  • Restrict conference room Apple TV to specific apps
  • Enable remote location, control, and factory reset of iPad or iPhone using MDM
  • Deploy large numbers of iPhones and iPads for any of the above scenarios

These are just a few examples of the use cases or features you may be able to implement using device management profiles.

Is Device Management Profile the Same as MDM?

No. A device management profile is the mechanism by which an MDM (Mobile Device Management) is enabled on iOS devices like the iPhone and iPad. An MDM is a higher-order software tool that allows you to manage large numbers of iOS devices and device management profiles (referred to as blueprints) as an enterprise or other organization. If you were to imagine your iPhones and iPads as taxis in a taxi fleet, an MDM is the central dispatch station. It tells each car where to go, monitors fleet status, and ensures taxis stay in service. That makes the device management profile the radio in the car — it’s how central dispatch (your MDM) communicates with each taxi (iOS device) in your fleet.

Technically, you don’t need an MDM to distribute a device management profile. This process can be implemented manually using the Apple Configurator tool, though this isn’t very common. Without an MDM, you’ll need physical access to a device to update its device management profile, you’ll have effectively no visibility into a device’s ongoing status, and no control over it in the field. For very small, highly localized deployments of iOS devices, this arrangement could be viable — for example, you own a restaurant with a single location and need two iPads, one for front of house, and the other for point of sale. You’ll always be close to the devices, and it’s unlikely you’ll need to make many changes to them once deployed. Generally speaking, though, device management profiles require the use of an MDM to scale beyond very, very limited device counts.

What Are the Features of Device Management Profiles for iOS?

Device management profiles have a large number of features to configure the behavior, layout, and appearance of an iPhone or iPad. Some common device management profile features include:

  • Lock an iPad or iPhone to a single application (single app or “kiosk” mode), including after reboot
  • Set the wallpaper (background) on an iPad or iPhone
  • Disable apps on an iPad or iPhone (e.g., iTunes, Messages, Camera, Settings, App Store)
  • Restrict access to websites on an iPad or iPhone
  • Enforce security policies on an iPad or iPhone (e.g., require lock screen password, auto lock timeout, automatic erase after failed passcode entries, require VPN)
  • Disable access to volume controls
  • Force screen brightness to maximum
  • Enroll in trust certificates for access to internal systems
  • Force app or system updates to install
  • Remotely erase an iPad or iPhone (with MDM)
  • Remotely locate an iPad or iPhone (with MDM)
  • Remotely view an iPad or iPhone (with MDM)

This is a very limited list. Apple publishes a full list of the features that can be configured on device management profiles with MDM.

What Does It Mean if My iPhone or iPad Has a Device Management Profile?

If your iPad or iPhone has a device management profile, it means that device has some settings or content that can be remotely defined by an organization. If you installed this profile yourself and the option to “Remove Management” appears in the device profile settings, that profile can be deleted from the device if you so choose. However, if you remove a profile, you may no longer be able to access the content or apps that profile was set up to enable (for example, an Exchange email account, or a corporate VPN). If there is no option to remove a device management profile, that means the device is under the management (and likely, ownership) of an organization, and cannot be unenrolled from the device profile without that organization’s explicit approval.

A device management profile does not necessarily mean that the owner of that profile can “spy” on your iPad or iPhone, or that they can view it remotely. However, if you are not the owner of that iPad or iPhone, the presence of such a profile is at least an indicator that remote viewing of and other types of access to that device may be possible. If you installed a device management profile yourself, it’s important to look at the content and restrictions associated with that profile. Never install a device management profile from an organization or source you are not familiar with or do not otherwise have a high degree of trust in.
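One way to look at the content and restrictions of a profile before installing it is to read the .mobileconfig file itself, which is an Apple property list. The sketch below is an added example, not code from this article or from Esper; it assumes an unsigned XML profile (a signed profile has to be unwrapped from its CMS envelope first), and the sample profile and its values are constructed for illustration.

```python
import plistlib

# Payload types worth a closer look before trusting a profile, and why.
SENSITIVE = {
    "com.apple.mdm": "enrolls the device with a remote MDM server",
    "com.apple.security.root": "installs a trusted root certificate",
    "com.apple.vpn.managed": "routes traffic through a configured VPN",
    "com.apple.applicationaccess": "applies restrictions to apps and settings",
    "com.apple.app.lock": "locks the device to a single app",
}

# Constructed sample profile (unsigned XML); every value here is made up.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadOrganization</key><string>Example Corp</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.mdm</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/connect</string></dict>
    <dict><key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowCamera</key><false/><key>allowAppInstallation</key><false/></dict>
    <dict><key>PayloadType</key><string>com.apple.wifi.managed</string></dict>
  </array>
</dict></plist>"""

def review_profile(data: bytes) -> dict:
    """Summarize who issued a profile, whether it is removable, and what it changes."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "unknown")
        if ptype not in SENSITIVE:
            continue
        detail = SENSITIVE[ptype]
        if ptype == "com.apple.mdm":
            detail += f" ({payload.get('ServerURL', 'no ServerURL')})"
        # Restriction keys are booleans named allow*; False means the feature is disabled.
        disabled = sorted(k for k, v in payload.items() if k.startswith("allow") and v is False)
        findings.append((ptype, detail, disabled))
    return {
        "organization": profile.get("PayloadOrganization", "not stated"),
        "removable": not profile.get("PayloadRemovalDisallowed", False),
        "findings": findings,
    }

if __name__ == "__main__":
    print(review_profile(SAMPLE))
```

A profile that combines an MDM payload, a root certificate, or a VPN payload with an organization you do not recognize is the case the advice above is about.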

Can I Remove a Device Management Profile From My iPhone or iPad?

Yes — if the “Remove Management” option appears below the device management profile on your iPhone or iPad’s Settings app. 

If no “Remove Management” option appears, or you cannot access the Settings app on your iPhone or iPad at all, that management profile cannot be removed without the organization’s authorization. This requires removing the iPad or iPhone from supervised mode, which can only be done via the owner organization’s MDM platform or the Apple Configurator tool (and then, only by an authorized user inside the organization). Factory resetting an iPad or iPhone that is in supervised mode, even from the recovery UI, will not disable supervised mode or the association with the owner organization. There are no “workarounds” — this is an enterprise-grade security feature designed to maintain the integrity of corporate and government assets containing sensitive information, and it is highly robust.

Do I Need MDM To Use Device Management Profiles?

Technically, no. You can deploy device management profiles by creating blueprints in the Apple Configurator tool, published by Apple. When you apply a blueprint to a device (or otherwise set a device to supervised mode), a device management profile will be deployed to that device. However, ongoing management, monitoring, and updating of managed iPads and iPhones requires an iOS MDM. Without an MDM, you’ll be unable to make any changes to your managed devices unless you can physically access them, which is a tedious, manual, and labor-intensive process at all but the smallest scale.


David's tech experience runs deep. His tech agnostic approach and general love for technology fueled the 14 years he spent as a technology journalist, where David worked with major brands like Google, Samsung, Qualcomm, NVIDIA, Verizon, and Amazon, reviewed hundreds of products, and broke dozens of exclusive stories. Now he lends that same passion and expertise to Esper's marketing team.
