Deploy configuration profiles to multiple computers

This section explains how to deploy mobile configuration profiles to multiple computers by using a group policy setting (Install mobileconfig Profiles).

Note:   You can create mobile configuration profiles in a number of ways, for example by using the iPhone Config utility or OS X Server Profile Manager. This document assumes that you have already created a profile that you want to deploy, but does not show you how to do so.

You can deploy either computer or user profiles. For computer profiles, this feature requires OS X 10.7 or higher. For user profiles, this feature requires OS X 10.9 and higher.

The process for deploying a mobile configuration profile is as follows:

  1. Create the mobile configuration profile.
  2. Create a subdirectory in SYSVOL on the domain controller and copy the mobile configuration profile file to this directory. SYSVOL is a well-known shared directory on the domain controller that stores server copies of public files that must be shared throughout the domain.
  3. Enable the “Install mobileconfig Profiles” group policy and specify the name of the file that you copied to SYSVOL.
  4. The mapper script for the group policy runs on each Mac computer controlled by the GPO (when a user logs in or runs adupdate), downloads the profiles from the Active Directory server, and installs them in the Profiles system preference.

To create a subdirectory in SYSVOL:

  1. Log in to the domain controller.
  2. Change to the SYSVOL directory.

    For example, go to this directory:

    C:\Windows\SYSVOL\domain
  3. Create a new folder named mobileconfig.

    Note:   Be certain that the name of the folder is exactly as shown in the step above. The group policy setting allows you to specify the name of the file but the location in which it looks is always SYSVOL\mobileconfig. Likewise, do not create sub-folders — the group policy does not look in sub-folders.

To copy configuration files to SYSVOL on the domain controller:

  1. In the Finder on the Mac computer navigate to the folder that contains the profile to copy.
  2. Select the file, for example, settings_for_all.mobileconfig and copy it to the desktop. When prompted, enter your administrator password to copy the file.
  3. On the desktop, change the file permissions for settings_for_all.mobileconfig as follows, so you can copy it to SYSVOL:
    1. Select the file and click File > Get Info.

    2. In the dialog box, expand Sharing & Permissions, then click the lock icon and provide administrator credentials for making changes. Set the permissions for everyone to Read only.

    3. Reset the lock and close the open dialog.

  4. On the Mac computer, copy the file from the desktop to SYSVOL on the Windows domain controller. If you are connected to the domain, you should see the domain controller in the Finder. If the domain controller is not visible in the Finder, connect to it:

    1. Click Go > Connect to Server and select the domain controller.

    2. When prompted select SYSVOL; for example:

    3. Navigate to the mobileconfig directory you created, for example by clicking acme.com then mobileconfig.

    4. Drag the settings_for_all.mobileconfig file to mobileconfig.

To configure the “Install MobileConfig Profiles” group policy:

  1. On the Windows domain controller, open the Group Policy Management Editor and select the GPO that is used to manage Mac computers.
  2. Navigate to Computer Configuration > Policies > Mac OS X Settings > Custom Settings and double-click Install MobileConfig Profiles to install a machine profile.

    To install a user profile, navigate to User Configuration > Policies > Mac OS X Settings > Custom Settings and double-click Install MobileConfig Profiles.

  3. Select Enabled.

  4. Click Add, then enter the name of the file that you copied to SYSVOL, for example, settings_for_all.mobileconfig.

    Be certain to include the .mobileconfig suffix.

  5. Click OK to add the settings_for_all.mobileconfg file.

  6. Click OK to enable the policy.

    This group policy will copy the settings_for_all.mobileconfg file, and install the profile, on every computer to which the GPO applies and that is joined to the domain. Note that after the profile is installed, it is deleted from the Mac computer.

  7. Run the adgpupdate command on each target Mac computer to trigger an update of group policies and execute the new Install MobileConfig Profiles policy settings.

    By default, group policies are updated automatically every 90 minutes, so you can skip this step and wait for the automatic update if you wish.

Note the following about this process:

  • If you add a profile file to SYSVOL, but do not specify it in the group policy setting, the profile will not be installed. Likewise, if you specify a file in the group policy that does not exist in SYSVOL, the profile will not be installed.
  • If you add new files to the existing list in the group policy, those profiles will be installed — existing profiles will not be touched.
  • If you remove a file from the group policy list (after the profile for the file was installed), the profile for that file will be uninstalled from the managed Mac computers.
  • If you modify a file, the corresponding profile will be reinstalled.
  • If two or more profile files have the same payloadIdentifier attribute, only one of them will be installed.
  • If you change the group policy to “Disabled” or “Not Configured”, all existing profiles that were installed previously by the group policy will now be uninstalled from the managed Mac computers.

Note:   The "Install MobileConfig Profiles" group policy only supports macOS 10.15 and lower.