Deploy configuration profiles to multiple computers
This section explains how to deploy mobile configuration profiles to multiple computers by using a group policy setting (Install MobileConfig Profiles).
Note: You can create mobile configuration profiles in a number of ways, for example by using the iPhone Config utility or OS X Server Profile Manager. This document assumes that you have already created a profile that you want to deploy, but does not show you how to do so.
You can deploy either computer or user profiles. For computer profiles, this feature requires OS X 10.7 or higher. For user profiles, this feature requires OS X 10.9 or higher.
The process for deploying a mobile configuration profile is as follows:
- Create the mobile configuration profile.
- Create a subdirectory in SYSVOL on the domain controller and copy the mobile configuration profile file to this directory. SYSVOL is a well-known shared directory on the domain controller that stores server copies of public files that must be shared throughout the domain.
- Enable the “Install MobileConfig Profiles” group policy and specify the name of the file that you copied to
- The mapper script for the group policy runs on each Mac computer controlled by the GPO (when a user logs in or runs adgpupdate), downloads the profiles from the Active Directory server, and installs them in the Profiles system preference.
To create a subdirectory in SYSVOL:
- Log in to the domain controller.
- Change to the
For example, go to this directory:
Create a new folder named
Note: Be certain that the name of the folder is exactly as shown in the step above. The group policy setting allows you to specify the name of the file but the location in which it looks is always SYSVOL\mobileconfig. Likewise, do not create sub-folders; the group policy does not look in sub-folders.
To copy configuration files to SYSVOL on the domain controller:
- In the Finder on the Mac computer, navigate to the folder that contains the profile to copy.
- Select the file, for example, settings_for_all.mobileconfig, and copy it to the desktop. When prompted, enter your administrator password to copy the file.
- On the desktop, change the file permissions for settings_for_all.mobileconfig as follows, so you can copy it to
Select the file and click File > Get Info.
In the dialog box, expand Sharing & Permissions, then click the lock icon and provide administrator credentials for making changes. Set the permissions for everyone to Read only.
Reset the lock and close the open dialog.
On the Mac computer, copy the file from the desktop to SYSVOL on the Windows domain controller. If you are connected to the domain, you should see the domain controller in the Finder. If the domain controller is not visible in the Finder, connect to it:
To configure the “Install MobileConfig Profiles” group policy:
- On the Windows domain controller, open the Group Policy Management Editor and select the GPO that is used to manage Mac computers.
- Navigate to Computer Configuration > Policies > Mac OS X Settings > Custom Settings and double-click Install MobileConfig Profiles to install a machine profile.
To install a user profile, navigate to User Configuration > Policies > Mac OS X Settings > Custom Settings and double-click Install MobileConfig Profiles.
Click Add, then enter the name of the file that you copied to SYSVOL, for example,
Be certain to include the
Click OK to add the
Click OK to enable the policy.
This group policy will copy the settings_for_all.mobileconfig file, and install the profile, on every computer to which the GPO applies and that is joined to the domain. Note that after the profile is installed, it is deleted from the Mac computer.
Run the adgpupdate command on each target Mac computer to trigger an update of group policies and execute the new Install MobileConfig Profiles policy settings.
By default, group policies are updated automatically every 90 minutes, so you can skip this step and wait for the automatic update if you wish.
Note the following about this process:
- If you add a profile file to SYSVOL, but do not specify it in the group policy setting, the profile will not be installed. Likewise, if you specify a file in the group policy that does not exist in SYSVOL, the profile will not be installed.
- If you add new files to the existing list in the group policy, those profiles will be installed — existing profiles will not be touched.
- If you remove a file from the group policy list (after the profile for the file was installed), the profile for that file will be uninstalled from the managed Mac computers.
- If you modify a file, the corresponding profile will be reinstalled.
- If two or more profile files have the same payloadIdentifier attribute, only one of them will be installed.
- If you change the group policy to “Disabled” or “Not Configured”, all existing profiles that were installed previously by the group policy will now be uninstalled from the managed Mac computers.
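The rules in the list above can be checked before the policy is enabled. The following Python code is an added example, not part of the product or of the original page: it compares a local copy of the mobileconfig folder with the file names entered in the group policy and reports files that will not install, sub-folders, and duplicate identifiers. It assumes unsigned profiles that plistlib can parse and that the identifier is stored under the top-level PayloadIdentifier key; the function names and sample file names are hypothetical.

```python
import plistlib
import tempfile
from pathlib import Path

def check_deployment(folder, policy_names):
    """Check a local copy of the mobileconfig folder against the policy's file list."""
    folder, listed, problems = Path(folder), set(policy_names), []
    entries = sorted(folder.iterdir())
    on_disk = {p.name for p in entries if p.is_file()}
    for p in entries:
        if p.is_dir():  # the group policy does not look in sub-folders
            problems.append(f"{p.name}: sub-folder, contents are never installed")
    for name in sorted(listed - on_disk):
        problems.append(f"{name}: listed in policy but not in folder")
    for name in sorted(on_disk - listed):
        problems.append(f"{name}: in folder but not listed in policy")
    owners = {}  # PayloadIdentifier -> first file that uses it
    for name in sorted(on_disk & listed):
        try:
            with open(folder / name, "rb") as fh:
                # Assumption: top-level plist key holding the page's payloadIdentifier
                ident = plistlib.load(fh)["PayloadIdentifier"]
        except Exception:  # signed (CMS-wrapped) or malformed profiles land here
            problems.append(f"{name}: cannot read PayloadIdentifier")
            continue
        if ident in owners:
            problems.append(f"{name}: same PayloadIdentifier as {owners[ident]}")
        else:
            owners[ident] = name
    return problems

def demo():
    """Build a constructed sample folder and run the check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {  # constructed file names and identifiers
            "settings_for_all.mobileconfig": "com.example.all",
            "wifi.mobileconfig": "com.example.all",  # duplicate identifier
            "unlisted.mobileconfig": "com.example.other",
        }
        for name, ident in samples.items():
            with open(root / name, "wb") as fh:
                plistlib.dump({"PayloadIdentifier": ident}, fh)
        (root / "old").mkdir()
        policy = ["settings_for_all.mobileconfig", "wifi.mobileconfig", "missing.mobileconfig"]
        return check_deployment(root, policy)

if __name__ == "__main__":
    print("\n".join(demo()))
```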
Note: The "Install MobileConfig Profiles" group policy only supports macOS 10.15 and lower.