
How to Create and Deploy a Configuration Profile (.mobileconfig) on macOS

Learn how to create, sign, and deploy macOS configuration profiles (.mobileconfig) using Apple Configurator 2, iMazing Profile Editor, or hand-written XML.

7 min read. Updated April 2026


Configuration profiles are the Apple-sanctioned way to configure macOS settings at scale. This guide covers what profiles are, how to create them with GUI tools or by hand, how to sign them, and how to deploy them manually or through an MDM.

What Is a Configuration Profile?

A configuration profile is an XML property list (plist) file with the extension .mobileconfig. Each profile contains a top-level dictionary with metadata (identifier, UUID, organization, description) and an array of payloads — self-contained dictionaries that each configure a specific subsystem.

Common payload types include:

Payload Type                                 | Purpose                                        | MDM Required?
---------------------------------------------|------------------------------------------------|--------------
com.apple.wifi.managed                       | Wi-Fi networks and credentials                 | No
com.apple.vpn.managed                        | VPN configurations                             | No
com.apple.security.pkcs1 / .pkcs12           | Root or client certificates                    | No
com.apple.applicationaccess                  | Restrictions (camera, App Store, iCloud)       | No
com.apple.MCX.FileVault2                     | FileVault enforcement and recovery key escrow  | Yes (device)
com.apple.TCC.configuration-profile-policy   | Privacy Preferences Policy Control (PPPC)      | Yes
com.apple.syspolicy.kernel-extension-policy  | Kernel extension allow-list                    | Yes
com.apple.system-extension-policy            | System extension allow-list                    | Yes
com.apple.notificationsettings               | Per-app notification settings                  | Yes

Profiles are scoped with the PayloadScope key: User profiles apply to a single account, while System (device) profiles apply to the entire Mac and all users.


Creation Method 1: Apple Configurator 2

Apple Configurator 2 is free in the Mac App Store and offers a GUI for building profiles.

  1. Install Apple Configurator 2 from the Mac App Store
  2. Open it and choose File > New Profile
  3. Fill in the General tab — name, identifier (reverse-DNS, e.g. com.example.restrictions), organization, and description
  4. Select a payload category from the left sidebar (for example, Restrictions) and click Configure
  5. Set the payload options you want to enforce
  6. Choose File > Save and give the file a .mobileconfig extension

Apple Configurator is the official tool, but its payload coverage lags behind newer macOS releases.

Creation Method 2: iMazing Profile Editor

iMazing Profile Editor is a free, more flexible alternative that tracks Apple's schema closely and exposes many payloads Apple Configurator omits (PPPC, system extensions, managed login items). Download it from the iMazing website and use the same general workflow — pick payloads, fill in values, save as .mobileconfig. It is the preferred tool for most Mac admins today.

Creation Method 3: Hand-Writing XML

Any .mobileconfig is just a plist, so you can write one by hand or generate it programmatically. Here is a minimal working profile that disables the built-in camera at the device level:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key>        <string>Configuration</string>
  <key>PayloadVersion</key>     <integer>1</integer>
  <key>PayloadScope</key>       <string>System</string>
  <key>PayloadIdentifier</key>  <string>com.example.restrictions</string>
  <key>PayloadUUID</key>        <string>6F2A0E6A-1C1F-4D6D-9B7C-5AE8C6C8F111</string>
  <key>PayloadDisplayName</key> <string>Disable Camera</string>
  <key>PayloadOrganization</key><string>Example Corp</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>       <string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key>    <integer>1</integer>
      <key>PayloadIdentifier</key> <string>com.example.restrictions.camera</string>
      <key>PayloadUUID</key>       <string>8B5C9D10-2F3A-4E1C-AA77-9D3F0D8F2222</string>
      <key>PayloadDisplayName</key><string>Camera Restriction</string>
      <key>allowCamera</key>       <false/>
    </dict>
  </array>
</dict>
</plist>

Each PayloadUUID must be a unique UUID — generate one with uuidgen in Terminal.
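As an added example (not code from the article), here is the same camera-restriction profile generated programmatically with Python's standard plistlib, which also gives the top-level profile and each payload a fresh UUID the way uuidgen would. The identifiers, organization name and output filename are constructed placeholders, and the helper names make_payload, build_profile, parse_profile and disable_camera_profile are this example's own.

```python
import plistlib
import uuid

# Added example, not the article's code: build a device-scoped .mobileconfig
# with plistlib. Identifiers, organization and filename are constructed placeholders.


def make_payload(payload_type, identifier, display_name, settings):
    """Return one payload dictionary carrying the mandatory Payload* keys
    plus the subsystem-specific settings."""
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        # Fresh random UUID per payload, equivalent to running uuidgen.
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    payload.update(settings)
    return payload


def build_profile(identifier, display_name, organization, payloads, scope="System"):
    """Return the XML bytes of a top-level Configuration profile wrapping `payloads`."""
    if scope not in ("System", "User"):
        raise ValueError("PayloadScope must be 'System' or 'User'")
    profile = {
        "PayloadType": "Configuration",   # top level is always exactly 'Configuration'
        "PayloadVersion": 1,
        "PayloadScope": scope,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": organization,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def parse_profile(data):
    """Load profile bytes back into a dictionary (useful for round-trip checks)."""
    return plistlib.loads(data)


def disable_camera_profile():
    """The article's camera example, generated instead of hand-written."""
    camera = make_payload(
        "com.apple.applicationaccess",
        "com.example.restrictions.camera",
        "Camera Restriction",
        {"allowCamera": False},            # serialises as <false/>
    )
    return build_profile("com.example.restrictions", "Disable Camera",
                         "Example Corp", [camera])


if __name__ == "__main__":
    # Write the unsigned source file; sign it afterwards with `security cms -S`.
    with open("disable-camera.mobileconfig", "wb") as fh:
        fh.write(disable_camera_profile())
```

Because plistlib emits the XML declaration and DOCTYPE itself, the output opens with the same header as the hand-written version above, and the resulting file can be linted with plutil -lint or signed exactly as described in the next section.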


Signing the Profile

Unsigned profiles show a yellow "Profile is not signed" warning on install. To sign, you need a code-signing identity already in your login keychain (Developer ID Application or an internal CA certificate):

security cms -S -N "Developer ID Application: Example Corp" -i profile.mobileconfig -o profile-signed.mobileconfig

The -N flag takes the exact common name of the signing certificate. The resulting profile-signed.mobileconfig is a CMS-wrapped version of the original XML. Verify with:

security cms -D -i profile-signed.mobileconfig

which prints the original plist if the signature is valid.
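A CMS-wrapped profile is binary DER rather than XML, so anything that expects plaintext (plutil -lint, a text diff, a linter) will fail on it. The following added Python check, which is not part of the article, tells an unsigned XML profile apart from one produced by security cms -S by reading the outer DER SEQUENCE and the id-signedData content-type OID (1.2.840.113549.1.7.2). It does not verify the signature; that remains the job of security cms -D. The sample byte strings are constructed, and the function names profile_kind and audit are this example's own.

```python
# Added example, not the article's code: classify .mobileconfig files as
# plaintext XML or CMS signedData without calling the `security` tool.
# A CMS-signed profile is DER-encoded ContentInfo: SEQUENCE { OID, [0] ... }.

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # DER body of 1.2.840.113549.1.7.2


def _read_header(buf, pos):
    """Decode one DER tag/length pair; return (tag, length, offset of the value)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: next (first & 0x7f) bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, length, pos


def profile_kind(data):
    """Return 'unsigned-xml', 'cms-signed' or 'unknown' for the file contents."""
    head = data.lstrip()[:64]
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "unsigned-xml"
    try:
        tag, _, pos = _read_header(data, 0)
        if tag != 0x30:                    # outer ContentInfo must be a SEQUENCE
            return "unknown"
        tag, length, pos = _read_header(data, pos)
        if tag == 0x06 and data[pos:pos + length] == SIGNED_DATA_OID:
            return "cms-signed"
    except IndexError:                     # truncated or empty input
        pass
    return "unknown"


def audit(paths):
    """Map each path to its kind, e.g. to confirm every profile in a repo is signed
    before it is uploaded to an MDM."""
    result = {}
    for path in paths:
        with open(path, "rb") as fh:
            result[path] = profile_kind(fh.read())
    return result


# Constructed samples: a minimal XML profile and a hand-built CMS prefix
# (only the outer SEQUENCE and the ContentType OID matter to the check).
UNSIGNED_SAMPLE = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict/></plist>\n'
SIGNED_SAMPLE = b"\x30\x82\x01\x00" + b"\x06\x09" + SIGNED_DATA_OID + b"\xa0" + b"\x00" * 244

if __name__ == "__main__":
    for label, blob in (("unsigned", UNSIGNED_SAMPLE), ("signed", SIGNED_SAMPLE)):
        print(label, "->", profile_kind(blob))
```

The check only inspects the first two DER headers, so it is cheap enough to run over a whole directory of profiles in a pre-commit hook; a result of "unknown" usually means a truncated download or a file that is not a profile at all.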


Deployment Method 1: Manual Install

On macOS 12 Monterey and earlier, double-clicking the .mobileconfig opens System Preferences > Profiles directly and prompts to install.

On macOS 13 Ventura and later, Apple deliberately broke this flow to prevent drive-by installs:

  1. Double-click the .mobileconfig — nothing visible happens
  2. Open System Settings
  3. Go to General > VPN & Device Management
  4. Click Downloaded Profile (must be done within 8 minutes)
  5. Review the payloads and click Install
  6. Authenticate with an admin password

Manual installation only works for payloads that do not require MDM.

Deployment Method 2: MDM Push

For any production fleet, push profiles through an MDM — Jamf Pro, Microsoft Intune, Kandji, Mosyle, SimpleMDM, or Addigy. MDM deployment is the only way to install PPPC, kernel extension, system extension, and FileVault-with-escrow payloads, and it provides inventory, scoping, and revocation.

Most MDMs let you upload a .mobileconfig directly as a custom profile or build the same payloads in their own GUI. Custom uploads are useful when the MDM's native UI lags behind a new macOS feature.


Troubleshooting

Profile won't install

Check that the file is a valid plist with plutil -lint profile.mobileconfig. Confirm every PayloadUUID is unique and that the top-level PayloadType is exactly Configuration.

"Profile is not signed" warning

The profile has no CMS signature. Sign it with security cms -S using a trusted certificate, or accept the warning if this is a test environment.

"Profile could not be installed because of an unexpected error"

Usually a payload conflict — the Mac already has a profile with the same PayloadIdentifier. Remove the existing profile from System Settings > General > Device Management, or bump the identifier.
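As an added pre-flight check that is not part of the article, the Python linter below applies the tests from the two troubleshooting items above to the unsigned source file before you sign or upload it: it parses the plist (the same parse plutil -lint performs), confirms the top-level PayloadType is exactly Configuration, verifies that every PayloadUUID is unique and that each payload carries the mandatory Payload* keys, and optionally compares the top-level PayloadIdentifier against a set of identifiers already present on the Mac. The sample profiles and the installed-identifier set are constructed, and the function name lint_profile is this example's own.

```python
import copy
import plistlib
from collections import Counter
from xml.parsers.expat import ExpatError

# Added example, not the article's code: a local pre-flight check for an
# unsigned .mobileconfig. The sample profiles below are constructed.

REQUIRED_PAYLOAD_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")


def lint_profile(data, installed_identifiers=frozenset()):
    """Return a list of problems found in the profile bytes; an empty list means it passed.
    `installed_identifiers` holds top-level PayloadIdentifiers already on the Mac."""
    problems = []
    try:
        profile = plistlib.loads(data)          # fails the same way plutil -lint would
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return [f"not a valid plist: {exc}"]
    if not isinstance(profile, dict):
        return ["top-level object is not a dictionary"]

    if profile.get("PayloadType") != "Configuration":
        problems.append(f"top-level PayloadType is {profile.get('PayloadType')!r}; "
                        "must be exactly 'Configuration'")
    if profile.get("PayloadScope", "User") not in ("User", "System"):
        problems.append(f"PayloadScope {profile.get('PayloadScope')!r} is not 'User' or 'System'")

    payloads = profile.get("PayloadContent", [])
    if not isinstance(payloads, list):
        problems.append("PayloadContent is not an array")
        payloads = []
    for index, payload in enumerate(payloads):
        if not isinstance(payload, dict):
            problems.append(f"payload {index} is not a dictionary")
            continue
        missing = [k for k in REQUIRED_PAYLOAD_KEYS if k not in payload]
        if missing:
            problems.append(f"payload {index} is missing {', '.join(missing)}")

    # Every UUID in the file, the top-level one included, must be distinct.
    uuids = [profile.get("PayloadUUID")]
    uuids += [p.get("PayloadUUID") for p in payloads if isinstance(p, dict)]
    for value, count in Counter(u for u in uuids if u).items():
        if count > 1:
            problems.append(f"PayloadUUID {value} appears {count} times; each must be unique")

    identifier = profile.get("PayloadIdentifier")
    if identifier in installed_identifiers:
        problems.append(f"PayloadIdentifier {identifier} is already installed; "
                        "remove it or bump the identifier")
    return problems


# Constructed sample mirroring the article's camera-restriction profile.
GOOD_PROFILE = {
    "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": "System",
    "PayloadIdentifier": "com.example.restrictions",
    "PayloadUUID": "6F2A0E6A-1C1F-4D6D-9B7C-5AE8C6C8F111",
    "PayloadDisplayName": "Disable Camera", "PayloadOrganization": "Example Corp",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.camera",
        "PayloadUUID": "8B5C9D10-2F3A-4E1C-AA77-9D3F0D8F2222",
        "PayloadDisplayName": "Camera Restriction", "allowCamera": False,
    }],
}
GOOD_BYTES = plistlib.dumps(GOOD_PROFILE)

# Same profile with two typical mistakes: wrong case in PayloadType and a reused UUID.
BAD_PROFILE = copy.deepcopy(GOOD_PROFILE)
BAD_PROFILE["PayloadType"] = "configuration"
BAD_PROFILE["PayloadContent"][0]["PayloadUUID"] = BAD_PROFILE["PayloadUUID"]
BAD_BYTES = plistlib.dumps(BAD_PROFILE)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_BYTES), ("bad", BAD_BYTES)):
        print(name, "->", lint_profile(blob) or "OK")
```

Run it on the unsigned source only; a CMS-wrapped profile is DER, not a plist, and must first be unwrapped with security cms -D. The identifier conflict check needs the list of profiles already installed on the target Mac, which this example takes as a plain set so that it runs offline.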

PPPC or kernel extension payload rejected

These payloads cannot be installed manually. Enroll the Mac in an MDM and push the profile from there.

Signed profile shows "unverified"

The signing certificate chain is not trusted by the Mac. Either use a publicly trusted Developer ID certificate or pre-install the internal CA root as a separate certificate payload.


Frequently Asked Questions


A macOS configuration profile is an XML property list (.mobileconfig), usually signed, that contains one or more payloads describing settings to apply to a Mac. Payloads can configure Wi-Fi, VPN, certificates, restrictions, FileVault, Privacy Preferences Policy Control (PPPC), and dozens of other subsystems. Profiles can be scoped to a specific user or to the entire device and are the Apple-sanctioned mechanism for managing Mac settings at scale.

Signing is not strictly required, but unsigned profiles display a "Profile is not signed" warning when installed, which can alarm end users and trigger help-desk tickets. Signing with a code-signing certificate (Developer ID or internal CA) using security cms -S produces a trusted profile that shows the signer's name in System Settings. Signed profiles are strongly recommended for any production deployment.

User profiles apply settings to a specific macOS user account — useful for per-user Wi-Fi credentials, email accounts, or user-level restrictions. Device profiles apply at the system level and affect every user on the Mac — required for things like FileVault, kernel extensions, and system-wide privacy controls. The PayloadScope key in the top-level dictionary (User or System) controls this.

Payloads that grant broad system privileges — Privacy Preferences Policy Control (PPPC), kernel extension allow-lists, system extension allow-lists, and certain notification settings — can only be installed through an MDM. Apple blocks manual installation of these payloads because they would otherwise let any user bypass TCC (Transparency, Consent, and Control) protections. You must enroll the Mac in Jamf, Intune, Kandji, Mosyle, or another MDM to push these payloads.

On macOS 13 and later, double-clicking a .mobileconfig file does not immediately open the installer. Instead, the profile is queued and you must open System Settings > General > VPN & Device Management > Downloaded Profile within 8 minutes to review and install it. On macOS 12 and earlier, the installer opens directly in System Preferences. This change was introduced to prevent drive-by profile installations.

No. Modifying a signed profile invalidates the signature. You must edit the unsigned source .mobileconfig, regenerate a new PayloadUUID and PayloadIdentifier if the payload semantics changed, and re-sign the file with security cms -S. Always keep the unsigned source under version control so you can iterate without losing history.
