Best practise with deploying custom config files

expand collapsive

Hey guys, could you give an idea on what exctly is the use and the best way to create and distribute config profiles to macs?

All Replies

  • Hello @ann-christin, thank you for reaching out to us!

    Hexnode UEM provides many policies that can be specified and associated with your devices. However, with Custom Configuration profiles, you can configure specific settings, enforce restrictions and set up preferences for managed Apple devices even outside the scope of what we currently support.

    To create and customize configuration profiles, you can use tools like Apple Configurator, Profile Manager or manually create them using text editors. Use non-encrypted .mobileconfig, .xml, or plist files to deploy profiles across iOS/iPadOS, macOS and tvOS devices. You can view the deployed configuration profiles at the Profiles section in Device Settings.

    While creating profiles, you can use dynamic variables (Wildcards supported by hexnode) for commonly used device and user fields instead of entering them manually. Dynamic variables automatically fetch the requisite information from the enrollment details when the configuration profile is sent to devices or assigned to a user.

    Use Apple’s Configuration profile documentation to see what payloads you may include in a configuration profile. You can also check out the profile reference documentation maintained by the MacAdmins community for reference and generic profile templates.

    Once you’ve created the profiles, log in to the Hexnode portal and follow the below steps to distribute them to the devices.

    1. Start by going to Policies and navigating to Deploy Custom Configuration under Configurations within the macOS tab.
    2. Now select Configure and Choose File to select a configuration profile from your device by clicking Upload. If the file has already been added to the Hexnode console, you can select it directly.
    3. Click OK.
    4. Finally, navigate to Policy Targets and associate devices/device groups/users/user groups/domains to the policy and click OK.
    5. Save the policy.

    Check out deploying custom configuration profiles to macOS devices for further information.

    Hope this answer suits your requirements.

    Emma Jones
    Hexnode UEM

  • Hi @ann-christin, Glad to hear we could help out!

    To configure a Wi-Fi profile using Apple Configurator, please follow along:

    1. Log in to your Mac and launch Apple Configurator 2.
    2. Click on File > New Profile to open a blank configuration profile.
    3. The first window you see is the General settings pane. Provide the profile name and fill in the Identifier field. You can also set security permissions to allow/deny profile removal.
    4. Since you need to configure a Wi-Fi profile, navigate to Wi-Fi from the payload list on the left and click Configure.
    5. Now, you need to configure details such as SSID, Security type, password, and various other settings.
    6. Once completed, you can sign the profile by selecting File > Sign profile. Choose the certificate from the drop-down and click OK. Please keep in mind that signing profiles lets devices know that the profile is safe to be installed.
    7. If you don’t want to sign the profile, you can directly choose File > Save and name the file, select the location to save it and click Save.

    Hope this answers your query.

    Emma Jones
    Hexnode UEM

  • Participant



    Used config profile to set a passwrd policy. But when I checked the action history it showed 2 statuses as failed. Showing msg “Failed to apply action to the device. The profile “Password policy” may require a passcode change but the passcode cannot be modified.”

    also error “Profile installation failed. The profile “Password policy Config profile” may require a passcode change but the passcode cannot be modified.”

    You guys got any idea why this might be happening?

  • Hello @mikaela, thanks for reaching out!

    You have encountered this error due to a conflict between the password policy set using Hexnode and the one configured using a custom configuration profile. In such cases, the action returns the ‘Failed’ status. Please ensure that you apply the required password policy using only one method to avoid such cases.

    Quick tip: By default, if the restrictions you’ve configured using Hexnode and configuration profiles conflict with each other, the most restrictive action will be implemented.

    As a best practice, use custom configuration profiles to deploy only the payloads not available in Hexnode. Furthermore, it is advised that you apply the custom configurations on a single device and verify how it works before applying them to your production environment.

    Hope this answer helps you.

    Emma Jones
    Hexnode UEM

  • Participant



    need to configure many settings via payloads in my devices. Before i do that just wanted a second opinion is it better to put all the payloads within a single profile or is it better to have only one payload per profile?
    All suggestions/ideas are welcome.

  • Participant



    Hi @mikaela personally I find putting all the payloads within a single profile saves so much time… I mostly use config profiles for applying certain device restrictions and since I don’t have to change that very often doing it all in one go is the best way to go about it.

  • Participant



    Hey @mikaela I think it is better that you create separate profiles for diff payloads. I used to do it all in one profile like @thomas-fred mentioned but after a few months it was kinda hectic and confusing when I had to change or remove some vpn and certificates payloads. So I’d say go with one payload per profile. Definitely makes your work easier in the long run!

  • Hello folks, thank you all for being such an active part of our community!

    To answer your query @mikaela, even though it is possible to create a single configuration profile with all your necessary payloads, it is recommended that you create distinct profiles based on functionality. This way, you can rest assured that modifications made to one configuration profile do not affect another inadvertently.

    Nevertheless, if your settings rarely change, you can add them all within a single configuration profile at your convenience.

    A quick tip: Device restrictions, Wi-Fi, mail, calendar, LDAP, security and privacy are settings that might not be prone to frequent changes. On the other hand, settings that may change often include Home Screen settings, VPN, certificates and Web Clips.

    Try it out, and keep me posted on any updates.

    Emma Jones
    Hexnode UEM

  • Hey @ann-christin, great to see you again!

    The answer to your query is, unfortunately, no. When a custom configuration profile, including macOS payloads, is applied to a device that runs on a different platform, such as iOS or tvOS, the status on the Action History page of the Hexnode portal will show Success. However, only macOS devices will have the policy applied to them.

    Looking forward to hearing from you again.

    Emma Jones
    Hexnode UEM