Configuration profiles are XML files made up of payloads that load settings and authorization information onto iOS or OS X devices.
Configuration profiles contain client security policies and restrictions, VPN configuration information, network settings, mail and calendar accounts, authentication credentials that permit a Mac to work with your organization’s systems, and several other types of settings.
A configuration profile contains one or more payloads. A payload is a collection of settings, such as VPN specifications. Some payloads are for use only with iOS devices, some are only for OS X, and some are for both.
You create configuration profiles for users and devices, or groups of users and devices. Profile Manager tailors the profile’s payloads depending on which you choose, and the settings apply at that level. For example, settings that apply only to users aren’t available when you’re creating a device configuration profile.
Although you can create a single configuration profile that contains all payloads for your organization, consider creating separate profiles that are defined by settings that rarely change, and settings that may change often. Examples of settings that rarely change are: network, security and privacy, LDAP, mail, calendar, and software update. Examples of settings that may change often include: VPN, certificates, web clips, login items, Dock, and printer.
You may also want to create separate profiles for specific devices or a group of users. For information, see Payload best practices.
You can distribute configuration profiles as a mail attachment, through a link on your own webpage, or with Profile Manager’s built-in user portal. When users open the mail attachment or download the profile using a web browser, they’re prompted to begin profile installation. You can also use Profile Manager as a mobile device management server, which lets you send new and updated profiles to users after they enroll their device.
Except for passwords, users generally can’t change settings that are defined in a configuration profile. Accounts configured by a profile can only be removed by deleting the profile. Doing so may prevent the device from being used in your organization until the profile is reinstalled. For example, removing a profile may prevent the user from accessing the network, receiving mail, and creating events using their Calendar app. On iOS devices, you can mark a profile as being locked to the device, so when it’s installed it can be removed only by wiping the device of all data (or by entering a passcode).