Apple Configurator 2 provides full end-to-end deployment/management of iOS-based devices on a one-to-one or a one-to-many basis. In addition to upgrading devices to the latest versions of iOS, you can use Apple Configurator 2 to create configuration profiles that contain one or more settings payloads that can be distributed to client devices remotely.

I’ll go through the step-by-step process of configuring two commonly used payloads as examples: one for securing passcodes on iOS devices and the other for configuring Wi-Fi access using WPA2 Enterprise for corporate wireless networks.


  • Apple computer running MacOS 10.11 or later
  • Apple Configurator 2 app (available in the Mac App Store)
  • Method of deploying profiles: web server, MDM, or email/SMS
  • first- or third-party SSL Certificate (optional, though required if signing profiles)
  • Trust Certificates (optional, though required if configuring secured access profiles, such as WPA/WPA2 Enterprise, SCEP, or MIME/S, for example)

With that out of the way, let’s begin configuring our first profile.

SEE: How to update to iOS 10 using Apple Configurator 2

Configuring the passcode restriction profile

1. Launch Apple Configurator 2 from the Applications folder. Click File | New Profile to launch the Untitled.mobileconfig template (Figure A).

Figure A

2. All profiles begin with the General tab, as that is required in order for the profile to meet certain requirements, such as a Name and Unique Identifier. Also included are Descriptions and Consent Messages that will be seen by end users and describes what the profile does for transparency (Figure B).

Figure B

3. Also included in the General tab is the Security section, which is very important in that it controls how the profile is to be handled by end users and if it expires

Regardless of the additional payloads selected, the General payload is required and should always take into account the desired end result of the configuration and how it impacts the device and the end user. In other words, some profiles may be required on certain devices and may need to be enforced across the board; for these profiles, you may wish to prevent unauthorized removal. However, other profiles may be optional and may be set to auto-expire after a set number of hours or days, for example (Figure C).

Figure C

4. Next, we move down to the Passcode tab and click the Configure button to open the payload editing screen (Figure D) (Figure E).

Figure D

Figure E

5. By modifying the payload settings, you can prevent the use of simple values (or the default 4-pin passcode) to something more robust and secure, such as requiring alphanumeric values with a minimum length of 8 characters. Additional settings are available to further strengthen the passcodes required of end users and should be set according to your users’ needs with respect to the data they access as classified by management (Figure F).

Figure F

6. When the settings have been configured, go to File | Save… to name the profile and save the file to a directory (Figure G) (Figure H).

Figure G

Figure H

The .mobileconfig file is the standard used by Apple for remotely configuring and managing profiles used on iOS-based devices, which includes iPods, iPhones, iPads, and late-model Apple TVs. The profile may be deployed OTA via MDM servers, email, or SMS or saved to a public or private directory on a web server where it may be downloaded by users, as needed.

Configuring the enterprise Wi-Fi profile

1. In the second example, we configure a Wi-Fi profile that uses WPA2 Enterprise to connect authorized devices to a company’s wireless network. Authentication is handled via Radius server to allow tighter control over network access. From Apple Configurator 2, go to File | New Profile and enter the necessary identifiers for naming the profile (Figure I).

Figure I

2. Next, go to the Wi-Fi tab to configure the settings as they pertain to your wireless network’s configuration (Figure J) (Figure K).

Figure J

Figure K

3. Under Enterprise Settings, the Trust tab is used to import Trusted Certificates that will provide, among other things, naming and security-related settings to the device so that it can identify the Radius server and configure it to authenticate network access against the server prior to allowing a device on the corporate network. Additionally, the Trusted Server Certificate Names should be entered as required when importing Trust Certificates (Figure L).

Figure L

4. As in step #6 above, go to File | Save… to save the settings to a .mobileconfig file for deployment. Apple Configurator 2 can digitally sign profiles for enhanced security; any signing certificates that have been imported to Apple Configurator 2 will appear in the drop-down list when selecting File | Sign…. This allows the administrator to sign the profile that provides a higher level of security and trust when deploying profiles to devices (Figure M).

Figure M

Note: Signed profiles, while secure, cannot be edited after they have been signed. These profiles will need to be recreated in the event that changes need to be made or the need to be resigned in the future. It is a good practice to make a separate “template-only” version of these files and store them securely until they are needed in the future.

As you can tell, there are multiple payload types supported for use in creating Profiles. From Restrictions, which allow or disallow specified apps or features from being used, to VPN configurations to Mail settings and even directory server account settings–there is a lot to choose from when locking down and securing iOS devices. And its modular framework allows for multiple configuration profiles to be created and used to provide settings and enhanced security when and where it is needed to most (Figure N) (Figure O).

Figure N

Figure O