Citrix Endpoint Management

Import iOS & macOS Profile device policy

You can import device configuration XML files for iOS and macOS devices into Endpoint Management. The file contains device security policies and restrictions that you prepare with the Apple Configurator 2 or Profile Creator. The configuration XML file can contain macros. For more information, see Macros.

Use cases

Import the following configurations created outside of Endpoint Management for macOS devices using Profile Creator:

  • System Policy Control: The policy identifies apps signed by certified Apple developers and lets users download verified apps from the Mac App Store.

    When configuring the policy:

    • Select Enable Gatekeeper to ensure that users run only verified and trusted software.
    • Select Allow Identified Developers to ensure that users install only apps signed by certified Apple developers.
  • Privacy Preferences Policy Control: The policy lets you grant or restrict cross-application access to certain files or features, such as location services, camera, and screen capture.

    Configure the settings you plan to deploy. For more information, see Privacy Preferences Policy Control payload settings.

  • Kernel Extensions Policy: The policy lets users install app extensions that extend the native capabilities of the operating system. Kernel extensions run at the kernel level.

    Configure the settings you plan to deploy. For more information, see Kernel Extension Policy payload settings.

  • Ethernet Settings Policy: The policy lets you manage the Ethernet network connection.

    Configure the settings you plan to deploy. For more information, see Ethernet settings.

Use either the Apple Configurator 2 or Profile Creator to configure the following policies for macOS and iOS devices:

  • Wi-Fi Policy: The policy lets you manage how users connect their devices to a Wi-Fi network.

    When configuring the policy:

    • Add the target SSID to the top of the priority list.
    • Choose the connection mode to use when the user joins a network. If you select System, the device uses the system credentials to authenticate the user. If you select Login window, the device uses the same credentials entered at the login window to authenticate the user.

    For more information, see Wi-Fi settings.

  • Restrictions Policy: The policy allows or restricts the use of certain features on user devices.

    Configure the settings you plan to deploy. For more information, see Restrictions overview.

  • VPN Policy: The policy provides a device-level encrypted connection to private networks.

    Configure the settings you plan to deploy. For more information, see VPN overview.

Create a configuration profile using the Apple Configurator 2

  1. Install the Apple Configurator 2 from the Apple App Store.
  2. Start the Apple Configurator 2 and go to File > New Profile. A new configuration window appears.
  3. In the General settings pane, type a name and an identifier for your profile, then add any additional payload options.
  4. On the left pane, select a payload, click Configure, and enter the settings. Don’t sign your profile, as signed profiles are not supported.

    To add multiple payloads within a single profile, select a payload and click the Add Payload button in the upper-right corner.

  5. Go to File > Save, choose a name and location to save the XML file, and click Save.

Create a configuration profile using Profile Creator

  1. Install the Profile Creator from GitHub.
  2. Start the Profile Creator and go to File > New. A new configuration window appears.
  3. In the General settings pane, type a name and description for your profile, then add any additional payload options.
    • Recommendation: Select Prevent users from removing this profile.
    • Set Payload Scope to System or User.
  4. On the left pane, choose the policy, configure the settings, and click Add in the upper-right corner.

    To configure multiple policies within a single profile, select a policy and click the Add button.

  5. Go to File > Export, choose a name and location to save the XML file, and click Save.

To import a configuration file for the iOS and macOS Profile device policy in the Endpoint Management console, go to Configure > Device Policies. For more information, see Device policies.
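
A pre-import check for the saved or exported file, added here as an example (not Citrix or Apple code): it confirms the file is an unsigned XML property list, checks the removal setting recommended above, and reports the Gatekeeper settings of any System Policy Control payload. The sample profile is constructed, the function name check_profile is hypothetical, and the mapping of Enable Gatekeeper and Allow Identified Developers to the EnableAssessment and AllowIdentifiedDevelopers payload keys is an assumption.

```python
import plistlib

# Constructed sample (not from the page): an unsigned XML profile with one
# System Policy Control payload that leaves "Allow Identified Developers" off.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.gatekeeper</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.systempolicy.control</string>
    <key>EnableAssessment</key><true/>
    <key>AllowIdentifiedDevelopers</key><false/>
  </dict></array>
</dict></plist>"""


def check_profile(data):
    """Return a list of findings; an empty list means every check passed."""
    # A signed profile is a DER-encoded CMS envelope, so it starts with the
    # ASN.1 SEQUENCE tag 0x30 instead of XML text. Signed profiles are not
    # supported for import, so stop here.
    if data[:1] == b"\x30":
        return ["profile looks signed (DER/CMS); save it unsigned"]
    try:
        profile = plistlib.loads(data, fmt=plistlib.FMT_XML)
    except Exception as exc:  # expat and plistlib raise different types
        return ["not a valid XML property list: %s" % exc]
    if not isinstance(profile, dict):
        return ["top-level plist object is not a dictionary"]

    findings = []
    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType is not 'Configuration'")
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("users can remove this profile")
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        if payload.get("PayloadType") != "com.apple.systempolicy.control":
            continue
        # Assumed mapping of the two checkboxes to Apple payload keys.
        if not payload.get("EnableAssessment", False):
            findings.append("Gatekeeper is not enabled")
        if not payload.get("AllowIdentifiedDevelopers", False):
            findings.append("identified developers are not allowed")
    return findings
```

To check a real file, pass its bytes to the function, for example check_profile(open(path, "rb").read()).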

iOS and macOS settings

Device Policies configuration screen

  • iOS configuration profile or macOS configuration profile: To select the configuration file to import, click Browse and then navigate to the file location.
