You can't harden 1,000 Macs by hand. MDM configuration profiles give you centralized, tamper-resistant enforcement of security settings: Firewall, FileVault, Gatekeeper, TCC pre-approvals, and much more. This lesson teaches you to create profiles with 'Security Configurator' or 'iMazing Profile Editor', deploy them via Jamf or Mosyle, and understand the profile signing and scoping that prevents users from bypassing them.
A configuration profile is an XML plist (typically signed) containing payloads for various domains: com.apple.security.firewall, com.apple.MCX, com.apple.TCC.configuration-profile-policy, etc. Each payload type enforces a specific setting. Profiles can be scoped to users or devices. Device profiles apply system-wide and cannot be removed by the user; user profiles apply per-user and can be removed if allowed. For security settings, always prefer device-level profiles.
```xml
<!-- Sample PPPC payload snippet to allow Zoom access to Camera.
     Only the PayloadContent array is shown; the enclosing Configuration dict
     and this payload's PayloadIdentifier/PayloadUUID/PayloadVersion keys are omitted. -->
<key>PayloadContent</key>
<array>
  <dict>
    <key>PayloadType</key>
    <string>com.apple.TCC.configuration-profile-policy</string>
    <key>Services</key>
    <dict>
      <key>kTCCServiceCamera</key>
      <array>
        <dict>
          <key>Identifier</key>
          <string>us.zoom.xos</string>
          <!-- IdentifierType is required for every PPPC entry: bundleID or path -->
          <key>IdentifierType</key>
          <string>bundleID</string>
          <key>CodeRequirement</key>
          <string>identifier "us.zoom.xos" and anchor apple generic ...</string>
          <key>Allowed</key>
          <true/>
        </dict>
      </array>
    </dict>
  </dict>
</array>
```

This XML, when signed and pushed via MDM, pre-authorizes Zoom for Camera access, eliminating the user prompt.
Apple's free 'Apple Configurator' app (on Mac) or 'Security Configurator' (command line) can generate profiles. The Profile Editor in Configurator provides a GUI for the security and restrictions payloads: disable iCloud services, enforce FileVault, set a firmware password, etc. After creating the profile, export it as a .mobileconfig file, sign it, and upload it to your MDM. Test on a small group before broad deployment.
💡 Use the 'Restrictions' payload to disable 'Allow Erase All Content and Settings' and 'Allow modifying Touch ID/Face ID' to prevent certain local attacks.
| Payload Type | Example Setting | Security Impact |
|---|---|---|
| com.apple.security.firewall | Enable Firewall, block all incoming | Stops unsolicited inbound connections |
| com.apple.MCX | Restrict System Preferences panes | Prevents users from disabling security controls |
| com.apple.TCC.configuration-profile-policy | Pre-approve Full Disk Access (FDA) for the EDR agent | Ensures security tools have the access they need |
| com.apple.SubmitDiagInfo | Disable diagnostic submission | Prevents sensitive data leakage |
Profiles can be signed using a code signing certificate from Apple's Developer Enterprise Program. Signing prevents tampering. Scoping determines which devices/users receive the profile. For security, scope critical profiles to all managed devices and set them to 'non-removable'. Regularly review installed profiles via System Preferences → Profiles or the 'profiles -C -v' command to detect unauthorized profiles (a common adware technique).
⚠️ A malicious profile can install a rogue root certificate and intercept TLS traffic. Only allow MDM-pushed profiles, and disable the user's ability to install profiles via the Restrictions payload.
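As an added example (not the lesson's own or any MDM vendor's code), this Python audit reads a .mobileconfig with `plistlib` and reports what this lesson says to check on an installed profile: device scope, non-removability, certificate payloads that could plant a rogue root CA, and TCC pre-approvals; it also flags Allowed entries for Camera and Microphone, which Apple's PPPC payload reference lists as deny-only services. The sample profile is constructed, with placeholder identifiers, UUIDs, code requirements and a 5-byte stand-in for a certificate.

```python
import plistlib

# Payload types that install a certificate; a rogue root CA arrives this way.
CERT_PAYLOADS = {"com.apple.security.root", "com.apple.security.pem", "com.apple.security.pkcs1"}
# Apple's PPPC payload reference treats Camera and Microphone as deny-only: an
# Allowed entry for them never takes effect, so it is reported as ineffective.
DENY_ONLY = {"Camera", "Microphone"}

def audit_profile(profile_bytes: bytes) -> list[str]:
    """Return findings for one unsigned .mobileconfig (XML or binary plist)."""
    p = plistlib.loads(profile_bytes)
    findings = []
    if p.get("PayloadScope", "User") != "System":
        findings.append("scope: not device-level (PayloadScope != System)")
    if p.get("PayloadRemovalDisallowed") is not True:
        findings.append("removable: PayloadRemovalDisallowed is not true")
    for payload in p.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in CERT_PAYLOADS:
            findings.append(f"cert: {ptype} installs '{payload.get('PayloadDisplayName', '?')}'")
        elif ptype == "com.apple.TCC.configuration-profile-policy":
            for svc, entries in payload.get("Services", {}).items():
                name = svc.removeprefix("kTCCService")
                for e in entries:
                    if not (e.get("Allowed") is True or e.get("Authorization") == "Allow"):
                        continue
                    ident = e.get("Identifier", "?")
                    if name in DENY_ONLY:
                        findings.append(f"tcc: {name} allow for {ident} is ineffective (deny-only)")
                    else:
                        findings.append(f"tcc: pre-approves {name} for {ident}")
    return findings

# Constructed sample: user-scoped, removable, drops a fake 5-byte "root CA" and
# carries two PPPC entries. Identifiers, UUIDs and requirements are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadIdentifier": "com.example.sample",
    "PayloadUUID": "00000000-0000-4000-8000-000000000001", "PayloadVersion": 1,
    "PayloadScope": "User",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "Corp Root CA",
         "PayloadContent": b"\x30\x03\x02\x01\x01"},
        {"PayloadType": "com.apple.TCC.configuration-profile-policy", "Services": {
            "kTCCServiceSystemPolicyAllFiles": [{"Identifier": "com.example.edr",
                "IdentifierType": "bundleID", "CodeRequirement": "placeholder", "Allowed": True}],
            "kTCCServiceCamera": [{"Identifier": "us.zoom.xos", "IdentifierType": "bundleID",
                "CodeRequirement": "placeholder", "Allowed": True}]}},
    ],
})
```

To audit a real profile, pass the file's bytes to `audit_profile`; a signed profile is a CMS envelope and must be unwrapped first (for example with `security cms -D -i signed.mobileconfig`).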