Computer Configuration Profiles
- Use up/down arrow keys to navigate, Esc to collapse.
- Last UpdatedJul 31, 2025
- 9 minute read
Configuration profiles are XML files (.mobileconfig) that provide an easy way to define settings and restrictions for devices, computers, and users.
You can use Jamf Pro to create a configuration profile or you can upload a configuration profile that was created using third-party software.
When you create a computer configuration profile, you must specify the level at which to apply the profile—computer-level or user-level. Each level has a unique set of payloads and a few that are common to both. User-level profiles may not apply until the MDM-enabled user logs out of the computer and logs back in, or when the computer is restarted.
There are two different ways to distribute a configuration profile: install it automatically (requires no interaction from the user) or make it available in Self Service.
You can use payload variables to populate configuration profile settings with computer, mobile device, or user attribute values stored in Jamf Pro. This allows you to deploy settings specific to each device or user. For example, you can display the unique serial number on the Lock Screen for an iPad.
$VARIABLE is replaced with the value of the corresponding attribute in Jamf Pro.Payload variables are case-sensitive.
Variable | Inventory Information |
|---|---|
| Device management ID assigned by Jamf Pro |
$COMPUTERNAME | Computer Name |
$SITENAME | Site Name |
| Site ID |
| UDID |
| Serial Number |
| Username associated with the computer in Jamf Pro (computer-level profiles only) Username of the user logging in to the computer (user-level profiles only) |
| Full Name |
| Email Address |
| Phone Number |
| Position |
$DEPARTMENTNAME | Department Name |
$DEPARTMENTID | Department ID |
| Building Name |
| Building ID |
| Room |
| MAC Address |
| Jamf Pro ID |
| Jamf Pro ID of the Configuration Profile |
| Extension Attribute ID Number Note: The ID number is found in the extension attribute URL. In the example URL below, "id=2" indicates the extension attribute ID number: For more information, see Computer Extension Attributes. |
To install a configuration profile on a computer, you need:
A push certificate in Jamf Pro. For more information, see Push Certificates.
The Enable certificate-based authentication and Enable push notifications settings configured in Jamf Pro. For more information, see Security Settings.
(User-level profiles only) Computers that are bound to a directory service or local user accounts that have been MDM-enabled. For information, see Directory Bindings and MDM-Enabled Local User Accounts.
In the summary view, only the included or configured settings are displayed in the Jamf Pro interface.
Some enforced settings that do not change default values will not be visible on the computer. For more information on the default settings, see Profile-Specific Payload Keys from the Apple Developer website.
If you distribute a configuration profile to a computer and also deploy a blueprint with a payload that contains conflicting keys, unexpected behavior may occur. For example, if keys within the Restrictions payload conflict, the most restrictive setting will take precedence. For more information, see Blueprint Builder in the Jamf Pro Blueprints Configuration Guide.
Before creating a configuration profile, you should have basic knowledge of configuration profile payloads and settings. For more information, see Plan your configuration profiles for Apple devices in Apple Platform Deployment.
Some configuration profile payloads and settings available in Jamf Pro may differ from their implementation in Apple's tools.
The profile is distributed to the deployment targets in the scope the next time they contact Jamf Pro.
You can upload a complete configuration profile (.mobileconfig) directly to Jamf Pro.
If the <UUID> (universally unique identifier) field of a configuration profile matches an existing configuration profile in Jamf Pro, the profile cannot be uploaded.
Some payloads and settings configured with third-party software are not displayed in Jamf Pro. Although you cannot view or edit these payloads, they are still applied to the deployment targets.
If Jamf Pro encounters an unknown key in certain payloads, an alert displays in the Jamf Pro user interface. The alert does not necessarily indicate an invalid profile, but signals that further review is needed. The approach to resolve unknown keys depends on whether the profile is signed or unsigned; however Jamf recommends downloading the profile before making modifications.
| Type of Profile | Considerations |
|---|---|
| Signed | Signed configuration profiles are not modified during the import or deployment processes. If the After uploading a signed configuration profile, Jamf Pro will alert administrators that the profile is read-only and cannot be edited unless the signature is removed. If you click Remove Signature, Jamf Pro will attempt to import the contents of the profile and allow administrators to edit it. If the configuration profile contains unknown keys, you can download the profile and verify the contents or fix any errors (e.g., incorrect formatting, invalid keys, etc.). Then, sign the profile and upload it again. Note: Signed configuration profiles cannot use configuration profile variables available in Jamf Pro. You can create a signing certificate using Jamf Pro's built-in certificate authority (CA). This enables you to sign profiles using Jamf Pro. Configuration profiles can be signed using the certificate of your choice, but creating a signing certificate generated by the Jamf Pro CA provides the following benefits:
For step-by-step instructions, see the Creating a Signing Certificate Using Jamf Pro's Built-in CA to Use for Signing Configuration Profiles and Packages article. |
| Unsigned | Jamf Pro attempts to import all of the file's values to associate with known settings within the Jamf Pro console and allow further editing. If the Note: Unsigned profiles with payload types and key-value pairs known to Jamf Pro should deploy as intended. |
- In Jamf Pro, click Computers in the sidebar.
- Click Configuration Profiles in the sidebar.
- Click Upload and upload the configuration profile (.mobileconfig).
- Use the General payload to change or configure basic settings for the profile, including a distribution method.
- Click the Scope tab and specify the computers and users to which the profile should be applied.
- (Optional) If you chose to distribute the profile in Self Service, click the Self Service tab to configure Self Service settings for the profile.
- Click Save .
You can also use the Application & Custom Settings payload to customize a configuration profile. For more information, see the Deploying Custom Computer Configuration Profiles Using the Application & Custom Settings Payload article.
The configuration profile is queued for distribution to the targets in scope based on the selected redistribution option.
If you want to view the contents of a configuration profile for troubleshooting purposes, you can download the profile (.mobileconfig) from Jamf Pro.
- In Jamf Pro, click Computers or Devices in the sidebar.
- Click Configuration Profiles in the sidebar.
- Click the configuration profile you want to download.
- Click Download .
The profile downloads immediately.
For each configuration profile, you can view the number of the deployment targets with a status of Complete, Remaining, or Failed for the profile installation.
Depending on your system configuration, status data may not be available for profiles installed using Jamf Pro 9.63 or earlier.
If a profile fails to install on a compatible computer, Jamf Pro will automatically retry the deployment every six hours. To manually force the attempt, use the “Send blank push” management command. To access this feature, navigate to the Management tab in the inventory of a computer and click Management Commands.
If a profile fails to install on an incompatible computer (e.g., when the profile includes settings that require User Approved MDM), the computer must first meet the profile requirements for the retry attempt to happen.
Adding a computer configuration profile to the Jamf Pro Dashboard helps you monitor its status and progress. For example, you can determine which computers have received restrictions or settings, which computers are pending receiving the configuration profile, and if any profiles have failed to deploy and require troubleshooting.
If you have configured a restriction or system setting configuration profile, you can track its deployment progress by adding it to the Jamf Pro Dashboard. This would allow you to view all Completed, Pending, and Failed statuses for the configuration profile.
- In Jamf Pro, click Computers at the top of the sidebar.
- Click Configuration Profiles in the sidebar.
- Click the computer configuration profile you want to add to the Jamf Pro Dashboard.
- Select the Show in Jamf Pro Dashboard checkbox.
- Click Dashboard in the sidebar.
- Navigate to the macOS Configuration Profile Distribution Statuses area of the Jamf Pro Dashboard and find the widget for the computer configuration profile you added.
- Click any item in the widget to view the details.