This article will help you understand what "mobile profiles" are and why you may want to use them.
On the surface, a mobile profile is simply a profile that has a local username and home directory associated with it. From Apple:
What this means is if for whatever reason, your mac cannot connect to your Active Directory/OpenDirectory/LDAP server, you can still login and do work without any trouble. Now system administrators are also able to "enforce" some policies on these mobile profiles using Mobile Configurations. These are simply configurations that allow/disallow users with mobile profiles from doing things that would violate certain policies when not online (meaning connected to the AD/OD/LDAP server). These policies are generally referred to as "profiles", but for the sake of sanity, we'll refer to them as "configs" or "configurations".
Creating and Modifying
There are many ways to create a mobile profile, we recommend using Apple's "Apple Configurator 2", available in the App Store. This tool provides a nice and intuitive GUI (Graphical User Interface) for creating, managing, and deploying configurations. For this document, we're going to only use it to create/modify configurations. To create a new configuration, launch the Configurator and click on "File" → "New". You should be given a new window with many and many options. The only one that is mandatory is under "General" and it's the "Name" field. Beyond that, everything can be left the way it is, although you'll probably want to configure some options.
To modify an existing configuration, simply open the configurator and click on "File" in the menu bar then "Open" and select the file to open (should have the extension .mobileconfig).
As mentioned above, we're only going to be using the Apple Configurator 2 tool for creation and modification of profiles. This means for these next steps, you'll need a terminal open.
To open a terminal:
- Hold command and hit spacebar (⌘+_), this will open "Spotlight Search"
- Type "terminal"
- Hit enter/return
From here, you'll be using a tool call "profiles" and you'll need "sudo" access (login as an administrative user).
To install a new configuration, you'll need to know the full path to the configuration file. This path might look something like this: /Users/example/Documents/example.mobileprofile
Once you have that path, run one of the following commands in your terminal:
This will install the configuration into the mobile profile of the user and begin enforcing the policy.
You can list the contents of the configuration using the following command in the terminal:
If you're wanting to dump the output to a file in the form of an Apple XML PList, you can run one of the following:
To remove a configuration from a user's profile, use the following commands: