Profiles are configurations that are sent to our devices in Workspace ONE UEM to configure our devices.

They’re very small in size usually, and contain information that the device Operating System can understand to effect changes.

The important part to note here is that we are typically bound by what the vendor makes available via their APIs as to what we can configure. To put it more simply, the capability to make changes to settings needs to be made available by the vendor – then we can push a profile to configure it.

Seeing our environment is configured to enroll iOS devices, Android Enterprise Devices, and Windows 10 devices I’ll cover some basics of profiles that are relevant to all.

Its pretty straight forward to add a profile. In the Workspace ONE UEM Console you can go to Add -> Profile 

Now we’re given an option as to which OS we want to create a profile for.

Let’s look at the fundamentals of a Profile on the General Tab.

Name: Pretty self explantory, but I like to prefix mine with the OS its for and its payload (what it does) eg. iOS – Passcode Profile – When you have a lot profiles configured it makes it easier to know what to look for.

Version: This increments every time a change is made.

Description: Use it if you need to eg. who created it etc.

Deployment:  Managed means the Console will send it based on some rules, Manual means only an Administrator an send it to a device by manually assigning it to one device at a time.

Assignment Type: Always means assigned by rules, Optional means a user can self assign it using the Self Service Portal and Compliance means it can be used in, and assigned by, a Compliance Policy.

Managed By: Where in your Hierarchy it was created and can be changed.

Smart Groups: OK so this is a VERY powerful part of our platform and I won’t give it justice here. But this is the group of devices that the profile will apply to. You can click in the Search area to create a new Smart Group. You can then get very granular about which devices it will apply to. Its also smart enough to filter out devices that it can’t apply the profile to. Eg. if you select an Active Directory Security Group (of users) for an iOS profile, it won’t try to deploy it to any Android devices those users may have.

Update: It was suggested I do an article on Smart Groups so here it is:

Introduction to Organisation Groups and Smart Groups

Exclusions: You can also use a Smart Group to exclude devices from the profile. Maybe you want this profile to go to every device except Executives. You could then select an Executives Active Directory Security Group (as an example).

Additional Assignment Criteria: Install only on devices in selected areas will use Geofencing rules. This can be GPS locations (accurate up to about 1km) or iBeacons [iOS only] (Bluetooth devices that iOS devices can detect/not detect)

Scheduling allows devices to be installed and removed based on a time profile. Maybe you want to block access to the camera during school hours. Note that this is based on the timezone of your Workspace ONE Console, not the device – the device also needs to have internet access to have it installed and removed.

Removal Date: This schedule can be set to expire a profile and remove it after a date and time.

You can now create a profile to push any settings you want down to a device.

The last thing I’ll add from experience is don’t add every configuration into a single profile. Each time you need to make a change to a setting (we call it a payload) in the profile and you save it, the entire profile is removed and re-added. So as an example if you put email settings, restrictions and passcode in a single profile and you needed to change the passcode from 6 digits to 8 digits, once you made the change in the Console it would ask the user to make a more secure passcode but would remove all restrictions before reapplying them again but then would remove the email account, removing all mail, contacts and calendars before pushing the settings again. Not ideal!