Managing configuration profiles for managed mobile devices
Using configuration profiles, you can remotely configure managed Apple and Android mobile devices, though there is an important difference between the two:
- You can manage Apple devices by using multiple profiles. You must create and install additional profiles (or remove installed profiles) using commands to add new rules or remove existing ones.
- You can manage Android devices by using a single profile. You can replace the profile with a different profile to modify the way that the devices are managed. The Android profile affects all Android devices that are currently controlled by the profile.
The following BMC Client Management video (3:34 min) provides information about managing profiles for Apple devices:
A configuration profile is a group of settings, which are known as payloads. For example, a Wi-Fi payload is a group of settings required to configure a Wi-Fi connection. Similarly, the Mail payload is a group of settings required to configure an email account on a managed mobile device.
In a configuration profile, you can configure multiple payloads including passcode, restrictions, Wi-Fi, and so on. Some payloads can have multiple instances, and others can be configured just once per profile. The Passcode and Restrictions payloads can each have a single instance, while all other payloads can have multiple instances. The user interface indicates whether or not a payload can have multiple instances.
For example, in a configuration profile, you can configure two instances of Wi-Fi to set two separate Wi-Fi connections, but you can only ever have a single Passcode payload.
One payload can be consumed by another payload. For example, the signing certificate configured in the Certificates payload can be used in the Mail payload.
BMC Client Management supports the following payloads:
|Passcode||Configure a passcode on device.|
|Restrictions||Configure restrictions on device in terms of using applications, mobile device functionality and media content.|
|Wi-Fi||Configure Wi-fi access with necessary authentication information.|
|Configure mails on device and define settings for POP and IMAP email accounts.|
|Certificates||Configure multiple certificates on device.|
|SCEP||Configure SCEP and define settings to obtain certificates from SCEP servers.|
|LDAP||Configure LDAP parameters.|
|Web Clips||Configure web clips.|
Configure system settings such as VPN, Global HTTP Proxy, and system update.
Configure restrictions and cross-profile policies.
Configure password policies at the device and work levels.
Configure SSL certificates that can later be used in network configuration payloads.
Configure Wi-Fi connections.
Configure application policies such as authorized and forbidden mobile device applications.
Configure the actions to take when the device is not compliant with one or more defined policies.
Personal Usage Policy
Configure additional policies for corporate-owned devices with authorized personal usage.
For Apple devices, you install the configuration profiles using mobile commands. By using different commands, you can install a configuration profile on different target mobile devices. For example, you can create a security configuration profile with restrictions. You can then create and assign two separate mobile commands to install the security configuration profile on the mobile devices used by the development team and by the quality team.
For Android devices, you use a single profile. You replace that profile with a different profile to modify the way that the devices are managed. The Android profile affects all Android devices that are currently controlled by the profile.
The following screenshot shows the list of configuration profiles, payloads, the number of instances of a payload, and configuration parameters for the restriction payload:
To create the configuration profiles and install them on the mobile devices, see the following procedures:
To create and configure a configuration profile
- In the left pane, select Mobile Device Management.
Right-click Profiles, and select Create Mobile Profile.
You can create multiple folders under Profiles to organize your mobile profiles.
In the Properties dialog box, choose the platform, Apple or Android.
- Specify the following:
- For Apple profiles:
- Profile name
- Automatic date of removal (optional)
- For Android profiles:
- Profile name
- Enterprise name
- For Apple profiles:
- And Click OK.
- In the left pane, select the newly created profile.
In the right pane, under the Configuration tab, configure the payloads.
The number next to a payload indicates the number of instances of that particular payload.
Click Savein the toolbar to save the profile.
Next, you can assign the profile to the target mobile devices. For more information, see To install a configuration profile on Apple mobile devices, or To manage configuration profiles on Android mobile devices.
To install a configuration profile on Apple mobile devices
You can assign commands to push a mobile configuration profile to target devices, device groups, users, or user groups.
- In the left pane, select Mobile Device Management > Profiles.
- Right-click profileName and select Create Mobile Command
The Command Wizard is displayed. .
- In the Command page, enter the details as required and click Next.
By default, the profile name, command type (Install Configuration profile), and priority (Medium) are populated.
- In the Command Options page, click Next.
The profile name is selected by default.
In the Command Assignment page, assign the command to either devices, device groups, users, or user groups and click Finish.
The command is assigned to the target mobile devices. When the command is executed, the configurations are set in the target mobile devices. You can view all the commands created for a profile in the Commands tab. For more information on commands, see Performing remote operations on managed mobile devices.
To manage configuration profiles on Android mobile devices
For Android, when you enroll a device, you enroll it into a profile, and each profile belongs to an enterprise. Changes to the profile, when saved in BMC Client Management, are sent to the Android API, and applied to that device, and all other Android devices that are enrolled in the profile.
If you have configured more than one profile, you can change the profile in which a device or devices are enrolled. However, the profile must be part of the same enterprise.