Generate production-ready Apple Configuration Profiles validated against the official device-management schema. Wi-Fi, VPN, restrictions, certificates — built right, every time.
Stop guessing payload keys and value types. Build profiles that are correct by construction.
Every key is checked against Apple's official YAML schema definitions — required fields, types, allowed values, and ranges. No more silent misconfigurations.
Schemas are fetched directly from github.com/apple/device-management. When Apple adds new keys or payload types, you get them immediately.
Optionally sign profiles with your X.509 certificate for production MDM deployment. Devices trust signed profiles without warning dialogs.
Combine Wi-Fi, restrictions, certificates, and more in a single profile — the Apple-standard way. Each payload gets its own deterministic UUID.
Once schemas are cached locally, the entire workflow runs offline. Perfect for air-gapped environments or CI/CD pipelines.
Same input always produces the same UUIDs and output. Safe for version control, diffing, and re-deployment without changing device state.
Three scripts, one clean workflow.
Download all ~127 Apple profile schemas from the official repository. Cached locally for offline use.
Explore available payload types, check required keys and allowed values, then write your spec file.
Generate the .mobileconfig with strict validation. Optionally sign it for production deployment.
Push via MDM, share over AirDrop, or install manually. The profile is ready for any deployment method.
From zero to a validated profile in under a minute.
# Fetch Apple's official profile schemas python3 scripts/fetch_schema.py # See what keys a Wi-Fi profile needs python3 scripts/inspect_payload.py com.apple.wifi.managed --os macOS --required-only # Build a profile from a spec file python3 scripts/build_mobileconfig.py assets/examples/wifi_guest.json \ -o guest-wifi.mobileconfig \ --validate-strict # Output: Unsigned profile written to guest-wifi.mobileconfig # Optional: sign for production python3 scripts/build_mobileconfig.py assets/examples/wifi_guest.json \ -o guest-wifi.mobileconfig \ --sign-cert cert.pem --sign-key key.pem
Simple JSON input — the builder handles the rest.
// assets/examples/classroom_ipad.json { "meta": { "PayloadIdentifier": "com.example.classroom.ipad", "PayloadDisplayName": "Classroom iPad Profile", "PayloadDescription": "Wi-Fi + restrictions for student iPads", "PayloadOrganization": "Example School" }, "payloads": [ { "PayloadType": "com.apple.wifi.managed", "SSID_STR": "School-Net", "EncryptionType": "WPA2", "AutoJoin": true }, { "PayloadType": "com.apple.applicationaccess", "allowAppInstallation": false, "allowExplicitContent": false, "allowInAppPurchases": false } ] }
All 127+ Apple payload types are supported. Here are the most common ones.
| Use Case | PayloadType |
|---|---|
| Wi-Fi | com.apple.wifi.managed |
| VPN | com.apple.vpn.managed |
| Mail Account | com.apple.mail.managed |
| Exchange ActiveSync | com.apple.eas.account |
| Restrictions (iOS/iPadOS) | com.apple.applicationaccess |
| Restrictions (macOS) | com.apple.applicationaccess.new |
| Certificate (PKCS#12) | com.apple.security.pkcs12 |
| FileVault | com.apple.MCX.FileVault2 |
| Software Update | com.apple.SoftwareUpdate |
| Privacy / TCC Permissions | com.apple.TCC.configuration-profile-policy |
Built profiles work with every Apple deployment method.
Import directly into Jamf Pro, Kandji, Mosyle, Microsoft Intune, or Apple Profile Manager for fleet-wide deployment.
Load profiles onto devices via USB using Apple Configurator 2 for supervised device setup and provisioning.
Share via AirDrop, email, or web download. Users install with a few taps in Settings (iOS) or System Settings (macOS).