White Labeling the OTA Enrollment profile and MDM profile

Getting Started

It is possible to white label the OTA enrollment profile, the MDM profile, and the Web Clip for the App Portal. These profiles are the ones used while enrolling an Apple device. White labeling the MDM profile also allows customizing the information displayed for the profile in the iOS Settings app.

The process of white labeling these profiles consists of copying template files located on the MDM server to the correct location and editing them with a plain text editor. These files are read by the MDM server and persist across server upgrades.

All templates are located in the following directory on the server:

In the "user_templates" directory, you will see the following templates that can be used as a reference point when making your customizations:

To customize a profile, find the file "xxxx.example.plist" and copy it to a new file in the same directory, removing ".example" from the name (e.g. copy "xxxx.example.plist" to "xxxx.plist"). You can then edit the file in a text editor.

For the purpose of demonstrating the feature, we will use the fake company name "Argon5".

OTA enrollment profile

The OTA enrollment profile is used during the first step of MDM enrollment. The information it contains is displayed by the OS while the enrollment is in progress. There are 2 files you can customize:

These files are plists that look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 
<!--
Note: define your values to substitute the OTA enrolment profile here.
Values present on the enrolment profile and not here will not be substituted.
Every key/value set here is final: they will be present on the enrolment profile.
-->
 
<plist version="1.0">
    <dict>
        <key>PayloadIdentifier</key>
        <string>com.argonfive.mobileconfig.profile-service</string>
        <key>PayloadDisplayName</key>
        <string>Argon 5 Inc.</string>
    </dict>
</plist>

To customize the profile, replace the strings with the values that you would like to see displayed. If you don't want to customize a key, it can safely be removed from the .plist file. This will cause the default value (with FileWave theming) to be sent instead.

The result can be seen while enrolling an iOS device:

[Image: MDMProfileWebclipWB-installprofile.png]

Apple TV Enrollment Profile

The file enrollment_ios.plist is also used to customize the profile to enroll Apple TVs with Apple Configurator.

[Image: MDMProfileWebclipWB-enrolliosdevice.png]

MDM profile

Basic customization

The MDM profile template file is "mdm_profile.example.plist". You can replace any keys in the same way as explained in the previous section.


Sample customized MDM profile
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 
<!--
Note: define your values to substitute the MDM profile here.
Values present on the MDM profile and not here will not be substituted.
Every key/value set here is final: they will be present on the MDM profile.
-->
 
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadContent</key>
            <dict>
                <key>Name</key>
                <string>Argon5 SCEP</string>
                <key>Subject</key>
                <array>
                    <array>
                        <array>
                            <string>O</string>
                            <string>Argon5 SCEP</string>
                        </array>
                    </array>
                    <array>
                        <array>
                            <string>CN</string>
                            <string>argonfivemdm</string>
                        </array>
                    </array>
                </array>
            </dict>
        </dict>
        <dict>
            <key>PayloadDescription</key>
            <string>Installs the Root certificate for the Argon5 MDM solution.</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>This profile allows this device to be securely managed by the Argon5 MDM Server.</string>
    <key>PayloadDisplayName</key>
    <string>Argon5 MDM Configuration</string>
</dict>
</plist>

Which is displayed in iOS like this:

[Image: MDMProfileWebclipWB-profileconfig.png]

An additional key that you might want to add is "ConsentText". When this key is defined, iOS and macOS display a consent text during the enrollment process. The consent text must be explicitly accepted by the user. This can be used to request the user to accept terms and conditions before continuing with the enrollment. If this key is missing, this step will be skipped.

Here is an example of how to add the ConsentText at the end of the MDM profile:

...
    <key>ConsentText</key>
    <dict>
        <key>default</key>
        <string>Please be aware that by installing this profile, you agree to the terms and conditions of the Argon5 license.</string>
    </dict>
</dict>
</plist>

[Image: MDMProfileWebclipWB-consent.png]
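Because every key set in a customized template ends up in the profile sent to devices, it is worth reviewing a template before it goes live. The Python script below is an added example, not FileWave code: it parses a template, reports any key outside the display fields shown in the samples on this page, and checks that ConsentText carries a "default" string. The allow-list, the function name and the sample inputs are assumptions constructed for this example.

```python
import plistlib

# Assumption: display-only keys, taken from the sample templates on this page.
DISPLAY_KEYS = {"PayloadIdentifier", "PayloadDisplayName", "PayloadDescription",
                "PayloadContent", "Name", "Subject"}

def review_template(data: bytes) -> list:
    """Return findings for a customized template; an empty list means clean."""
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # malformed XML or not a property list
        return [f"not a valid plist: {exc}"]
    if not isinstance(root, dict):
        return ["top-level element must be a <dict>"]
    findings = []

    def walk(node, path):
        if isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
        elif isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}/{key}"
                if key == "ConsentText":
                    # Locale -> text mapping; the page's sample uses "default".
                    if not (isinstance(value, dict)
                            and isinstance(value.get("default"), str)):
                        findings.append(f"{here}: needs a 'default' string")
                elif key not in DISPLAY_KEYS:
                    findings.append(f"{here}: not a display key, review it")
                else:
                    walk(value, here)

    walk(root, "")
    return findings

# Constructed sample inputs (not real FileWave templates).
HEAD = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
CLEAN = (HEAD + b"<key>PayloadDisplayName</key><string>Argon5 MDM</string>"
         b"<key>ConsentText</key><dict><key>default</key>"
         b"<string>Terms apply.</string></dict></dict></plist>")
SUSPECT = (HEAD + b"<key>PayloadDisplayName</key><string>Argon5</string>"
           b"<key>ServerURL</key><string>https://mdm.example.invalid/</string>"
           b"<key>ConsentText</key><dict></dict></dict></plist>")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, review_template(blob))
```

Extend DISPLAY_KEYS only with keys you have confirmed are purely cosmetic in your deployment; everything else is surfaced for a human to check.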


Revision #6
Created 22 June 2023 21:33:55 by Josh Levitsky
Updated 29 May 2024 14:15:33 by Josh Levitsky