White Labeling the OTA Enrollment profile, MDM profile, and App Portal webclip
Getting Started
It is possible to white label the OTA enrollment profile, the MDM profile, and the webclip for the App Portal. These profiles are the ones used while enrolling an Apple device. White labeling the MDM profile also allows customizing the information displayed for the profile in the iOS Settings app.
The process of white labeling these profiles consists of copying template files located on the MDM server to the correct location and editing them with a plain text editor. These files are read by the MDM server and persist across server upgrades.
All templates are located in the following directory on the server:
- macOS and Linux:
/usr/local/filewave/django/user_templates
In the "user_templates" directory, you will see the following templates, which can be used as a reference point when making your customizations:
- app_portal_profile.example.plist
- enrolment_ios.example.plist
- enrolment_macos.example.plist
- mdm_profile.example.plist
To customize a profile, find the file "xxxx.example.plist" and copy it to a new file in the same directory, removing ".example" from the name (e.g. copy "xxxx.example.plist" to "xxxx.plist"). You can then edit the new file in a text editor.
For the purpose of demonstrating the feature, we will use the fake company name "Argon5".
OTA enrollment profile
The OTA enrollment profile is used during the first step of MDM enrollment. The information it contains is displayed by the OS while the enrollment is in progress. There are 2 files you can customize:
- "enrolment_ios.example.plist", for iOS
- "enrolment_macos.example.plist", for macOS
These files are plists that look like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
Note: define your values to substitute the OTA enrolment profile here.
Values present on the enrolment profile and not here will not be substituted.
Every key/value set here is final: they will be present on the enrolment profile.
-->
<plist version="1.0">
<dict>
    <key>PayloadIdentifier</key>
    <string>com.argonfive.mobileconfig.profile-service</string>
    <key>PayloadDisplayName</key>
    <string>Argon 5 Inc.</string>
</dict>
</plist>
To customize the profile, replace the strings with the value that you would like to see displayed. If you don't want to customize any key, it can safely be removed from the .plist file. This will cause the default value (with FileWave theming) to be sent instead.
The result can be seen while enrolling an iOS device:
Apple TV Enrollment Profile
The file "enrolment_ios.plist" is also used to customize the profile used to enroll Apple TVs with Apple Configurator.
MDM profile
Basic customization
The MDM profile template file is "mdm_profile.example.plist". You can replace any keys in the same way as explained in the previous section.
Sample customized MDM profile
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
Note: define your values to substitute the MDM profile here.
Values present on the MDM profile and not here will not be substituted.
Every key/value set here is final: they will be present on the MDM profile.
-->
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadContent</key>
            <dict>
                <key>Name</key>
                <string>Argon5 SCEP</string>
                <key>Subject</key>
                <array>
                    <array>
                        <array>
                            <string>O</string>
                            <string>Argon5 SCEP</string>
                        </array>
                    </array>
                    <array>
                        <array>
                            <string>CN</string>
                            <string>argonfivemdm</string>
                        </array>
                    </array>
                </array>
            </dict>
        </dict>
        <dict>
            <key>PayloadDescription</key>
            <string>Installs the Root certificate for the Argon5 MDM solution.</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>This profile allows this device to be securely managed by the Argon5 MDM Server.</string>
    <key>PayloadDisplayName</key>
    <string>Argon5 MDM Configuration</string>
</dict>
</plist>
This profile is displayed in iOS like this:
Consent text
An additional key that you might want to add is "ConsentText". When this key is defined, iOS and macOS display a consent text during the enrollment process. The consent text must be explicitly accepted by the user. This can be used to request the user to accept terms and conditions before continuing with the enrollment. If this key is missing, this step will be skipped.
Here is an example of how to add the ConsentText at the end of the MDM profile:
...
    <key>ConsentText</key>
    <dict>
        <key>default</key>
        <string>Please be aware that by installing this profile, you agree to the terms and conditions of the Argon5 license.</string>
    </dict>
</dict>
</plist>
This consent text will be displayed by iOS like this:
App Portal webclip
The webclip for the iOS App Portal can also be customized. There are two files to customize in this case:
- "app_portal_icon.example.png": this is the icon of the webclip
- "app_portal_profile.example.plist": this contains the payload of the webclip profile. Replace the keys in the same way as in previous sections. The most important key is "Label", which is the one that defines the label that will be shown below the webclip icon in the Home Screen.
Sample webclip profile
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>Icon</key>
            <data></data>
            <key>IsRemovable</key>
            <false/>
            <key>Label</key>
            <string>Argon5 Store</string>
            <key>PayloadDescription</key>
            <string>Argon5 MDM Portal</string>
            <key>PayloadDisplayName</key>
            <string>Argon5 Store</string>
            <key>PayloadIdentifier</key>
            <string>com.argonfive.appportal.webclip1</string>
            <key>PayloadOrganization</key>
            <string>Argon5</string>
            <key>PayloadType</key>
            <string>com.apple.webClip.managed</string>
            <key>PayloadUUID</key>
            <string>AE13076B-DD85-4D2E-BA14-44F5D11673EF</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>URL</key>
            <string>https://mdm.argonfive.com:20443/portal</string>
            <key>FullScreen</key>
            <true/>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Argon5 Store</string>
    <key>PayloadDisplayName</key>
    <string>Argon5 Store</string>
    <key>PayloadIdentifier</key>
    <string>com.argonfive.appportal</string>
    <key>PayloadOrganization</key>
    <string>Argon5</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>39419197-1D8B-468D-A179-07CE4FFE4C3C</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
After customizing it, we can see the webclip has been labeled as "Argon5 Store".
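Because every key/value set in these templates is final and is sent to enrolling devices, a customized template is worth checking before the server reads it. The Python check below is an added example, not FileWave code: the `BRANDING` allowlist, the severity labels and the sample template are assumptions made for illustration. It flags plists that do not parse, empty strings that would replace a default, a malformed "ConsentText", and overrides of keys that change behavior rather than branding (for example the webclip "URL").

```python
import plistlib

# Assumption for this example (not a FileWave list): keys treated as branding-only.
BRANDING = {"PayloadIdentifier", "PayloadDisplayName", "PayloadDescription",
            "PayloadOrganization", "Label", "Name", "Icon", "ConsentText"}

def _walk(node, path=""):
    """Yield (path, key, value) for every dict entry, descending into arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            yield here, key, value
            if key != "ConsentText":   # its children are locale names, not payload keys
                yield from _walk(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")

def audit_template(data: bytes):
    """Return (severity, path, message) findings for one customized template."""
    try:
        root = plistlib.loads(data)
    except Exception as exc:           # malformed XML or plist structure
        return [("error", "/", f"does not parse as a plist: {exc}")]
    findings = []
    for path, key, value in _walk(root):
        if key == "PayloadContent":
            continue                   # container only; its children are checked
        if isinstance(value, str) and not value.strip():
            findings.append(("warn", path, "empty string is final; remove the key to keep the default"))
        if key == "ConsentText" and not (isinstance(value, dict) and "default" in value):
            findings.append(("error", path, "expected a <dict> with a 'default' entry"))
        if key == "URL" and not str(value).lower().startswith("https://"):
            findings.append(("high", path, f"webclip URL is not HTTPS: {value!r}"))
        elif key not in BRANDING:      # includes an HTTPS URL: still worth a second look
            findings.append(("review", path, "non-branding key overridden"))
    return findings

# Constructed sample: webclip template with an empty Label and a plain-HTTP URL.
SAMPLE_BAD = b"""<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
<key>Label</key><string></string><key>IsRemovable</key><false/>
<key>URL</key><string>http://mdm.argonfive.com:20443/portal</string>
</dict></array>
<key>PayloadDisplayName</key><string>Argon5 Store</string>
</dict></plist>"""

if __name__ == "__main__":
    print(*audit_template(SAMPLE_BAD), sep="\n")
```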