Guest Posts: Intune & iOS – Building A Custom Profile

MicrosoftIntuneThe following five guest posts are written by David Colville, with some light editing by me. I first met David online in 2015 when I was exploring Microsoft PowerBI and its suitability for educational analytics at St Andrew’s College. David connected me with Datacom New Zealand and their BI Team and the rest, as they say, is history. Since the initial introduction, our paths have crossed digitally many times, yet only once in person! Recently we chatted online about using Intune to manage iOS devices in educational contexts and from there the idea of a series of blog posts emerged. We have decided to split these reasonably technical and lengthy posts into the following five topics:

  1. Intune & iOS – Setting Up
  2. Intune & iOS – Adding iOS Devices Using Device Enrollment Program (DEP)
  3. Intune & iOS – Assign Applications To Devices
  4. Intune & iOS – Setting Up Profiles
  5. Intune & iOS – Building A Custom Profile

I am really thrilled to have David share his expertise in these posts and it highlights the value of building a Professional Learning Network (PLN) online, as without our initial virtual engagements, I would not have had access to his knowledge and skills. So I extend a huge thanks to David and strongly encourage you to connect with him on Twitter.

What Is The Need For A Custom Profile?

There are a lot of different Mobile Device Management (MDM) solutions available on the market and they all differentiate themselves through the various features that they can control or restrict on the end device. Intune has a growing list of settings within the “Device Configuration” blade, however it is virtually impossible to provide all of the available settings contained in Apple’s XML configuration keys.

This is where the creation of Custom Profiles works best. ICT administrators can quickly create a Custom Profile to add unique control requirements onto an iPad. During a conversation I had with Sam McNeill, he pointed out that one of the Profiles mentioned in the Configuration Profile Reference note was this one designed to prevent end users from removing Apps installed on the iPad:

Blog 0

This is virtually a requirement for any school setting, as you can imagine how keen mischievous students would be to “accidentally” remove Apps they needed! Unfortunately, the current “Device Configuration” settings in Intune does not have a GUI setting for this particular configuration.

This configuration does however appear in the Apple Configurator Restriction section and it is relatively easy to create a new “Custom Profile” for these settings in Apple Configurator 2 and then import into Intune’s Custom Profile area.

Creating A Custom Profile In Apple Configurator:

Launch Apple Configurator and from the “File” menu create a New Profile:

Blog 1

Give the Profile a meaningful name in the “General Section” such as “Disable App Removal.” Note: this is what it will show up and be identified as in the System Preferences on the iPad:

Blog 2

Next, navigate into the “Restrictions” section and in the “Functionality Section” you can turn off the “Allow Removing Apps” checkbox:

Blog 3

This Profile can then saved. In my example here I put this on the Desktop of my MacBook and called it “Disable App Removal”

Blog 4

These Profile files show up as a “Config” file which can be opened up with virtually any Text Editor (in this case, I used Apple’s “Xcode” because it is aware of the correct formatting and will apply colour coding for ease of reading).  As mentioned earlier, this is really just an XML text file containing a large number of various settings because the one Configuration Profile includes the entire “Restrictions” section we saw in the Apple Configurator earlier (see above):

Blog 5

Because the Configuration Profile is simply XML, we can easily go through and trim it down to only include the “AllowAppRemoval” section or “Key”, and we’ll import this configuration into Intune. This is an important step to take as it will prevent you from accidentally importing other restrictions onto the iPad that you don’t actually intend to apply. In this example, we are simply trying to prevent the end user removing Apps from the iPad so the key configuration key is highlighted below:

Blog 6

Importing & Assigning The Custom Profile Into Intune:

Once the XML has been trimmed it can be uploaded into Intune. To do this, you need to navigate to the “Device Configuration” blade we have been to frequently throughout these tutorials, but in this instance we’ll create a new “Custom Profile”:

Blog 7

You will be prompted to upload the custom (trimmed/edited) Configuration Profile that we saved earlier on our Desktop:

Blog 8

Once the Custom Profile is uploaded to Intune, you will need to assign this to the required iPads in a similar process to that of assigning Apps to the iPads. First select the “Assignments” menu on the left hand side:

Blog 9

Then select the Group(s) you want to assign this new Custom Profile to:

Blog 10

Once this is pushed out to an iPad you will be able to see the Restrictions applied on through the “Settings: General: Profiles” section. Look for the name of the MDM (in our case, Intune) in the list provided and you can drill down to the “Restrictions” being enforced by the MDM.

Here we can see the App Removal restriction created earlier:

Blog 11

With this restriction in place, if a user attempts to remove an App the iPad interface will only allow them to move icons around on the home screen (icons wobble), but not delete any Apps (there is no “x” beside the icon to remove the App).

Over time Microsoft may add this Configuration key to Restrict App Removal directly into the Intune GUI features, and thus remove the need to build a Custom Profile configuration. However, there are always extra Configuration Keys being added by Apple so it’s always useful to be able to upload Custom Profiles (another example is adding a WPA2 Pre-Shared Key as a Custom Profile for wireless settings, so that end users do not need to enter (or even know) the WiFi password).


Over the last five blog posts we have covered off in significant detail how to use Microsoft Intune to manage iOS devices (iPads and iPhones). These same principals can be applied to using Intune to manage MacBook laptops (MacOS), Android devices and, of course, Windows 7-10 devices. The five steps we have demonstrated are:

Intune is a very powerful MDM and demonstrates how you can use modern deployment methods to manage and protect both company/school owned devices as well as BYOD options as well. It is 100% Azure cloud hosted and very scalable for large organisations or School Districts.

I trust you’ve found this series helpful and I do encourage you to connect with David Colville who authored the vast majority of these blog posts. Feel free to drop comments or questions in the comments section below and thanks for reading!

I am always keen to discuss what I've written and hear your ideas so leave a reply here...

%d bloggers like this: