Introduction: Mastering Custom Profile Configuration in Workspace ONE
After implementing Workspace ONE across hundreds of organizations over the past decade, I can confidently say that custom profile configuration is where the platform truly shines. While the built-in profiles handle most common use cases, it’s the custom profiles that allow you to address those unique organizational requirements that make or break a deployment.
If you’re a Workspace ONE administrator looking to go beyond the standard configurations, this comprehensive guide will walk you through everything you need to know about creating, deploying, and managing custom profiles. We’ll cover the technical foundations, practical implementation strategies, and real-world examples that will help you leverage the full power of Workspace ONE’s configuration capabilities.
Understanding Custom Profiles in Workspace ONE
What Are Custom Profiles?
Custom profiles in Workspace ONE are XML-based configuration payloads that allow you to configure device settings, applications, and behaviors that aren’t covered by the platform’s built-in profile templates. These profiles give you direct access to the underlying configuration frameworks of each operating system, enabling precise control over device behavior.
Key Characteristics of Custom Profiles:
- Platform-Specific: Each operating system (iOS, Android, Windows, macOS) has its own custom profile format
- XML-Based: Most custom profiles use XML configuration syntax
- Granular Control: Access to low-level system settings and configurations
- Flexible Deployment: Can be deployed to specific devices, users, or organizational groups
- Version-Dependent: Configuration options may vary based on operating system versions
When to Use Custom Profiles
Based on my experience, custom profiles are most valuable in several specific scenarios:
Addressing Configuration Gaps:
- Missing Built-in Options: When Workspace ONE doesn’t have a built-in profile for your specific requirement
- Advanced Settings: Accessing advanced configuration options not exposed in the standard UI
- New OS Features: Configuring newly released OS features before Workspace ONE adds native support
- Vendor-Specific Requirements: Configuring third-party applications or hardware-specific settings
Organizational Requirements:
- Compliance Mandates: Meeting specific regulatory or compliance requirements
- Security Policies: Implementing organization-specific security configurations
- Workflow Optimization: Customizing device behavior to match specific business processes
- Legacy Integration: Supporting legacy systems or applications with specific configuration needs
The Custom Profile Ecosystem
Understanding how custom profiles fit into the broader Workspace ONE ecosystem is crucial for effective implementation.
Profile Hierarchy and Precedence:
- Profile Priority:
  - Custom profiles can be assigned different priority levels
  - Higher priority profiles override conflicting settings in lower priority profiles
  - Built-in profiles and custom profiles follow the same priority rules
  - Device-level assignments typically take precedence over user-level assignments
- Conflict Resolution:
  - Workspace ONE automatically resolves conflicts between overlapping profiles
  - Administrators can review and manage profile conflicts through the console
  - Proper planning and testing help minimize configuration conflicts
  - Documentation of profile interactions is essential for troubleshooting
Platform-Specific Custom Profile Implementation
iOS Custom Profiles
iOS custom profiles leverage Apple’s Configuration Profile format, providing access to a wide range of device settings and behaviors.
Creating iOS Custom Profiles:
- Access the Custom Profile Creation Interface:
  - Navigate to Devices → Profiles & Resources → Profiles
  - Click Add → Add Profile
  - Select Apple iOS as the platform
  - Choose Custom Settings from the payload list
- Configure the Custom Payload:
  - Enter a descriptive name for your custom settings payload
  - Paste your XML configuration into the Custom Settings field
  - Validate the XML syntax using the built-in validator
  - Configure deployment settings and target assignments
Common iOS Custom Profile Use Cases:
Example 1: Configuring Advanced Wi-Fi Settings
Here’s an example of configuring enterprise Wi-Fi with advanced security settings:
<dict>
  <key>PayloadType</key>
  <string>com.apple.wifi.managed</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.company.wifi.enterprise</string>
  <key>PayloadDisplayName</key>
  <string>Enterprise Wi-Fi Configuration</string>
  <key>SSID_STR</key>
  <string>CompanyWiFi</string>
  <key>HIDDEN_NETWORK</key>
  <false/>
  <key>AutoJoin</key>
  <true/>
  <key>EncryptionType</key>
  <string>WPA2</string>
  <key>EAPClientConfiguration</key>
  <dict>
    <!-- 25 = PEAP; the EAPFAST* keys below only take effect with EAP-FAST (type 43) -->
    <key>AcceptEAPTypes</key>
    <array>
      <integer>25</integer>
    </array>
    <key>EAPFASTUsePAC</key>
    <true/>
    <key>EAPFASTProvisionPAC</key>
    <true/>
    <!-- Server names the device accepts in the RADIUS server certificate -->
    <key>TLSTrustedServerNames</key>
    <array>
      <string>radius.company.com</string>
    </array>
  </dict>
</dict>
Example 2: Configuring App-Specific VPN
This example shows how to configure per-app VPN for specific applications:
<dict>
  <key>PayloadType</key>
  <string>com.apple.vpn.managed.applayervpn</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.company.vpn.perapp</string>
  <key>PayloadDisplayName</key>
  <string>Per-App VPN Configuration</string>
  <key>UserDefinedName</key>
  <string>Company VPN</string>
  <key>VPNType</key>
  <string>IKEv2</string>
  <key>IKEv2</key>
  <dict>
    <key>RemoteAddress</key>
    <string>vpn.company.com</string>
    <key>LocalIdentifier</key>
    <string>company.com</string>
    <key>RemoteIdentifier</key>
    <string>vpn.company.com</string>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>
    <key>PayloadCertificateUUID</key>
    <string>CERTIFICATE-UUID-HERE</string>
  </dict>
  <key>VPNUUID</key>
  <string>VPN-UUID-HERE</string>
  <key>SafariDomains</key>
  <array>
    <string>intranet.company.com</string>
    <string>internal.company.com</string>
  </array>
  <key>AssociatedDomains</key>
  <array>
    <string>company.com</string>
  </array>
</dict>
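A pre-deployment lint for Apple custom-settings payloads like the two above, as an added example that is not part of the original guide or of Workspace ONE. It parses the bare `<dict>` fragment with Python's plistlib and flags missing keys, leftover `-HERE` placeholders, EAP settings with no pinned server identity, and IKEv2 shared-secret authentication; the function names, the check list and the trimmed sample payloads are assumptions constructed for illustration.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

# Keys carried by every Apple payload example on this page (assumed check list).
EXPECTED_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier")
PLACEHOLDER = re.compile(r"^[A-Z0-9-]+-HERE$")  # e.g. CERTIFICATE-UUID-HERE

# Constructed samples, trimmed from the two payloads above.
WIFI_SAMPLE = """<dict>
  <key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.company.wifi.enterprise</string>
  <key>SSID_STR</key><string>CompanyWiFi</string>
  <key>EAPClientConfiguration</key>
  <dict>
    <key>AcceptEAPTypes</key><array><integer>25</integer></array>
  </dict>
</dict>"""
VPN_SAMPLE = """<dict>
  <key>PayloadType</key><string>com.apple.vpn.managed.applayervpn</string>
  <key>PayloadIdentifier</key><string>com.company.vpn.perapp</string>
  <key>IKEv2</key>
  <dict>
    <key>AuthenticationMethod</key><string>Certificate</string>
    <key>PayloadCertificateUUID</key><string>CERTIFICATE-UUID-HERE</string>
  </dict>
  <key>VPNUUID</key><string>VPN-UUID-HERE</string>
</dict>"""


def parse_fragment(xml_fragment):
    """Parse a bare <dict> payload by wrapping it in a <plist> root."""
    wrapped = '<plist version="1.0">' + xml_fragment.strip() + "</plist>"
    payload = plistlib.loads(wrapped.encode("utf-8"), fmt=plistlib.FMT_XML)
    if not isinstance(payload, dict):
        raise ValueError("payload root must be a <dict>")
    return payload


def walk(node, path=""):
    """Yield (key path, value) for every leaf in nested dicts and arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def lint_payload(xml_fragment):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        payload = parse_fragment(xml_fragment)
    except (ValueError, ExpatError) as exc:
        return [f"not a parseable payload: {exc}"]
    findings = [f"missing expected key {k}" for k in EXPECTED_KEYS if k not in payload]
    for path, value in walk(payload):
        if isinstance(value, str) and PLACEHOLDER.match(value):
            findings.append(f"placeholder left in {path}: {value}")
    eap = payload.get("EAPClientConfiguration")
    if isinstance(eap, dict):
        # Without pinned server names or an anchor certificate the client has
        # no fixed identity to check the RADIUS server against.
        if not (eap.get("TLSTrustedServerNames") or eap.get("PayloadCertificateAnchorUUID")):
            findings.append("EAP without TLSTrustedServerNames or PayloadCertificateAnchorUUID")
    ike = payload.get("IKEv2")
    if isinstance(ike, dict) and ike.get("AuthenticationMethod") == "SharedSecret":
        findings.append("IKEv2 SharedSecret: the secret is stored in the profile text")
    return findings
```

Running `lint_payload` over the profile XML kept in version control, before it is pasted into the console, catches these cases without touching a device.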
Android Custom Profiles
Android custom profiles use a different approach, leveraging Android’s managed configuration framework and various device administration APIs.
Creating Android Custom Profiles:
- Access Android Custom Settings:
  - Navigate to Devices → Profiles & Resources → Profiles
  - Click Add → Add Profile
  - Select Android as the platform
  - Choose Custom Settings from the available payloads
- Configure Custom Settings:
  - Select the appropriate Android management framework (Android Enterprise, Legacy, etc.)
  - Enter your custom configuration XML or JSON
  - Configure targeting and deployment options
  - Test the configuration with pilot devices
Common Android Custom Profile Use Cases:
Example 1: Configuring Advanced Wi-Fi Settings
Android Wi-Fi configuration using the managed configuration framework:
<wap-provisioningdoc>
  <characteristic type="Wi-Fi">
    <characteristic type="CompanyWiFi">
      <parm name="SSID" value="CompanyWiFi"/>
      <parm name="SecurityType" value="WPA2-Enterprise"/>
      <parm name="EapType" value="PEAP"/>
      <parm name="Phase2" value="MSCHAPV2"/>
      <parm name="CaCertificate" value="CERTIFICATE_ALIAS"/>
      <parm name="Identity" value="%USERNAME%"/>
      <parm name="AnonymousIdentity" value="anonymous@company.com"/>
      <parm name="Password" value="%PASSWORD%"/>
      <parm name="Hidden" value="false"/>
      <parm name="AutoConnect" value="true"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
Example 2: Configuring App-Specific Restrictions
This example shows how to configure managed app configurations:
{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "com.company.businessapp",
  "managedProperty": [
    {
      "key": "server_url",
      "valueBool": false,
      "valueString": "https://api.company.com",
      "valueInteger": 0,
      "valueStringArray": []
    },
    {
      "key": "enable_offline_mode",
      "valueBool": true,
      "valueString": "",
      "valueInteger": 0,
      "valueStringArray": []
    },
    {
      "key": "sync_interval",
      "valueBool": false,
      "valueString": "",
      "valueInteger": 300,
      "valueStringArray": []
    },
    {
      "key": "allowed_domains",
      "valueBool": false,
      "valueString": "",
      "valueInteger": 0,
      "valueStringArray": [
        "company.com",
        "partner.com"
      ]
    }
  ]
}
Windows Custom Profiles
Windows custom profiles leverage various Windows management frameworks, including Group Policy, CSP (Configuration Service Provider), and PowerShell.
Creating Windows Custom Profiles:
- Access Windows Custom Settings:
  - Navigate to Devices → Profiles & Resources → Profiles
  - Click Add → Add Profile
  - Select Windows Desktop as the platform
  - Choose from available custom configuration options (Custom Settings, PowerShell, etc.)
- Configure Custom Settings:
  - Select the appropriate configuration method (OMA-URI, PowerShell script, etc.)
  - Enter your custom configuration details
  - Configure execution context and deployment settings
  - Test thoroughly before production deployment
Common Windows Custom Profile Use Cases:
Example 1: Configuring Advanced Security Settings via OMA-URI
This example configures Windows Defender settings using OMA-URI:
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring
Data Type: Integer
Value: 1
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Defender/AllowBehaviorMonitoring
Data Type: Integer
Value: 1
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Defender/AllowCloudProtection
Data Type: Integer
Value: 1
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Defender/SubmitSamplesConsent
Data Type: Integer
Value: 1
Example 2: PowerShell Script for Custom Configuration
This PowerShell script configures custom registry settings:
# Configure custom application settings
$registryPath = "HKLM:\SOFTWARE\Company\BusinessApp"

# Create registry path if it doesn't exist
if (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
}

# Set application configuration values
Set-ItemProperty -Path $registryPath -Name "ServerURL" -Value "https://api.company.com" -Type String
Set-ItemProperty -Path $registryPath -Name "EnableOfflineMode" -Value 1 -Type DWord
Set-ItemProperty -Path $registryPath -Name "SyncInterval" -Value 300 -Type DWord
Set-ItemProperty -Path $registryPath -Name "LogLevel" -Value "INFO" -Type String

# Configure Windows Firewall rule for the application
New-NetFirewallRule -DisplayName "Company Business App" -Direction Inbound -Program "C:\Program Files\Company\BusinessApp\app.exe" -Action Allow -Profile Domain,Private

# Register the event source on first run; Write-EventLog fails for an unregistered source
if (-not [System.Diagnostics.EventLog]::SourceExists("Workspace ONE")) {
    New-EventLog -LogName Application -Source "Workspace ONE"
}

# Log configuration completion
Write-EventLog -LogName Application -Source "Workspace ONE" -EventId 1001 -Message "Custom configuration applied successfully"
macOS Custom Profiles
macOS custom profiles use Apple’s Configuration Profile format, similar to iOS but with macOS-specific payloads and settings.
Creating macOS Custom Profiles:
- Access macOS Custom Settings:
  - Navigate to Devices → Profiles & Resources → Profiles
  - Click Add → Add Profile
  - Select Apple macOS as the platform
  - Choose Custom Settings from the payload options
- Configure Custom Payload:
  - Enter a descriptive name for your custom settings
  - Paste your macOS configuration XML into the custom settings field
  - Validate the configuration syntax
  - Configure deployment and targeting options
Common macOS Custom Profile Use Cases:
Example 1: Configuring Advanced Energy Saver Settings
This example configures detailed power management settings:
<dict>
  <key>PayloadType</key>
  <string>com.apple.MCX</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.company.energysaver</string>
  <key>PayloadDisplayName</key>
  <string>Energy Saver Configuration</string>
  <key>mcx_preference_settings</key>
  <dict>
    <key>com.apple.PowerManagement</key>
    <dict>
      <key>Forced</key>
      <array>
        <dict>
          <key>mcx_preference_settings</key>
          <dict>
            <key>ACPower</key>
            <dict>
              <key>System Sleep Timer</key>
              <integer>0</integer>
              <key>Disk Sleep Timer</key>
              <integer>10</integer>
              <key>Display Sleep Timer</key>
              <integer>15</integer>
              <key>Wake On LAN</key>
              <integer>1</integer>
            </dict>
            <key>Battery Power</key>
            <dict>
              <key>System Sleep Timer</key>
              <integer>15</integer>
              <key>Disk Sleep Timer</key>
              <integer>10</integer>
              <key>Display Sleep Timer</key>
              <integer>5</integer>
            </dict>
          </dict>
        </dict>
      </array>
    </dict>
  </dict>
</dict>
Example 2: Configuring Custom Dock Settings
This example configures detailed Dock behavior and appearance:
<dict>
  <key>PayloadType</key>
  <string>com.apple.dock</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.company.dock</string>
  <key>PayloadDisplayName</key>
  <string>Dock Configuration</string>
  <key>orientation</key>
  <string>bottom</string>
  <key>tilesize</key>
  <integer>48</integer>
  <key>size-immutable</key>
  <true/>
  <key>position-immutable</key>
  <true/>
  <key>autohide</key>
  <false/>
  <key>autohide-immutable</key>
  <true/>
  <key>magnification</key>
  <false/>
  <key>minimize-to-application</key>
  <true/>
  <key>show-process-indicators</key>
  <true/>
  <key>static-only</key>
  <true/>
  <key>persistent-apps</key>
  <array>
    <dict>
      <key>tile-data</key>
      <dict>
        <key>file-data</key>
        <dict>
          <key>_CFURLString</key>
          <string>/Applications/Safari.app</string>
          <key>_CFURLStringType</key>
          <integer>0</integer>
        </dict>
      </dict>
    </dict>
    <dict>
      <key>tile-data</key>
      <dict>
        <key>file-data</key>
        <dict>
          <key>_CFURLString</key>
          <string>/Applications/Microsoft Outlook.app</string>
          <key>_CFURLStringType</key>
          <integer>0</integer>
        </dict>
      </dict>
    </dict>
  </array>
</dict>
Best Practices for Custom Profile Development
Planning and Design
Successful custom profile implementation requires careful planning and design to ensure reliability and maintainability.
Requirements Analysis:
- Document Requirements Clearly:
  - Clearly define what you’re trying to achieve with the custom profile
  - Identify the specific settings or behaviors that need to be configured
  - Document any dependencies or prerequisites
  - Consider the impact on user experience and device performance
- Research Configuration Options:
  - Research the available configuration options for your target platform
  - Review official documentation and developer resources
  - Check for existing examples or community solutions
  - Understand the limitations and constraints of each approach
Design Considerations:
- Modularity and Reusability:
  - Design custom profiles to be modular and reusable across different scenarios
  - Avoid creating monolithic profiles that are difficult to maintain
  - Consider how profiles will interact with existing configurations
  - Plan for future modifications and updates
- Error Handling and Validation:
  - Include appropriate error handling and validation in your configurations
  - Consider what happens if the configuration fails to apply
  - Plan for rollback scenarios and recovery procedures
  - Implement logging and monitoring where possible
Development and Testing
Thorough development and testing are essential for reliable custom profile deployment.
Development Process:
- Start with Simple Configurations:
  - Begin with simple, well-understood configurations
  - Test each component individually before combining them
  - Build complexity gradually as you gain confidence
  - Document your development process and decisions
- Use Version Control:
  - Maintain version control for all custom profile configurations
  - Document changes and the rationale behind them
  - Tag stable versions for production deployment
  - Maintain backup copies of working configurations
Testing Strategy:
- Comprehensive Testing:
  - Test custom profiles on representative devices and OS versions
  - Test both successful application and failure scenarios
  - Verify that profiles can be removed cleanly
  - Test interactions with other profiles and configurations
- Pilot Deployment:
  - Deploy custom profiles to a small pilot group first
  - Monitor pilot devices closely for issues or unexpected behavior
  - Gather feedback from pilot users about the impact on their experience
  - Refine the configuration based on pilot results
Documentation and Maintenance
Proper documentation and maintenance procedures are crucial for long-term success with custom profiles.
Documentation Requirements:
- Configuration Documentation:
  - Document the purpose and functionality of each custom profile
  - Include the complete configuration XML or script
  - Document any dependencies or prerequisites
  - Include troubleshooting information and common issues
- Deployment Documentation:
  - Document the deployment process and target assignments
  - Include rollback procedures and recovery steps
  - Document testing procedures and validation steps
  - Maintain change logs and version history
Maintenance Procedures:
- Regular Review and Updates:
  - Regularly review custom profiles for continued relevance and effectiveness
  - Update configurations as operating systems and applications evolve
  - Monitor for deprecated settings or APIs
  - Plan for migration to built-in Workspace ONE features when available
- Monitoring and Alerting:
  - Monitor custom profile deployment success and failure rates
  - Set up alerting for profile deployment issues
  - Track device compliance with custom profile requirements
  - Monitor for unexpected side effects or conflicts
Advanced Custom Profile Techniques
Dynamic Configuration with Variables
Workspace ONE supports various variables that can make custom profiles more flexible and dynamic.
Available Variables:
- User Variables: {Username}, {EmailAddress}, {FirstName}, {LastName}
- Device Variables: {DeviceId}, {SerialNumber}, {UDID}, {DeviceName}
- Organization Variables: {OrganizationGroupName}, {OrganizationGroupId}
- Custom Variables: Custom attributes defined in your environment
Example: Dynamic VPN Configuration
This example shows how to use variables for dynamic VPN configuration:
<dict>
  <key>PayloadType</key>
  <string>com.apple.vpn.managed</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.company.vpn.{OrganizationGroupName}</string>
  <key>PayloadDisplayName</key>
  <string>{OrganizationGroupName} VPN</string>
  <key>UserDefinedName</key>
  <string>{OrganizationGroupName} Corporate VPN</string>
  <key>VPNType</key>
  <string>IKEv2</string>
  <key>IKEv2</key>
  <dict>
    <key>RemoteAddress</key>
    <string>vpn-{OrganizationGroupName}.company.com</string>
    <key>LocalIdentifier</key>
    <string>{EmailAddress}</string>
    <key>RemoteIdentifier</key>
    <string>vpn-{OrganizationGroupName}.company.com</string>
    <key>AuthenticationMethod</key>
    <string>SharedSecret</string>
    <key>SharedSecret</key>
    <string>{CustomAttribute1}</string>
  </dict>
</dict>
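What the variables in the payload above expand to depends on per-device and per-group data, so it is worth expanding them offline before assignment. The added example below is not from the original guide: `audit_profile`, `expand` and the device records are assumptions constructed for illustration, and the `{Name}` token syntax is taken from the variable list above. It substitutes one device's values and reports unresolved variables, host names that stop being valid once expanded, and secrets that are supplied by a variable (such a secret is only as protected as wherever that attribute is stored).

```python
import re
import xml.etree.ElementTree as ET

TOKEN = re.compile(r"\{([A-Za-z0-9]+)\}")
# Host name: dot-separated labels of letters, digits and inner hyphens.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME = re.compile(rf"^{LABEL}(\.{LABEL})*$")
HOST_KEYS = {"RemoteAddress", "RemoteIdentifier"}
SECRET_KEYS = {"SharedSecret"}

# Constructed sample, trimmed from the dynamic VPN payload above.
VPN_TEMPLATE = """<dict>
  <key>PayloadIdentifier</key><string>com.company.vpn.{OrganizationGroupName}</string>
  <key>IKEv2</key>
  <dict>
    <key>RemoteAddress</key><string>vpn-{OrganizationGroupName}.company.com</string>
    <key>LocalIdentifier</key><string>{EmailAddress}</string>
    <key>AuthenticationMethod</key><string>SharedSecret</string>
    <key>SharedSecret</key><string>{CustomAttribute1}</string>
  </dict>
</dict>"""
# Constructed per-device records; CustomAttribute1 is unset on the first one.
DEVICE_A = {"OrganizationGroupName": "EMEA Sales", "EmailAddress": "a.user@company.com"}
DEVICE_B = {"OrganizationGroupName": "emea", "EmailAddress": "b.user@company.com",
            "CustomAttribute1": "constructed-secret"}


def key_strings(xml_fragment):
    """Yield (key, string value) pairs from every <dict> in the payload."""
    for node in ET.fromstring(xml_fragment).iter("dict"):
        children = list(node)
        for key, value in zip(children[::2], children[1::2]):
            if key.tag == "key" and value.tag == "string":
                yield key.text, value.text or ""


def expand(text, values):
    """Replace {Token} with its value; unknown tokens are left in place."""
    return TOKEN.sub(lambda m: values.get(m.group(1), m.group(0)), text)


def audit_profile(xml_fragment, values):
    """Expand variables for one device and return a list of findings."""
    findings = []
    for key, raw in key_strings(xml_fragment):
        resolved = expand(raw, values)
        unresolved = TOKEN.findall(resolved)
        for name in unresolved:
            findings.append(f"{key}: unresolved lookup value {{{name}}}")
        if key in HOST_KEYS and not unresolved and not HOSTNAME.match(resolved):
            findings.append(f"{key}: {resolved!r} is not a valid host name")
        if key in SECRET_KEYS and TOKEN.search(raw):
            findings.append(f"{key}: secret is supplied by lookup value {raw}")
    return findings
```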
Conditional Logic and Smart Groups
Combining custom profiles with Workspace ONE’s Smart Groups allows for sophisticated conditional deployment.
Smart Group-Based Deployment:
- Create Conditional Smart Groups:
  - Navigate to Groups & Settings → Groups → Assignment Groups
  - Create Smart Groups based on device attributes, user properties, or custom criteria
  - Use complex logic to target specific device populations
  - Test Smart Group membership before deploying profiles
- Deploy Profiles to Smart Groups:
  - Assign custom profiles to appropriate Smart Groups
  - Use different profiles for different device types or user roles
  - Implement progressive deployment strategies
  - Monitor deployment success across different groups
Integration with Workspace ONE APIs
Advanced custom profile management can leverage Workspace ONE’s REST APIs for automation and integration.
API-Based Profile Management:
- Automated Profile Creation:
  - Use APIs to programmatically create and update custom profiles
  - Integrate with external systems for dynamic configuration generation
  - Implement automated testing and validation workflows
  - Create self-service portals for profile management
- Monitoring and Reporting:
  - Use APIs to monitor profile deployment status and compliance
  - Generate custom reports on profile effectiveness
  - Implement automated alerting for profile issues
  - Create dashboards for profile management visibility
Troubleshooting Custom Profiles
Common Issues and Solutions
Based on my experience, here are the most common custom profile issues and their solutions.
Profile Deployment Issues:
- Profile Not Deploying:
  - Check device enrollment status and connectivity
  - Verify Smart Group membership and assignment rules
  - Review profile syntax and validation errors
  - Check for conflicting profiles or settings
- Profile Deployment Failures:
  - Review device logs for specific error messages
  - Check operating system compatibility and version requirements
  - Verify that required certificates or dependencies are present
  - Test profile deployment on a known-good device
Configuration Issues:
- Settings Not Applied:
  - Verify that the configuration syntax is correct for the target platform
  - Check for case sensitivity and formatting issues
  - Ensure that the target application or service supports the configuration
  - Review profile priority and conflict resolution
- Unexpected Behavior:
  - Review the complete configuration for unintended side effects
  - Check for interactions with other profiles or system settings
  - Test the configuration in isolation to identify the root cause
  - Consult platform documentation for configuration limitations
Debugging and Diagnostics
Effective debugging requires understanding the tools and techniques available for each platform.
iOS/macOS Debugging:
- Console and Log Analysis:
  - Use Console.app on macOS to view device logs
  - Filter logs for configuration profile-related messages
  - Look for specific error codes and messages
  - Use Xcode’s Devices window for iOS device debugging
- Profile Validation:
  - Use Apple Configurator 2 to validate profile syntax
  - Test profiles manually before deploying through Workspace ONE
  - Use the command-line profiles tool for detailed analysis
  - Check profile installation status and conflicts
Android Debugging:
- Device Log Analysis:
  - Use ADB (Android Debug Bridge) to access device logs
  - Filter logs for device administration and policy-related messages
  - Check for specific error codes and stack traces
  - Use Android Enterprise diagnostic tools
- Configuration Validation:
  - Validate XML syntax and structure
  - Check for Android version compatibility
  - Verify that the device supports the required management APIs
  - Test configurations on different Android versions and manufacturers
Windows Debugging:
- Event Log Analysis:
  - Check Windows Event Logs for MDM and policy-related events
  - Look for specific error codes and descriptions
  - Use Event Viewer to filter and analyze relevant events
  - Check both System and Application event logs
- PowerShell and Registry Analysis:
  - Use PowerShell to test script execution and validate results
  - Check registry settings to verify configuration application
  - Review PowerShell execution policies and security settings
  - Validate OMA-URI configurations using Windows diagnostic tools
Conclusion: Mastering Custom Profile Configuration
Custom profile configuration in Workspace ONE is both an art and a science. It requires technical expertise, careful planning, and thorough testing, but the results can be transformative for your organization’s device management capabilities. After implementing custom profiles across hundreds of deployments, I can confidently say that mastering this capability is what separates good Workspace ONE administrators from great ones.
Key Success Factors
Organizations that succeed with custom profiles share several common characteristics:
- Methodical Approach: They approach custom profile development systematically, with proper planning and testing
- Documentation Focus: They maintain comprehensive documentation for all custom configurations
- Continuous Learning: They stay current with platform changes and new configuration options
- User-Centric Design: They consider the impact on user experience in all configuration decisions
Looking Forward
As operating systems and applications continue to evolve, custom profiles will remain an essential tool for addressing unique organizational requirements. The key is to use them judiciously—leveraging built-in Workspace ONE features whenever possible and reserving custom profiles for truly unique requirements.
Remember that custom profiles are a powerful tool, but with great power comes great responsibility. Always test thoroughly, document comprehensively, and consider the long-term maintenance implications of your custom configurations. When done right, custom profiles can unlock the full potential of Workspace ONE and provide your organization with precisely the device management capabilities it needs.
The investment in mastering custom profile configuration pays dividends through improved device compliance, enhanced security posture, and the ability to address unique organizational requirements that would otherwise be impossible to meet. As you continue to develop your expertise in this area, you’ll find that custom profiles become an indispensable part of your Workspace ONE toolkit.