profiles —
Profiles Tool for macOS.
profiles is used to handle various profile
types on macOS. Starting with macOS 11.0 (profiles tool 8.0 or later), this
tool cannot be
used to install configuration profiles. You should add your profiles using
the System Settings Profiles
preference pane. Additionally, startup profiles are no longer supported.
Each command verb is listed with its description and optional
individual arguments. Most commands use the -type option to determine which
kind of profile should be used in the command. For those commands, if no
type is specified, the default will be to use the configuration profile
type.
- help
-
Shows abbreviated help
- list
- -type
profile_type -user
user_name -output
output_path
List profiles for a user or when running as root, the device.
- show
- -type
profile_type -user
user_name -output
output_path -cached
Show expanded information for profiles. If the type is set to enrollment,
this will instead show the current server DEP configuration. Obtaining the
enrollment information may be rate limited to 10 times every 23 hours, at
which point it will try to display the information from the local cache.
Should this occur, a note will be displayed with the enrollment
information. If the -cached option is set, the enrollment information will
only be obtained from the local cache.
- remove
- -type
profile_type -user
user_name -identifier
identifier -uuid
uuid -path
file_path -forced
-all
Remove profiles. Attempting to remove a configuration profile requring a
removal password without the correct password will fail.
- status
- -type
profile_type
Display status of the profiles installed on this client. When displaying the
enrollment type status, if the MDM enrollment was user approved, the
status output will show "(User Approved)".
- sync
- -type configuration
For configuration profiles, synchronize current installed set of profiles
with the local users and remove any configuration profiles that belong to
users that no longer exist on this computer.
- renew
- -type
profile_type -identifier
identifier -output
output_path
For configuration profiles, renews any certificates for the specified
profile. For Device Enrollment Program (DEP) enrollments, retry to obtain
the device enrollment configuration, and re-enable the user notification
if enrollment wasn't completed. With enrollments, this call may be rate
limited to 10 times every 23 hours, though it should try to enroll with
cached information if it is available.
- validate
- -type
profile_type -path
file_path
For provisioning profiles, validate the provisioning profile located at the
file_path. For enrollments, re-validate the installed DEP server
information and update any local information, displaying any major
changes. If this information is different from the current enrolled
server, this will not unenroll the client from the current server. This
call may be rate limited to 10 times every 23 hours.
- version
-
Displays current tool version.
-type
profile_type- The profile_type can be one of either: "configuration",
"provisioning", "bootstraptoken", or
"enrollment" (DEP). If a command requires a profile type and
none is specified, "configuration" will be used.
-path
file_path- A file path or "-" to represent stdout. When used by the remove
command for startup profiles, this should only contain the file name of
the profile.
-user
user_name- An OD short user name. In most cases if no user was specified, then the
current user will be used. If no user option was specified and the process
runs as root, the computer/device profiles will be used in the
command.
-uuid
profile_uuid- A canonical form UUID to specify a profile's PayloadUUID, such as
5A15247B-899C-474D-B1D7-DBD82BDE5684. Only used by the remove provisioning
profile command.
-identifier
profile_identifier- A profile identifier (PayloadIdentifier) to specify a profile.
-output
output_path- The output path location. The output_path argument must be specified to
use this option, Use 'stdout' to send this informaton to the console. File
output will be written as an XML plist file, or you can use 'stdout-xml'
to write XML to the console. The toplevel key of the dictionary will
contain either the user name, or _computerLevel for device or provisioning
profile information.
-password
password- An optional password used when removing a configuration profile which
requires the password removal option.
-forced- This will prevent confirmation requests, and when trying to remove all
configuration profles for a user, it will ignore any errors during
removal.
-all- For configuration profiles, when running as root, the use of this option
with the list or show commands will display all profiles installed on the
system. When removing profiles, using this option will remove all profiles
for that user (or device).
-cached- A flag to indicate that information should only be obtained from the local
cache. This is currently used for the show command's enrollment
option.
-verbose- Display additional information.
- configuration
- A configuration profile.
- provisioning
- A provisioning profile.
- enrollment
- A device enrollment program (DEP) or mobile device management (MDM)
enrollment profile or feature.
- bootstraptoken
- Bootstrap Token options. Requires MDM supervised client.
- profiles remove -path /profiles/testfile2.mobileconfig
- Removes the configuration profile file '/profiles/testfile2.mobileconfig'
into the current user.
- profiles list -type provisioning
- Displays a list of installed provisioning profiles.
- profiles list -all
- When running as root, this will list all configuration profiles on the
system.
- profiles show
- Displays extended information for installed configuration profiles for the
current user.
- profiles status -type startup
- Displays information on whether or not startup profiles are set up.
- profiles remove -identifier com.example.profile1 -password pass
- Removes any installed profiles with the identifier com.example.profile1 in
the current user and using a removal password of 'pass'.
- profiles show -type enrollment
- Displays the current DEP configuration information.
- profiles renew -type enrollment
- Re-enables the DEP user notification enrollment messages.
- profiles install -type bootstraptoken
- Creates or updates the Bootstrap Token APFS record and escrows the
information to the server.
- profiles show -type enrollment -cached
- Displays the cached information of an existing DEP enrollment
configuration.