Apple's Device Management Glossary
In this guide we will help you understand the various acronyms and terminology used in the Apple device management ecosystem.
As some terminology is changing or has already been modified by Apple, you may find different generations of acronyms in the technical documentation of different MDM vendors. This guide will try to clear this up by pointing out what legacy terminology is known as today.
- MDM (Mobile Device Management)
- Apple Configurator
- iMazing Configurator
- iMazing Profile Editor
- Apple Business Manager (ABM)
- Apple School Manager (ASM)
- Apple Business Essentials (ABE)
- Automated Device Enrollment (ADE)
- Apps and Books
- Apple Developer Program
- Apple Enterprise Developer Program
- Custom Enterprise App
- Configuration Profile (.mobileconfig)
- Provisioning Profile (.mobileprovision)
- Managed Apple IDs
- User Enrollment (BYOD)
- Device Enrollment
- Organization / Supervising Identity / Supervising Host Certificate
- Public Key Infrastructure (PKI)
- Remote Management
- Volume Purchasing
- Device Enrollment Program (DEP)
- Volume Purchase Program (VPP)
- Student Information System (SIS)
- macOS Server
MDM (Mobile Device Management)
Mobile Device Management (MDM) is a system used by organizations to manage fleets of computers and devices remotely, without the need to have physical access to them. More specifically, MDM solutions allow managing provisioning, deployment and security of devices used by an organization. It encompasses various aspects including setup, configuration, policy implementation, authentication methods, and app licensing and distribution, among others.
In other words, MDM allows IT teams to provide employees with devices that are "ready for use" – saving employees time on configuration of their assigned devices and giving organizations control over what their devices and users can do.
In Apple's ecosystem, MDM applies not only to mobile devices but also to computers (so both Mac laptops and desktops as well as iPhone, iPad and Apple TV devices). For historical reasons it retains the 'mobile' moniker but is taken to simply mean 'remote' management of devices.
Apple has long been offering a vast protocol for third parties to build both internal and commercial MDM services upon, and has recently started offering its own MDM service known as Apple Business Essentials.
For more information please visit the MDM section of our Understanding Supervision, MDM, ADE (DEP), and Volume Purchasing (VPP) guide.
- Wikipedia: Mobile device management
Apple Configurator
Apple Configurator is the name of two device configuration applications developed by Apple: one runs on macOS and the other on iOS.
Apple Configurator for macOS (formerly known as Apple Configurator 2 - AC2) is available for free on the Mac App Store. It allows editing and installing configuration profiles, installing apps, supervising devices, and automatically enrolling devices in an MDM solution locally. It also allows applying blueprints (templates of configurations) to iOS, iPadOS, and tvOS devices to easily configure devices in bulk.
The app was originally launched in 2012 at version 1.0. Later, with version 2.0, the app was renamed Apple Configurator 2 to mark the major changes that came with that version as well as a departure from its predecessor, iPhone Configuration Utility. In 2021, however, the app was renamed back to Apple Configurator with version 2.15.1.
In 2021, Apple launched Apple Configurator for iOS, which is available for free on the App Store. This app is specifically meant for helping IT administrators register iPhone and iPad devices, as well as Mac computers with Apple Silicon or with an Apple T2 Security Chip, in ABM and ASM.
For more information please visit the Apple Configurator page.
iMazing Configurator
iMazing Configurator is a set of tools designed to help administrators configure and provision Apple mobile devices locally, as well as automate backup/erase/update tasks. Like Apple Configurator, it can supervise and enroll devices in an MDM solution as well as install volume-purchased apps, and it supports creating, editing and applying blueprints to a large number of devices simultaneously.
It was developed in response to growing requests from our enterprise customers for a solution that could handle preparing and configuring both company and BYOD iOS devices whilst being mindful of the data they may contain. Compared to Apple Configurator, it also offers more control and advanced options for local provisioning and deployment of fleets of iOS, iPadOS and Apple TV devices.
iMazing Configurator is packaged within the macOS version of our iOS data management app iMazing. There is no separate download – the feature is unlocked via activation of iMazing with an iMazing Configurator Edition license code.
For more information please visit the iMazing Configurator product page.
iMazing Profile Editor
iMazing Profile Editor (IPE) is an application that allows you to create, edit, and sign Apple configuration profiles. It is designed to easily define settings, ready to be deployed locally or via MDM on fleets of iPhones, iPads, Macs and other Apple devices.
A convenient and intuitive user interface generates standards-compliant configuration profiles, eliminating the need to manually code XML files.
Configuration profiles generated with iMazing Profile Editor are compatible with Apple devices and any compliant software or service, including MDM services that support profiles. iMazing Profile Editor also supports export of configured payloads for MDM services that only accept domain-specific Plist files.
iMazing Profile Editor is available both with iMazing as an embedded app and as stand-alone download. It can work in conjunction with iMazing Configurator.
For more information please visit the iMazing Profile Editor product page.
Apple Business Manager (ABM)
Apple Business Manager is a web portal for IT administrators that works in conjunction with third-party mobile device management (MDM) solutions.
It allows organizations to automatically supervise and enroll devices in MDM, and make volume purchases of apps as well as books for assignment in MDM.
In order for devices to be eligible for automatic supervision and MDM enrollment (a technology known as Automated Device Enrollment – ADE), they need to be added to ABM. This can be done after purchase using Apple Configurator (Add devices from Apple Configurator to Apple Business Manager). Devices purchased through Apple, an authorized reseller, or a cellular carrier can, however, be added before shipping.
Finally, ABM allows IT administrators to create and manage the organization's Managed Apple IDs, which are necessary in some corporate environments where employees cannot use personal Apple IDs.
The technologies mentioned above used to exist as separate programs and in 2018 were combined to create Apple Business Manager as one consolidated service.
For more information about ABM please visit:
Apple School Manager (ASM)
Apple School Manager (ASM) is a version of Apple Business Manager specifically adapted for educational institutions.
In addition to features already available in ABM, ASM also allows school IT administrators to manage classes (for Classroom and Schoolwork) and shared iPads, and is integrated with student information systems (SIS) for quickly creating student and staff accounts and for easily deploying class related content.
Purchases made through ASM are entitled to Apple's educational discounts.
For more information about ASM please visit:
Apple Business Essentials (ABE)
Apple Business Essentials (ABE) is an entry-level mobile device management (MDM) service from Apple which enables organizations to configure and manage their users' mobile devices.
ABE provides basic MDM functionality such as user onboarding, configuration management, application management, and restrictions.
In addition, ABE differs from traditional MDM offerings in that the plan also includes iCloud space for device backups, and integration with AppleCare+ for device repairs.
For more information visit the Apple Business Essentials product page.
Automated Device Enrollment (ADE)
Automated Device Enrollment (ADE, formerly Device Enrollment Program – DEP) is a technology designed to help businesses easily deploy and configure Apple devices. It automates out-of-the-box supervision and enrollment in MDM and simplifies the initial configuration of devices handed out to users.
The technology is available as part of ABM and ASM, and applies to devices that are added to these portals. Using ADE, devices automatically acquire supervision and MDM enrollment during setup after they have been connected to the internet for the first time.
This saves IT departments the need to have devices shipped to them for initial setup before distribution to users. It also ensures that company-owned devices remain locked into MDM for ongoing management, even after they are restored to factory settings.
For more information about ADE please visit:
- Automated Device Enrolment and MDM
- Use Automated Device Enrollment
- Automated Device Enrolment MDM payload list
Supervision
As described in Organization / Supervising Identity / Supervising Host Certificate, supervision expresses a company or institution's ownership of a device. This ownership is enforced by a digital certificate, the supervision identity.
Once a device is supervised, the supervising organization is granted far greater control over it: new restrictions on the device's behavior become available, the end user's passcode/password can be reset, the device can be erased, and in general user consent is no longer necessary to push configurations. Consequently, supervision should only be used on company-owned devices and never in a BYOD context.
The process of supervising a device is generally part of device enrollment. Applying supervision can be done locally with Apple Configurator or iMazing Configurator for iOS, iPadOS, and tvOS devices, or remotely using Automated Device Enrollment for the same types of devices as well as for macOS devices.
For more information please visit the Supervision section of our Understanding Supervision, MDM, ADE (DEP), and Volume Purchasing (VPP) guide.
Apps and Books
Apps and Books (sometimes known as Volume Purchasing, formerly Volume Purchase Program – VPP) is a section of the ABM and ASM portals which allows organizations and schools to purchase application and digital book licenses in bulk, to be deployed and managed silently on devices through MDM, Apple Configurator, or iMazing Configurator.
Thousands of volume-purchasing-enabled applications are available from the App Store or Mac App Store in a wide range of categories. A selection of books from the Apple Books Store is also available for purchase through the section.
Custom applications developed to meet your organization’s specific business needs can also be purchased. Once authorized, they can be deployed in bulk similarly. More information about these is available on Apple's Learn about Custom Apps in Apple Business Manager page.
Volume purchasing allows organizations to use several payment methods. It also provides license portability between organization users and devices as well as centralized billing.
For more information on Volume Purchasing visit Apple's Intro to purchasing content in Apple Business Manager.
Apple Developer Program
The Apple Developer Program is a comprehensive membership program designed to provide resources, tools and support for developers and organizations to create, test and distribute applications for Apple's platforms, including iOS, iPadOS, macOS, watchOS and tvOS.
The program grants access to beta software, developer forums, technical support and the ability to submit apps to the App Store for distribution to end users.
In addition, the program also provides access to features such as Apple Pay, Game Center and In-App Purchases that can be used to monetize the developed apps.
The program is available at different levels such as individual and organizational, with each level offering different capabilities and benefits to members. A similar program called the Apple Enterprise Developer Program offers even more capabilities specifically needed by enterprise developers.
For more information please head over to the Apple Developer Program page.
Apple Enterprise Developer Program
The Apple Enterprise Developer Program is a specialized membership program designed for businesses and organizations to develop, test and distribute proprietary iOS, iPadOS, macOS, watchOS and tvOS applications to their internal employees.
The program grants access to beta software, developer forums, technical support and the ability to distribute apps via a mobile device management (MDM) system, outside of the App Store.
This program is offered exclusively for organizations and is designed to meet the needs of large companies and organizations that require the development and distribution of internal proprietary applications to their employees. A similar program called the Apple Developer Program is available for all other developers.
For more information please head over to the Apple Enterprise Developer Program page.
Custom Enterprise App (In-House)
Custom enterprise apps, also known as in-house apps, are proprietary software applications developed and distributed specifically for use by a particular organization or business.
They are not available on the public app store, but are intended for internal use by employees, members or partners of the organization.
These apps are designed to meet the specific needs of the organization, improve work efficiency, automate internal processes, or provide specialized functionality not available in standard apps. Common examples of internal applications are internal HR tools, inventory management systems, or company-specific communication platforms.
They are designed specifically for macOS, iOS or iPadOS, and allow organizations to create apps that can be installed on these operating systems without passing App Review (which is a requirement for any other type of app).
These applications are deployed through a mobile device management (MDM) solution and are only accessible to members of the organization, ensuring data security and privacy.
Configuration Profile (.mobileconfig)
Apple configuration profiles are small data files that are used to apply certain configurations to macOS, iOS, iPadOS and tvOS devices. They can contain various settings, restrictions, certificates, and other content that enable or disable functionality on the device.
The profiles allow a device owner to load sets of predefined settings to their device with minimal or no interaction at all, instead of having to enter the settings manually on the device itself. They include some of the most common settings found in the Settings app on the device. Among them are settings to configure Wi-Fi networks, email accounts, desired passcode behavior, pop notifications, VPNs and more.
Configuration profiles can also include settings that are not available through the Settings app, such as which certificates should be provided on the device and which web clips the device should show on the home screen. They can also, for instance, install custom fonts on the device.
Furthermore, through configuration profiles a device owner can set certain restrictions on the device such as disabling the cameras, turning off iCloud or other Apple services, forcing encryption and passcode, and more.
Organizations that manage hundreds of devices or more typically use configuration profiles to load all of their necessary organizational settings onto a device in one go, and to place restrictions according to their compliance and data protection policy.
Configuration profiles can be encrypted in order to protect sensitive settings, and can be digitally signed to authenticate their issuer.
Apple Configuration Profiles can be created and edited with iMazing Profile Editor.
For more information please read our Configuration Profiles guide.
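Because a profile can install certificates, networks and restrictions in one step, it is worth reviewing what a .mobileconfig file contains before it is installed. The following is an added example, not code from iMazing or Apple: it lists a profile's payload types and notes whether the file is a bare property list or sits inside a signature wrapper. The choice of which payload types to flag, the function names, and the sample profile are assumptions made for this example.

```python
import plistlib

# Real Apple payload type identifiers; which ones to flag is this example's choice.
HIGH_IMPACT = {
    "com.apple.security.root": "installs a trusted root certificate",
    "com.apple.security.pkcs12": "installs an identity (private key and certificate)",
    "com.apple.vpn.managed": "configures a VPN",
    "com.apple.wifi.managed": "configures a Wi-Fi network",
    "com.apple.applicationaccess": "applies device restrictions",
    "com.apple.mobiledevice.passwordpolicy": "sets passcode policy",
    "com.apple.mdm": "enrolls the device in MDM",
}


def extract_plist(data: bytes):
    """Return (plist_bytes, has_signature_wrapper).

    An unsigned profile is a bare property list. A signed profile is a
    DER-encoded CMS structure (first byte 0x30) that carries the plist inside.
    Locating the XML by its markers is a heuristic: it does NOT verify the
    signature and can miss content that the encoder split into chunks.
    """
    stripped = data.lstrip()
    if stripped.startswith((b"<?xml", b"<plist", b"bplist00")):
        return stripped, False
    if data[:1] == b"\x30":
        start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
        if 0 <= start < end:
            return data[start:end + len(b"</plist>")], True
    raise ValueError("not a recognizable configuration profile")


def audit_profile(data: bytes) -> dict:
    """Summarize a profile: identity, wrapper, encryption, payload types."""
    plist_bytes, wrapped = extract_plist(data)
    profile = plistlib.loads(plist_bytes)
    if not isinstance(profile, dict):
        raise ValueError("top-level plist object is not a dictionary")
    report = {
        "name": profile.get("PayloadDisplayName"),
        "identifier": profile.get("PayloadIdentifier"),
        "signature_wrapper": wrapped,
        "encrypted": "EncryptedPayloadContent" in profile,
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "payload_types": [],
        "findings": [],
    }
    if report["encrypted"]:
        report["findings"].append("payloads are encrypted; cannot be reviewed offline")
    payloads = profile.get("PayloadContent", [])
    for payload in payloads if isinstance(payloads, list) else []:
        if not isinstance(payload, dict):
            continue
        ptype = payload.get("PayloadType", "<missing>")
        report["payload_types"].append(ptype)
        if ptype in HIGH_IMPACT:
            report["findings"].append(f"{ptype}: {HIGH_IMPACT[ptype]}")
    if not wrapped:
        report["findings"].append("no signature wrapper: issuer cannot be authenticated")
    return report


def build_sample_profile() -> bytes:
    """Constructed sample profile; every value here is made up for the example."""
    def payload(ptype, n, **extra):
        return {"PayloadType": ptype, "PayloadVersion": 1,
                "PayloadIdentifier": f"com.example.baseline.{n}",
                "PayloadUUID": f"00000000-0000-0000-0000-00000000000{n}", **extra}
    return plistlib.dumps({
        **payload("Configuration", 1),
        "PayloadDisplayName": "Example Corp Baseline",
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [
            payload("com.apple.wifi.managed", 2, SSID_STR="ExampleCorp"),
            payload("com.apple.security.root", 3,
                    PayloadContent=b"placeholder bytes, not a real certificate"),
            payload("com.apple.font", 4),
        ],
    })


if __name__ == "__main__":
    for key, value in audit_profile(build_sample_profile()).items():
        print(f"{key}: {value}")
```

A file that reports a signature wrapper still needs its signature and certificate chain verified with a CMS-capable tool before the issuer can be trusted.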
Provisioning Profile (.mobileprovision)
Provisioning profiles are used to distribute apps. They enable macOS, iOS, iPadOS, and tvOS devices to run applications that were developed by the owner of a profile, without having to download the app from the App Store.
They are typically used by app developers during the development process to load apps into development or test devices, which will otherwise not run apps not digitally-signed by Apple.
Provisioning profiles are issued by Apple for developers on a per-device basis. This means that a single provisioning profile is good only for the device it was issued for.
For more information please read Apple's documentation:
- Create a development provisioning profile
- Create an ad hoc provisioning profile (iOS, tvOS, watchOS)
Managed Apple IDs
A managed Apple ID is a specially created and controlled Apple account that is assigned to employees, students or members of an organization, for use in place of personal Apple IDs. These accounts are managed by an administrator with ABM or ASM and provide access to Apple services such as iCloud Drive, Contacts, Calendars, etc. However, unlike with traditional Apple IDs, they cannot make content purchases on the App Store, on the iTunes Store, or on Apple Books.
Administrators have the ability to set specific access permissions and restrictions on the use of these accounts. This allows organizations to enforce their policies and compliance requirements. In addition, they can also configure managed accounts for federated authentication which allows streamlined access to different resources in the organization.
For more information please read Apple's documentation:
User Enrollment (BYOD)
User enrollment is designed for BYOD - or bring-your-own-device - deployments. This means that the user, not the organization, owns the device.
User enrollment requires managed Apple IDs. These are owned and managed by an organization and allow employees to access certain Apple services.
User Enrollment is integrated with Managed Apple IDs to establish a user identity on the device. However, the Managed Apple ID can be used in conjunction with the personal Apple ID that the user has already signed in with: the two do not interact with each other.
There are two main ways for users to enroll a personal device in User Enrollment:
- User enrollment through an account
- User enrollment by manually installing an MDM enrollment configuration profile
Once the user enrollment is complete, a separate volume is automatically created on the device. This volume contains the software related to the professional use of the device.
Follow this link for more information about User Enrollment methods.
Device Enrollment
Device Enrollment allows an organization to enforce its ownership of a device. The enrollment is applied at the device level rather than at the user level. The device is enrolled in an MDM solution or a local management tool before the user receives it.
Device Enrollment usually implies supervising the device with a supervising identity to enforce the organization ownership.
Device enrollment allows applying a broader set of configuration profile payloads and settings to a device. For situations where the user has left the organization or forgot their passcode/password, the supervising identity allows for resetting it as well as for erasing the device.
Device enrollment can be done locally with Apple Configurator or iMazing Configurator, or remotely using Automated Device Enrollment.
Follow this link for more information about Device Enrollment.
Organization / Supervising Identity / Supervising Host Certificate
In the context of mobile device management, an Organization (also known as the Supervision Identity or the Supervising Host Certificate) is a digital certificate containing metadata about the owning organization (name, department, address, etc.). The certificate is used during supervision to establish a privileged link between iOS/iPadOS devices and their supervising host, and later to allow the host to make any privileged modifications to the device.
When supervising locally, a host is typically a computer running iMazing Configurator or Apple Configurator. In this scenario the applications used to manage supervision allow users to generate organizations and save them to the computer certificate store (Keychain on macOS and Certificate Store on Windows). When supervising using Automated Device Enrollment via ABM or ASM, the host is typically the MDM server assigned to the supervised device, and the certificate is stored by that server.
Since the certificate is required to make privileged changes to supervised devices, some MDM vendors allow exporting MDM-generated certificates and importing externally-generated ones.
For more information please read our Organization & Supervision guide.
Blueprint
A blueprint in the context of device management is a template containing a set of configurations and actions. MDM solutions or tools such as Apple Configurator or iMazing Configurator can apply blueprints to multiple devices to prepare and configure them. A blueprint can contain a list of configuration profiles, a list of apps that need to be installed and some actions such as erasing the device, updating the OS, supervising the device with a supervising identity, restoring a backup, etc.
Certificate
A certificate is an electronic document that contains information about an entity, such as a person or organization, and is often issued by a trusted third party called a certificate authority (CA). Certificates can be used for encrypting and signing data, authenticating users and devices, and establishing trust between different parties.
In Apple's mobile device management (MDM) context, certificates are used to establish trust and secure communication between the MDM server and the managed devices. They are used to ensure that only authorized devices can communicate with the server and to authenticate users and secure data on the devices.
PKCS #12
For importing and exporting supervising identities, Apple uses the PKCS #12 file format, which is specifically designed to store a private key and its associated certificate(s) securely in one file. It is protected by a password or passphrase and can also be used to store multiple private keys and certificates.
The file format is binary and the file extension is usually .p12 or .pfx. From a historical point of view, the PKCS #12 format is a successor to the PFX format used by Microsoft. However, the terms PKCS #12 and PFX are sometimes used interchangeably. This format is widely supported by many different applications and platforms including Windows and macOS.
Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI) is a collection of tools and processes used to establish a secure method of exchanging digital information over the internet. At the heart of PKI is the use of a pair of cryptographic keys, one public and one private, to encrypt and decrypt data. This allows for secure communication without the need for a shared secret key.
PKI also includes the use of a trusted third party, known as a certificate authority (CA), which is responsible for issuing digital certificates. These certificates are used to confirm the identity of the certificate holder, as well as to link a public key with the identity of an individual, organization, or device.
PKI is widely used in various applications, such as secure email, online transactions, virtual private networks, digital signatures, and more.
Apple's PKI page lists many of the company's root and intermediate certificates, as those are required in order to establish trust in documents, websites, and files signed with certificates that the company issues.
Remote Management
Remote Management in the context of Apple mobile device management (MDM) and ABM or ASM refers to the ability to remotely configure and control a fleet of Apple devices, including iPhones, iPads, and Macs, using an MDM server.
IT administrators can use the server to manage the devices by enrolling them, configuring settings, and installing apps. They can also use the server to monitor the devices, including their location, battery level, and compliance with security policies.
Additionally, Remote Management allows IT administrators to remotely wipe or lock a device if it is lost or stolen, or if it is not in compliance with security policies, to protect company data and ensure compliance with company policies.
Overall, the Remote Management feature gives IT administrators central control over an organization's Apple devices and helps ensure data security and compliance with company policies.
You can easily see this when you receive a device pre-configured by ABM/ASM and an MDM: the Remote Management screen appears during setup and displays the name of the organization that manages it.
Volume Purchasing
Volume Purchasing is the ability for organizations to purchase content from Apple in bulk from inside of the ABM or ASM portals, where it is found under the section named Apps and Books.
Device Enrollment Program (DEP) (legacy)
Device Enrollment Program (DEP) was originally an independent program that was later merged into ABM and ASM, and is today known as Automated Device Enrollment.
Volume Purchase Program (VPP) (legacy)
Volume Purchase Program (VPP) was originally an independent platform that was later merged into ABM and ASM, and is today known as Apps and Books.
Student Information System (SIS)
A student information system (SIS) is a software solution that allows educational institutions to digitize and therefore manage student information more efficiently.
It is a system that allows educational institutions to make all student information, such as course materials and class schedules, available online.
For more information about SIS in Apple device management context, please visit Apple's Student Information System page.
macOS Server (legacy)
macOS Server, also known as Mac OS X Server (first version was named 10.1 Puma Server) and later OS X Server, was provided as the server operating system for the Xserve rack-mounted server computers designed by Apple. It was also optionally preinstalled on the Mac Mini and Mac Pro. It used to also be sold separately for use on any Macintosh computer that met the minimum system requirements.
Starting with Mac OS X 10.7 Lion, macOS Server was offered as an add-on package, distributed through the Mac App Store and installable over the conventional Mac operating system.
In April 2022, Apple announced that it had discontinued macOS Server and that the most popular features (caching server, file sharing server, and Time Machine server) were already included in every copy of macOS High Sierra (or later versions), so users could still access them.
macOS Server allowed the use of different Apple services such as Profile Manager, Open Directory or Xsan. It also allowed a Mac to take on several of the popular server roles such as Firewall, VPN, RADIUS, DHCP, DNS, etc.
Current macOS Server customers can still download and use the application with macOS up to and including Monterey.