Profiles Tool. Install, remove or list configuration profiles, install provisioning profiles.
Some commands only work with elevated privileges, or for the current user.
Syntax profiles [[-I | -R | -i] [-F file_path_to_profile | -]] [[-L] [-U username]] [[-r] [-p profile_id] [-u uuid] [-o output_file_path]
[-Y shortname]] [-PHDdCchfvxVzYeN] Key -C List all device configuration profile information for the computer. -c List all provisioning profile information. -D Delete existing device configuration profiles (requires root privileges) -d Delete existing provisioning profiles (requires root privileges) -e Print the Device Enrollment configuration, if any, for the computer. Can be combined with the -o option to write output to a plist. -I Install a configuration profile for a particular user from a profile file. -i Install a provisioning profile from a profile file. -L List configuration profile information for a particular user, or the current user if no Username was specified. -f Automatically confirm any questions, or when used with -s, will retry startup profiles at each startup until successfully installed. -F filenamepath Specify the file path to the profile file. Use '-' as the file path to input the configuration profile (not provisioning profile) XML plist via stdin. -h Display help. -H Returns whether configuration profiles are installed. -N Re-enable the user notifications for DEP enrollment. -o path The output file path for profile information (-L, -P, -C, -c) as a plist file. The path argument must be specified to use this option, Use 'stdout' to send this informaton to the console. File output will be written as an XML plist file, or you can use 'stdout-xml' to write XML to the console. The toplevel key will contain the user name, or _computerLevel for device or provisioning profile information. -P List configuration profile information for everyone. Profiles must have unique toplevel PayloadUUIDs in order for them to be distinguished as different profiles, so different users with the same toplevel PayloadUUIDs will be treated as the same payload for display purposes. -p profile A profile identifier used to locate the configuration or provisioning profile.(only used for removal) -r Remove a provisioning profile given a identifier and uuid. -R Remove a configuration profile for a particular user from a profile file. -s filenamepath Set filenamepath as a startup profile. (Requires root privileges) -S Sync up and remove any configuration profiles that aren't assigned to any current local user. Requires root privileges. -u A uuid identifier used to locate the provisioning profile. The uuid must be in its canonical 36 character form. -U Specify the short username (destination). If installing or removing a profile as root (or sudo), the designated user must be logged in. -v Enable verbose mode. A 'pass' or 'fail' indicator may also be displayed based on the command return status to stdout. -V Verify a provisioning profile from a profile file. -W Attempt to renew the certificates in an installed profile. -x Display tool version number. The version is in the format x.yy, where x will change if new or incompatible commands are added. The version initially starts at 2.00 -Y Specify the shortname of a local user that will be enrolled with MDM if the configuration profile being installed contains an MDM payload. Will only be used if the profile is being installed as root. -z The profile removal password. If not specified and the profile requires a removal password, you will be prompted.
Certain configuration profiles may be marked as a device profile (system) using the PayloadScope key. However, the profiles tool will ignore the PayloadScope key and install the profile based on how the profile is installed; either a user profile if installed from a user, or a device profile if installed from root (or sudo).
If you are installing a profile as root, you may use the -U parameter to install or remove the profile for that active user.
Specific payload dictionary information is not available since it may contain sensitive information. Non-sensitive information can be viewed using the System Report.
Because this command line tool was not designed to ask for missing information, some profiles may fail to install properly. The only recourse is to insert the missing information before installing the configuration profile. The System Preferences application's Profiles pane is designed to handle the querying of missing information.
Configuration profiles installed to the wrong user domain (user vs system) may not behave in the way you expect since the information may not be useful to that particular domain. For example, adding a Mail payload to the system domain will not do anything since Mail payloads must have a user account. Additionally, since profiles are stored by the user shortname and only stored on the local client, care should be taken to not install a profile that could be used by a same named local user.
The profiles tool should only be used from the /usr/bin folder since certain operations are privileged and may fail if moved.
Install the profile file 'testfile.mobileconfig' into current user.
$ profiles -I -F /testfile.configprofile
Remove the profile file '/profiles/testfile2.mobileconfig' into the current user.
$ profiles -R -F /profiles/testfile2.configprofile
Install the application provisioning profile 'foo.mobileconfig' into current user:
$ profiles -i -F /myprofiles/foo.mobileconfig
Remove a provisioning profile:
$ profiles -r -p com.example.123 -u 00000000-0000-0000-0000-000000000000'
Return whether or not configuration profiles are installed on the system:
$ profiles -H
Display information on all installed configuration profiles on the system:
$ profiles -P
Display information for installed profiles for the current user:
$ profiles -L
Display information for installed profiles for the current user and sends the output as a dictionary to /outputfile.plist
$ profiles -L -o /outputfile
Display extended information for installed configuration profiles for the current user:
$ profiles -Lv
Remove any installed profiles with the identifier com.example.profile1 in the current user and using a removal password of
$ profiles -R -p com.example.profile1 -z pass
Set up the profile as a startup profile to be triggered at the next system startup time. If the profile can't be installed,
it will try again at next startup time:
$ profiles -s -F /startupprofile.mobileconfig -f
Install the configuration profile read in from stdin. The stdin data must be a fully formed XML plist containing the
configuration profile information:
$ profiles -I -F - < /configprofile.mobileconfig
“ I would look at my profile and be like, 'Look at this girl! She has, like, the most perfect life!' and I would feel so guilty for not feeling blessed all the time” ~ Alexis Ren
Related macOS commands:
createhomedir - Create and populate home directories on the local computer.
dscl - Directory Service command line utility.
diskutil - Disk utilities.
sysadminctl - Administer system user accounts.
Apple Support - Use secure token, bootstrap token and volume ownership in deployments.