People don't realize they can implement enterprise-grade security on their iPhone without expensive MDM (Mobile Device Management) solutions.
While these profiles don't provide the remote management capabilities of a true MDM solution, they deliver the same security hardening that enterprises use to protect their devices. It's not as controlled as a corporate deployment, but you get the exact same security settings and restrictions. Think of it as bringing enterprise security to your personal device.
Configuration Profiles - why?
Configuration profiles are XML files that tell your iPhone how to behave. They can enforce password policies, restrict network connections, disable vulnerable features, and much more. The beauty is that once installed, these settings persist even if you forget to manually enable them each time.
I've created two profiles:
- Balanced Security Profile - Maintains usability while significantly improving security
- Maximum Security Profile - Extreme protection that sacrifices convenience for security
Before You Begin: Essential Configuration Steps
Setting Up Your Wi-Fi Network
Both profiles include Wi-Fi security settings that need to be customized with your network information. Here's how to modify them:
- Copy the code into your iOS text editor as a .mobileconfig file (I use Runestone on the App Store)
- Find this line:
<string>CONFIGURE_YOUR_NETWORK_HERE</string>
- Replace CONFIGURE_YOUR_NETWORK_HERE with your actual Wi-Fi network name (SSID)
- Example:
<string>MyHomeNetwork</string>
- Save the file, keeping the .mobileconfig extension
Optional: Adding VPN Configuration
If you use a VPN service, you can integrate it into the profile. The Maximum Security profile includes a VPN template section. To configure it:
- Locate the VPN Configuration section in the XML (look for "com.apple.vpn.managed")
- If you don't use VPN, delete the entire VPN dict section (from <dict> to </dict> for that payload)
- If you use VPN, you'll need to modify these fields:
- <string>IKEv2</string> - Change to your VPN type (IKEv2, IPSec, L2TP)
- Add server address: <key>RemoteAddress</key><string>your.vpn.server.com</string>
- Add authentication details per your VPN provider's specifications
For most users, I recommend removing the VPN section entirely and using your VPN provider's app instead, as they handle configuration automatically.
Making Profiles Non-Removable
Unfortunately, without supervised mode or DEP enrollment, there's no way to completely prevent profile removal on a standard iPhone. However, you can add password protection to make removal more difficult:
For password-protected removal:
- In the profile's General section, look for the Security settings
- Add these lines before </dict>:
<key>PayloadRemovalDisallowed</key>
<false/>
<key>RemovalPassword</key>
<string>YourPasswordHere</string>
- This requires entering a password to remove the profile
Note on limitations: True non-removable profiles require either supervised mode (which wipes your device) or DEP enrollment through an organization. For personal use, password protection is the best available option.
Profile 1: Balanced Security Configuration
This profile is what I recommend for most users. It significantly improves your security while maintaining day-to-day usability.
What This Profile Does:
Network Protection:
- Blocks auto-joining unknown Wi-Fi networks
- Disables personal hotspot modification
- Requires WPA2 encryption minimum
Authentication:
- 6-character alphanumeric passcode minimum
- 365-day password expiration
- Auto-lock after 5 minutes
- Device wipe after 10 failed attempts
Privacy Features:
- Blocks diagnostic data submission
- Disables location-based ads
- Restricts ad tracking
- No AirDrop (prevents unwanted file sharing)
What Remains Functional:
- iCloud backup and Keychain sync work normally
- Face ID/Touch ID for App Store purchases
- All apps continue to work
- Safari with JavaScript enabled
- Email and messaging apps
- Screenshots and screen recording
Installing the Balanced Security Profile:
Save this as BalancedSecurity.mobileconfig:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<!-- Passcode Policy -->
<dict>
<key>PayloadType</key>
<string>com.apple.mobiledevice.passwordpolicy</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.secure.profile.passcode</string>
<key>PayloadUUID</key>
<string>7D45A528-4B8C-4E6A-9F3E-2C8B5A4D9E11</string>
<key>PayloadDisplayName</key>
<string>Passcode Policy</string>
<key>PayloadDescription</key>
<string>Enforces strong passcode requirements</string>
<key>minLength</key>
<integer>6</integer>
<key>requireAlphanumeric</key>
<true/>
<key>minComplexChars</key>
<integer>1</integer>
<key>maxPINAgeInDays</key>
<integer>365</integer>
<key>maxInactivity</key>
<integer>5</integer>
<key>maxGracePeriod</key>
<integer>0</integer>
<key>maxFailedAttempts</key>
<integer>10</integer>
<key>pinHistory</key>
<integer>2</integer>
</dict>
<!-- Restrictions -->
<dict>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.secure.profile.restrictions</string>
<key>PayloadUUID</key>
<string>8E56B729-5C9D-4F7B-A1E2-3D9C6B5E8F22</string>
<key>PayloadDisplayName</key>
<string>Security Restrictions</string>
<key>PayloadDescription</key>
<string>Balanced security restrictions</string>
<!-- Network Security -->
<key>allowAutoJoin</key>
<false/>
<key>allowPersonalHotspotModification</key>
<false/>
<!-- AirDrop and Sharing -->
<key>allowAirDrop</key>
<false/>
<!-- Privacy Settings -->
<key>allowDiagnosticSubmission</key>
<false/>
<key>forceLimitAdTracking</key>
<true/>
<!-- Safari Security -->
<key>safariForceFraudWarning</key>
<true/>
<key>safariAllowPopups</key>
<false/>
<!-- Lock Screen -->
<key>allowLockScreenControlCenter</key>
<false/>
<key>allowAssistantWhileLocked</key>
<false/>
<!-- USB Security -->
<key>allowUsbAccessoryWhileDeviceLocked</key>
<false/>
<!-- Authentication -->
<key>allowFingerprintUnlock</key>
<true/>
<key>allowFaceIDUnlock</key>
<true/>
</dict>
<!-- Wi-Fi Configuration -->
<dict>
<key>PayloadType</key>
<string>com.apple.wifi.managed</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.secure.profile.wifi</string>
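<!-- PayloadUUID must be a valid hexadecimal UUID; generate your own (for example with uuidgen on a Mac) -->
<key>PayloadUUID</key>
<string>9F67C839-6D8E-5A8C-B2F3-4E0D7C6F9A33</string>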
<key>PayloadDisplayName</key>
<string>Wi-Fi Security Settings</string>
<key>AutoJoin</key>
<false/>
<key>EncryptionType</key>
<string>WPA2</string>
<key>SSID_STR</key>
<string>CONFIGURE_YOUR_NETWORK_HERE</string>
</dict>
</array>
<!-- Profile Metadata -->
<key>PayloadDisplayName</key>
<string>Balanced Security Profile</string>
<key>PayloadDescription</key>
<string>Security configuration that maintains usability while significantly improving protection</string>
<key>PayloadIdentifier</key>
<string>com.secure.balanced.profile</string>
<key>PayloadOrganization</key>
<string>Personal Security Configuration</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>4A56D892-7B9C-5E8D-C3F4-6E1D8C7F0A44</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Profile 2: Maximum Security Configuration
This profile is for situations where security is paramount and you're willing to sacrifice significant convenience. I use this when traveling to high-risk countries or handling extremely sensitive data.
Major Functionality Lost:
- No JavaScript in Safari (most websites won't work)
- No USB connectivity (wireless charging only)
- No Mail app
- No Siri or dictation
- No cookies (constant re-authentication)
- No widgets or Today View
- No screenshots
- 1-minute auto-lock
- No Spotlight search
What This Profile Protects Against:
Network Attacks:
- DNS hijacking (forces encrypted DNS)
- Wi-Fi exploits (blocks auto-join, requires WPA3)
- Bluetooth attacks when locked
- Man-in-the-middle attacks
Physical Access Attacks:
- Cellebrite and similar forensic tools (USB completely disabled)
- Lock screen bypass attempts
- Camera-based exploits
- Quick Reply phishing
Remote Exploits:
- JavaScript-based attacks
- Cookie tracking
- Background app exploits
- Zero-day vulnerabilities (forces immediate updates)
Installing the Maximum Security Profile:
Save this as MaximumSecurity.mobileconfig:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<!-- Passcode Policy -->
<dict>
<key>PayloadType</key>
<string>com.apple.mobiledevice.passwordpolicy</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.secure.profile.passcode</string>
<key>PayloadUUID</key>
<string>7D45A528-4B8C-4E6A-9F3E-2C8B5A4D9E11</string>
<key>PayloadDisplayName</key>
<string>Passcode Policy</string>
<key>minLength</key>
<integer>6</integer>
<key>requireAlphanumeric</key>
<true/>
<key>minComplexChars</key>
<integer>1</integer>
<key>maxPINAgeInDays</key>
<integer>365</integer>
<key>maxInactivity</key>
<integer>1</integer>
<key>maxGracePeriod</key>
<integer>0</integer>
<key>maxFailedAttempts</key>
<integer>10</integer>
<key>pinHistory</key>
<integer>2</integer>
</dict>
<!-- Maximum Security Restrictions -->
<dict>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.secure.profile.restrictions</string>
<key>PayloadUUID</key>
<string>8E56B729-5C9D-4F7B-A1E2-3D9C6B5E8F22</string>
<key>PayloadDisplayName</key>
<string>Maximum Security Restrictions</string>
<!-- Complete Network Lockdown -->
<key>allowAutoJoin</key>
<false/>
<key>forceWiFiToBeOn</key>
<false/>
<key>allowPersonalHotspotModification</key>
<false/>
<key>allowCellularPlanModification</key>
<false/>
<key>allowGlobalBackgroundFetchWhenRoaming</key>
<false/>
<key>allowBackgroundFetch</key>
<false/>
<key>allowBluetoothModification</key>
<false/>
<!-- Complete Sharing Lockdown -->
<key>allowAirDrop</key>
<false/>
<key>forceAirDropUnmanaged</key>
<false/>
<key>allowActivityContinuation</key>
<false/>
<key>allowHandoff</key>
<false/>
<key>allowUniversalClipboard</key>
<false/>
<!-- Safari Maximum Security -->
<key>safariAllowAutoFill</key>
<false/>
<key>safariForceFraudWarning</key>
<true/>
<key>safariAllowJavaScript</key>
<false/>
<key>safariAllowPopups</key>
<false/>
<key>safariAcceptCookies</key>
<integer>0</integer>
<key>safariAllowInlineVideo</key>
<false/>
<!-- Complete Lock Screen Lockdown -->
<key>allowLockScreenControlCenter</key>
<false/>
<key>allowLockScreenNotificationView</key>
<false/>
<key>allowLockScreenTodayView</key>
<false/>
<key>allowAssistantWhileLocked</key>
<false/>
<key>allowPassbookWhileLocked</key>
<false/>
<key>allowCameraOnLockScreen</key>
<false/>
<key>allowNotificationModification</key>
<false/>
<!-- App Restrictions -->
<key>allowInAppPurchases</key>
<false/>
<key>allowAutomaticAppDownloads</key>
<false/>
<key>allowAppClips</key>
<false/>
<key>allowEnterpriseAppTrust</key>
<false/>
<!-- Complete USB Lockdown -->
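<!-- true keeps USB Restricted Mode enforced; false would let accessories connect while the device is locked -->
<key>allowUSBRestrictedMode</key>
<true/>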
<key>allowUsbAccessoryWhileDeviceLocked</key>
<false/>
<key>allowUSBDriveAccess</key>
<false/>
<!-- Disable All Voice Features -->
<!-- allowAssistantWhileLocked is already set in the lock screen section; a dict key must appear only once -->
<key>allowAssistant</key>
<false/>
<key>allowDictation</key>
<false/>
<key>allowSiriSuggestions</key>
<false/>
<key>allowSpotlight</key>
<false/>
<!-- Complete Analytics Lockdown -->
<key>allowDiagnosticSubmission</key>
<false/>
<key>allowDiagnosticSubmissionModification</key>
<false/>
<key>allowAppAnalytics</key>
<false/>
<key>allowCrashReporting</key>
<false/>
<!-- Authentication -->
<key>allowFingerprintUnlock</key>
<true/>
<key>allowFaceIDUnlock</key>
<true/>
<key>allowTrustedSSLCertificates</key>
<false/>
<key>forceEncryptedBackup</key>
<true/>
<!-- Location Lockdown -->
<key>allowLocationServices</key>
<true/>
<key>allowLocationServicesModification</key>
<false/>
<key>allowSystemLocationServices</key>
<false/>
<key>allowLocationBasedAds</key>
<false/>
<!-- Anti-Forensics -->
<key>allowScreenCapture</key>
<false/>
<key>allowScreenRecording</key>
<false/>
<key>allowWidgets</key>
<false/>
<key>allowTodayView</key>
<false/>
<!-- Disable Mail -->
<key>allowMail</key>
<false/>
<key>allowMailDrop</key>
<false/>
<!-- Disable Shortcuts -->
<key>allowShortcuts</key>
<false/>
<key>allowShortcutsModification</key>
<false/>
<!-- Privacy -->
<key>forceLimitAdTracking</key>
<true/>
<!-- Force Updates -->
<key>forceAutomaticSoftwareUpdates</key>
<true/>
<key>forceAutomaticAppUpdates</key>
<true/>
<!-- Messaging Security -->
<key>allowQuickReply</key>
<false/>
<!-- DNS Security -->
<key>forceEncryptedDNS</key>
<true/>
</dict>
<!-- Wi-Fi Configuration -->
<dict>
<key>PayloadType</key>
<string>com.apple.wifi.managed</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.secure.profile.wifi</string>
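<!-- PayloadUUID must be a valid hexadecimal UUID; generate your own (for example with uuidgen on a Mac) -->
<key>PayloadUUID</key>
<string>9F67C839-6D8E-5A8C-B2F3-4E0D7C6F9A33</string>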
<key>PayloadDisplayName</key>
<string>Wi-Fi Maximum Security</string>
<key>AutoJoin</key>
<false/>
<key>CaptiveBypass</key>
<false/>
<key>DisableAssociationMACRandomization</key>
<false/>
<key>EncryptionType</key>
<string>WPA3</string>
<key>SSID_STR</key>
<string>CONFIGURE_YOUR_NETWORK_HERE</string>
</dict>
</array>
<!-- Profile Metadata -->
<key>PayloadDisplayName</key>
<string>Maximum Security Profile</string>
<key>PayloadDescription</key>
<string>Extreme security with major usability impacts. For high-risk situations only.</string>
<key>PayloadIdentifier</key>
<string>com.secure.maximum.profile</string>
<key>PayloadOrganization</key>
<string>Maximum Security Configuration</string>
<key>PayloadType</key>
<string>Configuration</string>
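<!-- PayloadUUID must be a valid hexadecimal UUID; generate your own (for example with uuidgen on a Mac) -->
<key>PayloadUUID</key>
<string>5B67D902-8C9E-6F9B-C4A5-7F2E9D8A1B55</string>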
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Installation Instructions
The installation process is the same for both profiles:
Method 1: Direct Installation (Easiest)
- Download a text editor of your choice from the iOS App Store
- Save the XML content to a text file with the .mobileconfig extension
- Apply the customization required for Wi-Fi and save this file to your iCloud Drive
- Open the Files app
- Open the file from Files on your iPhone - it will automatically open in Settings
- Tap "Install" in the top-right corner
- Enter your device passcode when prompted
- Review the changes and tap "Install" again
- Tap "Install" a third time on the warning screen
- Tap "Done" to complete installation
Method 2: Using Apple Configurator 2 (Mac Only)
- Download Apple Configurator 2 from the Mac App Store (free)
- Connect your iPhone to your Mac via USB
- Open the .mobileconfig file in Apple Configurator 2
- Select your device and click "Add" → "Profiles"
- Select the profile and click "Add"
Verifying Installation
After installation, verify the profile is active:
- Open Settings
- Go to General → VPN & Device Management
- You should see the profile listed under "Configuration Profile"
- Tap on it to see all active restrictions
Removing a Profile
If you need to remove a profile:
- Settings → General → VPN & Device Management
- Tap on the profile
- Tap "Remove Profile"
- Enter your device passcode
- Tap "Remove" to confirm
Note: If you added password protection to the profile, you'll need to enter that password as well.
Which Profile Should You Use?
Use the Balanced Security Profile if:
- You want better security without major inconvenience
- You use your phone for work and personal tasks
- You need all apps to function normally
- You're security-conscious but not paranoid
Use the Maximum Security Profile if:
- You're handling extremely sensitive data
- You're traveling to high-risk countries
- You suspect your device might be targeted
- You can tolerate significant usability restrictions
- You have a second device for normal use
Important Considerations
- These profiles cannot be pushed remotely - Unlike true MDM solutions, you must manually install them on each device
- Updates require reinstallation - To modify settings, you need to remove the old profile and install a new one
- Some apps may break - Particularly with the Maximum Security profile, some apps may not function correctly
- Test before deploying - Always test profiles on a non-critical device first
- Keep a backup profile - Save the XML files somewhere safe in case you need to reinstall
Conclusion
I've been using variations of these profiles for years, switching between them based on my security needs. The Balanced Security profile is my daily driver - it's stopped numerous security issues without getting in my way. The Maximum Security profile is my "going to DefCon" configuration - when I absolutely cannot afford any compromise.
Remember, security is about layers. These profiles are one layer in a comprehensive security strategy that should also include:
- Strong, unique passwords (use a password manager)
- Two-factor authentication everywhere
- Regular iOS updates
- Careful app selection
- Security awareness
Don't let the lack of an enterprise MDM solution stop you from securing your device. With these profiles, you can implement professional-grade security on your personal iPhone today.
Troubleshooting
Profile won't install:
- Ensure the XML is properly formatted (no extra spaces or characters)
- Check that you haven't modified required fields incorrectly
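Both causes above can be checked before the file ever reaches the phone. The following Python script is an added example, not part of the original profiles: it parses a .mobileconfig with the standard library and reports malformed XML, missing required payload keys, invalid or reused PayloadUUID values, repeated keys, and an unreplaced SSID placeholder. The name lint_profile and the embedded sample are constructed for illustration.

```python
import plistlib
import uuid
import xml.etree.ElementTree as ET

PLACEHOLDER = "CONFIGURE_YOUR_NETWORK_HERE"
REQUIRED = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")

def lint_profile(data: bytes) -> list[str]:
    """Return the problems found in an unsigned XML .mobileconfig."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"not a valid plist: {exc}"]
    if not isinstance(profile, dict):
        return ["top-level object is not a dict"]
    problems = []
    # plistlib silently keeps the last value of a repeated key, so scan the raw XML.
    for d in ET.fromstring(data).iter("dict"):
        keys = [k.text for k in d.findall("key")]
        for name in sorted({k for k in keys if keys.count(k) > 1}):
            problems.append(f"duplicate key: {name}")
    seen = set()
    nested = [p for p in profile.get("PayloadContent", []) if isinstance(p, dict)]
    for payload in [profile] + nested:
        label = payload.get("PayloadIdentifier", "<no identifier>")
        problems += [f"{label}: missing {k}" for k in REQUIRED if k not in payload]
        uid = str(payload.get("PayloadUUID", ""))
        if uid:
            try:
                uuid.UUID(uid)
            except ValueError:
                problems.append(f"{label}: invalid PayloadUUID {uid}")
            if uid in seen:
                problems.append(f"{label}: PayloadUUID reused {uid}")
            seen.add(uid)
        if payload.get("SSID_STR") == PLACEHOLDER:
            problems.append(f"{label}: SSID placeholder not replaced")
    return problems

# Constructed sample with three deliberate mistakes (not one of the profiles above).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.wifi</string>
  <key>PayloadUUID</key><string>9F67C839-6D8E-5G8C-B2F3-4E0D7C6F9G33</string>
  <key>AutoJoin</key><false/><key>AutoJoin</key><false/>
  <key>SSID_STR</key><string>CONFIGURE_YOUR_NETWORK_HERE</string>
</dict></array>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadVersion</key><integer>1</integer>
<key>PayloadIdentifier</key><string>example.profile</string>
<key>PayloadUUID</key><string>4A56D892-7B9C-5E8D-C3F4-6E1D8C7F0A44</string>
</dict></plist>"""
```

To check a saved file, pass its bytes, for example `lint_profile(open("BalancedSecurity.mobileconfig", "rb").read())`; an empty list means none of these checks failed.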
Can't remove profile:
- If you set a removal password and forgot it, you may need to reset your device
- Some profiles can only be removed by performing a factory reset if they're installed with certain restrictions
Apps not working after Maximum Security profile:
- This is expected - the profile disables many features
- Consider using the Balanced Security profile instead
- Remove the profile if you need full functionality temporarily