Blueprint Overview
What is a Blueprint
A Blueprint is a collection of configuration settings that defines how a device should behave. Think of it as a policy template — you create one Blueprint with your desired settings (passcode policy, Wi-Fi profiles, restrictions, etc.) and assign it to one or more device groups. Every device in that group automatically receives the same configuration.
Blueprints are the primary mechanism for managing device settings at scale. Instead of configuring each device individually, you define the policy once and let the system propagate it.
How to Create a Blueprint
- Navigate to Configuration Management > Blueprints.
- Click Create Blueprint.
- Give it a name and an optional description.
- Configure the settings you need (see available types below).
- Save the Blueprint.
Once saved, the Blueprint is ready to be assigned to groups.
Available Configuration Types
iOS / iPadOS / tvOS
| Type | Description |
|---|---|
| Passcode | Require a device passcode with configurable complexity, minimum length, and lockout rules. |
| Restrictions | Block or allow device features (camera, app store, in-app purchases, etc.). |
| WiFi | Deploy Wi-Fi network profiles (SSID, security type, certificates). |
| VPN | Configure VPN connections (IKEv2, IPSec, PPTP, or per-app VPN). |
| Content Filter | Filter web content by URL allow/block lists or plug-in-based filtering. |
| Certificate | Install PKCS12 or PEM certificates for identity and trust. |
| SCEP | Deploy Simple Certificate Enrollment Protocol profiles for automated certificate issuance. |
| Configure Exchange ActiveSync or IMAP/POP email accounts. | |
| Exchange | Full Exchange account setup with calendar, contacts, and reminders sync. |
| LDAP | Configure LDAP directory server connection for contact lookup. |
| CalDAV | CalDAV calendar account configuration. |
| CardDAV | CardDAV contact account configuration. |
| Subscribed Calendar | Subscribe to a read-only calendar via URL. |
| Web Clip | Add a web shortcut to the home screen with a custom icon. |
| Single App Mode | Lock a device to a single app (kiosk mode). |
| Global HTTP Proxy | Route all HTTP traffic through a proxy server. |
| DNS Settings | Configure custom DNS servers and search domains. |
| Domains | Mark email domains and managed Safari domains. |
| AirPrint | Pre-configure AirPrint printers by IP or hostname. |
| Home Screen Layout | Define the exact app layout on the home screen and dock. |
| Notifications | Configure notification settings (banners, badges, sounds) per app. |
macOS
| Type | Description |
|---|---|
| Login Window | Customize the macOS login window (banner text, power controls, auto-login). |
| Dock | Pin apps, folders, and recent items in the Dock. |
| Energy Saver | Configure sleep, display-off, and wake timings. |
| Software Update | Enforce OS update behavior (deferrals, automatic updates, beta enrollment). |
| FileVault | Enable full-disk encryption with personal or institutional recovery keys. |
| Firewall | Enable the application firewall and configure stealth mode. |
| Privacy Preferences | Grant specific apps access to privacy-sensitive services (camera, microphone, accessibility). |
| System Extensions | Allow and configure system extensions (network, endpoint security, driver kit). |
| Kernel Extensions | Allow specific kernel extensions by team ID and bundle ID. |
| Login Items | Specify apps and scripts that launch at user login. |
Cross-Platform
| Type | Description |
|---|---|
| Custom Configuration | Upload a raw plist (Apple Property List) for any unsupported or custom configuration profile payload. |
| VPP App Assignments | Assign Volume Purchase Program apps to devices with license management (device-based or user-based). |
Assigning Blueprints to Groups
After creating a Blueprint, assign it to one or more device groups:
- Open the Blueprint detail page.
- Click Assign to Groups.
- Select the target groups from the list.
- Confirm the assignment.
A group can have only one Blueprint assigned at a time. Assigning a new Blueprint to a group replaces the previous one.
Viewing Assigned Groups as Badges
On the Blueprint list page, each Blueprint shows a badge count of how many groups it is currently assigned to. Clicking the badge navigates to the assignment view for that Blueprint.
Blueprint Sync Process
When a Blueprint is created or updated, the system processes the changes as follows:
- Profile generation — The system compiles the Blueprint settings into Apple Configuration Profile format (XML plist).
- Push notification — An APNs push notification is sent to each enrolled device in the assigned groups, signaling a configuration update.
- Device check-in — The device checks in with the MDM server and downloads the updated profile.
- Installation — The device installs the profile and applies the new settings.
This process is asynchronous. Changes typically propagate within minutes, depending on device connectivity and APNs delivery.
