The Apple Configuration and Certificate Controls Policy manages how configuration profiles and certificates are installed and trusted on Apple devices. It is designed to:
Prevent users from manually installing configuration profiles or certificates (for example, via browser download, AirDrop, or Settings/System Preferences).
Enforce strict handling of untrusted HTTPS certificates so users cannot bypass security warnings.
This policy helps ensure that Apple devices in your organization are configured only through approved management channels (such as MDM) and that only trusted certificates are used for secure network connections.
Important: When this policy is assigned to a device, new Swif MDM profiles cannot be installed while the policy remains in effect. In addition, the policy blocks all manual certificate installations (both single and multiple certificates). If you need to deploy new profiles or certificates, you must first remove or disable this policy, complete the installation, and then re‑enable the policy.
Key Capabilities
When enabled and configured, this policy:
Locks configuration to MDM
Prevents users from installing their own configuration profiles or certificates, reducing the risk of:
Users weakening security settings.
Installing rogue Wi‑Fi, VPN, or root certificates.
Circumventing organizational controls.
Enforces strict certificate validation for HTTPS
Automatically rejects untrusted HTTPS certificates without showing the usual “untrusted certificate” prompt, so users cannot “click through” certificate warnings.
Supported Platforms and Requirements
Supported platforms:
macOS
iOS
iPadOS
Minimum OS versions (overall policy):
macOS: 10.15+
iOS: 6.0+
iPadOS: 6.0+
Note: Individual settings within the policy may have higher minimum OS requirements. See each field section below for details.
Ownership / Scope:
Owned and enforced by your organization (company-managed devices only).
Policy Settings
The policy exposes two main controls:
Allow Manual Configuration Profile Installation (allowUIConfigurationProfileInstallation)
Allow Untrusted HTTPS Certificate Prompt (allowUntrustedTLSPrompt)
Each setting is a boolean (true/false) value that you configure per policy.
Allow Manual Configuration Profile Installation
Field name: allowUIConfigurationProfileInstallation
Display name: Allow Manual Configuration Profile Installation
Type: Boolean (true / false)
Default value: true
What this setting does
This setting controls whether users can interactively install configuration profiles and certificates on their devices.
When set to false:
Users cannot install configuration profiles or certificates via:
Browser downloads (e.g., Safari downloading a .mobileconfig file).
AirDrop (received profile or certificate files).
Settings / System Preferences UI.
Devices can only be configured through your MDM or other automated management processes.
This significantly reduces the risk of users:
Adding unauthorized Wi‑Fi, VPN, or email configurations.
Installing custom root or intermediate CA certificates that could intercept or weaken encrypted traffic.
Changing device behavior in ways that conflict with your security policies.
When set to true:
Users are allowed to manually install configuration profiles and certificates via the system UI.
This can be useful in less restrictive environments or for testing, but it increases the risk of misconfiguration or abuse.
Interaction with Swif MDM profiles and certificates
Because this setting blocks interactive profile and certificate installation when false:
New Swif MDM profiles cannot be installed while the policy is active on the device.
All manual certificate installations (single or multiple certificates) are blocked.
If you need to deploy new profiles or certificates:
Remove or disable this policy on the target device(s).
Install the required Swif MDM profiles and/or certificates.
Re‑enable the policy once installation is complete.
Minimum OS requirements
macOS: 13.0+
iOS: 6.0+
iPadOS: 6.0+
Supervision requirement (iOS/iPadOS):
On iOS and iPadOS, preventing manual profile installation typically requires a supervised device. Supervision is usually established via Apple Business Manager or Apple Configurator and is standard for fully managed corporate devices.
Recommended configuration
For most corporate-managed devices:
Set to false to:
Enforce MDM-only configuration.
Prevent end users from installing any unmanaged profiles or certificates.
You might leave it as true only for test devices, developer devices, or special cases where manual profile installation is explicitly required and closely controlled.
Allow Untrusted HTTPS Certificate Prompt
Field name: allowUntrustedTLSPrompt
Display name: Allow Untrusted HTTPS Certificate Prompt
Type: Boolean (true / false)
Default value: true
What this setting does
This setting controls how the device behaves when it encounters an untrusted HTTPS (TLS) certificate.
When set to false:
The system automatically rejects untrusted HTTPS certificates.
No prompt is shown to the user.
Users cannot override the security check by tapping “Continue,” “Trust,” or similar.
Only certificates that are trusted by the system (or your deployed certificate trust store) are accepted.
When set to true:
The system may show a prompt when it encounters an untrusted certificate.
Users can choose to proceed (e.g., by trusting or ignoring the warning), which introduces potential risk:
Users might connect to misconfigured or malicious servers.
Man-in-the-middle attacks are easier if users habitually bypass certificate warnings.
Minimum OS requirements
macOS: 10.15+
iOS: 5.0+
iPadOS: 5.0+
Recommended configuration
For security‑sensitive or corporate environments:
Set to false to:
Prevent users from bypassing certificate warnings.
Ensure that all HTTPS traffic uses certificates trusted by your approved trust stores.
Reduce exposure to misconfigured services and potential man‑in‑the‑middle attacks.
You might leave it as true in special, controlled scenarios (such as test environments or labs) where temporary acceptance of untrusted certificates is necessary and risk is low.
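As an added example (not Swif's own code and not part of this page), the following Python builds a .mobileconfig that carries both settings with the recommended values and reads them back, reporting the documented default of true for any key that is absent. It assumes that the two field names are the keys of Apple's Restrictions payload (PayloadType com.apple.applicationaccess), which this page does not state; the identifier and UUIDs are constructed placeholders that an MDM would normally assign.

```python
import plistlib
import uuid

# Assumption (not stated on this page): these field names are Apple
# Restrictions payload keys, so they live in a com.apple.applicationaccess payload.
RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"

# Recommended values from this page for corporate-managed devices.
HIGH_SECURITY = {
    "allowUIConfigurationProfileInstallation": False,
    "allowUntrustedTLSPrompt": False,
}
# Flexible / test posture: both controls at their documented default of true.
FLEXIBLE_TEST = {key: True for key in HIGH_SECURITY}


def build_profile(settings, identifier="com.example.cert-controls",
                  payload_uuid=None, profile_uuid=None):
    """Return a configuration profile (as a plist dict) wrapping one
    Restrictions payload that carries the given settings.

    identifier and the UUIDs are constructed placeholders. Only the two keys
    documented on this page are accepted, and each must be a real bool:
    plistlib would write 0/1 as <integer>, which is not a boolean restriction.
    """
    for key, value in settings.items():
        if key not in HIGH_SECURITY:
            raise ValueError(f"unknown setting {key!r}")
        if not isinstance(value, bool):
            raise TypeError(f"{key} must be a bool, got {type(value).__name__}")
    payload = {
        "PayloadType": RESTRICTIONS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.restrictions",
        "PayloadUUID": payload_uuid or str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Configuration and Certificate Controls",
        **settings,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": profile_uuid or str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Apple Configuration and Certificate Controls",
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialize the profile to the XML plist bytes a .mobileconfig file holds."""
    return plistlib.dumps(profile)


def read_settings(mobileconfig_bytes):
    """Read the two settings back out of a .mobileconfig. A key that is absent
    reports the default documented above (true), which is also how the device
    behaves when the setting is not managed."""
    profile = plistlib.loads(mobileconfig_bytes)
    found = dict.fromkeys(HIGH_SECURITY, True)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_PAYLOAD_TYPE:
            continue
        for key in found:
            if key in payload:
                found[key] = bool(payload[key])
    return found


if __name__ == "__main__":
    data = to_mobileconfig(build_profile(HIGH_SECURITY))
    print(data.decode())
    print(read_settings(data))
```

The type check matters in practice: a profile generated from a JSON or YAML source that carries 0/1 instead of true/false serializes as integers, and the device will not treat those as the boolean controls described above.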
Example Use Cases
High‑Security Corporate Environment
Allow Manual Configuration Profile Installation: false
Allow Untrusted HTTPS Certificate Prompt: false
Effects:
Users cannot install their own Wi‑Fi, VPN, or custom CA certificates.
All device configuration changes must go through MDM.
Any untrusted HTTPS certificate is silently rejected, and users cannot override it.
New Swif MDM profiles or manual certificates require temporarily disabling this policy.
Flexible / Test Environment
Allow Manual Configuration Profile Installation: true
Allow Untrusted HTTPS Certificate Prompt: true
Effects:
Admins and testers can manually install profiles for development or QA.
Users (or testers) can bypass HTTPS certificate warnings when needed.
This posture is weaker and should not be used for production user populations.
Best Practices
Plan profile deployments around this policy:
If you need to push new Swif MDM profiles or manually install certificates, schedule a temporary window to remove or relax this policy, complete the changes, and then re‑enable it.
Pair with MDM certificate management:
Distribute your organization’s root and intermediate certificates via MDM. Then set:
Manual profile installation to false.
Untrusted TLS prompts to false.
This ensures users can still access internal resources while blocking unapproved certificates.
Apply to supervised, corporate-owned devices:
For shared or bring‑your‑own‑device (BYOD) scenarios, consider whether these restrictions are appropriate, as they may limit user autonomy.
Monitor for connection errors after tightening controls:
When you first disable untrusted certificate prompts, be prepared for:
Some legacy or misconfigured services to stop working.
The need to fix those endpoints or deploy missing CA certificates officially.
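The pairing and ordering rules in these best practices can be checked before a policy is tightened. The following Python is an added example, not Swif's code: it audits the set of profiles installed on one device (constructed sample profiles are embedded in place of what an MDM would report) and flags when either control is unmanaged or left at true, when untrusted TLS prompts are disabled without any CA certificate payload deployed, and when fixing that would require the temporary policy window described above. It assumes the same Apple payload types as the earlier example: com.apple.applicationaccess for the restrictions, and com.apple.security.root or com.apple.security.pem for CA certificates; the profile identifiers and the certificate data are placeholders.

```python
import plistlib

# Assumed Apple payload types (not stated on this page).
RESTRICTIONS = "com.apple.applicationaccess"
CA_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pem"}
CONTROLS = ("allowUIConfigurationProfileInstallation", "allowUntrustedTLSPrompt")

# Constructed sample profile standing in for what the MDM reports as installed.
RESTRICTIONS_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.cert-controls</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowUIConfigurationProfileInstallation</key><false/>
      <key>allowUntrustedTLSPrompt</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""
# Same profile with both controls left at their default of true.
LAX_PROFILE = RESTRICTIONS_PROFILE.replace(b"<false/>", b"<true/>")

# Constructed root CA profile; the <data> is a placeholder, not a real DER certificate.
ROOT_CA_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.root-ca</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadContent</key><data>AAAA</data>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_profiles(profiles):
    """profiles: iterable of (name, .mobileconfig bytes) installed on one device.
    Returns a list of (code, detail) findings; an empty list means the set
    matches the practices above."""
    state = dict.fromkeys(CONTROLS)  # None = not managed by any profile
    ca_sources = []
    for name, raw in profiles:
        doc = plistlib.loads(raw)
        for payload in doc.get("PayloadContent", []):
            ptype = payload.get("PayloadType")
            if ptype == RESTRICTIONS:
                for key in CONTROLS:
                    if key in payload:
                        state[key] = bool(payload[key])
            elif ptype in CA_PAYLOAD_TYPES:
                ca_sources.append(name)
    findings = []
    for key, value in state.items():
        if value is None:
            findings.append(("unmanaged", f"{key} is not set by any profile; device default is true"))
        elif value:
            findings.append(("not_enforced", f"{key} is true; recommended value is false"))
    if state["allowUntrustedTLSPrompt"] is False and not ca_sources:
        findings.append(("missing_ca", "untrusted TLS prompts are disabled but no CA certificate "
                         "payload is deployed; services on a private CA will be rejected silently"))
        if state["allowUIConfigurationProfileInstallation"] is False:
            findings.append(("needs_policy_window", "manual profile installation is also locked; "
                             "deploying the CA first requires removing or disabling this policy"))
    return findings


if __name__ == "__main__":
    for label, installed in [
        ("controls + root CA", [("controls", RESTRICTIONS_PROFILE), ("root-ca", ROOT_CA_PROFILE)]),
        ("controls only", [("controls", RESTRICTIONS_PROFILE)]),
        ("root CA only", [("root-ca", ROOT_CA_PROFILE)]),
    ]:
        print(label, audit_profiles(installed) or "OK")
```

Run against a device that has the controls but no CA payload, the audit returns both missing_ca and needs_policy_window, which is exactly the situation the first best practice tells you to schedule around rather than discover from user-reported connection errors.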
