Skip to main content

Creating a Custom macOS Policy in Swif

Upload any .mobileconfig profile or paste your own XML/PList payload—no waiting for Swif’s pre-built policy catalogue.

Updated today

Why use a custom policy?

  • Add Apple settings that aren’t yet exposed in Swif’s built-in policy list.

  • Re-use a vendor-supplied .mobileconfig (for DNS-filtering, 802.1X, kernel extensions, etc.).

  • Prototype a setting quickly, then roll it out fleet-wide with Swif’s smart-targeting, versioning, and rollback.

1 │ Start the wizard

  1. Device Management → Policies → New Policy.

  2. You’ll land on Basic configurations (step 1 of 4).

2 │ Fill Basic configurations

Field

What to enter

Tips

Policy Name

Friendly title (e.g. “Zoom PPPC profile”).

Shown in the Swif console & reports.

Policy Description

Optional notes for other admins.

Markdown supported.

Type

Mac/iOS/iPadOS.

Switch to Windows to deliver a .json CSP or script instead.

Config Method

Upload .mobileconfig – drag-and-drop a signed or unsigned profile • Write Policy Script – paste raw XML/PList

Use Write Policy Script for small tweaks or to build from scratch.

Identifier

Reverse-DNS string unique in your org (e.g. com.acme.dnsfilter).

Required only for Write Policy Script; Swif auto-reads it from uploaded files.

Payload Content (Write Policy Script)

Your <array>…</array> of payload dictionaries.

No outer <plist> wrapper—Swif adds it. Press Copy to reuse later.

Heads-up: Keep the overall profile ≤ 300 KB and < 64 payloads to stay within Apple MDM limits.

Click Continue.

3 │ Select devices

Target individual Macs or device groups. (Mix-and-match: you can push one profile to all Finance laptops and a different version to Dev laptops.)

4 │ Select device groups

Optional second filter—handy if you first chose “All devices” but need to exclude, say, lab Macs.

5 │ Review & create

Swif shows a diff-style summary:

  • Policy metadata

  • Payload hash & size

  • Target scope

Hit Create and Swif immediately queues a InstallProfile MDM command. Online Macs apply the profile within seconds; offline devices receive it on next check-in.

Updating or removing the custom policy

  1. Policies → open the policy → Edit to upload a new .mobileconfig or update XML.

  2. Swif auto-increments the version, pushes a RemoveProfile followed by an InstallProfile, and keeps previous versions for rollback.

  3. To retire a profile, set Status → Disabled. Swif removes it on next device sync.

Frequently asked questions

Question

Answer

Do I need to sign the .mobileconfig?

No—Swif signs the final profile with its MDM certificate before delivery. If you do sign it, Swif preserves your signature.

Can a bad payload brick Macs?

Swif validates XML syntax and checks for Apple-reserved keys. Malformed profiles are rejected pre-flight.

What about profile conflicts?

Apple applies the most recent payload with the same PayloadUUID. Use unique IDs (or let Swif generate them) to layer settings safely.

Can I mix iOS and macOS payloads?

Yes—choose Mac/iOS/iPadOS and include both payload dictionaries; each device installs only what it supports.

Example minimal PPPC payload (paste into Payload Content)

<array>
    <dict>
        <key>PayloadType</key>
        <string>com.apple.TCC.configuration-profile-policy</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadIdentifier</key>
        <string>com.acme.camera-deny</string>
        <key>PayloadUUID</key>
        <string>{{uuid}}</string>
        <key>PayloadEnabled</key>
        <true/>
        <key>Services</key>
        <dict>
            <key>Camera</key>
            <dict>
                <key>Authorization</key>
                <string>Deny</string>
            </dict>
        </dict>
    </dict>
</array>

Paste, set Identifier =com.acme.camera-deny.profile, deploy to your target Macs—done.

Review Execution Report

If there is an error in the custom policy, the error information is an async process. The policy installation process does not give Swif the error directly. After a custom policy is installed on a device, it returns an error message to Swif. For example, if a requested field is missing in a profile, it will not be installed on the device.

You can view such custom policy execution reports on the Policy > Report tab.

Next steps

  • Need inspiration? Apple’s sample .mobileconfig library → developer.apple.com.

  • Scripting large profiles? Check out profilebuddy or mcxToProfile.

With Swif’s Custom macOS Policy workflow, you can ship any Apple profile across your fleet in minutes—no Jamf-only hacks, no Terminal gymnastics.

Swif Policy glossary – see All Apple policies article instead of creating a custom one.

Related Articles
macOS FileVault Encryption Policy
macOS Application Blocking Policy
Deploying Swif Silently on Mac/macOS Machines
Managing BYOD Enrollment for macOS in Swif
Install/Uninstall SentinelOne Agent (macOS & Windows)
Did this answer your question?