Forge Home


Puppet type/provider to manage macOS profiles


1,358 latest version

4.6 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.1.0 (latest)
  • 1.0.1
  • 1.0.0
released Nov 12th 2020
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
  • Puppet >= 6.0.0 < 7.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'vanagandr42-mac_profile', '1.1.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add vanagandr42-mac_profile
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install vanagandr42-mac_profile --version 1.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



vanagandr42/mac_profile — version 1.1.0 Nov 12th 2020


TravisCI Build Status codecov FOSSA Status

Table of Contents

  1. Description
  2. Setup - The basics of getting started with mac_profile
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.


This module provides basic functionality for macOS profiles via the mobileconfig format. A mobileconfig which is created in Puppet (e.g. with a template) can be used to install, update and remove a profile on a macOS client.


What mac_profile affects

Apart from (obviously) installing and removing profiles, this module writes the mobileconfig files to the Puppet cache directory (e.g. /opt/puppetlabs/puppet/cache/mobileconfigs). These files can be used to install a profile manually if the install verb of the profiles command is not supported by macOS anymore (starting with Big Sur).

Beginning with mac_profile

The basic step to install a profile is to provide the profile name and the mobileconfig string (e.g. using a template) as follows:

mac_profile { 'com.acme.wifi' }
  ensure       => present,
  mobileconfig => epp('profile/module/com.acme.wifi.mobileconfig.epp'),


One issue with profiles is that the original content of the mobileconfig file cannot be extracted again completely from the client. It is obvious why when you consider passwords and keys which can be configured using profiles.

Therefore a workaround is needed to find out if the profile currently installed on the client is the same one as in the mobileconfig in the Puppet catalog. This module diverts the PayloadUUID in the mobileconfig to achieve that: If both are the same the profile is considered to be up-to-date, if they do not match the profile will be updated with the values in the mobileconfig.

There are three ways to manage the UUID:

  • It can be defined in the mobileconfig as PayloadUUID (like it is normally done.)
  • It can be defined in the Puppet resource using the uuid parameter. In this case PayloadUUID must be removed from the mobileconfig.
  • It can be neither defined in the Puppet resource nor as PayloadUUID in the mobileconfig. Here the UUID is generated automatically from a checksum of the mobileconfig. This is the recommended method because changes in the mobileconfig are picked up automatically.

This module can be used both in priviliged and unprivileged mode:

  • If Puppet runs in priviliged mode, this type manages device profiles.
  • If Puppet runs in unprivileged mode, it manages user profiles.

If the mobileconfig contains secrets like a password, it is a good idea to use the Sensitive data type:

mac_profile { 'com.acme.wifi' }
  ensure       => present,
  mobileconfig => Sensitive(epp('profile/module/com.acme.wifi.mobileconfig.epp')),

If there is a suitable certificate in the client's keychain (public & private key), this can be used to sign the mobileconfig:

mac_profile { 'com.acme.wifi' }
  ensure       => present,
  mobileconfig => epp('profile/module/com.acme.wifi.mobileconfig.epp'),
  certificate  => 'My Certificate',

Even encryption can be done:

mac_profile { 'com.acme.wifi' }
  ensure       => present,
  mobileconfig => Sensitive(epp('profile/module/com.acme.wifi.mobileconfig.epp')),
  certificate  => 'My Certificate',
  encrypt      => true,


This module relies on the macOS profiles command, which defines eventually the user experience. An update might run depending on the environment:

  • totally silent,
  • require some user interaction like providing a password
  • or fail altogether because a verb is no longer supported (e.g. in Big Sur)

The only fully automated way to manage profiles is through an MDM. Possibly the create/update/delete methods of the Puppet provider can be adapted to use a vendor specific MDM API instead of the macOS profiles command.