About App Configs and Managed Preferences
As I work on building out my JAMF Github Repo I am constantly looking at sharing some of the configurations that have worked for me and saved me time and effort. Many of these came from the JAMF Library, but some I wrote specifically due to tools and workflows that I had to tackle in my very own ecosystem.
The following iOS App Configs were helpful in automating the configuration of key iOS apps. Some of these were a direct result of the AppConfig Generator. If you are unfamiliar with this amazing tool, I highly recommend checking it out, as it offers a lot of good templates for specific app configurations.
It also allows you to upload App Configurations from specific developers' websites. A good example of this is ZOOM for iOS, which has a great support article on the topic that shows you sample configuration key-value pairs and XML examples to try right in JAMF.
Outlook iOS
Microsoft Outlook is one of those apps that has a great support article outlining how to take advantage of an app config. Using the configuration below I was able to preconfigure the iOS app to ensure that users had to put in the minimal amount of information before using it.
Notice I am using Microsoft Authenticator which is why I called out “ModernAuth” specifically.
<dict>
<key>com.microsoft.outlook.EmailProfile.AccountType</key>
<string>ModernAuth</string>
<key>com.microsoft.outlook.EmailProfile.EmailAddress</key>
<string>$EMAIL</string>
<key>com.microsoft.outlook.EmailProfile.EmailUPN</key>
<string>$EMAIL</string>
<key>com.microsoft.outlook.Mail.FocusedInbox</key>
<false/>
<key>com.microsoft.outlook.Mail.OrganizeByThreadEnabled</key>
<true/>
<key>com.microsoft.outlook.Mail.DefaultSignatureEnabled</key>
<true/>
<key>IntuneMAMAllowedAccountsOnly</key>
<string>Disabled</string>
</dict>
Teams iOS
This one took some research. Yes, you can use the AppConfig Generator, but I specifically only wanted to limit logins. Thanks so much to palmna, a contributor on JAMF Nation who posted here.
<dict>
<key>IntuneMAMAllowedAccountsOnly</key>
<string>Enabled</string>
<key>IntuneMAMUPN</key>
<string>$EMAIL</string>
</dict>
ZOOM iOS
I already mentioned that ZOOM for iOS has a great support page. I only wanted to force SSO, and this AppConfig works great for that, but there are many other options you can set depending on your requirements.
<dict>
<key>ForceLoginWithSSO</key>
<true/>
<key>ForceSSOURL</key>
<string>&lt;SSO Short Name&gt;</string>
</dict>
Box iOS
I used the AppConfig Generator to generate this AppConfig. Using the ID com.box.mdmios/current, I was able to generate this AppConfig, which works great. You must get your Public ID from your CSM.
<dict>
<key>Public ID</key>
<string>&lt;From Client Success Team&gt;</string>
<key>Management ID</key>
<string>$UDID</string>
<key>com.box.mdm.oneTimeToken</key>
<string>$UDID</string>
<key>User Email Address</key>
<string>$EMAIL</string>
<key>Billing ID</key>
<string/>
</dict>
ZOOM macOS
Now we're shifting into the world of macOS managed preferences. ZOOM has a great article, Mass-deploying with preconfigured settings for macOS. Unlike AppConfigs, which you deploy via the app configuration itself, for macOS preferences you upload these PLIST files directly as a configuration profile on computers with the app that you wish to configure.
In this case we are saying that neither Facebook nor Google login is allowed in ZOOM. The article shows the full list of key-value pairs that you can use in your configuration.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>NoFacebook</key>
<true />
<key>NoGoogle</key>
<true />
<key>PayloadDisplayName</key>
<string>Zoom</string>
<key>PayloadIdentifier</key>
<string>us.zoom.config.290336AE-AB44-42F9-A54D-1EDD457C19FC</string>
<key>PayloadType</key>
<string>us.zoom.config</string>
<key>PayloadUUID</key>
<string>290336AE-AB44-42F9-A54D-1EDD457C19FC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>ZOOM Preferences</string>
<key>PayloadIdentifier</key>
<string>7F13E4DE-C754-4EC2-88AE-6272EA33B368</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>B3397A0D-94B9-4996-A80E-75397AAB8118</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
OneDrive macOS
Just like with ZOOM, Microsoft has a great article, Deploy and configure the OneDrive sync app for Mac, which outlines the configurations that you can use with OneDrive.
Here I am disabling the PersonalSync, Tutorial, and ensuring that we hide the dock icon and launch at login. Launch at login is something that lots of admins struggle with, with OneDrive specifically, so I hope this helps some of you out there!
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<!-- true blocks personal OneDrive accounts, matching the description above -->
<key>DisablePersonalSync</key>
<true/>
<key>DisableTutorial</key>
<true/>
<key>AutomaticUploadBandwidthPercentage</key>
<integer>0</integer>
<key>UploadBandwidthLimited</key>
<integer>0</integer>
<key>DownloadBandwidthLimited</key>
<integer>0</integer>
<key>HideDockIcon</key>
<true/>
<key>OpenAtLogin</key>
<true/>
<key>SharePointOnPremFrontDoorUrl</key>
<string/>
<key>SharePointOnPremPrioritizationPolicy</key>
<integer>0</integer>
<key>SharePointOnPremTenantName</key>
<string>&lt;NAME GOES HERE&gt;</string>
<key>DefaultToBusinessFRE</key>
<false/>
<key>EnableAddAccounts</key>
<true/>
<key>FilesOnDemandEnabled</key>
<true/>
<key>IsHydrationToastAllowed</key>
<false/>
<key>HydrationDisallowedApps</key>
<string/>
<key>EnableODIgnore</key>
<array/>
<key>EnableSyncAdminReports</key>
<integer>0</integer>
<key>EnableAllOcsiClients</key>
<false/>
<key>DisableAutoConfig</key>
<integer>0</integer>
<key>DisableHydrationToast</key>
<false/>
<key>BlockExternalSync</key>
<true/>
<key>KFMOptInWithWizard</key>
<string/>
<key>KFMSilentOptIn</key>
<string>true</string>
<key>KFMSilentOptInDesktop</key>
<true/>
<key>KFMSilentOptInDocuments</key>
<true/>
<key>KFMSilentOptInWithNotification</key>
<true/>
<key>KFMBlockOptIn</key>
<integer>0</integer>
<key>KFMBlockOptOut</key>
<false/>
</dict>
</plist>
Conclusion
I hope you enjoyed these snippets and that they help you in your environment. These have worked well for me and I hope we can contribute and enhance the capabilities of the AppConfig Generator as well as start the conversation around pre-configuring software for macOS and iOS.
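Before pasting fragments like these into JAMF, a quick lint catches the mistakes they are most prone to: an angle-bracket placeholder left unescaped inside a `<string>`, `IntuneMAMAllowedAccountsOnly` set to `Enabled` with no `IntuneMAMUPN` to name the allowed account, and a boolean typed as a string. This is an added example, not code from the original post; the function name `lint_app_config` and the sample fragments are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError


def lint_app_config(fragment: str) -> list[str]:
    """Lint a JAMF-style <dict> app-config fragment; return a list of findings."""
    # JAMF takes the bare <dict>; wrap it so plistlib can parse it as a plist.
    wrapped = f'<plist version="1.0">{fragment}</plist>'.encode("utf-8")
    try:
        cfg = plistlib.loads(wrapped, fmt=plistlib.FMT_XML)
    except (ExpatError, plistlib.InvalidFileException, ValueError) as exc:
        # Typical cause: a placeholder such as <Your Value> left inside <string>.
        return [f"not well-formed: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level element is not a <dict>"]

    findings = []
    mode = cfg.get("IntuneMAMAllowedAccountsOnly")
    if mode is not None and mode not in ("Enabled", "Disabled"):
        findings.append(f"IntuneMAMAllowedAccountsOnly: unexpected value {mode!r}")
    # The account restriction only means something if the allowed UPN is set.
    if mode == "Enabled" and not cfg.get("IntuneMAMUPN"):
        findings.append("IntuneMAMAllowedAccountsOnly is Enabled but IntuneMAMUPN is missing or empty")
    for key, value in cfg.items():
        # A <string>true</string> is a string, not a boolean, to the receiving app.
        if isinstance(value, str) and value.strip().lower() in ("true", "false"):
            findings.append(f"{key}: string {value!r} where <true/> or <false/> is likely intended")
    return findings


# Constructed sample fragments (modelled on the snippets in this post).
TEAMS_OK = """<dict>
<key>IntuneMAMAllowedAccountsOnly</key><string>Enabled</string>
<key>IntuneMAMUPN</key><string>$EMAIL</string>
</dict>"""
TEAMS_NO_UPN = """<dict>
<key>IntuneMAMAllowedAccountsOnly</key><string>Enabled</string>
</dict>"""
BAD_PLACEHOLDER = "<dict><key>ForceSSOURL</key><string><SSO Short Name></string></dict>"
STRING_BOOL = "<dict><key>ForceLoginWithSSO</key><string>true</string></dict>"

if __name__ == "__main__":
    samples = {"teams_ok": TEAMS_OK, "teams_no_upn": TEAMS_NO_UPN,
               "bad_placeholder": BAD_PLACEHOLDER, "string_bool": STRING_BOOL}
    for name, frag in samples.items():
        print(name, lint_app_config(frag) or "OK")
```

JAMF variables such as `$EMAIL` and `$UDID` pass through as ordinary strings, since they are only substituted at deployment time.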
If you found this post useful, follow me and comment with questions or feedback. As always, here are the sources I referenced throughout this blog post.
Sources
- JAMF Github Repo
- AppConfig Generator
- ZOOM for iOS AppConfig
- Outlook for iOS AppConfig
- Teams for iOS Discussion re: AppConfig
- Mass-deploying with preconfigured settings for macOS
- Deploy and configure the OneDrive sync app for Mac