Mobile Device Management (MDM) profiles represent one of the most powerful yet underutilized tools for privacy-conscious users. While MDM is often associated with enterprise environments, the underlying technology provides individual users with granular control over device security, app permissions, and data sharing behaviors. This guide walks through setting up MDM profiles specifically for personal privacy enhancement, targeting developers and power users who want deeper control than standard OS settings provide.
Understanding MDM Profiles
An MDM profile is a configuration file that, when installed on your device, instructs the operating system to enforce specific policies. On iOS, these are known as Configuration Profiles. On Android, Enterprise Device Management APIs serve a similar purpose through device owner or profile owner modes.
The key distinction for personal use involves understanding what these profiles can actually control:
- iOS Configuration Profiles: Can manage VPN settings, certificate authorities, app restrictions, network configurations, and MDM enrollment itself.
- Android Device Owner/Profile Owner: Provides far more extensive control including app installations, device settings, and work profile management.
For personal privacy, the goal is not enterprise surveillance but rather self-imposed restrictions that prevent data leakage, limit tracking, and harden the device against unauthorized access.
iOS: Creating and Installing a Configuration Profile
Apple devices support Configuration Profiles through the Settings app. You can create one programmatically using a property list (plist) file or manually through Apple’s Configurator tool.
Creating a Profile Programmatically
A basic MDM profile for privacy purposes uses XML plist format:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Privacy Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.theluckystrike.privacy.restrictions</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>YOUR-UUID-HERE</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowDictation</key>
<false/>
<key>allowCamera</key>
<true/>
<key>forceEncryptedBackup</key>
<true/>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Personal Privacy Profile</string>
<key>PayloadIdentifier</key>
<string>com.theluckystrike.privacy</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>YOUR-ROOT-UUID-HERE</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Save this as privacy.mobileconfig and transfer it to your iOS device via AirDrop, email, or a web server. When opened, iOS prompts you to install the profile in Settings → General → VPN & Device Management.
Practical iOS Privacy Restrictions
Consider these specific restrictions for personal privacy hardening:
- Disable Siri Dictation: Prevents voice data from being sent to Apple’s servers
- Force Encrypted Backups: Ensures iTunes/Finder backups are encrypted (not optional)
- Limit Ad Tracking: While available in Settings, a profile can enforce
allowADTrackingset tofalse - Restrict App Installations: Prevent App Store installations on supervised devices (requires Apple Configurator)
Note that some restrictions require the device to be “supervised” through Apple Configurator, which erases the device during setup. For personal use without supervision, many restrictions remain available through standard Configuration Profiles.
Android: Device Owner and Work Profile Setup
Android provides more flexibility through its Enterprise APIs. The two primary approaches for personal privacy are:
Device Owner Mode (Full Control)
Device Owner grants complete administrative control over the device. This is typically used for single-user devices where you want policy enforcement.
# First, install your MDM app (FDroid or custom)
adb install mymdm.apk
# Grant device owner permissions
adb shell dpm set-device-owner com.mymdm.app/.DeviceAdminReceiver
Once granted, your MDM app can enforce policies like:
- Disable camera access for specific apps
- Block installation from unknown sources
- Enforce disk encryption
- Set password complexity requirements
- Lock down system settings
Work Profile (Privacy-Separated)
For users who want to separate work from personal while maintaining privacy, Android’s Work Profile is ideal. This creates an isolated managed profile where IT policies apply only to work apps, leaving personal data untouched.
// For app developers: Checking if running in managed profile
DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
ComponentName adminComponent = new ComponentName(context, MyDeviceAdminReceiver.class);
if (dpm.isProfileOwnerApp(adminComponent.getPackageName())) {
// Running in work profile - apply work-specific policies
dpm.addUserRestriction(adminComponent, UserManager.DISALLOW_SCREEN_CAPTURE);
dpm.setCameraDisabled(adminComponent, true); // for work apps only
}
The critical advantage: Work Profile policies do not affect personal apps, giving you isolation without full device control.
Automating Profile Deployment
For developers managing multiple personal devices, automation simplifies profile deployment across iOS and Android.
iOS Profile Deployment Script
#!/usr/bin/env python3
import plistlib
import uuid
import os
def create_privacy_profile(output_path):
profile = {
'PayloadContent': [{
'PayloadDisplayName': 'Privacy Restrictions',
'PayloadIdentifier': f'com.theluckystrike.privacy.{uuid.uuid4()}',
'PayloadType': 'com.apple.applicationaccess',
'PayloadUUID': str(uuid.uuid4()),
'PayloadVersion': 1,
'forceEncryptedBackup': True,
'allowADTracking': False,
}],
'PayloadDisplayName': 'Personal Privacy Profile',
'PayloadIdentifier': f'com.theluckystrike.privacy.root.{uuid.uuid4()}',
'PayloadRemovalDisallowed': False,
'PayloadType': 'Configuration',
'PayloadUUID': str(uuid.uuid4()),
'PayloadVersion': 1,
}
with open(output_path, 'wb') as f:
plistlib.dump(profile, f)
print(f"Profile created: {output_path}")
if __name__ == '__main__':
create_privacy_profile('privacy.mobileconfig')
Android Profile Policy Fastlane
If you develop Android apps, you can integrate policy management into your release process:
// build.gradle
android {
defaultConfig {
manifestPlaceholders = [
'deviceAdminReceiver': '.MyDeviceAdminReceiver'
]
}
}
Managing and Removing Profiles
Both platforms allow profile inspection and removal through settings:
iOS: Settings → General → VPN & Device Management → Select Profile → Remove Profile
Android: Settings → Security → Device Admin Apps (for Device Owner) or Work Profile settings
For ongoing privacy maintenance, periodically audit installed profiles. Malicious profiles can restrict device functionality or exfiltrate data, so only install profiles from trusted sources.
Security Considerations
When implementing MDM for personal privacy, consider these trade-offs:
- Recovery: Some profiles (especially supervised iOS devices) may require full erasure to remove
- Updates: OS updates sometimes reset or conflict with profile settings
- Backup: Profile configurations may not transfer between devices or survive factory resets
Store your profile configurations in a secure location (encrypted external drive or password manager) to recreate them if needed.
Related Reading
- How to Prevent Mobile Apps From Fingerprinting Your Device
- Nurse Practitioner Mobile Device Privacy Hipaa Compliant Pho
- How to Set Up WireGuard on VPS for Personal VPN
- Set Up a Personal VPN with WireGuard
- 1password Cli Secrets Management Guide
Built by theluckystrike — More at zovo.one