What is a custom payload?
Apple's MDM protocol supports hundreds of device configuration settings. SuperOps surfaces the primary ones through the policy UI and extends the flexibility for you to set up your own configuration profiles as needed, based on your clients' specific requirements.
That is what custom payloads are for. You write the configuration directly in Apple's native format (plist XML) and push it to devices as part of a policy. The device reads it and applies the setting.
To learn more about Apple configuration profiles and profile-specific payloads, refer to Apple's developer documentation.
How can MSPs leverage this?
Your clients have varied environments, varied tools, and varied expectations. Custom payloads give you one mechanism to handle that complexity across all of them, without building separate solutions for each client.
App configuration and readiness Pre-configure third-party apps with client-specific settings so devices are ready to use the moment they are enrolled. No manual setup on the client's end, no back and forth.
Security and access control Enforce what apps and users can and cannot access at the OS level, silently and without user intervention. This includes Privacy Preferences Policy Control (PPPC), a mechanism that lets you pre-approve or restrict app access to sensitive resources like the microphone, camera, full disk, and contacts before any security tool or app is deployed.
Network and connectivity Push advanced network configurations using custom payloads. Per-app VPN is a good example: routing specific app traffic through a client's VPN without forcing all other apps through it.
Setting up a custom payload
This can be setup across macOS, iOS, and iPadOS. The following steps use a Mac Workstation Policy as the example. To set this up for iOS or iPadOS, navigate to the corresponding policy.
Go to Policy Management Open Settings, select Policy Management, and click the MDM tab. Open the policy you want to configure.
Open Custom Payload In the left sidebar under MDM Configurations, click Custom Payload.
Add a new payload Click New Payload. Give it a descriptive name that reflects what it does. For example, "Per-app VPN for Zoom" tells you exactly what the payload configures: routing Zoom traffic through the client's VPN without forcing all other apps through it. This name appears on the device under Device Management profiles.
Add your configuration Either paste your plist XML directly into the code editor, or click Upload file to import a .mobileconfig, .plist, .xml, or .txt file.
Most security and enterprise software vendors publish MDM deployment guides that include ready-to-use configuration profiles. You can download the .mobileconfig file directly from the vendor's documentation and upload it here without having to write any XML yourself.
If you are writing or editing plist XML directly, make sure your configuration profile includes these mandatory keys: PayloadUUID, PayloadType, PayloadVersion, and PayloadIdentifier. These are required by Apple for any configuration profile to be valid.
Add placeholder variables Your clients have different environments. Placeholder variables let you build one payload that adapts per client and per device at deployment time, instead of maintaining separate versions for every client you manage.
Reference any variable in your plist using
${variableName}. SuperOps replaces it with the actual value for that device when the payload is pushed. Continuing with the VPN example, here is how placeholder variables work in practice:
Using a default field SuperOps already tracks standard attributes for every enrolled device. You can pull any of these directly into your payload without any additional setup. For example,
${clientName}automatically fills in the name of the client the device belongs to:<key>PayloadDisplayName</key>
<string>VPN Policy - ${clientName}</string>Every device gets a profile labelled with its own client name. No manual effort required.
Available default fields: Asset ID, Asset name, Host name, Serial Number, Client name, Site name, Requester Name, and Requester Email
Using a custom field If you would like to store additional information about a client's assets and reference it in a payload, you can create a custom field and use it as a variable. For example, if different clients use different VPN configurations, create a custom field on the asset to capture that client's VPN identifier and reference it in the payload as
${clientVPNID}:<key>UserIdentifier</key>
<string>${clientVPNID}</string>SuperOps fills in each device's client VPN ID at deployment time. One payload, every device gets the right value.To set up a variable, open the Placeholder Variables section in the payload editor. Enter your variable name and map it to the corresponding field from the dropdown. You can add as many variables as your payload requires.
SuperOps supports custom fields across Mac, iOS, and iPadOS devices. Most MDM tools limit you to a fixed set of device attributes. SuperOps gives you the flexibility to manage diverse client environments without having to maintain multiple versions of the same payload.
Save Click Save. The payload is pushed to all devices under that policy. On macOS, verify it landed under System Settings > Privacy and Security > Profiles.
Managing payloads
Once a payload is deployed, the end user can see the configuration profile on their device under System Settings > Privacy and Security > Profiles. The profile is visible but locked. They cannot edit or remove it.
You can add multiple payloads to a single policy. Each deploys as a separate MDM profile on the device. Toggle individual payloads on or off independently. To edit, click the payload name. To delete, use the delete icon. Deletion is permanent and the profile is removed from enrolled devices immediately.
As an admin, you retain full control. If you edit a payload in SuperOps, the updated configuration is pushed to enrolled devices automatically. If you delete a payload, the corresponding profile is removed from the device immediately and the settings it enforced are no longer applied.
Next steps
Learn more on how you can use custom payload for your client environments.
Common ways in which MSPs use custom payload.
Setting up PPPC in SuperOps.