What is a custom payload?
Apple's MDM protocol supports hundreds of device configuration settings. SuperOps surfaces the primary ones through the policy UI and extends the flexibility for you to set up your own configuration profiles as needed, based on your IT organization's specific requirements.
That is what custom payloads are for. You write the configuration directly in Apple's native format (plist XML) and push it to devices as part of a policy. The device reads it and applies the setting.
To learn more about Apple configuration profiles and profile-specific payloads, refer to Apple's developer documentation.
Why IT teams use this
Custom payloads give IT teams the flexibility to enforce configurations that go beyond standard policy settings, directly where tighter organizational control matters most.
App configuration and readiness Pre-configure third-party apps with org-specific settings so they are ready to use the moment a device is enrolled. No manual setup, no employee having to figure out configurations on their own.
Security and access control Enforce what apps and users can and cannot access at the OS level, silently and without user intervention. This includes Privacy Preferences Policy Control (PPPC), a mechanism that lets you pre-approve or restrict app access to sensitive resources like the microphone, camera, full disk, and contacts before any security tool or app is deployed.
Network and connectivity Push advanced network configurations using custom payloads. Per-app VPN is a good example: routing specific app traffic through your organization's VPN without forcing all other apps through it.
Setting up a custom payload
This can be setup acrossmacOS, iOS, and iPadOS. The following steps use a Mac Workstation Policy as the example. To set this up for iOS or iPadOS, navigate to the corresponding policy.
Go to Policy Management Open Settings, select Policy Management, and click the MDM tab. Open the policy you want to configure.
Open Custom Payload In the left sidebar under MDM Configurations, click Custom Payload.
Add a new payload Click New Payload. Give it a descriptive name that reflects what it does. For example, "Per-app VPN for Zoom" tells you exactly what the payload configures: routing Zoom traffic through your organization's VPN without forcing all other apps through it. This name appears on the device under Device Management profiles.
Add your configuration Either paste your plist XML directly into the code editor, or click Upload file to import a .mobileconfig, .plist, .xml, or .txt file.
Most security and enterprise software vendors publish MDM deployment guides that include ready-to-use configuration profiles. You can download the .mobileconfig file directly from the vendor's documentation and upload it here without having to write any XML yourself.
If you are writing or editing plist XML directly, make sure your configuration profile includes these mandatory keys: PayloadUUID, PayloadType, PayloadVersion, and PayloadIdentifier. These are required by Apple for any configuration profile to be valid.
Note: The PayloadIdentifier must be unique within your policy set and across the device. SuperOps does not allow editing the PayloadIdentifier after a payload is saved. Apple devices use this as the key to track and manage each payload on the device. Changing it would cause conflicts.
Add placeholder variables Device environments are rarely uniform. Different employees and locations often need slightly different values in the same payload. Placeholder variables let you build one payload that adapts per device at deployment time, instead of maintaining multiple versions of the same configuration.
Reference any variable in your plist using
${variableName}. SuperOps replaces it with the actual value for that device when the payload is pushed.Continuing with the VPN example, here is how placeholder variables work in practice:
Using a default field SuperOps already tracks standard attributes for every enrolled device. You can pull any of these directly into your payload without any additional setup. For example,
${requesterName}automatically fills in the name of the assigned user:<key>PayloadDisplayName</key>
<string>VPN Policy - ${requesterName}</string>Every device gets a profile labelled with its assigned user. No manual effort required.
Available default fields: Asset ID, Asset name, Host name, Serial Number, Requester Name, and Requester Email.
Using a custom field If you would like to store additional information about your asset and reference it in a payload, you can create a custom field and use it as a variable. For example, if you want the VPN payload to identify which specific employee is using it, create a custom field on the asset and reference it in the payload as
${employeeID}:<key>UserIdentifier</key>
<string>${employeeID}</string>SuperOps fills in each device's value at deployment time. One payload, every client gets the right configuration.
To set up a variable, open the Placeholder Variables section in the payload editor. Enter your variable name and map it to the corresponding field from the dropdown. You can add as many variables as your payload requires.
SuperOps supports custom fields across Mac, iOS, and iPadOS devices. Most MDM tools limit you to a fixed set of device attributes. SuperOps gives you the flexibility to manage diverse client environments without having to maintain multiple versions of the same payload.
Save Click Save. The payload is pushed to all devices under that policy. On macOS, verify it landed under System Settings > Privacy and Security > Profiles.
Managing payloads
You can add multiple payloads to a single policy. Each deploys as a separate MDM profile on the device. Toggle individual payloads on or off independently. To edit, click the payload name. To delete, use the delete icon. Deletion is permanent and the profile is removed from enrolled devices immediately.
Once a payload is deployed, the end user can see the configuration profile on their device under System Settings > Privacy and Security > Profiles. The profile is visible but locked. They cannot edit or remove it.
As an admin, you retain full control. If you edit a payload in SuperOps, the updated configuration is pushed to enrolled devices automatically. If you delete a payload, the corresponding profile is removed from the device immediately and the settings it enforced are no longer applied.
Custom payloads are also automatically revoked when a device unenrolls from SuperOps, or when the enrollment profile is manually removed from the device. Once the device is no longer enrolled, all custom payload profiles are removed and the configurations they enforced are no longer active.
Next steps
Learn more on how you can use custom payload for your IT environment
Common ways in which IT team uses custom payload.
Setting up PPPC in SuperOps.