Profiles are the primary means to manage devices. Configure profiles so that your Linux devices remain secure and configured to your preferred settings.

You can think of profiles as the settings and rules that, when combined with compliance policies, help you enforce corporate rules and procedures. They contain the settings, configurations, and restrictions that you want to enforce on devices.

A profile consists of the general profile settings and a specific payload. Profiles work best when they contain only a single payload.

Wi-Fi Profile for Linux

Configuring a Wi-Fi profile lets devices connect to corporate networks, even if they are hidden, encrypted or password protected.


  1. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile > Linux.
  2. Configure the General Settings for the profile as appropriate.
  3. Select the Wi-Fi payload.
  4. Configure Wi-Fi settings, including:



    Service Set Identifier Provide the name of the network.
    Hidden Network Indicate if the Wi-Fi network is hidden.
    Set as Active Network Indicate if the device connects to the network with no end-user interaction.
    Security Type Specify the access protocol used and certificate are requirements. Required fields depend on the selected security type.

    If None or WPA/WPA 2 are selected, then the Password field displays.

    If WPA/WPA 2 Enterprise is selected, the Protocols and Authentication fields display.

    Protocols - Use Two Factor Authentication SFA Type Authentication - Identity Anonymous Identity Username Password Identity Certificate Root Certificate

    Password To connect to the network, provide the required credentials for the device. The password field displays when WPA/WPA 2 is selected from the Security Type field.
    Proxy Type To configure the Wi-Fi proxy settings enable Proxy Type.
    Proxy Server Enter the hostname or the IP address for the proxy server.
    Proxy Server Port Enter the port for the proxy server.
    Exclusion List To exclude from the proxy, enter the hostnames. Hostnames entered here are not routed through the proxy. Use the * as a wildcard for the domain. For example: * or *
  5. Select Save & Publish.

Credential Profile for Linux

To protect corporate assets and for greater security, implement digital certificates. To implement digital certificates you must define a certificate authority, then configure a Credentials payload alongside your Wi-Fi payload. Each payload has settings for associating the certificate authority defined in the Credentials payload.


  1. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile > Linux.
  2. Configure the profile's General settings as appropriate.
  3. Select the Credentials profile and select Configure.
  4. Use the drop-down menu to select either Upload or Defined Certificate Authority for the Credential Source. The remaining profile options are source-dependent. If you select Upload, you must enter a Credential Name and upload a new certificate. If you select Defined Certificate Authority, you must choose a predefined Certificate Authority and Template.
  5. Select Save and Publish.

Custom Configuration Profile

The Custom Configuration payload can be used to configure your Linux devices with features that Workspace ONE UEM console does not currently support through its native payloads. This payload currently utilizes open source Puppet for this configuration, so nothing other than the free Puppet agent installed on the device to support this functionality.

When a custom configuration profile is assigned to a Linux device, Workspace ONE UEM will pass the manifest to puppet running on the device. Currently, when a device is enterprise wiped or unenrolled, these configuration changes will not be removed from the device unless a removal manifest is defined in the profile.

For more information on Puppet, including sample manifests, please see:

To validate the syntax of your puppet code, please see:


  1. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile > Linux.
  2. Configure the General settings for the profile as appropriate.
  3. Select the Custom Configuration profile and select Configure.
  4. Configure the payload including:



    Name Populate a name that distinguishes this payload from others.
    Enforce Manifest If selected, then reapply the manifest at the data transmit interval configured in Settings > Device & Users > Linux > Intelligent Hub Settings. If deselected, then the manifest executes once when the profile initially pushes to the device.
    Check for Dependency If the puppet manifest has a required dependency, it can be included here. For example, "puppetlabs/stdlib".
    Install Manifest Copy and paste the content of your Puppet Manifest here. This manifest implements on the device assigned in the general tab.
    Remove Manifest This manifest executes on the device when this profile is unassigned from a device. If this manifest is left blank, when a custom configuration profile is removed from a device, the action dictated by the Install Manifest remains on the device.
  5. Select Save and Publish.

Custom Configuration Examples

Puppet Manifest Examples

Although we encourage you to learn and explore Puppet if you are interested in creating custom configuration profiles, to get you started, following are examples of puppet code that can be used on standard Ubuntu. They will not work on other distributions of Linux.

Install Chrome Browser on Ubuntu:

  • Dependency: None
  • Installation Manifest:

file { 'google-chrome-stable_current_amd64.deb': source => '', path => '/tmp/google-chrome-stable_current_amd64.deb', ensure => present, } exec { 'install-chrome': command => '/usr/bin/dpkg -i /tmp/google-chrome-stable_current_amd64.deb', logoutput => true, }

  • Removal Manifest:

package { 'google-chrome-stable': ensure => 'absent', }

Deactivating SSH Server on Ubuntu:

  • Dependency: puppetlabs-stdlib
  • Installation Manifest:

service { 'ssh': name => 'sshd', ensure => false, enable => false,}

Removal Manifest:

service { 'ssh': name => 'sshd', ensure => true, enable => true,}