Networking & Internet: Enterprise Deployment 2011-03-04
Apple Inc. 2011 Apple Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, mechanical, electronic, photocopying, recording, or otherwise, without prior written permission of Apple Inc., with the following exceptions: Any person is hereby authorized to store documentation on a single computer for personal use only and to print copies of documentation for personal use provided that the documentation contains Apple s copyright notice. The Apple logo is a trademark of Apple Inc. No licenses, express or implied, are granted with respect to any of the technology described in this document. Apple retains all intellectual property rights associated with the technology described in this document. This document is intended to assist application developers to develop applications only for Apple-labeled computers. Apple Inc. 1 Infinite Loop Cupertino, CA 95014 408-996-1010 ASSUMING THE ENTIRE RISK AS TO ITS QUALITY AND ACCURACY. IN NO EVENT WILL APPLE BE LIABLE FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES RESULTING FROM ANY DEFECT OR INACCURACY IN THIS DOCUMENT, even if advised of the possibility of such damages. THE WARRANTY AND REMEDIES SET FORTH ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHERS, ORAL OR WRITTEN, EXPRESS OR IMPLIED. No Apple dealer, agent, or employee is authorized to make any modification, extension, or addition to this warranty. Some states do not allow the exclusion or limitation of implied warranties or liability for incidental or consequential damages, so the above limitation or exclusion may not apply to you. This warranty gives you specific legal rights, and you may also have other rights which vary from state to state. App Store is a service mark of Apple Inc. itunes Store is a registered service mark of Apple Inc. Apple, the Apple logo, AppleScript, FaceTime, iphone, ipod, ipod touch, itunes, Keychain, Leopard, Mac, Mac OS, Safari, Snow Leopard, and Xcode are trademarks of Apple Inc., registered in the United States and other countries. ipad and Retina are trademarks of Apple Inc. IOS is a trademark or registered trademark of Cisco in the U.S. and other countries and is used under license. Java is a registered trademark of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group Even though Apple has reviewed this document, APPLE MAKES NO WARRANTY OR REPRESENTATION, EITHER EXPRESS OR IMPLIED, WITH RESPECT TO THIS DOCUMENT, ITS QUALITY, ACCURACY, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE. AS A RESULT, THIS DOCUMENT IS PROVIDED AS IS, AND YOU, THE READER, ARE
Contents Chapter 1 5 About Configuration Profiles 5 About 5 Creating Configuration Profiles 8 Automating Configuration Profile Creation 8 General Settings 9 Passcode Settings 9 Restrictions Settings 10 Wi-Fi Settings 12 VPN Settings 13 Email Settings 14 Exchange ActiveSync Settings 15 LDAP Settings 15 CalDAV Settings 16 Subscribed Calendars Settings 17 CardDAV Settings 17 Web Clip Settings 17 Credentials Settings 17 SCEP Settings 18 Mobile Device Management Settings 19 Advanced Settings 20 Editing Configuration Profiles 20 Installing Provisioning Profiles and Apps 20 Installing Configuration Profiles 21 Installing Configuration Profiles Using 21 Distributing Configuration Profiles by Email 21 Distributing Configuration Profiles on the Web 22 Distributing Configuration Profiles Wirelessly 23 User Installation of Downloaded Configuration Profiles 23 Removing and Updating Configuration Profiles 24 Document Revision History 25 3
CONTENTS 4
Read this document to learn how to use to create configuration profiles. Configuration profiles define how ios 4 devices work with your enterprise systems. About Configuration Profiles Configuration profiles are XML files that contain device security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, and authentication credentials that permit iphone, ipod touch, and ipad to work with your enterprise systems. Configuration profiles quickly load settings and authorization information onto a device. Some VPN and Wi-FI settings can be set only by using a configuration profile, and if you re not using Microsoft Exchange, you need to use a configuration profile to set device passcode policies. You can install configuration profiles on devices connected to a computer via USB using iphone Configuration Utility, or you can distribute configuration profiles by email or on a webpage. When users open the email attachment or download the profile using Safari on their device, they re prompted to begin the installation process. If you re using a Mobile Device Management server, you can distribute an initial profile that contains just the server configuration information, then have the device obtain all other profiles wirelessly. Configuration profiles can be encrypted and signed, which lets you restrict their use to a specific device and prevents anyone from changing the settings that a profile contains. You can also mark a profile as being locked to the device, so once installed, it can be removed only by wiping the device of all data, or optionally, by entering a passcode. With the exception of passwords, users cannot change the settings provided in a configuration profile. Additionally, accounts that are configured by a profile, such as Exchange accounts, can only be removed by deleting the profile. About lets you easily create, encrypt and install configuration profiles, track and install provisioning profiles and authorized apps, and capture device information, including console logs. requires one of the following: Mac OS X v10.6 Snow Leopard Windows XP Service Pack 3 with.net Framework 3.5 Service Pack1 Windows Vista Service Pack 1 with.net Framework 3.5 Service Pack 1 Windows 7 with.net Framework 3.5 Service Pack 1 About Configuration Profiles 5
operates in 32-bit mode on 64-bit versions of Windows. You can download the.net Framework 3.5 Service Pack 1 installer at: http://www.microsoft.com/downloads/details.aspx?familyid=d0e5dea7-ac26-4ad7-b68c-fe5076bba986&displaylang=en The utility lets you create an Outlook message with a configuration profile as an attachment. You can also assign users names and email addresses from your desktop address book to devices that you ve connected to the utility. Both of these features require Outlook, and aren t compatible with Outlook Express. To use these features on Windows XP computers, you may need to install 2007 Microsoft Office System Update: Redistributable Primary Interop Assemblies. This is necessary if Outlook was installed before.net Framework 3.5 Service Pack 1. The Primary Interop Assemblies installer is available at: http://www.microsoft.com/downloads/details.aspx?familyid=59daebaa-bed4-4282-a28c-b864d8bfa513&displaylang=en When you run the installer, the utility is installed in /Applications/Utilities/ on Mac OS X computers, or in Programs\\ on Windows computers. Note: Configuration profiles created with 3.3 fully support ios 4.3 devices. You can use these profiles with earlier ios releases, but payloads and settings that are not supported by a release are ignored. When you open, a window similar to the one shown below appears. 6 About
The content of the window changes as you select items in the sidebar. The sidebar shows the Library, which contains the following categories: Devices shows a list of ios devices that have been connected to your computer. Applications lists your apps that are available to install on devices attached to your computer. A provisioning profile might be needed for an application to run on a device. Provisioning Profiles lists profiles that permit the use of the device for ios development, as authorized by Apple Developer Connection. Provisioning profiles also allow devices to run enterprise apps that aren t distributed through the itunes Store. Configuration Profiles lists the configuration profiles you previously created, and lets you edit the information you entered, or create a new configuration that you can send to a user or install on a connected device. About 7
The sidebar also shows information about ios devices currently connected to your computer via USB. Information about a connected device is automatically added to the Devices list, so you can view it again without having to reconnect the device. After a device has been connected, you can also encrypt profiles for use on only that device. When a device is connected, you can use to install configuration profiles and apps on the device. You can also view the console log, which is the same log that s available in the Xcode development environment. Creating Configuration Profiles This document uses the terms configuration profile and payload. A configuration profile is the whole file that configures certain (single or multiple) settings for iphone, ipod touch, or ipad. A payload is an individual collection of a certain type of settings, such as VPN settings, within the configuration profile. A configuration profile contains one or more payloads. Although you can create a single configuration profile that contains all of the payloads you need for your organization, consider creating separate profiles that allow you to enforce policies while granting access, as well as provide updates to any settings that are subject to change. Many of the payloads allow you to specify user names and passwords. If you omit this information, the user is asked to enter the missing information when the profile is installed. If you include passwords, you should distribute the profile in encrypted format to protect its contents. For more information see Installing Configuration Profiles (page 21). To create a new configuration profile, click the New button in the toolbar. You add payloads to the profile using the payloads list. Then, you edit the payloads by entering and selecting options that appear in the editing pane. Required fields are marked with a red arrow. For some settings such as Wi-Fi, you can click the Add (+) button to add a configuration. To remove a configuration, click the Delete ( ) button in the editing pane. To edit a payload, select the appropriate item in the payloads list, click the Configure button, and then fill in the information as described in this document. Automating Configuration Profile Creation You can automate the creation of configuration files using AppleScript in Mac OS X, or C# Script in Windows. To see the supported methods and their syntax, do the following: Mac OS X: Use Script Editor to open the AppleScript dictionary for. Windows: Use Visual Studio to view the method calls provided by ipcuscripting.dll. To execute a script in Mac OS X, use the AppleScript Tell command. In Windows, pass the script name to as a command-line parameter. 8 Creating Configuration Profiles
General Settings This is where you provide the name and identifier of the profile, and specify if whether users can remove the profile after it s installed. The name you specify appears in the profiles list and is displayed on the device after the configuration profile is installed. The name doesn t have to be unique, but you should use a descriptive name that identifies the profile. The profile identifier must uniquely identify this profile and must use reverse DNS format com.companyname.identifier, where identifier describes the profile for example, com.mycompany.homeoffice. The identifier is important because, when a profile is installed, the value is compared with profiles that are already on the device. If the identifier is unique, information in the profile is added to the device. If the identifier matches an installed profile, information in the profile replaces the settings already on the device, except in the case of Exchange settings. To alter an Exchange account, the profile must first be manually removed so that the data associated with the account can be purged. A descriptive and a helpful profile description and identifier is particularly useful if you ll be managing profiles over the air using a mobile device management solution that queries devices for the profiles that are installed. To prevent a user from deleting a profile installed on a device, choose an option from the Security pop-up menu. The With Authorization option lets you specify an authorization password that permits the removal of the profile on the device. If you select the Never option, the profile can be updated with a new version, but it cannot be removed. Passcode Settings Use this payload to set device policies if you aren t using Exchange passcode policies. You can specify whether a passcode is required in order to use the device, and specify characteristics of the passcode and how often it must be changed. When the configuration profile is loaded, the user is immediately required to enter a passcode that meets the policies you select. Otherwise, the profile won t be installed. Creating Configuration Profiles 9
If you use device policies and Exchange passcode policies, the two sets of policies are merged and the strictest settings are enforced. For information about supported Exchange ActiveSync policies, see the article Exchange ActiveSync and ios 4 Devices. The following policies are available: Require passcode on device: Requires users to enter a passcode before using the device. Otherwise, anyone who has the device can access its functions and data. Allow simple value: Permits users to use sequential or repeated characters in their passcodes. (For example, this would allow the passcodes 3333 or DEFG. ) Require alphanumeric value: Requires that the passcode contain at least one letter character. Minimum passcode length: Specifies the minimum number of characters a passcode can contain. Minimum number of complex characters: The number of non-alphanumeric characters (such as $, &, and!) that the passcode must contain. Maximum passcode age (in days): Requires users to change their passcode at the interval you specify. Auto-Lock (in minutes): If the device isn t used for the period of time you specify, it automatically locks. Entering the passcode unlocks it. Passcode history: A new passcode won t be accepted if it matches a previously used passcode. You can specify how many previous passcodes are remembered and compared. Grace period for device lock: Specifies how soon the device can be unlocked again after use, without prompting again for the passcode. Maximum number of failed attempts: Determines how many failed passcode attempts can be made before the device is wiped. If you don t change this setting, after six failed passcode attempts, the device imposes a time delay before a passcode can be entered again. The time delay increases with each failed attempt. After the final failed attempt, all data and settings are securely erased from the device. The passcode time delay begins after the sixth attempt, so if you set this value to 6 or lower, no time delay is imposed and the device is erased when the attempt limit is exceeded. Restrictions Settings Use this payload to specify which device features the user can use. Device Restrictions Allow installing apps: When this option is off, the App Store is disabled and its icon is removed from the Home screen. Users are unable to install or update their apps using the App Store or itunes. Allow use of camera: When this option is off, cameras are completely disabled and the Camera icon is removed from the Home screen. Users can t take photographs or videos, or use FaceTime. Allow FaceTime: When this option is off, users can t place or receive FaceTime video calls. Allow screen capture: When this option is off, users can t save a screenshot of the display. 10 Creating Configuration Profiles
Allow automatic sync while roaming: When this option is off, devices that are roaming will sync only when an account is accessed by the user. Allow voice dialing: When this option is off, users can t dial their phone using voice commands. Allow in-app purchase: When this option is off, users can t make in-app purchases. Allow multiplayer gaming: When this option is off, users can t play multiplayer games in Game Center. Allow adding Game Center friends: When this option is off, users can t add friends in Game Center. Force encrypted backups: When this option is off, users can choose whether or not device backups performed in itunes are stored in encrypted format on their computer. If any profile is encrypted and this option is not turned off, encryption of backups is required and enforced by itunes. Profiles that are installed on the device by are always encrypted. For more information about itunes backups, see the article Deploying itunes for ios 4 Devices. Application Restrictions Allow use of YouTube: When this option is off, the YouTube app is disabled and its icon is removed from the Home screen. Allow use of the itunes Store: When this option is off, the itunes Store is disabled and its icon is removed from the Home screen. Users can t preview, purchase, or download content. Allow use of Safari: When this option is off, the Safari web browser app is disabled and its icon removed from the Home screen. This also prevents users from opening web clips. Enable autofill: When this option is off, Safari doesn t remember what users enter in web forms. Force Fraud warning: When this option is off, Safari doesn t attempt to prevent the user from visiting websites identified as being fraudulent or compromised. Enable JavaScript: When this option is off, Safari ignores all javascript on websites. Block pop-ups: When this option is off, Safari s pop-up blocking feature is disabled. Accept cookies: Sets Safari s cookie policy. Choose to accept all cookies, accept no cookies, or reject cookies from sites not directly accessed. Allow explicit music and podcasts: When this is turned off, explicit music or video content purchased from the itunes Store is hidden. Explicit content is flagged by content providers, such as record labels, when sold through the itunes Store. Media Restrictions Select a ratings region, then select maximum allowed ratings for movies, TV shows, and apps. Creating Configuration Profiles 11
Wi-Fi Settings ios supports the following wireless networking security standards, as defined by the Wi-Fi Alliance: WEP WPA Personal WPA Enterprise WPA2 Personal WPA2 Enterprise Additionally, ios supports the following 802.1X authentication methods for WPA Enterprise and WPA2 Enterprise networks: EAP-TLS EAP -TTLS EAP-FAST EAP-SIM PEAP v0, PEAP v1 LEAP Use the Wi-Fi settings payload to set how the device connects to your wireless network. In order for the user to initiate a connection these settings must be specified and must match the requirements of your network. To add multiple network configurations, click the Add (+) button in the editing pane. Service Set Identifier: Enter the SSID of the wireless network to connect to. Hidden Network: Specify whether the network is broadcasting its identity. Security Type: Select an authentication method for the network. The following choices are available for both Personal and Enterprise networks. None: The network doesn t use authentication. WEP: The network uses WEP authentication only. WPA/WPA 2: The network uses WPA authentication only. Any: The device uses either WEP or WPA authentication when connecting to the network, but won t connect to non-authenticated networks. Password: Enter the password for joining the wireless network, if applicable. If you leave it blank, the user will be asked to enter it. 12 Creating Configuration Profiles
Enterprise Settings In this section, you specify settings for connecting to enterprise networks. These settings appear when you choose an Enterprise setting in the Security Type pop-up menu. In the Protocols tab, you specify which EAP methods to use for authentication, and configure the EAP-FAST Protected Access Credential settings. In the Authentication tab, you specify sign-in settings, such as user name and authentication protocols. If you ve installed an identity using the Credentials section, you can choose it using the Identity Certificate pop-up menu. In the Trust tab, you specify which certificates should be trusted for the purpose of validating the authentication server for the Wi-Fi connection. The Trusted Certificates list shows certificates that have been added using the Credentials tab, and lets you select which certificates are trusted. Add the names of the authentication servers to be trusted to the Trusted Server Certificates Names list. You can specify a particular server, such as server.mycompany.com, or a partial name such as *.mycompany.com. The Allow Trust Exceptions option lets users decide to trust a server when the chain of trust can t be established. To avoid these prompts and permit connections only to trusted services, turn off this option and embed all necessary certificates in a profile. VPN Settings Use this payload to enter the VPN settings for connecting to your network. You can add multiple VPN configurations by clicking the Add (+) button. Settings you specify in the configuration profile can t be modified by the user. For information about supported VPN protocols and authentication methods, see the article VPN Server Configuration for ios Devices. The options available vary by the protocol and authentication method you select. To configure F5 SSL, Juniper SSL or Cisco AnyConnect choose the appropriate item from the Connection Type pop-up menu. Make sure that the Realm and Role (Juniper) or Group (Cisco) values match those specified on the VPN server. Users must install both the configuration profile and the appropriate authentication app. F5 BIG-IP Edge Client, Cisco AnyConnect, and Juniper Networks Junos Pulse apps are available in the App Store. For other SSL VPN solutions, contact your vendor and ask if they have an app in the App Store that can be configured with. Enter the configuration information you get from the vendor by choosing Custom SSL from the Connection Type pop-up menu. Make sure the Identifier field matches the identifier specified by your vendor s VPN app and is in reverse DNS format (for example, com.example.myvpn). Your users must install both the vendor s app and the configuration profile to connect to your network. VPN On Demand For certificate-based and SSL configurations, you can turn on VPN On Demand so that a VPN connection is automatically established when accessing certain domains. Creating Configuration Profiles 13
The VPN On Demand options are: Setting Always Never Establish if needed Description Initiates a VPN connection for any address that matches the specified domain. Doesn t initiate a VPN connection for addresses that match the specified domain, but if VPN is already active, it can be used. Initiates a VPN connection for addresses that match the specified domain, after a failed DNS look-up has occurred. The action applies to all matching addresses. Addresses are compared using simple string matching, starting from the end and working backwards. The address.example.org matches support.example.org and sales.example.org, but doesn t match www.private-example.org. However, if you specify the match domain as example.com notice there isn t a period at the beginning it matches www.private- example.com and all the others. LDAP connections don t initiate a VPN connection; if the VPN hasn t already been established by another app, such as Safari, the LDAP lookup fails. The device closes a VPN session initiated by VPN On Demand after two minutes of inactivity. If the connection was initiated manually using the Settings app, the VPN server s timeout applies. VPN Proxy iphone supports manual VPN proxy, and automatic proxy configuration using PAC or WPAD. To specify a VPN proxy, select an option from the Proxy Setup pop-up menu. For PAC-based auto-proxy configurations, select Automatic from the pop-up menu and enter the URL of a PAC file. For Web Proxy Autodiscovery (WPAD) configurations, select Automatic from the pop-up menu. Leave the Proxy Server URL field empty, and iphone will request the WPAD file using DHCP and DNS. Email Settings Use this payload to configure POP or IMAP mail accounts for the user. ios supports industry-standard IMAP4 and POP3 mail solutions on a range of server platforms including Windows, UNIX, Linux, and Mac OS X. 14 Creating Configuration Profiles
Users can modify some of the mail settings you provide in a profile, such as the account name, password, and alternative SMTP servers. If you omit any of this information from the profile, users are asked to enter it when they access the account. You can add multiple mail accounts by clicking the Add (+) button. Exchange ActiveSync Settings Use this payload to enter the user s settings for your Microsoft Exchange server. You can create a profile for a specific user by specifying the user name, host name, and email address, or you can provide just the host name users are prompted to fill in the other values when they install the profile. You can configure multiple Exchange accounts by clicking the Add (+) button. If you select the Use SSL option, use the Credentials pane to add any root or intermediate certificates that are necessary to validate the server s SSL certificate. To provide a certificate that identifies the user to the Exchange ActiveSync Server, click the Add (+) button and then select an identity certificate from the Mac OS X Keychain or Windows Certificate Store. After adding a certificate, you can specify the Authentication Credential Name, if it s necessary for your ActiveSync configuration. You can also embed the certificate s passphrase in the configuration profile. If you don t provide the passphrase, the user is asked to enter it when the profile is installed. For information about requirements and supported features, see Exchange ActiveSync and ios Devices. LDAP Settings ios 4 devices retrieve contact information from your company s LDAPv3 server corporate directories.you can access LDAP directories when searching in Contacts, and they are automatically used to complete email addresses as you enter them. Use this payload to enter settings for connecting to an LDAPv3 directory. You can specify multiple search bases for each directory, and you can configure multiple directory connections by clicking the Add (+) button. If you select the Use SSL option, use the Credentials pane to add any root or intermediate certificates that are necessary to validate the server s SSL certificate. LDAP Attribute Aliases The LDAP administrator can set up attribute aliases to improve the mapping of directory information to Contacts on the device. LDAP attribute givenname sn mail Contacts field First Last Email Creating Configuration Profiles 15
LDAP attribute telephonenumber facsimiletelephonenumber o title buildingname street l postalcode c jpegphoto mobile pager IMHandle homephone postaladdress homepostaladdress Contacts field Work Phone Fax Company Title Building Street City Zip Country Photo Mobile phone number Pager number Instant Messaging address Home Address Home address CalDAV Settings iphone, ipod touch, and ipad synchronize calendar data with your company s CalDAV server. Changes to the calendar are periodically updated between the device and server. Creating and responding to new calendar invitations from a device is supported for CalDAV servers that support the calendar-auto-schedule specification, such as Mac OS X Server v10.6. Use this payload to provide account settings for connecting to a CalDAV-compliant calendar server. These accounts will be added to the device. As with Exchange accounts, users need to manually enter information you omit from the profile, such as their account password, when the profile is installed. If you select the Use SSL option, use the Credentials pane to add any root or intermediate certificates that are necessary to validate the server s SSL certificate. To configure multiple CalDAV accounts, click the Add (+) button. 16 Creating Configuration Profiles
Subscribed Calendars Settings Use this payload to add read-only calendar subscriptions to the device s Calendar app. To configure multiple subscriptions by clicking the Add (+) button. A list of public calendars you can subscribe to is available at: www.apple.com/downloads/macosx/calendars/ If you select the Use SSL option, use the Credentials pane to add any root or intermediate certificates that are necessary to validate the server s SSL certificate. CardDAV Settings ios 4 devices retrieve contact information from your company s CardDAV contact list. You can access CardDAV directories when searching in Contacts, and they are automatically used to complete email addresses as you enter them. Use this payload to provide account settings for connecting to a CardDAV-compliant contact server. If you omit the account information, users need to manually enter it when the profile is installed. To configure multiple CalDAV accounts, click the Add (+) button. If you select the Use SSL option, use the Credentials pane to add any root or intermediate certificates that are necessary to validate the server s SSL certificate. Web Clip Settings Use this payload to add web clips to the Home screen of the user s device. Web clips provide fast access to favorite web pages. Or, for example, to add a web clip with a phone number (in the form tel://14089961010), to provide a quick way to dial your support desk. To add multiple web clips by click the Add (+) button. If you choose to prevent the user from removing the web clip, it cannot be deleted from the device unless they remove the configuration profile that installed it. To add a custom icon, select a graphic file in GIF, JPEG, or PNG format. For best results provide a square image that s no larger than 400 x 400 pixels and less than 1 MB in size when uncompressed. The graphic will be automatically scaled and cropped to fit, if necessary, and converted to PNG format. Web clip icons are 104 x 104 pixels for devices with a Retina display and 57 x 57 pixels for all other devices. To prevent the device from adding a shine to the image, choose Precomposed Icon. A full-screen web clip will open the URL as a web app. Credentials Settings ios 4 devices can use X.509 certificates with RSA keys. The file extensions.cer,.crt, and.der are recognized. Use the Credentials settings payload to add certificates and identities to the device. Certificates in PKCS1 and PKCS12 format are supported. Use P12 (PKCS #12 standard) files that contain exactly one identity. The file extensions.p12 and.pfx are recognized. When an identity is installed, the user is prompted for the passphrase that protects it, unless you include the passphrase in the payload. Creating Configuration Profiles 17
When you install credentials, also install the intermediate certificates that are necessary to establish a chain to a trusted certificate that s on the device. To view a list of the preinstalled roots, see the Apple Support article at: http://support.apple.com/kb/ht3580 To add an identify for use with Microsoft Exchange, use the Exchange payload. See Enterprise Settings (page 13). If you include the certificate passphrase in the payload, you should encrypt the configuration profile when you export it. If you omit the passphrase, the user will be asked to enter it when the profile is installed. To add credentials in Mac OS X: 1. Click the Add (+) button. 2. In the dialog that appears, select a PKCS1 or PKSC12 file, then click Open. If the certificate or identity that you want to install is in your Keychain, use Keychain Access to export it in.p12 format. Keychain Access is located in /Applications/Utilities/. For help, see Keychain Access Help, available in the Help menu when Keychain Access is open. To add multiple credentials to the configuration profile, click the Add (+) button again. To add credentials in Windows: 1. Click the Add (+) button. 2. Select the credential that you want to install from the Windows Certificate Store. If the credential isn t available in your personal certificate store, you must add it. The private key must be marked as exportable, which is one of the steps offered by the certificate import wizard. Adding root certificates requires administrator access to the computer, and the certificate must be added to the personal certificate store. Instead of installing certificates using a configuration profile, you can let users use Safari to download the certificates to their device from a webpage. Or, you can email certificates to users. You can also use the SCEP Settings, described below, to specify how the device obtains certificates over the air when the profile is installed. SCEP Settings The SCEP payload lets you specify settings that allow the device to obtain certificates from a CA using Simple Certificate Enrollment Protocol (SCEP). Setting URL Name Description This is the address of the SCEP server. This can be any string that s understood by the certificate authority. It can be used to distinguish between instances, for example. 18 Creating Configuration Profiles
Setting Subject Subject Alternative Name Challenge Key Size and Usage Fingerprint Description The representation of a X.500 name represented as an array of OID and value. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar, which translates to: [ [ [ C, US ] ], [ [ O, Apple Inc. ] ],..., [ [ 1.2.5.3, bar ] ] ] Specify the type and value of an alternative name for the SCEP server. Valid values are an email address (RFC-822), the DNS name of the server, or the server s fully-qualified URL. A pre-shared secret the SCEP server can use to identify the request or user. Select a key size, and using the checkboxes below this field the acceptable uses of the key. If your Certificate Authority uses HTTP, use this field to provide the fingerprint of the CA s certificate, which the device will use to confirm authenticity of the CA s response during the enrollment process. You can enter a SHA1 or MD5 fingerprint, or select a certificate to import its signature. Mobile Device Management Settings The Mobile Device Management (MDM) payload configures the device so that its configuration will be managed over the air by an MDM server, available from third-party solution providers. Only one Mobile Device Management payload can be installed on a device, and once it s installed, the device can receive further configuration profiles wirelessly. The Mobile Device Management server can install configuration profiles, but can only remove configuration profiles that it installed. To make sure that you can update or remove configurations, once a device has been configured to use the server, you should distribute all your configuration profiles wirelessly. Setting Server URL Check In URL Topic Identity Description The fully-qualified, publicly accessible URL of the MDM server. It must begin with https://, and can specify a port number. Example: https://mdm.example.org:nnnn An optional, fully-qualified URL that the device contacts after being notified there s a profile available for installation. It must begin with https:// and can specify a port number. Example: https://mdm.example.org:nnnn If this isn t specified, the device checks in using with the Server URL. The topic field identifies which push notification messages contain MDM directives. The value must match the User ID in the Subject field of the certificate used by the MDM server to send push notifications. Select the certificate that the device uses to identify itself to the MDM server. Add the certificate to the device using the Credentials Settings, or use SCEP Settings to provide instructions for the device to obtain the certificate using SCEP. Creating Configuration Profiles 19
Setting Sign Messages Description Instructs the device to add a signature header to every http response to the MDM server. See your MDM server documentation for information about using this option with your server. Use the checkboxes to specify the rights granted to the MDM server. You can allow remote administration of profiles, ask the device to respond to various queries, as well as remove the device s passcode and wipe all device data. The options you select here work in conjunction with your MDM server. See its documentation for information. If you enable Use Development APNS Server, the device listens for all push notifications from the Apple Push Notification Server development server. This should be used only during development of MDM server software. In order to communicate with a mobile device management server, the device must be able to contact the Apple Push Notification Server. If your devices connect to your internal network, be sure to allow connections to 17.*.*.* addresses. Advanced Settings The Advanced payload lets you change the device s Access Point Name (APN) and cell network proxy settings. These settings define how the device connects to the carrier s network. Change these settings only if instructed to do so by a carrier network expert. If these settings are incorrect, the device can t access data using the cellular network. To undo a change to these settings, remove the profile from the device. ios supports APN user names and passwords of up to 64 characters. Editing Configuration Profiles In, select a profile in the Configuration Profiles list, and then use the payload list pane and editing pane to make changes. You can also import a profile by choosing File > Add to Library and then selecting a.mobileconfig file. If the settings panes aren t visible, choose View > Show Detail. The Identifier field in the General payload is used by devices to determine whether a profile is new, or an update to an existing profile. If you want the updated profile to replace one that users have already installed, don t change the Identifier. Installing Provisioning Profiles and Apps can install apps and distribution provisioning profiles on devices attached to the computer. For details see the article Distributing Enterprise Applications for ios 4 Devices. 20 Editing Configuration Profiles
Installing Configuration Profiles After you create a profile, you can connect a device and install the profile using. You can also distribute the profile to users by email, or post it to a website. When users use their device to open an email message or download the profile from the web, they re prompted to start the installation process. You can also distribute profiles using a Mobile Device Management server. Installing Configuration Profiles Using You can use to install configuration profiles on a device that has been updated to iphone OS 3.0 or later and is attached to your computer. You can also use it to remove previously installed profiles. To install a configuration profile: 1. Connect the device to a USB port on your computer. After a moment, the device appears in the Devices list in. 2. Select the device, and then click the Configuration Profiles tab. 3. Select a configuration profile from the list, and then click Install. 4. On the device, tap Install to install the profile. When you install directly a configuration profile on a device using USB, the configuration profile is automatically signed and encrypted before being transferred to the device. automatically installs a certificate on the device for this purpose; you can see the certificate in the Summary pane. The message This certificate was signed by an untrusted issuer is normal and expected, because it s self-signed. Any updates to this profile must be signed by the same copy of. For this reason, you should use one copy of the utility to install and export configuration profiles. Distributing Configuration Profiles by Email You can distribute configuration profiles by email. Users receive the message on their device and then tap the attachment to install the profile. To email a configuration profile: 1. Click the Share button in the toolbar. In the dialog that appears, select a security option: None: A plain text.mobileconfig file is created. It can be installed on any device. Some content in the file is obfuscated to prevent casual snooping if the file is examined. Installing Configuration Profiles 21
Sign Configuration Profile: The.mobileconfig file is signed and can be installed by any device, as long as the profile hasn t been altered. Once installed, the profile can be updated only by a profile that has the same identifier and is signed by the same copy of. Create and Sign Encrypted Configuration Profile For Each Selected Device: This option signs the profile so it cannot be altered, and encrypts all of the contents so the profile cannot be examined and can be installed only on a specific device. If the profile contains passwords, this option is recommended. Separate.mobileconfig files are created for each of the devices you select from the Devices list. If a device doesn t appear in the list, it either hasn t been previously connected to the computer so that the encryption key can be obtained, or it hasn t been upgraded to ios 3.0 or later. 2. Click Share, and a new Mail (Mac OS X) or Outlook (Windows) message opens with the profiles added as uncompressed attachments. The files must remain uncompressed so the device can recognize and install the profile. Distributing Configuration Profiles on the Web You can distribute configuration profiles using a website. Users install the profile by downloading it using Safari on their device. To easily distribute the URL to your users, send it via SMS. To export a configuration profile: 1. Click the Export button in the toolbar. In the dialog that appears, select a security option: None: A plain text.mobileconfig file is created. It can be installed on any device. Some content in the file is obfuscated to prevent casual snooping if the file is examined, but you should make sure that, when you put the file on your website, it s accessible only by authorized users. Sign Configuration Profile: The.mobileconfig file is signed and won t be installed by a device if it s altered. Once installed, the profile can be updated only by a profile that has the same identifier and is signed by the same copy of. You should make sure that, when you put the file on your website, it s accessible only by authorized users. Sign and Encrypt Profile: This option signs the profile so it cannot be altered, and encrypts all of the contents so the profile cannot be examined and can only be installed on a specific device. Separate.mobileconfig files are created for each of the devices you select from the Devices list. 2. Click Export, and then select a location to save the.mobileconfig files. The files are ready for posting on your website. Don t compress the.mobileconfig file or change its extension, or the device won t recognize or install the profile. 22 Installing Configuration Profiles
Distributing Configuration Profiles Wirelessly You can use a Mobile Device Management server to configure ios devices over the air. This server can be built in-house by your IT department, or purchased from a third-party solution provider. See iphone in Business: Mobile Device Management for information. User Installation of Downloaded Configuration Profiles Provide your users with the URL where they can download the profiles onto their devices, or send the profiles to an email account your users can access on the device before it s set up with your enterprise-specific information. When a user downloads the profile from the web or opens the attachment using Mail, the device recognizes the.mobileconfig extension as a profile and begins installing it when the user taps Install. During installation, the user is asked to enter any necessary information, such as passwords that weren t specified in the profile, and any other information as required by the settings you specified. The device also retrieves the Exchange ActiveSync policies from the server, and refreshes the policies, if they change, with every subsequent connection. If the device or Exchange ActiveSync policies enforce a passcode setting, the user must enter a passcode that complies with the policy in order to complete the installation. The user is also asked to enter any passwords necessary for using certificates included in the profile. If the installation isn t successfull perhaps because the Exchange server was unreachable or the user cancelled the process none of the information entered by the user is kept. Installing Configuration Profiles 23
Removing and Updating Configuration Profiles Managed configuration profiles can be updated and removed over the air by using an MDM server. To update a configuration profile that was manually installed, distribute the new profile to users and have them install the new version. As long as the profile identifier matches and (if signed) has been signed by the same copy of, the new profile replaces the profile on the device. Settings enforced by a configuration profile cannot be changed on the device. To change a setting, you must install an updated profile. If the profile was signed, it can be replaced only by a profile signed by the same copy of. The identifier in both profiles must match. For more information about the identifier, see General Settings (page 9). Important: Removing a configuration profile removes all policies and information (including mail accounts) associated with the profile. If the General Settings payload of the profile specifies that it cannot be removed by the user, the Remove button doesn t appear. If the settings permit removal using an authorization password, the user is asked to enter the password after tapping Remove. For more information about profile security settings, see General Settings. 24 Removing and Updating Configuration Profiles
REVISION HISTORY Document Revision History This table describes the changes to. Date 2011-03-04 2010-12-06 2010-08-31 2010-08-03 2010-07-08 Notes Minor updates and additions for ios 4.3. Updated for ios 4.2. Minor updates and clarifications for ios 4.1. Added more explanation of configuration profile encryption. First version for ios 4, replaces former iphone Enterprise Deployment Guide. 25
REVISION HISTORY Document Revision History 26