- Planning for and Supporting the iPhone in Business Environments
- Activation, Deployment, and Sync via iTunes
- Exchange and Other Email Options
- Automatic Setup Using Configuration Files
One of the challenges of rolling out even moderate quantities of any device is streamlining the initial configuration process. In the iPhone 2.0 firmware, Apple introduced the concept of configuration profiles. These XML property list files can be generated using the iPhone Configuration Utility, a free download that can be installed as a web-based tool (Windows or Mac OS X), or as a standalone application (Mac OS X only). The stand alone application also offers options for distributing in-house iPhone apps and building libraries of configuration profiles as well as company-owned iPhones, for which it can be used to view log files when the phones are connected to the Mac on which it runs.
Configuration files are relatively easy to create using either variation of the tool. You can create one complete profile, or specify settings in different smaller profiles. An iPhone will support configuration using multiple profiles, which can make planning management much simpler because you can specify some profiles to be used by all iPhones and be granular with other profiles that define settings appropriate to only one or two users. This strategy also can be helpful when you need to update only specific settings.
Profiles shouldn't be thought of as security policies, however. They exist only to configure certain core functions, such as installing security certificates, configuring access to company WiFi networks, or configuring the iPhone to access a mail or Exchange server. They don't support limiting access to any of the iPhone's features (the only exception being requiring a complex passcode for the phone). Also, unlike security policies, which are always enforced, profiles must be installed by iPhone users and can be deleted at any time using the iPhone's Settings application. This capability makes them effective in easing the setup process, but doesn't ensure that the profiles will be used, or that their updates will be applied by users.
In order to distribute and install configuration profiles, you can send them to users as an email attachment or host them on a web server, navigating to the file using the mobile version of Safari on the iPhone. (If hosting on a server other than Mac OS X Server 10.5.3 and later, you'll need to add a MIME setting for the .mobileconfig extension with the application/x-apple-aspen-config file type.) When a profile is loaded by the iPhone, details about the profile are displayed, and the user has the option to install the profile (or not). Once installed, the profile's settings are used as appropriate until the profile is replaced by an updated version or deleted using the Settings application.
Options that can be configured in a configuration profile fall into the following tabs:
- General. Includes information about the name of the profile; a unique identifier for each profile (used by an iPhone to identify updated versions of profiles) in the format of com.company.profile; the organization name (optional); a description (optional); and the option to sign the profile digitally, using a security certificate. (This option allows the iPhone to verify that it's a legitimate profile if the same certificate is reinstalled in the iPhone, or if a line of trust using root certificates on the iPhone has been established.)
- Passcode. Allows you to require a passcode to unlock the iPhone and to establish complexity requirements and related policies: allow simple values with repeated characters, require both letters and numbers, set a minimum length, require special characters, set a maximum passcode age, set an inactivity interval that locks the phone automatically, or set a number of failed attempts after which iTunes will be required to reauthorize use of the phone. (This number can be up to 11 times; if more than 6 failed attempts occur, there will be an increasing time delay between allowing further attempts.)
- WiFi. Allows you to preconfigure settings for one or more WiFi networks, including specifying a network name (SSID), whether the network is hidden, and the security methods allowed for wireless authentication. A full range of authentication options is supported, including WEP and WPA/WPA2, all of which offer support for enterprise authentication protocols (including TLS, LEAP TTLS, PEAP, and EAP-FAST), as well as the use of per-connection passwords and certificates for secure connections.
- VPN. Used to configure the iPhone's integrated VPN client for secure remote access (either connecting using WiFi or a carrier's 3G/EDGE network). The iPhone supports L2TP, PPTP, and IPSec (Cisco) VPN protocols and supports authentication using passwords or RSA SecurIDs. When used with L2TP and PPTP, you can also indicate whether all network traffic should be directed through the VPN connection or only traffic with destinations within the remote network. IPSec supports both the use of shared secrets and certificates for securing authentication.
- Email. Used to configure IMAP/POP and SMTP email account access. Setup is largely similar to that of any email client. Options are available for both SSL security and SMTP authentication.
- Exchange. Configures access to an Exchange server. Username should be specified in the form of domain\username. (This may not be required in all environments, but is the suggested format.) SSL is available for security.
- Credentials. Used to install certificates on the iPhone. This can be crucial for a number of features, including signing of additional profiles, configuration of IPSec VPN, and access to email/Exchange servers that are protected using SSL (particularly, as noted earlier, if you'll be working with self-signed certificates). The iPhone supports both PKCS #1 and PKCS #12 certificates.
- Advanced. Allows configuration of access point name (APN) options for connecting to carrier networks. Any configurations made on this tab should be done only if required and in concert with your carrier.