10.7. iPhone Configuration Utility

In the first part of this chapter we looked at how to set up the iPhone to connect to common services that your organization may already have. However, if you have a project that requires deploying 100, 1,000, or 10,000 of these devices, you will want the setup of each handheld to be as automated as possible. To streamline deployment, Apple has developed the iPhone Configuration Utility, available at http://www.apple.com/support/iphone/enterprise/.

10.7.1. Building Configurations

The iPhone Configuration Utility can be used to develop configurations that can be pushed out to iPhones and iPod touches. Once you have downloaded the utility, run the application installer. When it completes, look in /Applications/Utilities on Mac OS X or, by default, in C:\Program Files\iPhone Configuration Utility on Windows, where you will find the application bundle. Open it and you will see the initial configuration utility screen. Click on Configuration Profiles, and then click on the New icon in the iPhone Configuration Utility toolbar. You will now see a screen that allows you to configure a number of settings for the iPhone.

The General Configuration Profiles tab is used to describe the profile you are creating. Here, you can enter a name, a unique identifier (using reverse domain notation), an organization name, and finally a description of the profile you are creating. We recommend settling on a naming convention at this point. If you are going to build profiles per user, consider using the username followed by the time frame or version of the profile. If you are going to use a generic profile, consider entering a brief description and/or a version number or date. In this example, you are creating a profile for your executive phones. Specify a configuration name, MyCo Executives, and then your configuration identifier using reverse domain notation: com.myco.executives.profile. Next, enter relevant information for the organization and description as shown in Figure 10-12.

Figure 10.12. iPhone Configuration Utility: General Tab

The next section is the Passcode tab, where you can configure password policies (which the iPhone and iPod touch refer to as passcodes). Shown in Figure 10-13, various settings exist to control the passcode requirements for waking the device and for power-on. These include fairly standard options, such as the ability to set a lock timer, enforce a minimum passcode length, require alphanumeric values, and even run built-in checks for weak passcodes. You also have the ability to prevent the reuse of up to 50 previous passcodes, as well as to enforce periodic passcode changes. It's important to note that you do not configure an actual passcode at this time (that's done from the device itself after the configuration has loaded). However, if you wish to configure a passcode policy to be enforced on your company devices, this is the place to do so. First, check the box for Require passcode on device. Next, select the appropriate options that fall within the boundaries of your organization's security policy:

  • Allow simple value: indicates that insecure character sequences can be used as a password. For example, if you insist on using a palindrome you can use radar as your password using this option.

  • Require alphanumeric value: requires that at least one alphabetic character exist in the password.

  • Minimum passcode length: sets the minimum number of characters that a passcode must contain.

  • Minimum number of complex characters: sets the minimum number of complex (non-alphanumeric) characters that a passcode must contain.

  • Maximum passcode age (in days): sets the number of days before a passcode will need to be changed.

  • Auto-Lock (in minutes): configures the device to automatically lock and require a passcode to wake from the locked status.

  • Maximum number of failed attempts: the number of incorrect passcode attempts allowed before all of the data on the device is erased.

    Figure 10.13. iPhone Configuration Utility: Configuring Passcode Settings

If you find that your passcode policies applied in the iPhone Configuration Utility are getting overridden, look into your Exchange Server for potential policy conflicts.


The Restrictions tab, shown in Figure 10-14, allows you to restrict certain activities on the iPhone. This includes disabling built-in features such as the device camera, Safari, YouTube, and the iTunes Music Store. You can also configure restrictions to prevent explicit content from being watched or heard in the iPod app, and you can prevent additional applications from being installed.

Figure 10.14. iPhone Configuration Utility: Configuring Passcode Settings

The Wi-Fi tab allows you to configure an iPhone and/or an iPod touch to connect to a variety of standards-compliant wireless networks. Wi-Fi supports WEP, WPA, and WPA2 Enterprise, which covers most modern wireless environments, including those that depend on 802.1X for authentication and authorization. In the Wi-Fi section, click Configure to be presented with the configuration options. In the resulting screen, shown in Figure 10-15, enter the SSID, the wireless network's broadcast name. There is no drop-down menu of discovered wireless networks, so you must type the network name by hand. Bear in mind that SSIDs are case sensitive. Cycle through all the settings, matching each one in the iPhone Configuration Utility with those you were able to discover while testing the handhelds.

Figure 10.15. iPhone Configuration Utility: Wi-Fi

The Hidden Network field allows you to connect to hidden networks and must be checked if the network does not publicly announce its SSID. Next, check the Security Type field and find the type of wireless network encryption that your organization is using. At its most basic, WEP and WPA/WPA2 Personal will not require further configuration. If you select the WEP or WPA/WPA2 options, the user will need to enter the wireless network password themselves; it cannot be embedded into the configuration file. However, if you select WEP Enterprise or WPA/WPA2 Enterprise, you will need to configure your encryption protocol settings to match the configuration in production.

Under the Protocols tab for your enterprise Wi-Fi connection you will configure the protocol stack for your wireless network. First, use the checkboxes to select the authentication protocols that are supported. Options include TLS, LEAP, TTLS, PEAP, and EAP-FAST. If you are going to use EAP-FAST, also configure the Protected Access Credential (PAC): first choose whether to use a PAC and, if so, whether to provision it and whether to do so anonymously.

Finally, select the inner authentication protocol to be used (MSCHAPv2) and then click on the Authentication tab of the Wi-Fi screen. As shown in Figure 10-16, use the Authentication tab within the Wi-Fi screen to provide the username to be used to authenticate to the network and to choose whether you want to send an authentication password along with the configuration. Then select a certificate to use for authentication if you have one, and provide an outer identity (if required by your organization).

Figure 10.16. iPhone Configuration Utility: WPA Enterprise User Authentication

Next, click on the Trust tab of the Wi-Fi screen (see Figure 10-17). Here, you will see the option to provide a certificate that satisfies the requirement that a client present an SSL certificate to authenticate into the environment. The certificates listed here are those added under the Credentials tab, which we'll cover later in this section. Once added, check the box for each certificate to be trusted and presented at authentication to the wireless network; each checked certificate is sent as part of the configuration. You will also want to specify Trusted Server Certificate Names (as defined in each certificate's CN). To do so, use the plus (+) icon below Trusted Server Certificate Names, and then type the name of each certificate to be trusted.

You can also provide multiple preconfigured networks that the mobile device can log into. Using the + and - buttons in the upper-right hand corner of the Wi-Fi screen you can add and remove more networks.

Figure 10.17. iPhone Configuration Utility: WPA Enterprise Trusts

NOTE

You can use the "Trusted Server Certificate Names" field to bypass the trust dialog that users would otherwise be prompted with when connecting to the wireless access point.

Once you are satisfied with your wireless configuration settings, proceed to the VPN tab of your configuration profile (see Figure 10-18). If desired, click on the Configure button in order to deploy a VPN payload to the device. First provide a friendly name for your end users that describes the connection. Next, select a protocol. You can use PPTP, L2TP, or IPSec, in much the same way as when configuring VPN on a single mobile device, as shown previously in this chapter.

Figure 10.18. iPhone Configuration Utility: VPN configuration

The next section, Email, allows for the configuration of non-ActiveSync-based email accounts. Skip to the Exchange section if you have no IMAP/POP-based email accounts to configure. Otherwise, click Configure in the Email section and enter the appropriate information into the following fields (as shown in Figure 10-19):

  • Account description: a friendly identifier. You will typically want this to be consistent across devices, to aid those on your remote support team who may end up providing phone support.

  • Account type: choose POP if your account uses POP or IMAP if your account uses IMAP.

  • Account name: the name that will show on sent email.

  • Email address: the email address that will be used with the POP or IMAP account.

Once you have entered the global configuration information, use the Incoming Mail sub-tab to configure the following:

  • Mail Server and port: the host name or IP address of the server that the POP or IMAP account is hosted on, and the port it listens on.

  • User name: the user ID for the server entered previously.

  • Use password authentication: enables password authentication for the account.

  • Use SSL: configures mail to use SSL. (If you use this setting, it does not hurt to also add and trust the server certificate in the Credentials tab if that certificate is self-signed rather than issued by a trusted CA.)

    Figure 10.19. iPhone Configuration Utility: IMAP/POP Email

NOTE

The password here should only be used with encrypted profiles, as it is stored as a string in the IncomingPassword key of the file.

Once you are satisfied with your entries, click on the Outgoing Mail sub-tab and, assuming your server requires (or at least allows) authenticated SMTP, enter the appropriate SMTP information supplied by your mail host, as shown in Figure 10-20.

Figure 10.20. iPhone Configuration Utility: SMTP email settings

If you wish to deploy Exchange configurations in this profile, you can configure the account settings appropriate for your Microsoft Exchange Server environment under the Exchange section. Only a single Exchange account can be configured on a device. These settings should match those you would enter in the device's Settings screen. To successfully configure an account, you will need to enter the following settings, shown in Figure 10-21:

  • Account name: the friendly name for the account.

  • Exchange ActiveSync host: the server that houses the Outlook Web Access role for your organization (your CAS server).

  • User: the userID for the user in Active Directory/Exchange.

  • Email address: the email address you will use.

  • Use SSL: enable ActiveSync over SSL (again, enter the SSL certificate using the Credentials tab if you will be using this option).

  • Authentication credential: allows for the specification of a certificate used for authentication.

    Figure 10.21. iPhone Configuration Utility: Configuring Exchange Accounts

With iPhone 3.0, we also saw the introduction of address lookup via the LDAP protocol. The iPhone Configuration Utility provides the ability to deploy these settings en masse to users. If you previously provided settings to configure an Exchange account, it is worth noting that the Global Address List (GAL) will be available for searching via the Contacts app as well as in the Mail app when specifying email addresses. However, if your environment does not host Exchange, then configuring iPhones to utilize LDAP services can be very handy. You can deploy multiple LDAP configurations. When deploying a configuration, it is necessary to provide the following information, as shown in Figure 10-22:

  • Account description: the friendly name for the account.

  • Account hostname and port: the server that houses the LDAP service, and the port on which the service is available. By default this is TCP 389, or TCP 636 when using SSL.

  • Account username and password: allows for the specification of an LDAP user for authentication. If your LDAP server does not support anonymous connections, you may want to create a user specifically for this purpose, such as ldap_iphone.

  • Use SSL: enables LDAP over SSL; make sure to specify the appropriate port.

  • Search settings: in this field you can supply multiple search paths to be searched, as well as the standard LDAP scope options: Base, One Level, and Subtree. If a scope of Base is selected, searches will only match the object specified by the distinguished name provided as the search path. Using One Level will search for objects residing directly in the container or organizational unit specified by the search path. In an OS X Open Directory environment, a typical search path is "cn=Users,dc=myco,dc=com", but it can also be "cn=People,dc=myco,dc=com". The Subtree scope is the most forgiving, allowing you to search across all leaves beneath the provided search path. As such, a search path of "dc=myco,dc=com" would find entries both in cn=Users and cn=People. Subtree is also the slowest search pattern, so search paths should be refined as much as possible.

NOTE

As of this writing, the LDAP client did not support self-signed certificates.

Figure 10.22. iPhone Configuration Utility: Configuring LDAP Accounts

With iPhone 3.0, we also saw the introduction of CalDAV support, allowing the iPhone's built-in calendar app to integrate with CalDAV based calendaring services, with full read/write privileges. Multiple accounts can be configured, and configuration itself of the CalDAV service is pretty basic, requiring only a few fields, as shown in Figure 10-23:

  • Account description: the friendly name for the account.

  • Account hostname and port: specify the hostname or IP address of the server that houses the CalDAV service, as well as the port over which the service is available. By default this is TCP 8008, or TCP 8443 when using SSL.

  • Principal URL: specify the URL to the user's calendar. You will typically leave this blank, as it is best to let it automatically determine the appropriate URL based upon the user provided username.

  • Account username and password: specify the username and password to authenticate as. You will likely want to leave these fields blank, which will require the user to enter them upon configuration.

  • Use SSL: enables CalDAV over SSL; make sure to specify the appropriate port.

    Figure 10.23. iPhone Configuration Utility: Configuring CalDAV Settings

You can also deploy read-only web-based calendar subscriptions based upon the .ics format. These can be useful for publishing information such as staff meetings, holidays, and special events. The payload information for a subscribed calendar is fairly basic, and multiple subscriptions can be deployed. The following field information must be provided, as shown in Figure 10-24:

  • Description: the friendly name for the calendar.

  • URL: specify the http:// URL where the calendar can be accessed.

  • Account username and password: allows for the specification of a user account for authenticating to the calendar server. If the server does not allow anonymous access, you may want to create a user specifically for this purpose, such as webcal_iphone.

  • Use SSL: use SSL via the https protocol.

    Figure 10.24. iPhone Configuration Utility: Configuring WebCal Subscriptions

The next section, Web Clips, allows you to create an iconified link to a web page, which is very useful for ensuring employees have quick, easy access to things like the company intranet or help desk system. Deploying web clips is as simple as specifying a name, a URL, and an icon. You can also specify whether or not the user can delete the web clip, as shown in Figure 10-25.

Figure 10.25. iPhone Configuration Utility: Configuring WebCal Subscriptions

The next section allows you to deploy custom SSL certificates to your iPhones, as shown in Figure 10-26. If your establishment uses an internal Certificate Authority, you will need to deploy your CA's certificate to prevent users from receiving SSL errors when using encrypted services. Alternatively, if you are using certificate-based authentication for any of the supported services, you deploy those certificates here as well. Your users will be thankful, given that they will need to click on fewer items to get set up, and your support desk will thank you as well, since they will more than likely get fewer phone calls from users who need help isolating SSL issues.

To install certificates, click on the Configure button in the Credentials section. You will be presented with an open dialog box; use it to navigate to the folder containing your certificates in .cer or .p12 format. With the certificate highlighted, click Open. Assuming your certificate is in a supported format, the certificate will then be displayed and added to the payload. You can use the plus (+) and minus (−) buttons to add more certificates or remove certificates, respectively.

If you browse to an SSL-protected web site from your desktop using Safari or Firefox and accept the certificate, it will be located in your login keychain, accessible via the Keychain Access application. From Keychain Access, you can drag it to the desktop to generate a .cer file for the certificate. Alternatively, you can convert a standard PEM-style certificate (as used by OS X Server's certificate system) to the DER format used in .cer files with the following command (replacing Default.crt with your certificate):

openssl x509 -in /etc/certificates/Default.crt -inform PEM -out /etc/certificates/Default.cer -outform DER


Figure 10.26. iPhone Configuration Utility: Deploying Certificates

The SCEP section allows you to use the Simple Certificate Enrollment Protocol for deploying configuration settings and certificates, should you have such facilities in place. SCEP allows you to deploy highly customized user- or device-specific configurations to iPhones. Unfortunately, setting up the system will require custom development. For more information on SCEP and over-the-air enrollment, see Apple's iPhone Enterprise Deployment Guide.

The Advanced section contains settings for the device Access Point Name and cellular proxy settings; they should not be altered unless specified by your carrier.

NOTE

For more information on enterprise deployment, see the Apple "iPhone OS Enterprise Deployment Guide" at http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf.

10.7.2. Deploying Configurations

There isn't much of a reason to build a configuration if you aren't then going to apply it to a device. The iPhone Configuration Utility can be used to deploy configurations to iPhone and iPod touch devices directly, or you can export a signed configuration for deployment via email or web. The process is very similar to that of manually deploying certificates, described earlier in this chapter in the Installing Certificates section. To start, assume that you are batch processing a large number of iPhones, and as such, you will be doing the deployment from a central location. The process involves first connecting the device to an admin station running the iPhone configuration utility with the appropriate mobile profile for deployment. Once connected, the iPhone configuration utility will discover and catalog the device, including the device serial number, unique identifier, and the device's public key. Figure 10-27 illustrates an iPhone discovered via the iPhone configuration utility.

Figure 10.27. iPhone configuration utility: Devices

From here, you can assign a user to the device, using the Address Book framework, and you can specify an email address, though unfortunately this information isn't used during the deployment. At this point, you can deploy the configuration file to the device. To do so, click on the specific iPhone listed under the "Devices" section, and then select the Configuration Profiles Tab (see Figure 10-28).

Figure 10.28. iPhone configuration utility: Installing Configuration Profiles

With the Configuration Profiles tab selected, you can click Install to install a specific profile onto the iPhone. Doing so will invoke the standard profile installation GUI, which is similar to the process of importing certificates.

When loading a mobile configuration, the first screen that you will see is an overview screen, which displays the profile's intended configuration and trust settings, as shown in Figure 10-29.

Figure 10.29. iPhone Profile Installation

Tap on the Install button on the iPhone to install the profile. At this point, you will be queried for any information missing from the mobile configuration. For instance, if you configured a VPN, Mail, or CalDAV payload but did not specify a username, you will be prompted to provide that information now (see Figure 10-30). Likewise, if your configuration contains passcode enforcement, you will need to enter the passcode at the tail end of this process. Therefore, if you wish to batch process your iPhones prior to giving them to your users, your administrators will need your users' passwords, or the account creation process will need to be performed by the users themselves. In such a case, you will likely want to provide the configuration via a secured web service. This can be a two-step process as well. For instance, the batch process might include SSL certificates, generic LDAP connections, and perhaps a web clip pointing to the web-hosted, service-specific mobile profile. Users then need only tap the custom icon that you provide, which takes them to the remote mobile configuration file and thereby directly into the installation screen. While not completely automated, this provides a fairly user-friendly deployment method.

Unfortunately, there is no authentication sharing between the various services, so you will have to enter credentials for each individual service.

Figure 10.30. iPhone Profile Installation: provide authentication credentials

There are a number of reasons why importing a configuration profile can fail. If, for example, the profile tells the device to configure an ActiveSync account and one is already present then the user will receive an error when they attempt to install the profile. If the user fails to enter a passcode with the appropriate passcode strength and gives up, then the entire configuration process will fail. Alternatively, if you are deploying Mail accounts which are configured to use SSL that is either self-signed, or signed by a CA which is not included in the iPhone's base trust, then the profile installation will fail, even if it contains the CA root certificate in the profile. For these instances, you may need to build out and deploy two configurations, one with the SSL certificates, and the other with the Account configuration payloads.

For a list of certificates trusted by default on iPhone 3.0, see Apple Knowledge Base article HT3580: http://support.apple.com/kb/HT3580.


10.7.2.1. Importing and Exporting Profiles

The iPhone Configuration Utility allows for importing and exporting configuration profiles for distribution via email or web browser. To perform this task, first ensure that you have a configuration polished up and ready to go. Once this is done, highlight the profile, and then select either Share or Export from the toolbar, as shown in Figure 10-31. The former option will email the mobile configuration file, the latter will present a standard save dialog box and allow you to specify the name and location for exporting.

Figure 10.31. Exporting iPhone Configuration Profiles

After selecting either option, you will be presented with a dialog asking whether or not you want to sign the configuration, as shown in Figure 10-31. If you are exporting this for deployment, it is highly recommended that you do so. There are a few options here. First and foremost, you can opt not to sign the profile at all. This provides no security on the file and leaves it open to alteration without any means of detection. By signing the configuration, devices that deploy its payload can verify that it is tamper free. Obviously, this is always desirable. Next, you can either simply sign the configuration or encrypt it for each registered device. The former option is much more forgiving, and is desirable if you wish to deploy the profile to an unknown number of iPhones and want the task to be as hassle free as possible. Alternatively, if you have all of your iPhones cataloged in the iPhone Configuration Utility, then you can create an encrypted profile for each phone.
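The following audit script is an added example, not code from the book or from Apple's utility. It checks an exported .mobileconfig for the three points raised above and in the Passcode and Email sections: whether the export was signed (a signed export is a DER-encoded CMS blob rather than a plist), whether any payload embeds a cleartext password such as IncomingPassword, and whether the passcode payload meets an assumed organizational baseline. The payload key names follow Apple's Configuration Profile Reference; the baseline values and the sample profile are constructed for this example.

```python
import plistlib

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

# Assumed organizational baseline for the passcode payload (values are
# placeholders; the key names follow Apple's Configuration Profile Reference).
BASELINE = {
    "forcePIN": True,         # "Require passcode on device"
    "allowSimple": False,     # no "radar"-style simple values
    "minLength": 6,           # minimum passcode length (lower bound)
    "maxFailedAttempts": 10,  # wipe after this many failures (upper bound)
    "maxInactivity": 5,       # auto-lock minutes (upper bound)
}


def is_signed_export(data: bytes) -> bool:
    """A signed export is a DER-encoded CMS SignedData blob, which starts with
    an ASN.1 SEQUENCE tag (0x30); an unsigned export is an XML or binary plist."""
    if data.startswith(b"<?xml") or data.startswith(b"bplist00"):
        return False
    return data[:1] == b"\x30"


def find_cleartext_passwords(profile: dict) -> list:
    """Return (PayloadType, key) for every non-empty *Password* string in any
    payload, e.g. the IncomingPassword key the Email note warns about."""
    hits = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "?")
        for key, value in payload.items():
            if "Password" in key and isinstance(value, str) and value:
                hits.append((ptype, key))
    return hits


def check_passcode_policy(profile: dict) -> list:
    """Compare the passcode payload with BASELINE; return a list of findings."""
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        return ["no passcode payload: device passcode is not enforced"]
    policy, findings = payloads[0], []
    for key, want in BASELINE.items():
        have = policy.get(key)
        if isinstance(want, bool):          # check bool before int: True is an int
            ok = have is want
        elif key in ("maxFailedAttempts", "maxInactivity"):
            ok = have is not None and have <= want
        else:
            ok = have is not None and have >= want
        if not ok:
            findings.append(f"{key}: have {have!r}, baseline {want!r}")
    return findings


def audit(data: bytes) -> dict:
    """Audit a raw .mobileconfig; a signed export is reported but not parsed."""
    if is_signed_export(data):
        return {"signed": True, "cleartext_passwords": [], "passcode_findings": []}
    profile = plistlib.loads(data)
    return {
        "signed": False,
        "cleartext_passwords": find_cleartext_passwords(profile),
        "passcode_findings": check_passcode_policy(profile),
    }


# Constructed sample: an unsigned profile with a weak passcode policy and an
# embedded IMAP password, the two problems the audit should surface.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.myco.executives.profile",
    "PayloadContent": [
        {"PayloadType": PASSCODE_PAYLOAD, "forcePIN": True,
         "allowSimple": True, "minLength": 4, "maxFailedAttempts": 10},
        {"PayloadType": "com.apple.mail.managed",
         "EmailAccountType": "EmailTypeIMAP",
         "IncomingMailServerUsername": "jdoe",
         "IncomingPassword": "hunter2"},
    ],
})

if __name__ == "__main__":
    for name, result in audit(SAMPLE_PROFILE).items():
        print(f"{name}: {result}")
```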

The iPhone Configuration Utility signs exported profiles with a self-signed certificate authority created when you open the application for the first time. This certificate authority is used to sign the configuration profiles created by your copy of the application. If you are delegating configuration profile development among multiple members of your staff, you may wish to export this private key and certificate programmatically. The following is an example of a Perl script that exports this information, using the password "pass", to files in the current directory where the script is run. Using this method you can keep all members of your group up to date with the latest copy of this certificate and private key.

#!/usr/bin/perl -w
# ipcuexport.pl Created by Zack Smith
#
# This script will export the iPhone Configuration Utility certificate and private key
# to files in the current directory with the naming conventions below.
# The private key is exported from the login keychain using the password "pass".
$certname = "iPCUCertificateAuthority.crt";
$pubkey = "iPCUCertificatePublic.p12";
$privkey = "iPCUCertificatePrivate.p12";

# Dump every certificate in the login keychain as PEM and pick out the iPCU CA.
open(CERTS, "security export -k login.keychain -t certs|");
my $ifile = "";
my $thisfile = "";
while(<CERTS>) {
   $ifile .= $_;
   $thisfile .= $_;
   if($_ =~ /^-+END(\s\w+)?\sCERTIFICATE-+$/) {
      $subject = `echo "$thisfile" | openssl x509 -noout -subject`;
      if($subject =~ m/iPCU Certificate Authority/) {
         # Remember the modulus so the matching private key can be identified below.
         $crtmodulus = `echo "$thisfile" | openssl x509 -noout -modulus`;
         my $fname = $certname;
         open CERT, ">$fname";
         print CERT $thisfile;
         close CERT;
      }
      $thisfile = "";
   }
}
close(CERTS);
# Write the CA's public key in PEM form.
$exportPublic = `openssl x509 -inform pem -in $certname -noout -pubkey > $pubkey`;

# Export all private keys as PKCS#12, convert them to PEM, and keep the one
# whose modulus matches the CA certificate found above.
open(PRIV, "security export -k login.keychain -t privKeys -f pkcs12 -P pass | openssl pkcs12 -passin pass:pass -passout pass:pass|");
my $kfile = "";
my $thiskey = "";
while(<PRIV>) {
   $kfile .= $_;
   $thiskey .= $_;
   if($_ =~ /^-+END(\s\w+)?\sRSA PRIVATE KEY-+$/) {
      $modulus = `echo "$thiskey" | openssl rsa -noout -modulus -passin pass:pass`;
      if($modulus eq $crtmodulus) {   # string comparison, not assignment
         my $fname = $privkey;
         open FILE, ">$fname";
         print FILE $thiskey;
         close FILE;
      }
      $thiskey = "";
   }
}
close(PRIV);
