iPhone OS Enterprise Deployment Guide Second Edition, for Version 3.
Apple Inc. © 2010 Apple Inc. All rights reserved. This manual may not be copied, in whole or in part, without the written consent of Apple. The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.
Contents

Preface 6
  iPhone in the Enterprise 6
  What’s New for the Enterprise in iPhone OS 3.0 and Later 7
Updating and Removing Profiles 55
Other Resources 55
Chapter 4 Deploying iTunes 57
  Installing iTunes 57
  Quickly Activating Devices with iTunes 59
  Setting iTunes Restrictions 60
  Backing Up a Device with iTunes 62
Chapter 5 Deploying Applications 63
  Registering for Application Development 63
  Signing Applications 64
  Creating the Distribution Provisioning Profile 64
  Installing Provisioning Profiles Using iTunes 64
  Installing Provisioning Profiles Using iPhone Configuration Utility 65
Wi-Fi Payload 81
Appendix C Sample Configuration Profiles 84
  Sample Scripts 88
Learn how to integrate iPhone, iPod touch, and iPad with your enterprise systems.

This guide is for system administrators. It provides information about deploying and supporting iPhone, iPod touch, and iPad in enterprise environments.

What’s New for the Enterprise in iPhone OS 3.0 and Later

iPhone OS 3.x includes numerous enhancements, including the following items of special interest to enterprise users:
• CalDAV calendar wireless syncing is supported.
• Web clips can be installed using a configuration profile.
• 802.1x EAP-SIM is now supported.
• Devices can be authenticated and enrolled over-the-air using a Simple Certificate Enrollment Protocol (SCEP) server.
• iTunes can store device backups in encrypted format.
• iPhone Configuration Utility supports profile creation via scripting.
• iPhone Configuration Utility 2.2 supports iPad, iPhone, and iPod touch. Mac OS X v10.6 Snow Leopard is required. Windows 7 is also supported.
You can download the .Net Framework 3.5 Service Pack 1 installer at: http://www.microsoft.com/downloads/details.aspx?familyid=ab99342f-5d1a-413d-831981da479ab0d7 The utility allows you to create an Outlook message with a configuration profile as an attachment. Additionally, you can assign users’ names and email addresses from your desktop address book to devices that you’ve connected to the utility. Both of these features require Outlook and are not compatible with Outlook Express.
The Exchange policy to require device encryption (RequireDeviceEncryption) is supported on iPhone 3GS, on iPod touch (Fall 2009 models with 32 GB or more) and on iPad. iPhone, iPhone 3G, and other iPod touch models don’t support device encryption and won’t connect to an Exchange Server that requires it.
Microsoft Exchange Autodiscovery

The Autodiscover service of Exchange Server 2007 is supported. When you manually configure a device, Autodiscover uses your email address and password to automatically determine the correct Exchange server information. For information about enabling the Autodiscover service, see http://technet.microsoft.com/en-us/library/cc539114.aspx.
Cisco IPSec with certificate-based authentication supports VPN on demand for domains you specify during configuration. See “VPN Settings” on page 35 for details.

Network Security

iPhone OS supports the following 802.11i wireless networking security standards as defined by the Wi-Fi Alliance:
• WEP
• WPA Personal
• WPA Enterprise
• WPA2 Personal
• WPA2 Enterprise
Additionally, iPhone OS supports the following 802.
Email Accounts

iPhone, iPod touch, and iPad support industry-standard IMAP4- and POP3-enabled mail solutions on a range of server platforms including Windows, UNIX, Linux, and Mac OS X. You can also use IMAP to access email from Exchange accounts in addition to the Exchange account you use with direct push. When a user searches their mail, they have the option of continuing the search on the mail server. This works with Microsoft Exchange Server 2007 as well as most IMAP-based accounts.
Additional Resources

In addition to this guide, the following publications and websites provide useful information:
• iPhone in Enterprise webpage at www.apple.com/iphone/enterprise/
• iPad in Business webpage at www.apple.com/ipad/business/
• Exchange Product Overview at http://technet.microsoft.com/en-us/library/bb124558.aspx
• Deploying Exchange ActiveSync at http://technet.microsoft.com/en-us/library/aa995962.aspx
• Exchange 2003 Technical Documentation Library at http://technet.microsoft.
Chapter 1 Deploying iPhone and iPod touch

This chapter provides an overview of how to deploy iPhone, iPod touch, and iPad in your enterprise. iPhone, iPod touch, and iPad are designed to easily integrate with your enterprise systems, including Microsoft Exchange 2003 and 2007, 802.1X-based secure wireless networks, and Cisco IPSec virtual private networks.
Activating Devices

Each iPhone must be activated with your wireless carrier before it can be used to make and receive calls, send text messages, or connect to the cellular data network. Contact your carrier for voice and data tariffs and activation instructions for consumer and business customers. You or your user need to install a SIM card in the iPhone. After the SIM card is installed, iPhone must be connected to a computer with iTunes to complete the activation process.
Preparing Access to Network Services and Enterprise Data

iPhone OS 3.x software enables secure push email, push contacts, and push calendar with your existing Microsoft Exchange Server 2003 or 2007 solution, as well as Global Address Lookup, Remote Wipe, and device passcode policy enforcement. It also allows users to securely connect to company resources via WPA Enterprise and WPA2 Enterprise wireless networks using 802.
• Make sure the DNS for your network returns a single, externally-routable address to the Exchange ActiveSync server for both intranet and Internet clients. This is required so the device can use the same IP address for communicating with the server when both types of connections are active.
• If you’re using a Microsoft ISA Server, create a web listener as well as an Exchange web client access publishing rule. See Microsoft’s documentation for details.
• If you plan to use certificate-based authentication, make sure you have your public key infrastructure configured to support device and user-based certificates with the corresponding key distribution process.
• Verify the compatibility of your certificate formats with the device and your authentication server. For information about certificates see “Certificates and Identities” on page 11.
• If you want to configure URL-specific proxy settings, place a PAC file on a web server that’s accessible with the basic VPN settings, and ensure that it’s served with a MIME type of application/x-ns-proxy-autoconfig. Alternatively, configure your DNS or DHCP to provide the location of a WPAD file on a server that is similarly accessible.
Subscribed Calendars

If you want to publish read-only calendars of corporate events, such as holidays or special event schedules, iPhone OS devices can subscribe to calendars and display the information alongside Microsoft Exchange and CalDAV calendars. iPhone OS works with calendar files in the standard iCalendar (.ics) format. An easy way to distribute subscribed calendars to your users is to send the fully qualified URL in SMS or email.
If you use Microsoft Exchange, you can also supplement your EAS policies by using configuration policies. This can provide access to policies that aren’t available in Microsoft Exchange 2003, for example, or allow you to define policies specifically for iPhone OS devices.

Configuring Devices

You need to decide how you’ll configure each iPhone, iPod touch, or iPad. This is influenced in part by how many devices you plan on deploying and managing over time.
Over-the-Air Enrollment and Configuration

Enrollment is the process of authenticating a device and user so that you can automate the process of distributing certificates. Digital certificates provide many benefits to users. They can be used to authenticate access to key enterprise services, such as Microsoft Exchange ActiveSync, WPA2 Enterprise wireless networks, and corporate VPN connections. Certificate-based authentication also permits the use of VPN On Demand for seamless access to corporate networks.
Phase 1 – Begin Enrollment

Figure (phase 1): (1) The device sends an enrollment request to the profile service. (2) The profile service returns a device information request. Sample: user: Anne Johnson; attributes required: UDID, OS version, IMEI; challenge token: AnneJohnson1; URL for response: https://profiles.example.com.

Phase 1 – Begin Enrollment: Enrollment begins with the user using Safari to access the URL of the profile distribution service you’ve created. You can distribute this URL via SMS or email.

Phase 2 – Device Authentication

Figure (phase 2): The device sends a signed response via POST to the profile service. Sample: attributes: UDID, OS Version, IMEI; challenge token: AnneJohnson1.

Phase 2 – Device Authentication: After the user accepts the installation of the profile received in phase 1, the device looks up the requested attributes, adds the challenge response (if provided), signs the response using the device’s built-in identity (Apple-issued certificate), and sends it back to the profile distribution service using HTTP Post.

Phase 3 – Device Certificate Installation

Figure (phase 3): (1) The profile service sends the device a challenge, key generation specs and the URL for the response. Sample: RSA: 1024; challenge: AnneJohnson1; URL: http://ca.example.com/getkey. (2) The device sends the challenge, a certificate signing request and its public key to the certificate issuing service. (3) The certificate issuing service returns the device certificate.

Phase 4 – Device Configuration

Figure (phase 4): (1) The device sends its device attributes, signed with the device certificate, to the profile service. Sample: UDID, OS version, IMEI, MAC address. (2) The profile service returns a .mobileconfig file encrypted for the device and signed by the profile service. Sample: Exchange policies, VPN settings, additional SCEP payloads, mail accounts, etc.

Phase 4 – Device Configuration: In step 1, the device replies with the list of attributes, signed using the encryption certificate provided by the CA in the previous phase.
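The server side of phases 1 and 2, as an added Python example that is not part of this guide or of Apple's own profile service: it issues a single-use random challenge together with the attribute request, then checks the attributes the device posts back and refuses a replayed response. The key names Profile Service, DeviceAttributes, Challenge and URL, the upper-case attribute keys in the device response (UDID, VERSION, IMEI, CHALLENGE) and the stand-in device response are assumptions about the over-the-air enrollment format; verifying the CMS signature on the response against the Apple-issued device certificate is left to an external tool.

```python
import plistlib
import secrets

# Attributes the profile service asks the device for in phase 1. The guide's
# diagram lists UDID, OS version and IMEI; the key spellings used on the wire
# are an assumption about the over-the-air enrollment format.
REQUIRED_ATTRIBUTES = ["UDID", "VERSION", "IMEI"]
RESPONSE_URL = "https://profiles.example.com"   # URL from the guide's diagram

# Outstanding challenges, token -> user. A constructed in-memory stand-in for
# whatever store a real profile service would use.
_pending_challenges = {}


def begin_enrollment(user):
    """Phase 1: build the profile the device receives when the user opens the
    enrollment URL in Safari. Each request gets a fresh random challenge so a
    captured phase-2 response cannot be replayed for another device."""
    challenge = secrets.token_urlsafe(24)
    _pending_challenges[challenge] = user
    profile = {
        "PayloadType": "Profile Service",            # assumed type name
        "PayloadVersion": 1,
        "PayloadUUID": secrets.token_hex(16).upper(),
        "PayloadIdentifier": "com.example.profile-service",
        "PayloadDisplayName": "Example Corp enrollment",
        "PayloadContent": {
            "URL": RESPONSE_URL,
            "DeviceAttributes": REQUIRED_ATTRIBUTES,
            "Challenge": challenge,
        },
    }
    return plistlib.dumps(profile), challenge


def check_phase2_response(body):
    """Phase 2: validate the attribute plist the device POSTs back. `body` is
    the plist after its CMS signature has been verified and unwrapped (for
    example with `openssl smime -verify`); that step is outside this example.
    Returns (user, attributes) or raises ValueError."""
    data = plistlib.loads(body)
    # Single use: pop the token so a replayed response fails the second time.
    user = _pending_challenges.pop(data.get("CHALLENGE"), None)
    if user is None:
        raise ValueError("unknown or already-used challenge token")
    missing = [a for a in REQUIRED_ATTRIBUTES if not data.get(a)]
    if missing:
        raise ValueError("device response is missing attributes: %s" % missing)
    return user, {a: data[a] for a in REQUIRED_ATTRIBUTES}


def simulate_device_response(challenge):
    """Constructed stand-in for what a device would send in phase 2 (before
    CMS signing), so the two functions above can be exercised offline."""
    return plistlib.dumps({
        "UDID": "0000000000000000000000000000000000000000",
        "VERSION": "7E18",
        "IMEI": "000000000000000",
        "CHALLENGE": challenge,
    })


if __name__ == "__main__":
    profile, token = begin_enrollment("Anne Johnson")
    print(profile.decode())
    print(check_phase2_response(simulate_device_response(token)))
```

The challenge store is keyed by the random token rather than by the user so that the second submission of the same signed response, which is exactly what an attacker holding a captured POST could try, is rejected without any further lookup.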
Other Resources
• Digital Certificates PKI for IPSec VPNs at https://cisco.hosted.jivesoftware.com/docs/DOC-3592
• Public key infrastructure at http://en.wikipedia.org/wiki/Public_key_infrastructure
• IETF SCEP protocol specification at http://www.ietf.org/internet-drafts/draft-nourse-scep-18.txt
Additional information and resources for iPhone, iPod touch and iPad in the enterprise are available at www.apple.com/iphone/enterprise/ and www.apple.com/ipad/business/.
Chapter 2 Creating and Deploying Configuration Profiles

Configuration profiles define how iPhone, iPad and iPod touch work with your enterprise systems. Configuration profiles are XML files that contain device security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, and authentication credentials that permit iPhone, iPod touch, and iPad to work with your enterprise systems.
About iPhone Configuration Utility

iPhone Configuration Utility lets you easily create, encrypt and install configuration profiles, track and install provisioning profiles and authorized applications, and capture device information including console logs. When you run the iPhone Configuration Utility installer, the utility is installed in /Applications/Utilities/ on Mac OS X, or in Programs\iPhone Configuration Utility\ on Windows.
The sidebar also displays Connected Devices, which shows information about the iPhone OS devices currently connected to your computer’s USB port. Information about a connected device is automatically added to the Devices list, so you can view it again without having to reconnect the device. After a device has been connected, you can also encrypt profiles for use on only that device.
Automating Configuration Profile Creation

You can also automate the creation of configuration files using AppleScript on a Mac, or C# Script on Windows. To see the supported methods and their syntax, do the following:
• Mac OS X: Use Script Editor to open the AppleScript Dictionary for iPhone Configuration Utility.
• Windows: Use Visual Studio to view the method calls provided by iPCUScripting.dll.
To execute a script, on Mac, use the AppleScript Tell command.
The identifier is important because when a profile is installed, the value is compared with profiles that are already on the device. If the identifier is unique, information in the profile is added to the device. If the identifier matches a profile already installed, information in the profile replaces the settings already on the device, except in the case of Exchange settings.
• Grace period for device lock: Specifies how soon the device can be unlocked again after use, without re-prompting for the passcode.
• Maximum number of failed attempts: Determines how many failed passcode attempts can be made before the device is wiped. If you don’t change this setting, after six failed passcode attempts, the device imposes a time delay before a passcode can be entered again. The time delay increases with each failed attempt.
Wi-Fi Settings

Use this payload to set how the device connects to your wireless network. You can add multiple network configurations by clicking the Add (+) button in the editing pane. These settings must be specified, and must match the requirements of your network, in order for the user to initiate a connection.
• Service Set Identifier: Enter the SSID of the wireless network to connect to.
• Hidden Network: Specifies whether the network is broadcasting its identity.
VPN Settings

Use this payload to enter the VPN settings for connecting to your network. You can add multiple sets of VPN connections by clicking the Add (+) button. For information about supported VPN protocols and authentication methods, see “VPN” on page 10. The options available vary by the protocol and authentication method you select.
For PAC-based auto-proxy configurations, select Automatic from the pop-up menu and then enter the URL of a PAC file. For information about PAC capabilities and the file format, see “Other Resources” on page 55. For Web Proxy Autodiscovery (WPAD) configurations, select Automatic from the pop-up menu. Leave the Proxy Server URL field empty; iPhone will request the WPAD file using DHCP and DNS. For information about WPAD, see “Other Resources” on page 55.
LDAP Settings

Use this payload to enter settings for connecting to an LDAPv3 directory. You can specify multiple search bases for each directory, and you can configure multiple directory connections by clicking the Add (+) button. If you select the Use SSL option, be sure to add the certificates necessary to authenticate the connection using the Credentials pane.

CalDAV Settings

Use this payload to provide account settings for connecting to a CalDAV-compliant calendar server.
Credentials Settings

Use this payload to add certificates and identities to the device. For information about supported formats, see “Certificates and Identities” on page 11. When installing credentials, also install the intermediate certificates that are necessary to establish a chain to a trusted certificate that’s on the device. To view a list of the preinstalled roots, see the Apple Support article at http://support.apple.com/kb/HT2185.
SCEP Settings

The SCEP payload lets you specify settings that allow the device to obtain certificates from a CA using Simple Certificate Enrollment Protocol (SCEP).
URL: This is the address of the SCEP server.
Name: This can be any string that will be understood by the certificate authority; it can be used to distinguish between instances, for example.
Subject: The representation of a X.500 name represented as an array of OID and value. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.
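A parser for the slash-delimited subject string this table describes, added here as an example and not code from the guide or from iPhone Configuration Utility. It converts a string such as /C=US/O=Example Corp/CN=device-001 into the array-of-arrays form the SCEP payload's Subject key takes (one inner array per relative distinguished name, holding [type, value] pairs) and rejects malformed input such as a trailing-dot OID. That nesting shape, the com.apple.security.scep PayloadType and the Keysize key used by the helper that assembles the payload are assumptions about Apple's profile format; the sample subject values are constructed.

```python
def _is_oid(text):
    """True for a dotted-decimal OID such as "1.2.840.113549"; a trailing dot
    or an empty arc is rejected."""
    arcs = text.split(".")
    return len(arcs) >= 2 and all(arc.isdigit() for arc in arcs)


def parse_scep_subject(subject):
    """Turn "/C=US/O=Example Corp/CN=device-001" into
    [[["C", "US"]], [["O", "Example Corp"]], [["CN", "device-001"]]].
    Each RDN type must be an alphabetic short name (C, O, OU, CN, ...) or a
    dotted OID; malformed input raises ValueError rather than producing a
    subject the CA would reject at enrollment time."""
    if not subject.startswith("/"):
        raise ValueError("subject must start with '/'")
    rdns = []
    for rdn in subject[1:].split("/"):
        if rdn == "":
            continue                      # tolerate a trailing slash
        if "=" not in rdn:
            raise ValueError("RDN %r has no '=' separator" % rdn)
        attr_type, value = rdn.split("=", 1)
        attr_type = attr_type.strip()
        if not attr_type or not value:
            raise ValueError("RDN %r has an empty type or value" % rdn)
        if not (attr_type.isalpha() or _is_oid(attr_type)):
            raise ValueError("RDN type %r is neither a short name nor an OID" % attr_type)
        rdns.append([[attr_type, value]])
    if not rdns:
        raise ValueError("subject contains no RDNs")
    return rdns


def build_scep_payload(url, name, subject, keysize=1024):
    """Assemble the SCEP payload dictionary from the three settings in the
    table above plus the key size (the guide's enrollment diagram shows
    RSA 1024). The PayloadType string and the Keysize key are assumptions
    about the profile format; PayloadUUID is omitted for brevity."""
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError("SCEP URL must be an HTTP(S) URL")
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep",      # constructed
        "PayloadDisplayName": "SCEP enrollment",
        "PayloadContent": {
            "URL": url,
            "Name": name,
            "Subject": parse_scep_subject(subject),
            "Keysize": keysize,
        },
    }


if __name__ == "__main__":
    import pprint
    # Constructed sample values.
    pprint.pprint(build_scep_payload("https://ca.example.com/scep", "example-ca",
                                     "/C=US/O=Example Corp/CN=device-001/1.2.3.4=bar"))
```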
The Identifier field in the General payload is used by the device to determine whether a profile is new, or an update to an existing profile. If you want the updated profile to replace one that users have already installed, don’t change the Identifier.

Installing Provisioning Profiles and Applications

iPhone Configuration Utility can install applications and distribution provisioning profiles on devices attached to the computer. For details, see Chapter 5, “Deploying Applications,” on page 63.
b Sign Configuration Profile: The .mobileconfig file is signed and won’t be installed by a device if it’s altered. Some fields are obfuscated to prevent casual snooping if the file is examined. Once installed, the profile can only be updated by a profile that has the same identifier and is signed by the same copy of iPhone Configuration Utility.
User Installation of Downloaded Configuration Profiles

Provide your users with the URL where they can download the profiles onto their devices, or send the profiles to an email account your users can access using the device before it’s set up with your enterprise-specific information. When a user downloads the profile from the web, or opens the attachment using Mail, the device recognizes the .mobileconfig extension as a profile and begins installation when the user taps Install.
Removing and Updating Configuration Profiles

Configuration profile updates aren’t pushed to users. Distribute the updated profiles to your users for them to install. As long as the profile identifier matches (and, if the profile is signed, it was signed by the same copy of iPhone Configuration Utility), the new profile replaces the profile on the device. Settings enforced by a configuration profile cannot be changed on the device. To change a setting, you must install an updated profile.
Chapter 3 Manually Configuring Devices

This chapter describes how to manually configure iPhone, iPod touch, and iPad. If you don’t provide automatic configuration profiles, users can configure their devices manually. Some settings, such as passcode policies, can only be set by using a configuration profile.

VPN Settings

To change VPN settings, go to Settings > General > Network > VPN. When you configure VPN settings, the device asks you to enter information based on responses it receives from your VPN server.
Cisco IPSec Settings

When you manually configure the device for Cisco IPSec VPN, a screen similar to the following appears. Use this chart to identify the settings and information you enter:
Description: A descriptive title that identifies this group of settings.
Server: The DNS name or IP address of the VPN server to connect to.
Account: The user name of the user’s VPN login account. Don’t enter the group name in this field.
Password: The passphrase of the user’s VPN login account.

PPTP Settings

When you manually configure the device for PPTP VPN, a screen similar to the following appears. Use this chart to identify the settings and information you enter:
Description: A descriptive title that identifies this group of settings.
Server: The DNS name or IP address of the VPN server to connect to.
Account: The user name of the user’s VPN login account.
RSA SecurID: If you’re using an RSA SecurID token, turn on this option, so the Password field is hidden.

L2TP Settings

When you manually configure the device for L2TP VPN, a screen similar to the following appears. Use this chart to identify the settings and information you enter:
Description: A descriptive title that identifies this group of settings.
Server: The DNS name or IP address of the VPN server to connect to.
Account: The user name of the user’s VPN login account.
Password: The password of the user’s VPN login account.
Wi-Fi Settings

To change Wi-Fi settings, go to Settings > General > Network > Wi-Fi. If the network you’re adding is within range, select it from the list of available networks. Otherwise, tap Other. Make sure that your network infrastructure uses authentication and encryption supported by iPhone and iPod touch. For specifications, see “Network Security” on page 11. For information about installing certificates for authentication, see “Installing Identities and Root Certificates” on page 54.
Exchange Settings

You can configure only one Exchange account per device. To add an Exchange account, go to Settings > Mail, Contacts, Calendars, and then tap Add Account. On the Add Account screen, tap Microsoft Exchange. When you manually configure the device for Exchange, use this chart to identify the settings and information you enter:
Email: The user’s complete email address.
Domain: The domain of the user’s Exchange account.
After the Exchange account is successfully configured, the server’s passcode policies are enforced. If the user’s current passcode doesn’t comply with the Exchange ActiveSync policies, the user is prompted to change or set the passcode. The device won’t communicate with the Exchange server until the user sets a compliant passcode. Next, the device offers to immediately sync with the Exchange server.
LDAP Settings

iPhone, iPod touch, and iPad can look up contact information on LDAP directory servers. To add an LDAP server, go to Settings > Mail, Contacts, Calendars > Add Account > Other. Then tap Add LDAP Account. Enter the LDAP server address, and user name and password if required, then tap Next. If the server is reachable and supplies default search settings to the device, the settings will be used.
The following Search Scope settings are supported:
Base: Searches the base object only.
One Level: Searches objects one level below the base object, but not the base object itself.
Subtree: Searches the base object and the entire tree of all objects descended from it.
You can define multiple sets of search settings for each server.

CalDAV Settings

iPhone, iPod touch, and iPad work with CalDAV calendar servers that provide group calendars and scheduling.
Calendar Subscription Settings

You can add read-only calendars, such as project schedules or holidays. To add a calendar, go to Settings > Mail, Contacts, Calendars > Add Account > Other and then tap Add Subscribed Calendar. Enter the URL for an iCalendar (.ics) file, and the user name and password if necessary, then tap Save. You can also specify whether alarms that are set in the calendar should be removed when the calendar is added to the device.
Installing Identities and Root Certificates

If you don’t distribute certificates using profiles, your users can install them manually by using the device to download them from a website, or by opening an attachment in an email message. The device recognizes certificates with the following MIME types and file extensions:
• application/x-pkcs12, .p12, .pfx
• application/x-x509-ca-cert, .cer, .crt, .
Additional Mail Accounts

You can configure only one Exchange account, but you can add multiple POP and IMAP accounts. This can be used, for example, to access mail on a Lotus Notes or Novell Groupwise mail server. Go to Settings > Accounts > Mail, Contacts, Calendars > Add Account > Other. For more about adding an IMAP account, see the iPhone User Guide, iPod touch User Guide, or iPad User Guide.
Chapter 4 Deploying iTunes

You use iTunes to sync music and video, install applications, and more. This chapter describes how to deploy iTunes and enterprise applications, and defines the settings and restrictions you can specify. iPhone, iPod touch, and iPad can sync each type of data (music, media, etc.) to only one computer at a time. For example, you can sync music with a desktop computer and bookmarks with a portable computer, by setting iTunes sync options appropriately on both computers.
Installing on Windows using iTunesSetup.exe

If you plan to use the regular iTunes installation process but omit some components, you can pass properties to iTunesSetup.exe using the command line.
NO_AMDS=1: Don’t install Apple Mobile Device Services. This component is required for iTunes to sync and manage mobile devices.
NO_ASUW=1: Don’t install Apple Software Update for Windows. This application alerts users to new versions of Apple software.
NO_BONJOUR=1: Don’t install Bonjour.
Installing iTunes on Macintosh Computers

Mac computers come with iTunes installed. The latest version of iTunes is available at www.itunes.com. To push iTunes to Mac clients, you can use Workgroup Manager, an administrative tool included with Mac OS X Server.

Quickly Activating Devices with iTunes

Before a new iPhone, iPod touch, or iPad can be used, it must be activated by connecting it to a computer that is running iTunes.
Using Activation-Only Mode

Make sure that you’ve turned on activation-only mode as described above, and then follow these steps.
1 If you’re activating an iPhone, insert an activated SIM card. Use the SIM eject tool, or a straightened paper clip, to eject the SIM tray. See the iPhone User Guide for details.
2 Connect iPhone, iPod touch, or iPad to the computer. The computer must be connected to the Internet to activate the device. iTunes opens, if necessary, and activates the device.
Setting iTunes Restrictions for Mac OS X

On Mac OS X, you control access by using keys in a plist file. On Mac OS X the key values shown above can be specified for each user by editing ~/Library/Preferences/com.apple.iTunes.plist using Workgroup Manager, an administrative tool included with Mac OS X Server. For instructions, see the Apple Support article at http://docs.info.apple.com/article.html?artnum=303099.
To update iPhone OS, follow these steps:
1 On a computer that doesn’t have iTunes software updating turned off, use iTunes to download the software update. To do so, select an attached device in iTunes, click the Summary tab, and then click the “Check for Update” button.
2 After downloading, copy the updater file (.
Chapter 5 Deploying Applications

You can distribute iPhone, iPod touch, and iPad applications to your users. If you want to install iPhone OS applications that you’ve developed, you distribute the application to your users, who install the applications using iTunes. Applications from the online App Store work on iPhone, iPod touch, and iPad without any additional steps. If you develop an application that you want to distribute yourself, it must be digitally signed with a certificate issued by Apple.
Signing Applications

Applications you distribute to users must be signed with your distribution certificate. For instructions about obtaining and using a certificate, see the iPhone Developer Center at http://developer.apple.com/iphone.

Creating the Distribution Provisioning Profile

Distribution provisioning profiles let you create applications that your users can use on their device.
Windows Vista
• bootdrive:\Users\username\AppData\Roaming\Apple Computer\MobileDevice\Provisioning Profiles
• bootdrive:\ProgramData\Apple Computer\MobileDevice\Provisioning Profiles
• the path specified in the HKCU or HKLM by the ProvisioningProfilesPath registry key SOFTWARE\Apple Computer, Inc\iTunes
iTunes automatically installs provisioning profiles found in the locations above onto devices it syncs with.
Installing Applications Using iPhone Configuration Utility

You can use iPhone Configuration Utility to install applications on connected devices. Follow these steps:
1 In iPhone Configuration Utility, choose File > Add to Library, and then select the application that you want to install. The application is added to iPhone Configuration Utility and can be viewed by selecting the Applications category in the Library.
2 Select a device in the Connected Devices list.
3 Click the Applications tab.
Appendix A Cisco VPN Server Configuration

Use these guidelines to configure your Cisco VPN server for use with iPhone, iPod touch and iPad.

Supported Cisco Platforms

iPhone OS supports Cisco ASA 5500 Security Appliances and PIX Firewalls configured with 7.2.x software or later. The latest 8.0.x software release (or later) is recommended. iPhone OS also supports Cisco IOS VPN routers with IOS version 12.4(15)T or later. VPN 3000 Series Concentrators don’t support iPhone VPN capabilities.
Authentication Groups

The Cisco Unity protocol uses authentication groups to group users together based on a common set of authentication and other parameters. You should create an authentication group for iPhone OS device users. For pre-shared key and hybrid authentication, the group name must be configured on the device with the group’s shared secret (pre-shared key) as the group password.
IPSec Settings

Use the following IPSec settings:
• Mode: Tunnel Mode
• IKE Exchange Modes: Aggressive Mode for pre-shared key and hybrid authentication, Main Mode for certificate authentication.
• Encryption Algorithms: 3DES, AES-128, AES-256
• Authentication Algorithms: HMAC-MD5, HMAC-SHA1
• Diffie Hellman Groups: Group 2 is required for pre-shared key and hybrid authentication. For certificate authentication, use Group 2 with 3DES and AES-128. Use Group 2 or 5 with AES-256.
Appendix B Configuration Profile Format

This appendix specifies the format of mobileconfig files for those who want to create their own tools. This document assumes that you’re familiar with the Apple XML DTD and the general property list format. A general description of the Apple plist format is available at www.apple.com/DTDs/PropertyList-1.0.dtd. To get started, use iPhone Configuration Utility to create a skeleton file that you can modify using the information in this appendix.
PayloadIdentifier: String, mandatory. This value is by convention a dot-delimited string uniquely describing the profile, such as “com.myCorp.iPhone.mailSettings” or “edu.myCollege.students.vpn”. This is the string by which profiles are differentiated—if a profile is installed which matches the identifier of another profile, it overrides it (instead of being added).
PayloadDisplayName: String, mandatory.

PayloadIdentifier: String, mandatory. This value is by convention a dot-delimited string uniquely describing the payload. It’s usually the root PayloadIdentifier with an appended subidentifier, describing the particular payload.
PayloadDisplayName: String, mandatory. This value is a very short string displayed to the user which describes the profile, such as “VPN Settings”. It does not have to be unique.
PayloadDescription: String, optional.

maxFailedAttempts: Number, optional. Default 11. Allowed range [2...11]. Specifies the number of allowed failed attempts to enter the passcode at the device’s lock screen. Once this number is exceeded, the device is locked and must be connected to its designated iTunes in order to be unlocked.
maxInactivity: Number, optional. Default Infinity. Specifies the number of minutes for which the device can be idle (without being unlocked by the user) before it’s locked by the system.

EmailAccountType: String, mandatory. Allowed values are EmailTypePOP and EmailTypeIMAP. Defines the protocol to be used for that account.
EmailAddress: String, mandatory. Designates the full email address for the account. If not present in the payload, the device prompts for this string during profile installation.
IncomingMailServerAuthentication: String, mandatory. Designates the authentication scheme for incoming mail. Allowed values are EmailAuthPassword and EmailAuthNone.

Web Clip Payload

The Web Clip payload is designated by the com.apple.webClip.managed PayloadType value. In addition to the settings common to all payloads, this payload defines the following:
URL: String, mandatory. The URL that the Web Clip should open when clicked. The URL must begin with HTTP or HTTPS or it won’t work.
Label: String, mandatory. The name of the Web Clip as displayed on the Home screen.
Icon: Data, optional. A PNG icon to be shown on the Home screen.

LDAP Payload

The LDAP payload is designated by the com.apple.ldap.account PayloadType value. There’s a one-to-many relationship from LDAP Account to LDAPSearchSettings. Think of LDAP as a tree. Each SearchSettings object represents a node in the tree to start the search at, and what scope to search for (node, node+1 level of children, node + all levels of children). In addition to the settings common to all payloads, this payload defines the following:
LDAPAccountDescription: String, optional.
Calendar Subscription Payload
The CalSub payload is designated by the com.apple.subscribedcalendar.account PayloadType value. In addition to the settings common to all payloads, this payload defines the following:
SubCalAccountDescription: String, optional. Description of the account.
SubCalAccountHostName: String, mandatory. The server address.
SubCalAccountUsername: String, optional. The user’s login name.
SubCalAccountPassword: String, optional. The user’s password.
SubjectAltName Dictionary Keys
The SCEP payload can specify an optional SubjectAltName dictionary that provides values required by the CA for issuing a certificate. You can specify a single string or an array of strings for each key. The values you specify depend on the CA you’re using, but might include DNS name, URL, or email values. For an example, see “Sample Phase 3 Server Response With SCEP Specifications” on page 85.
Exchange Payload
The Exchange payload is designated by the com.apple.eas.account PayloadType value. This payload creates a Microsoft Exchange account on the device. In addition to the settings common to all payloads, this payload defines the following:
EmailAddress: String, mandatory. Specifies the full email address for the account. If not present in the payload, the device prompts for this string during profile installation.
Host: String, mandatory.
PPP Dictionary Keys
The following elements are for VPN payloads of type PPP.
AuthName: String. The VPN account user name. Used for L2TP and PPTP.
AuthPassword: String, optional. Only visible if TokenCard is false. Used for L2TP and PPTP.
TokenCard: Boolean. Whether to use a token card, such as an RSA SecurID card, for connecting. Used for L2TP.
CommRemoteAddress: String. IP address or host name of the VPN server. Used for L2TP and PPTP.
AuthEAPPlugins: Array.
PayloadCertificateUUID: String. The UUID of the certificate to use for the account credentials. Only present if AuthenticationMethod = Certificate. Used for Cisco IPSec.
PromptForVPNPIN: Boolean. Whether to prompt for a PIN when connecting. Used for Cisco IPSec.

Wi-Fi Payload
The Wi-Fi payload is designated by the com.apple.wifi.managed PayloadType value. This describes version 0 of the PayloadVersion value.
EAPClientConfiguration Dictionary
In addition to the standard encryption types, it is possible to specify an enterprise profile for a given network via the “EAPClientConfiguration” key. If present, its value is a dictionary with the following keys.
UserName: String, optional. Unless you know the exact user name, this property won’t appear in an imported configuration. Users can enter this information when they authenticate.
AcceptEAPTypes: Array of integer values.
TTLSInnerAuthentication: String, optional. The inner authentication used by the TTLS module. The default value is “MSCHAPv2”. Possible values are “PAP”, “CHAP”, “MSCHAP”, and “MSCHAPv2”.
OuterIdentity: String, optional. This key is only relevant to TTLS, PEAP, and EAPFAST. It allows the user to hide his or her identity; the user’s actual name appears only inside the encrypted tunnel. For example, it could be set to “anonymous”, “anon”, or “anon@mycompany.net”.
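As an added example (not from Apple's guide), the following Python checker applies the constraints documented in the tables above, from the common payload keys through the passcode, email, Web Clip and Wi-Fi EAPClientConfiguration keys, to a constructed profile plist. The PayloadType strings for the passcode and mail payloads, the sample profile and the wording of the findings are assumptions; plistlib is the standard library.

```python
import plistlib

WEBCLIP, WIFI = "com.apple.webClip.managed", "com.apple.wifi.managed"  # from this appendix
# Assumed PayloadType values for the passcode and mail payloads (not listed on this page)
PASSCODE, MAIL = "com.apple.mobiledevice.passwordpolicy", "com.apple.mail.managed"

def check_payload(p):
    """Return a list of findings for one payload dictionary."""
    kind, out = p.get("PayloadType", ""), []
    for key in ("PayloadIdentifier", "PayloadDisplayName"):  # mandatory in every payload
        if not isinstance(p.get(key), str):
            out.append(f"{kind}: {key} is mandatory")
    if kind == PASSCODE:
        n = p.get("maxFailedAttempts", 11)  # default 11, allowed range [2...11]
        if not 2 <= n <= 11:
            out.append(f"{kind}: maxFailedAttempts {n} outside [2...11]")
    elif kind == MAIL:
        if p.get("EmailAccountType") not in ("EmailTypePOP", "EmailTypeIMAP"):
            out.append(f"{kind}: EmailAccountType must be EmailTypePOP or EmailTypeIMAP")
        if p.get("IncomingMailServerAuthentication") not in ("EmailAuthPassword", "EmailAuthNone"):
            out.append(f"{kind}: IncomingMailServerAuthentication must be EmailAuthPassword or EmailAuthNone")
    elif kind == WEBCLIP:
        if not p.get("URL", "").lower().startswith(("http://", "https://")):
            out.append(f"{kind}: URL must begin with HTTP or HTTPS")
        if not p.get("Label"):
            out.append(f"{kind}: Label is mandatory")
    elif kind == WIFI:
        inner = p.get("EAPClientConfiguration", {}).get("TTLSInnerAuthentication", "MSCHAPv2")
        if inner not in ("PAP", "CHAP", "MSCHAP", "MSCHAPv2"):
            out.append(f"{kind}: TTLSInnerAuthentication {inner!r} not allowed")
    return out

def check_profile(data):
    """Parse a profile plist (bytes) and return the findings for every payload in it."""
    profile = plistlib.loads(data)
    return [f for p in profile.get("PayloadContent", []) for f in check_payload(p)]

# Constructed sample profile with two deliberate mistakes: an out-of-range
# maxFailedAttempts and a Web Clip URL that is not HTTP or HTTPS.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadIdentifier": "com.example.profile",
    "PayloadDisplayName": "Example Profile", "PayloadContent": [
        {"PayloadType": PASSCODE, "PayloadIdentifier": "com.example.profile.passcode",
         "PayloadDisplayName": "Passcode", "maxFailedAttempts": 20, "maxInactivity": 5},
        {"PayloadType": WEBCLIP, "PayloadIdentifier": "com.example.profile.webclip",
         "PayloadDisplayName": "Intranet", "URL": "ftp://intranet.example.com", "Label": "Intranet"},
        {"PayloadType": WIFI, "PayloadIdentifier": "com.example.profile.wifi",
         "PayloadDisplayName": "Corp Wi-Fi", "EAPClientConfiguration": {
             "AcceptEAPTypes": [21], "OuterIdentity": "anonymous"}},  # 21 = EAP-TTLS
    ]})
```

Running check_profile(SAMPLE) reports exactly the two planted mistakes and accepts the Wi-Fi payload, whose TTLSInnerAuthentication falls back to the documented default.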
Sample Configuration Profiles
This section includes sample profiles that illustrate the over-the-air enrollment and configuration phases. These are excerpts, and your requirements will vary from the examples. For syntax assistance, see the details provided earlier in this appendix. For a description of each phase, see “Over-the-Air Enrollment and Configuration” on page 22.
Sample Phase 1 Server Response
Sample Phase 2 Device Response
O Example, Inc. CN User Device Cert Challenge ...
Sample Phase 4 Device Response

Appendix C Sample Scripts
This appendix provides sample scripts for iPhone OS deployment tasks. The scripts in this section should be modified to fit your needs and configurations.
Sample C# Script for iPhone Configuration Utility
This sample script demonstrates creating configuration files using iPhone Configuration Utility for Windows.
using System;
using Com.Apple.
passcodePayload.AllowSimple = true;
// restrictions
IRestrictionsPayload restrictionsPayload = profile.AddRestrictionsPayload();
restrictionsPayload.AllowYouTube = false;
// wi-fi
IWiFiPayload wifiPayload = profile.AddWiFiPayload();
wifiPayload.ServiceSetIdentifier = "Example Wi-Fi";
wifiPayload.EncryptionType = WirelessEncryptionType.WPA;
wifiPayload.Password = "password";
wifiPayload = profile.AddWiFiPayload();
profile.RemoveWiFiPayload(wifiPayload);
// vpn
IVPNPayload vpnPayload = profile.
Sample AppleScript for iPhone Configuration Utility
This sample script demonstrates creating configuration files using iPhone Configuration Utility for Mac OS X.
tell application "iPhone Configuration Utility"
    log (count of every configuration profile)
    set theProfile to make new configuration profile with properties {displayed name:"Profile Via Script", profile identifier:"com.example.configviascript", organization:"Example Org.