iPhone OS Enterprise Deployment Guide Second Edition, for Version 3.
Apple Inc. © 2009 Apple Inc. All rights reserved. This manual may not be copied, in whole or in part, without the written consent of Apple. The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.
Contents

Preface: iPhone in the Enterprise 6
What’s New for the Enterprise in iPhone OS 3.

Updating and Removing Profiles 56
Other Resources 56

Chapter 4: Deploying iTunes 57
Installing iTunes 57
Quickly Activating Devices with iTunes 59
Setting iTunes Restrictions 60
Backing Up iPhone with iTunes 62

Chapter 5: Deploying iPhone Applications 63
Registering for Application Development 63
Signing Applications 64
Creating the Distribution Provisioning Profile 64
Installing Provisioning Profiles Using iTunes 64
Installing Provisioning Profiles Using iPhone Configuration Utili

Wi-Fi Payload 81
Appendix C: Sample Configuration Profiles 84
Sample Scripts 88
Learn how to integrate iPhone and iPod touch with your enterprise systems. This guide is for system administrators. It provides information about deploying and supporting iPhone and iPod touch in enterprise environments.

What’s New for the Enterprise in iPhone OS 3.0 and Later

iPhone OS 3.x includes numerous enhancements, including the following items of special interest to enterprise users.
- CalDAV calendar wireless syncing is now supported.
- Web clips can now be installed using a configuration profile.
- 802.1x EAP-SIM is now supported.
- Devices can now be authenticated and enrolled over-the-air using a Simple Certificate Enrollment Protocol (SCEP) server.
- iTunes can now store device backups in encrypted format.
- iPhone Configuration Utility now supports profile creation via scripting.
The utility allows you to create an Outlook message with a configuration profile as an attachment. Additionally, you can assign users’ names and email addresses from your desktop address book to devices that you’ve connected to the utility. Both of these features require Outlook and are not compatible with Outlook Express. To use these features on Windows XP computers, you may need to install 2007 Microsoft Office System Update: Redistributable Primary Interop Assemblies.
The Exchange policy to require device encryption (RequireDeviceEncryption) is supported on iPhone 3GS, and on iPod touch (Fall 2009 models with 32 GB or more). iPhone, iPhone 3G, and other iPod touch models do not support device encryption and will not connect to an Exchange Server that requires it.
Microsoft Exchange Autodiscovery

The Autodiscover service of Exchange Server 2007 is supported. When you’re manually configuring an iPhone or iPod touch, Autodiscover uses your email address and password to automatically determine the correct Exchange server information. For information about enabling the Autodiscover service, see http://technet.microsoft.com/en-us/library/cc539114.aspx.
Network Security

iPhone and iPod touch support the following 802.11i wireless networking security standards as defined by the Wi-Fi Alliance:
- WEP
- WPA Personal
- WPA Enterprise
- WPA2 Personal
- WPA2 Enterprise
Additionally, iPhone and iPod touch support the following 802.1X authentication methods for WPA Enterprise and WPA2 Enterprise networks:
- EAP-TLS
- EAP-TTLS
- EAP-FAST
- EAP-SIM
- PEAP v0, PEAP v1
- LEAP

Certificates and Identities

iPhone and iPod touch can use X.509 certificates with RSA keys.
Email Accounts

iPhone and iPod touch support industry-standard IMAP4- and POP3-enabled mail solutions on a range of server platforms including Windows, UNIX, Linux, and Mac OS X. You can also use IMAP to access email from Exchange accounts in addition to the Exchange account you use with direct push. When a user searches their mail, they have the option of continuing the search on the mail server. This works with Microsoft Exchange Server 2007 as well as most IMAP-based accounts.
Additional Resources

In addition to this guide, the following publications and websites provide useful information:
- iPhone in Enterprise webpage at www.apple.com/iphone/enterprise/
- Exchange Product Overview at http://technet.microsoft.com/en-us/library/bb124558.aspx
- Deploying Exchange ActiveSync at http://technet.microsoft.com/en-us/library/aa995962.aspx
- Exchange 2003 Technical Documentation Library at http://technet.microsoft.com/en-us/library/bb123872(EXCHG.65).
Chapter 1: Deploying iPhone and iPod touch

This chapter provides an overview of how to deploy iPhone and iPod touch in your enterprise. iPhone and iPod touch are designed to easily integrate with your enterprise systems, including Microsoft Exchange 2003 and 2007, 802.1X-based secure wireless networks, and Cisco IPSec virtual private networks. As with any enterprise solution, good planning and an understanding of your deployment options make deployment easier and more efficient for you and your users.
Activating Devices

Each iPhone must be activated with your wireless carrier before it can be used to make and receive calls, send text messages, or connect to the cellular data network. Contact your carrier for voice and data tariffs and activation instructions for consumer and business customers. You or your user need to install a SIM card in the iPhone. After the SIM card is installed, iPhone must be connected to a computer with iTunes to complete the activation process.
Preparing Access to Network Services and Enterprise Data

iPhone OS 3.0 software enables secure push email, push contacts, and push calendar with your existing Microsoft Exchange Server 2003 or 2007 solution, as well as Global Address Lookup, Remote Wipe, and device passcode policy enforcement. It also allows users to securely connect to company resources via WPA Enterprise and WPA2 Enterprise wireless networks using 802.
- Make sure the DNS for your network returns a single, externally-routable address to the Exchange ActiveSync server for both intranet and Internet clients. This is required so the device can use the same IP address for communicating with the server when both types of connections are active.
- If you’re using a Microsoft ISA Server, create a web listener as well as an Exchange web client access publishing rule. See Microsoft’s documentation for details.
- If you plan to use certificate-based authentication, make sure you have your public key infrastructure configured to support device and user-based certificates with the corresponding key distribution process.
- Verify the compatibility of your certificate formats with the device and your authentication server. For information about certificates see “Certificates and Identities” on page 11.
IMAP Email

If you don’t use Microsoft Exchange, you can still implement a secure, standards-based email solution using any email server that supports IMAP and is configured to require user authentication and SSL. For example, you can access Lotus Notes/Domino or Novell GroupWise email using this technique. The mail servers can be located within a DMZ subnetwork, behind a corporate firewall, or both. With SSL, iPhone and iPod touch support 128-bit encryption and X.
An easy way to distribute subscribed calendars to your users is to send the fully qualified URL using SMS or email. When the user taps the link, iPhone offers to subscribe to the specified calendar.

Enterprise Applications

If you’re planning to deploy enterprise iPhone and iPod touch applications, you install the applications on your devices using iPhone Configuration Utility or iTunes.
Configuring Devices

Next, you need to decide how you’ll configure each iPhone and iPod touch. In large part, this is influenced by how many devices you plan on deploying and managing over time. If the number is relatively small, you may find that it’s simpler for you or your users to manually configure each device. This involves using the device to enter the settings for each mail account, Wi-Fi settings, and VPN configuration information. See Chapter 3 for details about manual configuration.
Over-the-Air Enrollment and Configuration

Enrollment refers to the process of authenticating a device and user so that you can automate the process of distributing certificates. Digital certificates provide many benefits to iPhone users. They can be used to authenticate access to key enterprise services such as Microsoft Exchange ActiveSync, WPA2 Enterprise wireless networks, and corporate VPN connections.
[Figure: Phase 1 - Begin Enrollment. Between the device and the profile service: (1) enrollment request, (2) device information request. Sample values: User: Anne Johnson; Attributes required: UDID, OS version, IMEI; Challenge token: AnneJohnson1; URL for response: https://profiles.example.com]

Phase 1 – Begin Enrollment: Enrollment begins with the user using Safari to access the URL of the profile distribution service you’ve created. You can distribute this URL via SMS or email.
[Figure: Phase 2 - Device Authentication. The device sends a signed response to the profile service via POST. Sample values: Attributes: UDID, OS Version, IMEI; Challenge token: AnneJohnson1]

Phase 2 – Device Authentication: After the user accepts the installation of the profile received in phase 1, the device looks up the requested attributes, adds the challenge response (if provided), signs the response using the device’s built-in identity (Apple-issued certificate), and sends it back to the profile distribution service using HTTP POST.
[Figure: Phase 3 - Device Certificate Installation. Between the device, the profile service and the certificate issuing service: (1) challenge, key generation specs and URL for response; (2) certificate signing request carrying the challenge and the public key; (3) device certificate. Sample values: RSA: 1024; Challenge: AnneJohnson1; URL: http://ca.example.com/getkey.]
[Figure: Phase 4 - Device Configuration. (1) Device attributes (UDID, OS version, IMEI, MAC address) signed with the device certificate, sent to the profile service; (2) a .mobileconfig file encrypted for the device and signed by the profile service, carrying Exchange policies, VPN settings, additional SCEP payloads, mail accounts, etc.]

Phase 4 – Device Configuration: In step 1, the device replies with the list of attributes, signed using the encryption certificate provided by the CA in the previous phase.
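The challenge handling a profile distribution service needs for Phases 1 and 2 above, as an added Python example that is not Apple's code and not part of this guide: the request plist key names, the attribute key spellings, the challenge lifetime and the sample device reply are all assumptions, and verification of the CMS signature the device makes with its Apple-issued identity is left to the caller.

```python
import plistlib
import secrets
import time

# Attributes the Phase 1 request asks the device to report. The guide names
# them as UDID, OS version and IMEI; the key spellings used here are assumed.
REQUIRED_ATTRIBUTES = ("UDID", "VERSION", "IMEI")
CHALLENGE_TTL = 600  # seconds an unanswered challenge stays valid (assumed)


class ProfileService:
    """Minimal profile distribution service: one fresh challenge per enrollment,
    each accepted at most once, so a captured Phase 2 reply cannot be replayed."""

    def __init__(self, response_url, clock=time.time):
        self.response_url = response_url
        self.clock = clock
        self._pending = {}  # challenge token -> (user, issued_at)

    def begin_enrollment(self, user):
        """Phase 1: build the device-information request the user opens in
        Safari. Returns (challenge, plist bytes); plist key names are assumed."""
        challenge = secrets.token_urlsafe(24)
        self._pending[challenge] = (user, self.clock())
        request = {
            "DeviceAttributes": list(REQUIRED_ATTRIBUTES),
            "Challenge": challenge,
            "URL": self.response_url,
        }
        return challenge, plistlib.dumps(request)

    def verify_device_response(self, body, signature_valid):
        """Phase 2: validate the attributes the device POSTed back.

        signature_valid is the caller's result of checking the CMS signature
        made with the device's Apple-issued identity; it is not done here.
        Returns (accepted, reason, user, attributes)."""
        if not signature_valid:
            return False, "device signature did not verify", None, {}
        try:
            reply = plistlib.loads(body)
        except Exception:  # plistlib raises more than one type on bad input
            return False, "malformed plist", None, {}
        if not isinstance(reply, dict):
            return False, "malformed plist", None, {}
        challenge = reply.get("Challenge")
        if not isinstance(challenge, str) or challenge not in self._pending:
            return False, "unknown or already used challenge", None, {}
        user, issued_at = self._pending[challenge]
        if self.clock() - issued_at > CHALLENGE_TTL:
            del self._pending[challenge]
            return False, "challenge expired", None, {}
        missing = [k for k in REQUIRED_ATTRIBUTES if not reply.get(k)]
        if missing:
            return False, "missing attributes: " + ", ".join(missing), None, {}
        # Consume the challenge only once every check has passed.
        del self._pending[challenge]
        return True, "ok", user, {k: reply[k] for k in REQUIRED_ATTRIBUTES}


def make_device_reply(challenge, **attributes):
    """Constructed stand-in for the device's Phase 2 reply (unsigned here)."""
    reply = {"Challenge": challenge}
    reply.update(attributes)
    return plistlib.dumps(reply)


if __name__ == "__main__":
    svc = ProfileService("https://profiles.example.com")
    token, _request = svc.begin_enrollment("Anne Johnson")
    body = make_device_reply(token, UDID="0" * 40, VERSION="7C144", IMEI="0" * 15)
    print(svc.verify_device_response(body, signature_valid=True)[:2])
    print(svc.verify_device_response(body, signature_valid=True)[:2])  # replayed
```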
Other Resources

- Digital Certificates PKI for IPSec VPNs at https://cisco.hosted.jivesoftware.com/docs/DOC-3592
- Public key infrastructure at http://en.wikipedia.org/wiki/Public_key_infrastructure
- IETF SCEP protocol specification at http://www.ietf.org/internet-drafts/draft-nourse-scep-18.txt
Additional information and resources for iPhone and iPod touch in the enterprise are available at www.apple.com/iphone/enterprise/.
Chapter 2: Creating and Deploying Configuration Profiles

Configuration profiles define how iPhone and iPod touch work with your enterprise systems. Configuration profiles are XML files that contain device security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, and authentication credentials that permit iPhone and iPod touch to work with your enterprise systems.
About iPhone Configuration Utility

iPhone Configuration Utility lets you easily create, encrypt and install configuration profiles, track and install provisioning profiles and authorized applications, and capture device information including console logs. When you run the iPhone Configuration Utility installer, the utility is installed in /Applications/Utilities/ on Mac OS X, or in Programs\iPhone Configuration Utility\ on Windows.
The sidebar also displays Connected Devices, which shows information about the iPhone or iPod touch currently connected to your computer’s USB port. Information about a connected device is automatically added to the Devices list, so you can view it again without having to reconnect the device. After a device has been connected, you can also encrypt profiles for use on only that device.
Automating Configuration Profile Creation

You can also automate the creation of configuration files using AppleScript on a Mac, or C# Script on Windows. To see the supported methods and their syntax, do the following:
- Mac OS X: Use Script Editor to open the AppleScript Dictionary for iPhone Configuration Utility.
- Windows: Use Visual Studio to view the method calls provided by iPCUScripting.dll.
To execute a script, on Mac, use the AppleScript Tell command.
The identifier is important because when a profile is installed, the value is compared with profiles that are already on the device. If the identifier is unique, information in the profile is added to the device. If the identifier matches a profile already installed, information in the profile replaces the settings already on the device, except in the case of Exchange settings.
- Grace period for device lock: Specifies how soon the device can be unlocked again after use, without re-prompting for the passcode.
- Maximum number of failed attempts: Determines how many failed passcode attempts can be made before the device is wiped. If you don’t change this setting, after six failed passcode attempts, the device imposes a time delay before a passcode can be entered again. The time delay increases with each failed attempt.
Wi-Fi Settings

Use this payload to set how the device connects to your wireless network. You can add multiple network configurations by clicking the Add (+) button in the editing pane. These settings must be specified, and must match the requirements of your network, in order for the user to initiate a connection.
- Service Set Identifier: Enter the SSID of the wireless network to connect to.
- Hidden Network: Specifies whether the network is broadcasting its identity.
VPN Settings

Use this payload to enter the VPN settings for connecting to your network. You can add multiple sets of VPN connections by clicking the Add (+) button. For information about supported VPN protocols and authentication methods, see “VPN” on page 10. The options available vary by the protocol and authentication method you select.
For PAC-based auto-proxy configurations, select Automatic from the pop-up menu and then enter the URL of a PAC file. For information about PAC file capabilities and the file format, see “Other Resources” on page 56. For Web Proxy Autodiscovery (WPAD) configurations, select Automatic from the pop-up menu and leave the Proxy Server URL field empty; iPhone will request the WPAD file using DHCP and DNS. For information about WPAD, see “Other Resources” on page 56.
LDAP Settings

Use this payload to enter settings for connecting to an LDAPv3 directory. You can specify multiple search bases for each directory, and you can configure multiple directory connections by clicking the Add (+) button. If you select the Use SSL option, be sure to add the certificates necessary to authenticate the connection using the Credentials pane.

CalDAV Settings

Use this payload to provide account settings for connecting to a CalDAV-compliant calendar server.
Credentials Settings

Use this payload to add certificates and identities to the device. For information about supported formats, see “Certificates and Identities” on page 11. When installing credentials, also install the intermediate certificates that are necessary to establish a chain to a trusted certificate that’s on the device. To view a list of the preinstalled roots, see the Apple Support article at http://support.apple.com/kb/HT2185.
SCEP Settings

The SCEP payload lets you specify settings that allow the device to obtain certificates from a CA using Simple Certificate Enrollment Protocol (SCEP).
- URL: This is the address of the SCEP server.
- Name: This can be any string that will be understood by the certificate authority; it can be used to distinguish between instances, for example.
- Subject: The representation of an X.500 name represented as an array of OID and value. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.
The Identifier field in the General payload is used by the device to determine whether a profile is new, or an update to an existing profile. If you want the updated profile to replace one that users have already installed, don’t change the Identifier.

Installing Provisioning Profiles and Applications

iPhone Configuration Utility can install applications and distribution provisioning profiles on devices attached to the computer. For details, see Chapter 5, “Deploying iPhone Applications,” on page 63.
- Sign Configuration Profile: The .mobileconfig file is signed and won’t be installed by a device if it’s altered. Some fields are obfuscated to prevent casual snooping if the file is examined. Once installed, the profile can only be updated by a profile that has the same identifier and is signed by the same copy of iPhone Configuration Utility.
User Installation of Downloaded Configuration Profiles

Provide your users with the URL where they can download the profiles onto their devices, or send the profiles to an email account your users can access using the device before it’s set up with your enterprise-specific information. When a user downloads the profile from the web, or opens the attachment using Mail, the device recognizes the .mobileconfig extension as a profile and begins installation when the user taps Install.
Removing and Updating Configuration Profiles

Configuration profile updates aren’t pushed to users. Distribute the updated profiles to your users for them to install. As long as the profile identifier matches, and if signed, it has been signed by the same copy of iPhone Configuration Utility, the new profile replaces the profile on the device. Settings enforced by a configuration profile cannot be changed on the device. To change a setting, you must install an updated profile.
Chapter 3: Manually Configuring Devices

This chapter describes how to configure iPhone and iPod touch manually. If you don’t provide automatic configuration profiles, users can configure their devices manually. Some settings, such as passcode policies, can only be set by using a configuration profile.

VPN Settings

To change VPN settings, go to Settings > General > Network > VPN. When you configure VPN settings, the device asks you to enter information based on responses it receives from your VPN server.
Cisco IPSec Settings

When you manually configure the device for Cisco IPSec VPN, a screen similar to the following appears: Use this chart to identify the settings and information you enter:
- Description: A descriptive title that identifies this group of settings.
- Server: The DNS name or IP address of the VPN server to connect to.
- Account: The user name of the user’s VPN login account. Don’t enter the group name in this field.
PPTP Settings

When you manually configure the device for PPTP VPN, a screen similar to the following appears: Use this chart to identify the settings and information you enter:
- Description: A descriptive title that identifies this group of settings.
- Server: The DNS name or IP address of the VPN server to connect to.
- Account: The user name of the user’s VPN login account.
- RSA SecurID: If you’re using an RSA SecurID token, turn on this option, so the Password field is hidden.
L2TP Settings

When you manually configure the device for L2TP VPN, a screen similar to the following appears: Use this chart to identify the settings and information you enter:
- Description: A descriptive title that identifies this group of settings.
- Server: The DNS name or IP address of the VPN server to connect to.
- Account: The user name of the user’s VPN login account.
- Password: The password of the user’s VPN login account.
Wi-Fi Settings

To change Wi-Fi settings, go to Settings > General > Network > Wi-Fi. If the network you’re adding is within range, select it from the list of available networks. Otherwise, tap Other. Make sure that your network infrastructure uses authentication and encryption supported by iPhone and iPod touch. For specifications, see “Network Security” on page 11. For information about installing certificates for authentication, see “Installing Identities and Root Certificates” on page 55.
Exchange Settings

You can configure only one Exchange account per device. To add an Exchange account, go to Settings > Mail, Contacts, Calendars, and then tap Add Account. On the Add Account screen, tap Microsoft Exchange. When you manually configure the device for Exchange, use this chart to identify the settings and information you enter:
- Email: The user’s complete email address.
- Domain: The domain of the user’s Exchange account.
After the Exchange account is successfully configured, the server’s passcode policies are enforced. If the user’s current passcode doesn’t comply with the Exchange ActiveSync policies, the user is prompted to change or set the passcode. The device won’t communicate with the Exchange server until the user sets a compliant passcode. Next, the device offers to immediately sync with the Exchange server.
LDAP Settings

iPhone can look up contact information on LDAP directory servers. To add an LDAP server, go to Settings > Mail, Contacts, Calendars > Add Account > Other. Then tap Add LDAP Account. Enter the LDAP server address, and user name and password if required, then tap Next. If the server is reachable and supplies default search settings to the device, the settings will be used.
The following Search Scope settings are supported:
- Base: Searches the base object only.
- One Level: Searches objects one level below the base object, but not the base object itself.
- Subtree: Searches the base object and the entire tree of all objects descended from it.
You can define multiple sets of search settings for each server.

CalDAV Settings

iPhone works with CalDAV calendar servers to provide group calendars and scheduling.
Calendar Subscription Settings

You can add read-only calendars, such as project schedules or holidays. To add a calendar, go to Settings > Mail, Contacts, Calendars > Add Account > Other and then tap Add Subscribed Calendar. Enter the URL for an iCalendar (.ics) file, and the user name and password if necessary, then tap Save. You can also specify whether alarms that are set in the calendar should be removed when the calendar is added to the device.
Installing Identities and Root Certificates

If you don’t distribute certificates using profiles, your users can install them manually by using the device to download them from a website, or by opening an attachment in an email message. The device recognizes certificates with the following MIME types and file extensions:
- application/x-pkcs12, .p12, .pfx
- application/x-x509-ca-cert, .cer, .crt, .
Additional Mail Accounts

You can configure only one Exchange account, but you can add multiple POP and IMAP accounts. This can be used, for example, to access mail on a Lotus Notes or Novell GroupWise mail server. Go to Settings > Accounts > Mail, Contacts, Calendars > Add Account > Other. For more about adding an IMAP account, see the iPhone User Guide or iPod touch User Guide.
Chapter 4: Deploying iTunes

You use iTunes to sync music and video, install applications, and more. This chapter describes how to deploy iTunes and enterprise applications, and defines the settings and restrictions you can specify. iPhone and iPod touch can sync each type of data (music, media, etc.) to only one computer at a time. For example, you can sync music with a desktop computer and bookmarks with a portable computer, by setting iTunes sync options appropriately on both computers.
Installing on Windows using iTunesSetup.exe

If you plan to use the regular iTunes installation process but omit some components, you can pass properties to iTunesSetup.exe using the command line.
- NO_AMDS=1: Don’t install Apple Mobile Device Services. This component is required for iTunes to sync and manage mobile devices.
- NO_ASUW=1: Don’t install Apple Software Update for Windows. This application alerts users to new versions of Apple software.
- NO_BONJOUR=1: Don’t install Bonjour.
Installing iTunes on Macintosh Computers

Mac computers come with iTunes installed. The latest version of iTunes is available at www.itunes.com. To push iTunes to Mac clients, you can use Workgroup Manager, an administrative tool included with Mac OS X Server.

Quickly Activating Devices with iTunes

Before a new iPhone or iPod touch can be used, it must be activated by connecting it to a computer that is running iTunes. Normally, after activating a device, iTunes offers to sync the device with the computer.
Using Activation-Only Mode

Make sure that you’ve turned on activation-only mode as described above, and then follow these steps.
1. If you’re activating an iPhone, insert an activated SIM card. Use the SIM eject tool, or a straightened paper clip, to eject the SIM tray. See the iPhone User Guide for details.
2. Connect iPhone or iPod touch to the computer. The computer must be connected to the Internet to activate the device. iTunes opens, if necessary, and activates the device.
Setting iTunes Restrictions for Mac OS X

On Mac OS X, you control access by using keys in a plist file. On Mac OS X the key values shown above can be specified for each user by editing ~/Library/Preferences/com.apple.iTunes.plist using Workgroup Manager, an administrative tool included with Mac OS X Server. For instructions, see the Apple Support article at http://docs.info.apple.com/article.html?artnum=303099.
To update iPhone software, follow these steps:
1. On a computer that doesn’t have iTunes software updating turned off, use iTunes to download the iPhone software update. To do so, select an attached device in iTunes, click the Summary tab, and then click the “Check for Update” button.
2. After downloading, copy the updater file (.
Chapter 5: Deploying iPhone Applications

You can distribute iPhone and iPod touch applications to your users. If you want to install iPhone OS applications that you’ve developed, you distribute the application to your users, who install the applications using iTunes. Applications from the online App Store work on iPhone and iPod touch without any additional steps. If you develop an application that you want to distribute yourself, it must be digitally signed with a certificate issued by Apple.
Signing Applications

Applications you distribute to users must be signed with your distribution certificate. For instructions about obtaining and using a certificate, see the iPhone Developer Center at http://developer.apple.com/iphone.

Creating the Distribution Provisioning Profile

Distribution provisioning profiles allow you to create applications that your users can use on their iPhone or iPod touch.
Windows Vista
- bootdrive:\Users\username\AppData\Roaming\Apple Computer\MobileDevice\Provisioning Profiles
- bootdrive:\ProgramData\Apple Computer\MobileDevice\Provisioning Profiles
- the path specified in the HKCU or HKLM by the ProvisioningProfilesPath registry key SOFTWARE\Apple Computer, Inc\iTunes
iTunes automatically installs provisioning profiles found in the locations above onto devices it syncs with.
Installing Applications Using iPhone Configuration Utility

You can use iPhone Configuration Utility to install applications on connected devices. Follow these steps:
1. In iPhone Configuration Utility, choose File > Add to Library, and then select the application that you want to install. The application is added to iPhone Configuration Utility and can be viewed by selecting the Applications category in the Library.
2. Select a device in the Connected Devices list.
3. Click the Applications tab.
Appendix A: Cisco VPN Server Configuration

Use these guidelines to configure your Cisco VPN server for use with iPhone and iPod touch.

Supported Cisco Platforms

iPhone supports Cisco ASA 5500 Security Appliances and PIX Firewalls configured with 7.2.x software or later. The latest 8.0.x software release (or later) is recommended. iPhone also supports Cisco IOS VPN routers with IOS version 12.4(15)T or later. VPN 3000 Series Concentrators don’t support iPhone VPN capabilities.
Authentication Groups

The Cisco Unity protocol uses authentication groups to group users together based on a common set of authentication and other parameters. You should create an authentication group for iPhone and iPod touch users. For pre-shared key and hybrid authentication, the group name must be configured on the device with the group’s shared secret (pre-shared key) as the group password.
IPSec Settings

Use the following IPSec settings:
- Mode: Tunnel Mode
- IKE Exchange Modes: Aggressive Mode for pre-shared key and hybrid authentication, Main Mode for certificate authentication.
- Encryption Algorithms: 3DES, AES-128, AES-256
- Authentication Algorithms: HMAC-MD5, HMAC-SHA1
- Diffie Hellman Groups: Group 2 is required for pre-shared key and hybrid authentication. For certificate authentication, use Group 2 with 3DES and AES-128. Use Group 2 or 5 with AES-256.
Appendix B: Configuration Profile Format

This appendix specifies the format of mobileconfig files for those who want to create their own tools. This document assumes that you’re familiar with the Apple XML DTD and the general property list format. A general description of the Apple plist format is available at www.apple.com/DTDs/PropertyList-1.0.dtd. To get started, use iPhone Configuration Utility to create a skeleton file that you can modify using the information in this appendix.
- PayloadIdentifier: String, mandatory. This value is by convention a dot-delimited string uniquely describing the profile, such as “com.myCorp.iPhone.mailSettings” or “edu.myCollege.students.vpn”. This is the string by which profiles are differentiated: if a profile is installed which matches the identifier of another profile, it overrides it (instead of being added).
- PayloadDisplayName: String, mandatory.
- PayloadIdentifier: String, mandatory. This value is by convention a dot-delimited string uniquely describing the payload. It’s usually the root PayloadIdentifier with an appended subidentifier, describing the particular payload.
- PayloadDisplayName: String, mandatory. This value is a very short string displayed to the user which describes the profile, such as “VPN Settings”. It does not have to be unique.
- PayloadDescription: String, optional.
- maxFailedAttempts: Number, optional. Default 11. Allowed range [2...11]. Specifies the number of allowed failed attempts to enter the passcode at the iPhone lock screen. Once this number is exceeded, the device is locked and must be connected to its designated iTunes in order to be unlocked.
- maxInactivity: Number, optional. Default Infinity. Specifies the number of days for which the device can be idle (without being unlocked by the user) before it’s locked by the system.
- EmailAddress: String, mandatory. Designates the full email address for the account. If not present in the payload, the device prompts for this string during profile installation.
- IncomingMailServerAuthentication: String, mandatory. Designates the authentication scheme for incoming mail. Allowed values are EmailAuthPassword and EmailAuthNone.
- IncomingMailServerHostName: String, mandatory. Designates the incoming mail server host name (or IP address).
Web Clip Payload

The Web Clip payload is designated by the com.apple.webClip.managed PayloadType value. In addition to the settings common to all payloads, this payload defines the following:
- URL: String, mandatory. The URL that the Web Clip should open when clicked. The URL must begin with HTTP or HTTPS or it won’t work.
- Label: String, mandatory. The name of the Web Clip as displayed on the Home screen.
- Icon: Data, optional. A PNG icon to be shown on the Home screen.
LDAP Payload

The LDAP payload is designated by the com.apple.ldap.account PayloadType value. There’s a one-to-many relationship from LDAP Account to LDAPSearchSettings. Think of LDAP as a tree. Each SearchSettings object represents a node in the tree to start the search at, and what scope to search for (node, node+1 level of children, node + all levels of children). In addition to the settings common to all payloads, this payload defines the following:
- LDAPAccountDescription: String, optional.
Calendar Subscription Payload
The CalSub payload is designated by the com.apple.subscribedcalendar.account PayloadType value. In addition to the settings common to all payloads, this payload defines the following:
Key Value
SubCalAccountDescription String, optional. Description of the account.
SubCalAccountHostName String, mandatory. The server address.
SubCalAccountUsername String, optional. The user’s login name.
SubCalAccountPassword String, optional. The user’s password.
SubjectAltName Dictionary Keys The SCEP payload can specify an optional SubjectAltName dictionary that provides values required by the CA for issuing a certificate. You can specify a single string or an array of strings for each key. The values you specify depend on the CA you’re using, but might include DNS name, URL, or email values. For an example, see “Sample Phase 3 Server Response With SCEP Specifications” on page 85.
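The constraints from the payload tables above (mandatory common keys, the maxFailedAttempts range, the Web Clip URL scheme, and the SubjectAltName single-string-or-array shape) expressed as checks a profile author can run before signing. This is an added example, not Apple’s code; the passcode PayloadType value, the identifiers and all other sample values are assumed or constructed.

```python
"""Checks for the payload constraints stated in the tables above.
Added example, not Apple's code; all sample values are constructed."""
COMMON_MANDATORY = ("PayloadType", "PayloadIdentifier", "PayloadDisplayName")

def check_common(payload):
    """Every payload must carry the mandatory common keys."""
    return [f"missing {k}" for k in COMMON_MANDATORY if k not in payload]

def check_passcode(payload):
    """maxFailedAttempts is optional, defaults to 11, allowed range [2...11]."""
    problems = check_common(payload)
    attempts = payload.get("maxFailedAttempts", 11)
    if not isinstance(attempts, int) or not 2 <= attempts <= 11:
        problems.append(f"maxFailedAttempts {attempts!r} outside [2...11]")
    return problems

def check_webclip(payload):
    """URL and Label are mandatory; URL must begin with HTTP or HTTPS."""
    problems = check_common(payload)
    url = payload.get("URL", "")
    if not url.lower().startswith(("http://", "https://")):
        problems.append(f"URL {url!r} must begin with HTTP or HTTPS")
    if not payload.get("Label"):
        problems.append("Label is mandatory")
    return problems

def check_subject_alt_name(san):
    """Each key holds a single string or a non-empty array of strings."""
    problems = []
    for key, value in san.items():
        values = value if isinstance(value, list) else [value]
        if not values or not all(isinstance(v, str) for v in values):
            problems.append(f"{key}: expected a string or array of strings")
    return problems

# Constructed samples. The Web Clip type is from the table above; the passcode
# PayloadType value is assumed here, as it is not shown in this excerpt.
GOOD_WEBCLIP = {"PayloadType": "com.apple.webClip.managed",
                "PayloadIdentifier": "com.example.profile.webclip",
                "PayloadDisplayName": "Intranet", "Label": "Intranet",
                "URL": "https://intranet.example.org"}
BAD_PASSCODE = {"PayloadType": "com.apple.mobiledevice.passwordpolicy",
                "PayloadIdentifier": "com.example.profile.passcode",
                "maxFailedAttempts": 20}  # no PayloadDisplayName, range exceeded
BAD_SAN = {"rfc822name": "foo@example.org", "dnsname": ["foo.example.org", 7]}
```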
Exchange Payload
The Exchange payload is designated by the com.apple.eas.account PayloadType value. This payload creates a Microsoft Exchange account on the device. In addition to the settings common to all payloads, this payload defines the following:
Key Value
EmailAddress String, mandatory. If not present in the payload, the device prompts for this string during profile installation. Specifies the full email address for the account.
Host String, mandatory.
PPP Dictionary Keys
The following elements are for VPN payloads of type PPP.
Key Value
AuthName String. The VPN account user name. Used for L2TP and PPTP.
AuthPassword String, optional. Only visible if TokenCard is false. Used for L2TP and PPTP.
TokenCard Boolean. Whether to use a token card such as an RSA SecurID card for connecting. Used for L2TP.
CommRemoteAddress String. IP address or host name of VPN server. Used for L2TP and PPTP.
AuthEAPPlugins Array.
Key Value
PayloadCertificateUUID String. The UUID of the certificate to use for the account credentials. Only present if AuthenticationMethod = Certificate. Used for Cisco IPSec.
PromptForVPNPIN Boolean. Whether to prompt for a PIN when connecting. Used for Cisco IPSec.
Wi-Fi Payload
The Wi-Fi payload is designated by the com.apple.wifi.managed PayloadType value. This describes version 0 of the PayloadVersion value.
EAPClientConfiguration Dictionary
In addition to the standard encryption types, it’s possible to specify an enterprise profile for a given network via the “EAPClientConfiguration” key. This key is declared as kEAPOLControlEAPClientConfiguration in . If present, its value is a dictionary with the following keys.
Key Value
UserName String, optional. Unless you know the exact user name, this property won’t appear in an imported configuration.
Key Value
TTLSInnerAuthentication String, optional. This is the inner authentication used by the TTLS module. The default value is “MSCHAPv2”. Possible values are “PAP”, “CHAP”, “MSCHAP”, and “MSCHAPv2”.
OuterIdentity String, optional. This key is only relevant to TTLS, PEAP, and EAPFAST. This allows the user to hide his or her identity. The user’s actual name appears only inside the encrypted tunnel. For example, it could be set to “anonymous” or “anon”, or “anon@mycompany.net”.
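A review routine for the EAPClientConfiguration dictionary that applies the TTLSInnerAuthentication and OuterIdentity rules above: the inner method must be one of the listed values, OuterIdentity only matters for the tunnelled methods, and an OuterIdentity equal to UserName hides nothing. This is an added example, not Apple’s code; the AcceptEAPTypes key and the EAP type numbers (21 TTLS, 25 PEAP, 43 EAP-FAST) come from Apple’s profile reference and are not shown in this excerpt, and the sample dictionary is constructed.

```python
"""Review an EAPClientConfiguration dictionary from a Wi-Fi payload against
the TTLSInnerAuthentication and OuterIdentity rules above. Added example,
not Apple's code. AcceptEAPTypes and the EAP type numbers (21 TTLS, 25 PEAP,
43 EAP-FAST) come from Apple's profile reference, not from this excerpt."""
INNER_AUTH = ("PAP", "CHAP", "MSCHAP", "MSCHAPv2")
TUNNELED = {21: "TTLS", 25: "PEAP", 43: "EAPFAST"}

def review_eap_config(eap):
    """Return a list of findings; an empty list means the dictionary is sound."""
    findings = []
    types = eap.get("AcceptEAPTypes", [])
    tunneled = any(t in TUNNELED for t in types)
    inner = eap.get("TTLSInnerAuthentication", "MSCHAPv2")  # documented default
    if inner not in INNER_AUTH:
        findings.append(f"TTLSInnerAuthentication {inner!r} is not one of {INNER_AUTH}")
    outer = eap.get("OuterIdentity")
    if outer is not None and not tunneled:
        findings.append("OuterIdentity is only relevant to TTLS, PEAP, and EAPFAST")
    elif outer is not None and outer == eap.get("UserName"):
        findings.append("OuterIdentity equals UserName, so the real name is exposed outside the tunnel")
    elif outer is None and tunneled and "UserName" in eap:
        findings.append("no OuterIdentity: UserName is not hidden from the outer EAP exchange")
    return findings

# Constructed sample: anonymous outer identity, real name only inside the tunnel
SAMPLE_EAP = {"AcceptEAPTypes": [21], "UserName": "jdoe",
              "TTLSInnerAuthentication": "MSCHAPv2",
              "OuterIdentity": "anon@mycompany.net"}
```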
Sample Configuration Profiles
This section includes sample profiles that illustrate the over-the-air enrollment and configuration phases. These are excerpts and your requirements will vary from the examples. For syntax assistance, see the details provided earlier in this appendix. For a description of each phase, see “Over-the-Air Enrollment and Configuration” on page 22.
Sample Phase 1 Server Response
Sample Phase 2 Device Response
SubjectAltName
    rfc822name: foo@example.org
    dnsname: foo.example.org, foo-test.example.org
    uniformresourceidentifier: http://foo.example.
Sample Phase 4 Device Response
Appendix C Sample Scripts
This appendix provides sample scripts for iPhone deployment tasks. The scripts in this section should be modified to fit your needs and configurations.
Sample C# Script for iPhone Configuration Utility
This sample script demonstrates creating configuration files using iPhone Configuration Utility for Windows.
using System;
using Com.Apple.
passcodePayload.AllowSimple = true;
// restrictions
IRestrictionsPayload restrictionsPayload = profile.AddRestrictionsPayload();
restrictionsPayload.AllowYouTube = false;
// wi-fi
IWiFiPayload wifiPayload = profile.AddWiFiPayload();
wifiPayload.ServiceSetIdentifier = "Example Wi-Fi";
wifiPayload.EncryptionType = WirelessEncryptionType.WPA;
wifiPayload.Password = "password";
// a second Wi-Fi payload is added and then removed again, to show removal
wifiPayload = profile.AddWiFiPayload();
profile.RemoveWiFiPayload(wifiPayload);
// vpn
IVPNPayload vpnPayload = profile.
Sample AppleScript for iPhone Configuration Utility
This sample script demonstrates creating configuration files using iPhone Configuration Utility for Mac OS X.
tell application "iPhone Configuration Utility"
    log (count of every configuration profile)
    set theProfile to make new configuration profile with properties {displayed name:"Profile Via Script", profile identifier:"com.example.configviascript", organization:"Example Org.