iPhone and iPod touch Enterprise Deployment Guide
Apple Inc. © 2008 Apple Inc. All rights reserved. This manual may not be copied, in whole or in part, without the written consent of Apple. The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.
Contents
Preface: iPhone in the Enterprise 5
  System Requirements 5
  Microsoft Exchange ActiveSync 6
  VPN 8
  Network Security 8
  Certificates 9
  Email accounts 9
  Additional Resources 9
Chapter 1: Deploying iPhone and iPod touch 10
  Activating Devices 10
  Preparing Access to Network Services and Enterprise Data 11
  Determining Device Passcode Policies 14
  Configuring Devices 15
  Other Resources 15
Chapter 2: Creating and Deploying Configuration Profiles 16
  About iPhone Configuration Utility 16
Chapter 4: Deploying iTunes
  Setting iTunes Restrictions 39
Chapter 5: Deploying iPhone Applications 42
  Register for Application Development 42
  Signing Applications 43
  Creating the Distribution Provisioning Profile 43
  Installing Provisioning Profiles using iTunes 43
  Installing Provisioning Profiles using iPhone Configuration Utility for Mac OS X 44
  Installing Applications using iTunes 44
  Installing Applications using iPhone Configuration Utility for Mac OS X 45
  Using Enterprise Applications 45
  Other Resources 45
Appendix A: Cisco VPN Server Configuration 46
Preface: iPhone in the Enterprise
Learn how to integrate iPhone and iPod touch with your enterprise systems. This guide is for system administrators. It provides information about deploying and supporting iPhone and iPod touch in enterprise environments.
System Requirements
Read this section for an overview of the system requirements and the various components available for integrating iPhone and iPod touch with your enterprise systems.
Windows computers
- Windows XP Service Pack 2 or Windows Vista
- 500 MHz Pentium processor or faster
- 256 MB of RAM
- QuickTime 7.1.6 or later
Some features of iTunes, such as use of the iTunes Store, have additional requirements. See the documentation included with the iTunes installer for more information.
iPhone Configuration Utility
iPhone Configuration Utility lets you create configuration profiles for your devices.
Remote Wipe
You can remotely wipe the contents of an iPhone or iPod touch. Doing so removes all data and configuration information from the device; the device is then securely erased and restored to factory settings. The process can take approximately one hour for each 8 GB of device capacity. With Exchange Server 2007, you can initiate a remote wipe using the Exchange Management Console, Outlook Web Access, or the Exchange ActiveSync Mobile Administration Web Tool. The wipe command is delivered over Exchange ActiveSync, so the device carries it out the next time it connects to the server; a device that is powered off, out of coverage, or has had its Exchange account removed is not wiped until it checks in.
Exchange ActiveSync Features Not Supported
Not all Exchange features are supported, including, for example:
- Folder management
- Opening links in email to documents stored on SharePoint servers
- Task synchronization
- Setting an “out of office” autoreply message
- Creating meeting invitations
- Flagging messages for follow-up
VPN
iPhone and iPod touch work with VPN servers that support the following protocols and authentication methods:
- L2TP/IPSec with user authentication by MS-CHAPV2 Password, RSA Sec
Certificates
iPhone and iPod touch can use certificates in the following raw formats:
- PKCS1 (.cer, .crt, .der): a certificate alone
- PKCS12 (.p12, .pfx): a certificate together with its private key, as needed for an identity
Email accounts
iPhone and iPod touch support industry-standard IMAP4- and POP3-enabled mail solutions on a range of server platforms including Windows, UNIX, Linux, and Mac OS X.
Additional Resources
In addition to this guide, the following publications and websites provide information about iPhone and iPod touch:
- iPhone User Guide, available for download at www.apple.
Chapter 1: Deploying iPhone and iPod touch
This chapter provides an overview of how to deploy iPhone and iPod touch in your enterprise. iPhone and iPod touch are designed to easily integrate with your enterprise systems including Microsoft Exchange 2003 and 2007, 802.1X-based secure wireless networks, and Cisco IPSec virtual private networks. As with any enterprise solution, good planning and an understanding of your deployment options make deployment easier and more efficient for you and your users.
Although there is no cellular service or SIM card for iPod touch, it must also be connected to a computer with iTunes for unlocking. Because iTunes is required to complete the activation process for both iPhone and iPod touch, you must decide whether you want to install iTunes on each user’s Mac or PC, or whether you’ll complete activation for each device with your own iTunes installation.
Network Configuration
- Make sure port 443 is open on the firewall. If your company uses Outlook Web Access, port 443 is most likely already open.
- Verify that a server certificate is installed on the Exchange front-end server and enable Require Basic SSL for the Exchange ActiveSync virtual directory.
- On the Microsoft Internet Security and Acceleration (ISA) Server, verify that a server certificate is installed and update the public DNS to properly resolve incoming connections.
WPA/WPA2 Enterprise Network Configuration
- Verify network appliances for compatibility and select an authentication type (EAP type) supported by iPhone and iPod touch. Make sure that 802.1X is enabled on the authentication server, and if necessary, install a server certificate and assign network access permissions to users and groups.
- Configure wireless access points for 802.1X authentication and enter the corresponding RADIUS server information.
- Test your 802.
IMAP Email If you don’t use Microsoft Exchange, you can still implement a secure, standards-based email solution using any email server that supports IMAP and is configured to require user authentication and SSL. These servers can be located within a DMZ subnetwork, behind a corporate firewall, or both. With SSL, iPhone and iPod touch support 128-bit encryption and X.509 root certificates issued by the major certificate authorities.
If you don’t use Microsoft Exchange, you can set similar policies on your devices by creating configuration profiles. You distribute the profiles via email or a web site that is accessible using the device. If you want to change a policy, you must post or send an updated profile to users for them to install. For information about the device passcode policies, see “Passcode Settings” on page 22. Configuring Devices Next, you need to decide how you’ll configure each iPhone and iPod touch.
2 Creating and Deploying Configuration Profiles 2 Configuration profiles define how iPhone and iPod touch work with your enterprise systems. Configuration profiles are XML files that, when installed, provide information that iPhone and iPod touch can use to connect to and communicate with your enterprise systems. They contain VPN configuration information, device security policies, Exchange settings, mail settings, and certificates. You distribute configuration profiles by email or using a webpage.
When you open iPhone Configuration Utility, a window similar to the one shown below appears. The content of the main section of the window changes as you select items in the sidebar. The sidebar displays the Library, which contains the following categories:
- Devices shows a list of iPhone and iPod touch devices that have been connected to your computer.
- Provisioning Profiles lists profiles that permit the use of the device for iPhone OS development, as authorized by Apple Developer Connection.
iPhone Configuration Utility for the Web The web-based version of iPhone Configuration Utility lets you create configuration profiles for your devices. Follow the instructions below for the platform you’re using. Installing on Mac OS X To install the utility on Mac OS X v10.5 Leopard, open the iPhone Web Config Installer and follow the onscreen instructions. When the installer finishes, the utility is ready for use. See “Accessing iPhone Configuration Utility for Web” on page 18.
A screen similar to the one shown here will appear. For information about using the utility, see “Creating Configuration Profiles,” below. Changing the User name and Password for iPhone Configuration Utility Web To change the user name and password for accessing the utility, edit the following file: Â installpath/Apple/iPhone Configuration Web Utility/config/authentication.
To restart the utility on Windows
1. Go to Control Panel > Administrative Tools > Services.
2. Select Apple iPhone Configuration Web Utility.
3. Select Restart from the Action menu.
To restart the utility on Mac OS X
1. Open Terminal.
2. Enter sudo -s and authenticate with an administrator password.
3. Enter launchctl unload /System/Library/LaunchDaemons/com.apple.iPhoneConfigService.plist
4. Enter launchctl load /System/Library/LaunchDaemons/com.apple.iPhoneConfigService.
General Settings This is where you provide the name and identifier of this profile. A configuration name is required. The name you specify appears in the profiles list and is displayed on the device after the configuration profile is installed. Although the name doesn’t have to be unique, you should use a descriptive name that identifies the profile. The configuration identifier must uniquely identify this profile and must use the format com.companyname.identifier, where identifier describes the profile.
To sign a profile, click Apply Signature in the Signature section of the General pane. In the Configuration Signing window that appears, add the digital certificates necessary to authenticate your signature. (Certificates in raw formats PKCS1 and PKCS12 are supported.) Then select your private key file and click Sign. The certificate you select here isn’t added to the device; it is only used to verify your signature.
- Maximum passcode age (in days): Requires users to change their passcode at the interval you specify.
- Passcode lock (in minutes): If the device isn’t used for this period of time, it automatically locks. Entering the passcode unlocks it.
Wi-Fi Settings
Use this pane to set how the device connects to your wireless network. You can add multiple network configurations by clicking the Add (+) button.
VPN Settings Use this pane to enter the VPN settings for connecting to your network. You can add multiple sets of VPN connections by clicking the Add (+) button. For information about supported VPN protocols and authentication methods, see “VPN” on page 8. Email Settings Use this pane to configure POP or IMAP mail accounts for the user.
Credentials Settings Use this pane to add certificates to the device. Certificates in raw formats PKCS1 (.cer, .der, .crt) and PKCS12 (.p12, .pfx) are supported. When installing an identity certificate on the device, make sure that the file contains a certificate and not just a private key. If you install only a private key without the necessary certificate, the identity won’t be valid.
The Configuration Identifier field in the General pane is used by the device to determine whether a profile is new, or an update to an existing profile. If you want the updated profile to replace one that users have already installed, don’t change the Configuration Identifier. Preparing Configuration Profiles for Deployment After you’ve created a profile, decide whether you want to distribute it to users by email, or by posting it to a website.
IIS Web Server
If your web server is IIS, add the MIME type in the Properties page of the server using IIS Manager. The extension is mobileconfig and the MIME type is application/x-apple-aspen-config. Alternatively, you can add this information to specific sites using the HTTP Headers section of a website’s properties panel.
If the installation isn’t completed successfully, perhaps because the Exchange server was unreachable or the user cancelled the process, none of the information entered by the user is retained. Users may want to change how many days’ worth of data is synced to the device. The default is three days. This can be changed by going to Settings > Mail, Contacts, Calendars > Exchange account name.
Chapter 3: Manually Configuring Devices
This chapter describes how to configure iPhone and iPod touch manually. If you don’t provide automatic configuration profiles, users can configure their devices manually. Some settings, such as passcode policies, can only be set by using a configuration profile.
VPN Settings
To change VPN settings, go to Settings > General > Network > VPN. When you configure VPN settings, the device asks you to enter information based on responses it receives from your VPN server.
Cisco IPSec Settings
When you manually configure the device for Cisco IPSec VPN, a screen similar to the following appears. Use this chart to identify the settings and information you enter:
Description: A descriptive title that identifies this group of settings.
Server: The DNS name or IP address of the VPN server to connect to.
Account: The user name of the user’s VPN login account. Don’t enter the group name in this field.
Password: The passphrase of the user’s VPN login account.
PPTP Settings
When you manually configure the device for PPTP VPN, a screen similar to the following appears. Use this chart to identify the settings and information you enter:
Description: A descriptive title that identifies this group of settings.
Server: The DNS name or IP address of the VPN server to connect to.
Account: The user name of the user’s VPN login account.
RSA SecurID: If you’re using an RSA SecurID token, turn on this option so the Password field is hidden.
L2TP Settings
When you manually configure the device for L2TP VPN, a screen similar to the following appears. Use this chart to identify the settings and information you enter:
Description: A descriptive title that identifies this group of settings.
Server: The DNS name or IP address of the VPN server to connect to.
Account: The user name of the user’s VPN login account.
Password: The passphrase of the user’s VPN login account.
Wi-Fi Settings To change Wi-Fi settings, go to Settings > General > Network > Wi-Fi. If the network you’re adding is within range, select it from the list of available networks. Otherwise, tap Other. Make sure that your network infrastructure uses authentication and encryption supported by iPhone and iPod touch. For specifications, see “Network Security” on page 8.
Exchange Settings
You can configure only one Exchange account per device. To add an Exchange account, go to Settings > Mail, Contacts, Calendars, and then tap Add Account. On the Add Account screen, tap Microsoft Exchange. When you manually configure the device for Exchange, use this chart to identify the settings and information you enter:
Email: The user’s complete email address.
Username: The user name of the user’s Exchange account. Enter it in the format domain\username.
iPhone and iPod touch support Microsoft’s Autodiscover service, which uses your user name and password to determine the address of the front-end Exchange server. If the server’s address can’t be determined, you’ll be asked to enter it. After the Exchange account is successfully configured, the server’s passcode policies are enforced. If the user’s current passcode doesn’t comply with the Exchange ActiveSync policies, the user is prompted to change or set their passcode.
Important: When you configure a device to sync with Exchange, all existing calendar and contact information on the device is overwritten. Additionally, iTunes no longer syncs contacts and calendars with your desktop computer. You can still sync your device wirelessly with MobileMe services. To change how many days’ worth of data is synced to your device, go to Settings > Mail, Contacts, Calendars. The default setting is three days.
When a certificate is downloaded to the device, the Install Profile screen appears. The description indicates the type of certificate: identity or certificate authority (root). To install the certificate, tap Install. To view or remove a certificate that has been installed, go to Settings > General > Profile. If you remove a certificate that is required for accessing an account or network, your device cannot connect to those services.
Chapter 4: Deploying iTunes
You use iTunes to sync music and video, install applications, and more. This chapter describes how to deploy iTunes and enterprise applications, and defines the settings and restrictions you can specify.
Installing iTunes
iTunes uses standard Macintosh and Windows installers. The latest version of iTunes is available for downloading at www.apple.com/itunes. For more about iTunes system requirements, see “iTunes” on page 5.
Silently Installing on Windows
To push iTunes to client computers, extract the individual .msi files from iTunesSetup.exe.
To extract .msi files from iTunesSetup.exe:
1. Run iTunesSetup.exe.
2. Open %temp% and find a folder named IXPnnn.TMP, where %temp% is your temporary directory (typically bootdrive:\Documents and Settings\user\Local Settings\temp\) and nnn is a 3-digit random number.
3. Copy the .msi files from the folder to another location.
4. Quit the installer opened by iTunesSetup.exe.
- Play iTunes media content that is marked as explicit
- Play movies
- Play TV shows
- Play games
Setting iTunes Restrictions for Mac OS X
On Mac OS X, you control access by using keys in a plist file. The key values shown above can be specified for each user by editing ~/Library/Preferences/com.apple.iTunes.plist using Workgroup Manager, an administrative tool included with Mac OS X Server. For instructions, see the Apple Support article at http://docs.info.apple.com/article.
Updating iTunes and iPhone Software Manually If you turn off automated and user-initiated software update checking in iTunes, you’ll need to distribute software updates to users for manual installation. To update iTunes, see the installation and deployment steps described earlier in this document. It’s the same process you followed for distributing iTunes to your users.
5 Deploying iPhone Applications 5 You can distribute iPhone and iPod touch applications to your users. If you want to install iPhone OS applications that you’ve developed, you distribute the application to your users, who install the applications using iTunes. Applications from the online App Store work on iPhone and iPod touch without any additional steps. If you develop an application that you want to distribute yourself, it must be digitally signed with a certificate issued by Apple.
Signing Applications Applications you distribute to users must be signed with your distribution certificate. For instructions about obtaining and using a certificate, see the iPhone Developer Center at http://developer.apple.com/iphone. Creating the Distribution Provisioning Profile Distribution provisioning profiles allow you to create applications that your users can use on their iPhone or iPod touch.
Windows Vista
- bootdrive:\Users\username\AppData\Roaming\Apple Computer\MobileDevice\Provisioning Profiles
- bootdrive:\ProgramData\Apple Computer\MobileDevice\Provisioning Profiles
- the path specified in HKCU or HKLM by the ProvisioningProfilesPath registry key under SOFTWARE\Apple Computer, Inc\iTunes
iTunes automatically installs provisioning profiles found in the locations above onto devices it syncs with.
Installing Applications using iPhone Configuration Utility for Mac OS X
You can use iPhone Configuration Utility for Mac OS X to install applications on connected devices. Follow these steps:
1. In iPhone Configuration Utility, choose File > Open and then select the application that you want to install. The application is added to iPhone Configuration Utility and can be viewed by selecting the Applications category in the Library.
2. Select a device from the Connected Devices list.
Appendix A: Cisco VPN Server Configuration
Use these guidelines to configure your Cisco VPN server for use with iPhone and iPod touch.
Authentication Methods
iPhone supports the following authentication methods:
- Pre-shared key IPsec authentication with user authentication via xauth.
- Client and server certificates for IPsec authentication with optional user authentication via xauth.
- Hybrid authentication where the server provides a certificate and the client provides a pre-shared key for IPsec authentication.
Certificates
When setting up and installing certificates, make sure of the following:
- The server identity certificate must contain the server’s DNS name and/or IP address in the Subject Alternative Name (subjectAltName) field. The device uses this information to verify that the certificate belongs to the server. You can specify the subjectAltName using wildcard characters for per-segment matching, such as vpn.*.mycompany.com, for more flexibility. Because matching is per segment, a wildcard covers exactly one label: vpn.*.mycompany.com matches vpn.eu.mycompany.com but not vpn.mycompany.com.
Other Supported Features
iPhone and iPod touch support the following:
- Application Version: The client software version is sent to the server, allowing the server to accept or reject connections based on the device’s software version.
- Banner: The banner, if configured on the server, is displayed on the device and the user must accept it or disconnect.
- Split Tunnel: Split tunneling is supported.
- Split DNS: Split DNS is supported.
- Default Domain: Default domain is supported.
Appendix B: Configuration Profile Format
This appendix specifies the format of mobileconfig files for those who want to create their own tools. This document assumes that you’re familiar with the Apple XML DTD and the general property list format. A general description of the Apple plist format is available at www.apple.com/DTDs/PropertyList-1.0.dtd. This document uses the terms payload and profile.
PayloadDisplayName (String, mandatory): A very short string displayed to the user describing the profile, such as “VPN Settings”. It does not have to be unique.
PayloadDescription (String, optional): Descriptive, freeform text shown to the user on the Detail screen for the entire profile. This string should clearly identify the profile so the user can decide whether to install it.
PayloadContent (Array, optional).
Passcode Policy Payload
The Passcode Policy payload is designated by the com.apple.mobiledevice.passwordpolicy PayloadType value. The presence of this payload type prompts iPhone to present the user with an alphanumeric passcode entry mechanism, which allows the entry of arbitrarily long and complex passcodes. In addition to the settings common to all payloads, this payload defines the following:
allowSimple (Boolean, optional, default YES): Determines whether a simple passcode is allowed.
Email Payload
The email payload is designated by the com.apple.mail.managed PayloadType value. This payload creates an email account on the device. In addition to the settings common to all payloads, this payload defines the following:
EmailAccountDescription (String, optional): A user-visible description of the email account, shown in the Mail and Settings applications.
EmailAccountName (String, optional): The full user name for the account. This is the user name in sent messages, etc.
APN Payload
The APN (Access Point Name) payload is designated by the com.apple.apn.managed PayloadType value. In addition to the settings common to all payloads, this payload defines the following:
DefaultsData (Dictionary, mandatory): This dictionary contains two key/value pairs.
DefaultsDomainName (String, mandatory): The only allowed value is com.apple.managedCarrier.
apns (Array, mandatory).
VPN Payload
The VPN payload is designated by the com.apple.vpn.managed PayloadType value. In addition to the settings common to all payload types, the VPN payload defines the following keys.
UserDefinedName (String): Description of the VPN connection displayed on the device.
OverridePrimary (Boolean): Specifies whether to send all traffic through the VPN interface. If true, all network traffic is sent over VPN.
VPNType (String).
IPSec Dictionary Keys
The following elements are for VPN payloads of type IPSec.
RemoteAddress (String): IP address or host name of the VPN server. Used for Cisco IPSec.
AuthenticationMethod (String): Either “SharedSecret” or “Certificate”. Used for L2TP and Cisco IPSec.
XAuthName (String): User name for the VPN account. Used for Cisco IPSec.
XAuthEnabled (Integer): 1 if XAUTH is ON, 0 if it is OFF. Used for Cisco IPSec.
LocalIdentifier (String): Present only if AuthenticationMethod = SharedSecret.
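As an added example (not Apple's code, and not output of iPhone Configuration Utility), the following Python builds a profile containing the Passcode Policy and IPSec VPN payloads described above, checks it the way an administrator would before publishing (the common keys present on every payload, identifiers and UUIDs unique, and the top-level identifier in com.companyname.identifier form so the device recognises later updates as updates), and serializes it with plistlib. The com.example prefix, vpn.example.com, the group name, user name and shared secret are placeholders. PayloadType, PayloadVersion, PayloadIdentifier and PayloadUUID, and the passcode keys beyond allowSimple (forcePIN, minLength, maxPINAgeInDays, maxInactivity), are keys of the published profile format rather than rows of the tables reproduced here.

```python
import plistlib
import uuid

ORG_PREFIX = "com.example"  # assumption: placeholder for your com.companyname prefix


def common_keys(payload_type, identifier, display_name, description=None):
    """Keys carried by every payload and by the top-level profile.
    PayloadDisplayName/PayloadDescription are described in the table above;
    PayloadType, PayloadVersion, PayloadIdentifier and PayloadUUID are the
    remaining common keys of the published profile format."""
    keys = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    if description is not None:
        keys["PayloadDescription"] = description
    return keys


def passcode_payload():
    """Passcode Policy payload: non-simple passcode of 6+ characters,
    rotated every 90 days, auto-lock after 5 idle minutes."""
    payload = common_keys("com.apple.mobiledevice.passwordpolicy",
                          f"{ORG_PREFIX}.policy.passcode", "Passcode Policy",
                          "Requires a non-simple passcode of at least 6 characters.")
    payload.update({
        "allowSimple": False,    # documented above; the default would be YES
        "forcePIN": True,        # forcePIN, minLength, maxPINAgeInDays and
        "minLength": 6,          # maxInactivity are the published keys behind
        "maxPINAgeInDays": 90,   # the "Maximum passcode age (in days)" and
        "maxInactivity": 5,      # "Passcode lock (in minutes)" settings
    })
    return payload


def cisco_ipsec_payload(server, group, username, shared_secret):
    """VPN payload of type IPSec: pre-shared key for IPSec, XAUTH for the user."""
    payload = common_keys("com.apple.vpn.managed", f"{ORG_PREFIX}.vpn.hq",
                          "HQ VPN", "Cisco IPSec tunnel to headquarters.")
    payload.update({
        "UserDefinedName": "HQ VPN",
        "OverridePrimary": True,          # send all traffic through the tunnel
        "VPNType": "IPSec",
        "IPSec": {
            "RemoteAddress": server,
            "AuthenticationMethod": "SharedSecret",
            "LocalIdentifier": group,     # group name, present for SharedSecret
            "SharedSecret": shared_secret.encode(),  # bytes become a <data> element
            "XAuthEnabled": 1,
            "XAuthName": username,
        },
    })
    return payload


def assemble(identifier, display_name, payloads):
    """Top-level profile dictionary wrapping the payloads."""
    profile = common_keys("Configuration", identifier, display_name,
                          "Corporate passcode and VPN settings.")
    profile["PayloadContent"] = list(payloads)
    return profile


def validate(profile):
    """Return the problems to fix before publishing; an empty list means OK."""
    required = {"PayloadType", "PayloadVersion", "PayloadIdentifier",
                "PayloadUUID", "PayloadDisplayName"}
    problems, seen_ids, seen_uuids = [], set(), set()
    for item in [profile] + profile.get("PayloadContent", []):
        ident = item.get("PayloadIdentifier", "<none>")
        missing = required - set(item)
        if missing:
            problems.append(f"{ident}: missing {sorted(missing)}")
            continue
        if ident in seen_ids or item["PayloadUUID"] in seen_uuids:
            problems.append(f"{ident}: duplicate PayloadIdentifier or PayloadUUID")
        seen_ids.add(ident)
        seen_uuids.add(item["PayloadUUID"])
    # The device recognises an update by the top-level identifier, so it must be
    # reverse-DNS (com.companyname.identifier) and must not change between versions.
    if len(profile.get("PayloadIdentifier", "").split(".")) < 3:
        problems.append("top-level PayloadIdentifier is not com.companyname.identifier")
    return problems


def build_profile(identifier, display_name, payloads):
    """Validate, then return the XML plist bytes to save as a .mobileconfig file."""
    profile = assemble(identifier, display_name, payloads)
    problems = validate(profile)
    if problems:
        raise ValueError("; ".join(problems))
    return plistlib.dumps(profile)


def parse_profile(data):
    """Read the .mobileconfig bytes back into a dictionary, as the device does."""
    return plistlib.loads(data)


if __name__ == "__main__":
    data = build_profile(f"{ORG_PREFIX}.corp", "Corporate Settings", [
        passcode_payload(),
        cisco_ipsec_payload("vpn.example.com", "iphone-users", "jdoe", "s3cret"),
    ])
    with open("corp.mobileconfig", "wb") as f:
        f.write(data)
    # Sign before publishing, e.g. with OpenSSL (CMS, profile embedded in the signature):
    #   openssl smime -sign -nodetach -outform der -in corp.mobileconfig \
    #     -out corp-signed.mobileconfig -signer cert.pem -inkey key.pem -certfile chain.pem
```

The unsigned output installs as-is; the openssl command in the comment produces the signed form described in “General Settings”. Serve the result with the mobileconfig extension and the application/x-apple-aspen-config MIME type, and keep the same top-level PayloadIdentifier when you publish a revised version so users receive it as an update rather than a second profile.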
EncryptionType (String): The possible values are “WEP”, “WPA”, or “Any”. “WPA” corresponds to WPA and WPA2 and applies to both encryption types. Make sure that these values exactly match the capabilities of the network access point. If you’re unsure about the encryption type, or would prefer that it applies to all encryption types, use the value “Any”.
Password (String, optional).
TLSTrustedServerCommonNames (Array of string values, optional): The list of server certificate common names that will be accepted. If a server presents a certificate whose common name is not in this list, it will not be trusted.
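The per-segment subjectAltName matching described for Cisco IPSec in Appendix A and the exact-match TLSTrustedServerCommonNames list above are two forms of the same check: does the name the device expects appear in the certificate the server presented? The following Python, an added example and not Apple's implementation, shows both over constructed SAN entries and names. The strictness choices noted in the comments (an IP target matches only an iPAddress entry, never a dNSName; an empty trust list accepts no server) are mine, not statements about the device's behaviour.

```python
import fnmatch
import ipaddress


def _label_matches(pattern_label, name_label):
    """One DNS label against one pattern label; a '*' never spans a dot
    because the caller has already split both names on dots."""
    return fnmatch.fnmatchcase(name_label.lower(), pattern_label.lower())


def dns_name_matches(pattern, hostname):
    """Per-segment wildcard match: 'vpn.*.mycompany.com' matches
    'vpn.eu.mycompany.com' but not 'vpn.a.b.mycompany.com' or 'vpn.mycompany.com'."""
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def ipsec_server_identity_ok(remote_address, san_entries):
    """remote_address: the RemoteAddress the device connects to.
    san_entries: list of (kind, value) pairs, kind 'DNS' or 'IP', as read from
    the server certificate's subjectAltName (constructed input here).
    Design choice (mine): an IP target is accepted only against an 'IP' entry."""
    try:
        target_ip = ipaddress.ip_address(remote_address)
    except ValueError:
        target_ip = None  # a host name, not an address
    for kind, value in san_entries:
        if target_ip is not None and kind == "IP":
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry: ignore it
        elif target_ip is None and kind == "DNS" and dns_name_matches(value, remote_address):
            return True
    return False


def eap_server_cert_ok(presented_common_name, trusted_common_names):
    """TLSTrustedServerCommonNames check for the 802.1X Wi-Fi payload: exact,
    case-insensitive match against the allow-list, no wildcards. Design choice
    (mine): an empty list trusts no server. This does not replace the chain check."""
    return presented_common_name.lower() in {n.lower() for n in trusted_common_names}


if __name__ == "__main__":
    # Constructed SAN of a VPN server certificate and a RADIUS allow-list.
    san = [("DNS", "vpn.*.mycompany.com"), ("IP", "10.1.2.3")]
    print(ipsec_server_identity_ok("vpn.eu.mycompany.com", san))    # True
    print(ipsec_server_identity_ok("vpn.a.b.mycompany.com", san))   # False: one label only
    print(ipsec_server_identity_ok("10.1.2.3", san))                # True
    print(eap_server_cert_ok("radius1.mycompany.com",
                             ["radius1.mycompany.com", "radius2.mycompany.com"]))  # True
```

A name check of this kind only has value after the chain has been verified against a trusted root; a rogue server that controls its own CA can put any name it likes in a certificate, so the two checks must be combined, as the device does.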
If EAPFASTUsePAC is true, then an existing PAC is used if one is present. The only way to get a PAC onto the device currently is to allow PAC provisioning, so you need to enable EAPFASTProvisionPAC and, if desired, EAPFASTProvisionPACAnonymously. EAPFASTProvisionPACAnonymously has a security weakness: it doesn’t authenticate the server using a certificate; it relies on the shared secret of the user’s password. Because the provisioning tunnel is not authenticated, a rogue access point can pose as the authentication server during provisioning and attack the user’s credentials. If you must allow anonymous provisioning, do it once on a network you trust and then turn it off.