Apple iPhone Configuration Utility 3.0

Apple have released version 3 of the iPhone Configuration Utility, the tool that enables administrators to create deployable packages containing customised settings for Email, VPN, WiFi and device usage, etc and then deploy those packages to any number of iPhone devices, simplifying device setup and removing the need for users to contact the IT department as well as ensuring compliance.
The latest version of the tool can be downloaded here - http://support.apple.com/kb/DL851
This latest version of the tool provides support for iPhone OS 4 and the new functionality available in the new platform.

As before, various aspects of the device's configuration and functionality can be preconfigured by creating a configuration profile, including:

• Mobile Internet access point settings

  

• Password policy - length, complexity, age, history, number of failed attempts etc

  

• Restrictions - application installation, camera, screenshot capture, web browsing, youtube, itunes, movies, tv shows, etc

  

• WiFi

  

• VPN

  

• Email - POP / IMAP

  

• Exchange ActiveSync
• LDAP directory access
• CalDAV calendar access
• WebClips - shortcuts to web content
• Certificates
• Mobile Device Management

Exchange ActiveSync

Expanded elements of the Exchange ActiveSync protocol version 12.1 can now be configured, including:

All Exchange versions

• Enforce password on device
• Minimum password length
• Maximum failed password attempts
• Require both numbers and letters
• Inactivity time in minutes

Exchange 2007 / 2010

• Allow or prohibit simple password
• Password expiration
• Password history
• Policy refresh interval
• Minimum number of complex characters in password
• Require manual syncing while roaming
• Allow camera
• Require device encryption

Remote wipe of devices is also supported from Exchange.

Once saved, configuration profiles can be deployed to devices via email, by posting to a web server or locally via USB.

Mobile Device Management

iPhone OS 3.x or later supports over the air enrolment and configuration. New to version 3.0 of the iPhone Configuration Utility is the ability to enter details of the mobile device management server into a configuration profile, as well as the ability to specify which configuration items should be available via the DM server.
Support is also included for the Apple Push Notification Service (APNS), allowing the administrator to specify that should changes be made to the configuration profile, the DM server can be alerted to the change and push them to enrolled devices automatically.

Enrolment is the mechanism by which a device is authenticated before a configuration profile can then be delivered. This ensures that only trusted devices receive configuration settings. Because configuration profiles can also be locked and encrypted, once installed they cannot be removed or edited by the user, or shared with others.

The enrolment process can be deployed using web services and a certificate authority, and also requires a mechanism for user authentication. A typical end-to-end process would run as follows:

• The URL of the device management server is distributed via SMS or email
• The user accesses the link via the Safari web browser on the device. The web service will prompt the user to authenticate (which may be tied into Active Directory authentication)
• The web service issues an encrypted mobileconfig profile to the device which is installed automatically but not applied. The profile then requests one or more of a number of device attributes (iOS version, MAC address, IMEI number or SIM number)
• The device responds with the requested information, signing the response with its own (Apple-issued) certificate
• The web service issues an SCEP (Simple Certificate Enrolment Protocol) response with instructions on how to generate an RSA 1024 certificate request, and where to send it for certification
• The device sends the certificate request to the certification authority
• The CA creates the certificate and issues it to the device
• The device is then able to decrypt the encrypted mobileconfig profile

In a nutshell, then, although the iPhone supports over the air enrolment and configuration, this is not an out-of-the-box tool supplied by Apple - there is an amount of development and integration work to be done before devices can successfully authenticate with and access your network.

Fortunately, a number of device management vendors have already integrated this functionality of the iPhone into their own products, removing the need to do any integration work yourself, and enabling management of iPhone devices alongside other platforms within a single management interface. Vendors include Sybase Afaria, DME by Excitor as well as Fromdistance. Visit the device management section of the blog for more information.

For more information on the iPhone Configuration Utility, download the Apple Enterprise Deployment Guide - http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf