iOS 5 in the Enterprise: Creating Configuration Profiles
- Using General Settings
- Setting a Passcode
- Choosing Restrictions
- Configuring Wi-Fi
- Setting Up VPN
- Setting Up Email
- Using Exchange ActiveSync
- Enabling LDAP
- Setting the Date with CalDAV
- Getting in Touch with CardDAV
- Keeping up with Subscribed Calendars
- Using Web Clips
- Setting Credentials
- About SCEP
- Using Mobile Device Management
- Managing Advanced Settings
- Wrapping Up
This is the “big” chapter for the iPhone Configuration Utility (iPCU), and for anyone who needs to perform extensive/advanced management of iOS devices. Configuration profiles are XML files that control the behavior of your iOS devices, restrict or allow specific features, and set up functions such as email and calendars. Once created, configuration profiles can be distributed via USB, email, or a web page.
You can also encrypt and sign a profile to restrict the devices it can be applied to, and password-protect it so that it cannot be removed short of wiping all the data on the device. Configuration profiles can be long and complicated, or kept simple and used only to point a device at a Mobile Device Management server that can push the desired settings to the devices.
Using General Settings
When you’re creating a configuration profile, the iPCU might have you thinking that the General settings are the only mandatory settings. That’s not exactly correct. You need General plus at least one additional setting. This is logical: the General section doesn’t really do anything in terms of configuring your iOS device, so a configuration that has only the General section doesn’t make sense. It’s just there to identify the profile.
But, if you aren’t expecting that behavior, and you’re testing a profile, it could be annoying when the device refuses to install a profile with only the General settings configured.
The General settings are concerned only with the profile’s identity and security (Figure 4.1). As such, the number of settings here is pretty small. You can set the name of the profile, which is what users see when they go into the General settings on the device and select Profiles (Figure 4.2). That’s not a misprint by the way; you can have multiple profiles on a single device. If you choose to have multiple profiles, however, please watch your settings. Choosing conflicting settings would be . . . bad.
Figure 4.1. General settings for identity and security
Figure 4.2. General settings on an iOS device
Most of the settings here are descriptive, starting with a Name for the profile that the user will see on the device and a unique Identifier named similarly to plist files—for example, “com.bynkii.bookprofile”—that serves two important purposes: First, if no other profile on a device has that same identifier, the profile’s settings are added to the device. Second, if a profile on the device does have the same identifier, the settings in the new profile replace the previous profile’s settings.
This functionality can make it easy to update an existing profile. Rather than performing a full remove and replace, you can just edit an existing profile while retaining the same identifier, and re-install the profile on the device. The exception is when changing Exchange accounts. When changing an Exchange account, you must remove the profile with the Exchange info so that the Exchange data can be purged.
The Organization and Description fields are available for you to insert customized information that, like the Name field contents, is displayed on the device.
The Security setting controls the ability to remove the profile and has three settings: Always, With Authorization, and Never. Always is pretty self-explanatory: The profile can always be removed by clicking Remove in the profile’s information section (Figure 4.3).
Figure 4.3. Click Remove to delete a profile from a device.
If you choose With Authorization, the profile can be removed only by entering a passcode that you set when you create the profile in the iPCU. You’ll see a warning to that effect when you install a profile with this security setting (Figure 4.4).
Figure 4.4. Warning displayed when installing an app that requires authorization
If you choose the final option, Never, you’re required to erase all the data from the device to remove the profile.
Realistically, don’t choose Never unless you are in a high-security environment (and I mean “Lawrence Livermore National Laboratory where we perform nuclear weapons research,” not just “I don’t want people to know about our new website data” security); or unless you are not going to update that profile anytime soon. Choosing Never usually causes far more problems than it solves. Choosing With Authorization will cover you 99 percent of the time. If the device is a personal device that someone is using for work purposes, consider choosing Always, because it’s kind of rude to lock someone out of her own phone.
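The identifier and Security behavior described above can be checked before a profile is distributed. The following audit script is an added example, not code from the book or from the iPCU. It assumes an unsigned, unencrypted profile, and the plist key and payload-type names come from Apple's configuration profile format rather than from this page; the sample profile is constructed.

```python
import plistlib

# Key and payload-type names follow Apple's configuration profile format;
# they are not given on this page.
REMOVAL_PW = "com.apple.profileRemovalPassword"

def removal_policy(profile):
    """Map profile keys back to the iPCU Security choice."""
    if profile.get("PayloadRemovalDisallowed", False):
        return "Never"
    if any(p.get("PayloadType") == REMOVAL_PW for p in profile.get("PayloadContent", [])):
        return "With Authorization"
    return "Always"

def audit(profile_bytes, installed_ids=()):
    """Return (summary, findings) for one unsigned, unencrypted profile."""
    profile = plistlib.loads(profile_bytes)
    ident = profile.get("PayloadIdentifier")
    # Assumption: the removal password belongs to General, so it does not
    # count as the "at least one additional setting".
    payloads = [p.get("PayloadType") for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") != REMOVAL_PW]
    policy = removal_policy(profile)
    findings = []
    if not ident:
        findings.append("missing PayloadIdentifier")
    if not payloads:
        findings.append("General settings only: device will refuse to install")
    if policy == "Never":
        findings.append("removal requires erasing the device")
    summary = {"identifier": ident, "removal": policy, "payloads": payloads,
               # Same identifier already on the device: settings are replaced.
               "on_install": "replace" if ident in installed_ids else "add"}
    return summary, findings

def make_profile(identifier, payload_types, never=False):
    """Constructed sample data: a minimal profile, not a real export."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": identifier, "PayloadDisplayName": "Book Profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",
        "PayloadRemovalDisallowed": never,
        "PayloadContent": [{"PayloadType": t, "PayloadVersion": 1} for t in payload_types]})

if __name__ == "__main__":
    sample = make_profile("com.bynkii.bookprofile",
                          ["com.apple.mobiledevice.passwordpolicy", REMOVAL_PW])
    print(audit(sample, installed_ids={"com.bynkii.bookprofile"}))
```

Running the audit over every profile in a deployment set, with `installed_ids` taken from the identifiers already on the device, shows which installs will replace existing settings and which profiles can only be removed by erasing the device.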