A configuration profile is an XML file that allows you to distribute configuration information to iOS-based devices. If you need to configure a large number of devices or to provide lots of custom email settings, network settings, or certificates to a large number of devices, configuration profiles are an easy way to do it.
An iOS configuration profile contains a number of settings that you can specify, including:
Restrictions on device features (disabling the camera, for example)
Email server settings
LDAP directory service settings
CalDAV calendar service settings
Credentials and keys
Advanced cellular network settings
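The list above is what a profile carries; the following added example (not code from this document or from Apple's reference implementation) shows what one looks like on the wire by generating a minimal .mobileconfig plist in Ruby with a single restrictions payload that disables the camera. The payload keys used (PayloadType, PayloadIdentifier, PayloadUUID, allowCamera, and the com.apple.applicationaccess restrictions type) are the ones documented in the Configuration Profile Reference; the identifier and organization strings are constructed sample values, and the small plist serializer is written here rather than taken from a library so the block runs with the standard library alone.

```ruby
require 'securerandom'

# Standard plist preamble; every .mobileconfig file starts this way.
PLIST_HEADER = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
XML

# Escape the three characters that would break the XML text of a plist value.
def xml_escape(text)
  text.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
end

# Serialize a Ruby value into plist XML. Only the types a profile needs are handled;
# anything else is rejected rather than silently emitted as a string.
def plist_value(value, indent = 0)
  pad = '  ' * indent
  case value
  when Hash
    body = value.map { |k, v| "#{pad}  <key>#{xml_escape(k.to_s)}</key>\n#{plist_value(v, indent + 1)}" }.join
    "#{pad}<dict>\n#{body}#{pad}</dict>\n"
  when Array
    body = value.map { |v| plist_value(v, indent + 1) }.join
    "#{pad}<array>\n#{body}#{pad}</array>\n"
  when true    then "#{pad}<true/>\n"
  when false   then "#{pad}<false/>\n"
  when Integer then "#{pad}<integer>#{value}</integer>\n"
  when String  then "#{pad}<string>#{xml_escape(value)}</string>\n"
  else raise ArgumentError, "unsupported plist type: #{value.class}"
  end
end

# A restrictions payload; allowCamera = false turns the camera off on the device.
def restrictions_payload(identifier, allow_camera:)
  {
    'PayloadType'        => 'com.apple.applicationaccess',
    'PayloadVersion'     => 1,
    'PayloadIdentifier'  => "#{identifier}.restrictions",
    'PayloadUUID'        => SecureRandom.uuid.upcase,
    'PayloadDisplayName' => 'Restrictions',
    'allowCamera'        => allow_camera
  }
end

# The top-level profile: a Configuration payload whose PayloadContent lists the
# individual payloads. Identifier and organization are constructed sample values.
def build_profile(identifier:, organization:, allow_camera: true)
  profile = {
    'PayloadType'         => 'Configuration',
    'PayloadVersion'      => 1,
    'PayloadIdentifier'   => identifier,
    'PayloadUUID'         => SecureRandom.uuid.upcase,
    'PayloadDisplayName'  => "#{organization} device policy",
    'PayloadOrganization' => organization,
    'PayloadContent'      => [restrictions_payload(identifier, allow_camera: allow_camera)]
  }
  PLIST_HEADER + plist_value(profile) + "</plist>\n"
end

if __FILE__ == $PROGRAM_NAME
  puts build_profile(identifier: 'com.example.mdm.policy', organization: 'Example Corp', allow_camera: false)
end
```

The serializer refuses types it does not know instead of coercing them to strings: a profile key silently emitted with the wrong plist type is rejected by the device, or worse, applied with a meaning other than the one intended, so failing early at generation time is the safer behaviour for a server that produces policy.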
There are four ways to deploy configuration profiles:
By physically connecting the device
In an email message
On a webpage
Using over-the-air configuration as described in this document
iOS supports both encrypted and unencrypted profiles. Encrypted profiles guarantee data integrity and protect sensitive policy information from prying eyes. Encrypted configuration profiles are signed with the public key associated with a device’s identity certificate. This public key can be obtained in one of two ways: by connecting via USB to a computer running the iPhone Configuration Utility (iPCU) or using over-the-air enrollment.
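To make the confidentiality and integrity properties above concrete, here is an added Ruby example (not code from this document or from Apple's reference implementation) that uses OpenSSL's PKCS7 API to envelope a profile for one device's identity certificate and then sign the envelope with the profile server's identity; the device-side routine verifies the signature against a trust store before decrypting. The identities are self-signed certificates generated in the block and are labelled constructed: in a real deployment the device identity comes from enrollment and the server identity from the organization's PKI. The SAMPLE_PROFILE string is likewise a constructed stand-in for a full .mobileconfig plist.

```ruby
require 'openssl'

# Constructed stand-in for a generated profile; a real server would emit a full .mobileconfig plist.
SAMPLE_PROFILE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<plist version=\"1.0\"><dict>" \
                 "<key>PayloadType</key><string>Configuration</string></dict></plist>\n"

# Build a self-signed identity (private key + certificate). Constructed for this example only:
# real device and server identities come from enrollment and from the organization's PKI.
def make_identity(common_name, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  usage = ca ? 'digitalSignature,keyCertSign' : 'digitalSignature,keyEncipherment,dataEncipherment'
  cert.add_extension(ef.create_extension('keyUsage', usage, true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Server side, step 1: envelope the profile for one device. Only the holder of that
# device's private key can open it, which is what keeps policy details from prying eyes.
def encrypt_for_device(profile, device_cert)
  cipher = OpenSSL::Cipher.new('aes-128-cbc')
  OpenSSL::PKCS7.encrypt([device_cert], profile, cipher, OpenSSL::PKCS7::BINARY).to_der
end

# Server side, step 2: sign the envelope so the device can check who produced it.
# Encryption alone does not give integrity; the signature does.
def sign_as_server(payload, server_key, server_cert)
  OpenSSL::PKCS7.sign(server_cert, server_key, payload, [], OpenSSL::PKCS7::BINARY).to_der
end

# Device side: verify the signature against the trusted server certificate first,
# then decrypt the inner envelope. Returns the profile text, or nil if either step fails.
def open_profile(signed_der, device_key, device_cert, trusted_cert)
  signed = OpenSSL::PKCS7.new(signed_der)
  store  = OpenSSL::X509::Store.new
  store.add_cert(trusted_cert)
  return nil unless signed.verify([], store)
  OpenSSL::PKCS7.new(signed.data).decrypt(device_key, device_cert)
rescue OpenSSL::PKCS7::PKCS7Error
  nil
end

if __FILE__ == $PROGRAM_NAME
  device_key, device_cert = make_identity('constructed-device')
  server_key, server_cert = make_identity('constructed-profile-server', ca: true)
  blob = sign_as_server(encrypt_for_device(SAMPLE_PROFILE, device_cert), server_key, server_cert)
  puts "signed envelope: #{blob.bytesize} bytes"
  puts "device recovered profile: #{open_profile(blob, device_key, device_cert, server_cert) == SAMPLE_PROFILE}"
end
```

The order matters on the device side: the signature is checked before any decryption is attempted, so an envelope from an untrusted signer is discarded without processing its contents, and a profile enveloped for a different device fails at the decrypt step and is likewise discarded rather than partially applied.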
If it is practical to connect each device to a single computer before deployment, you can use the iPhone Configuration Utility (iPCU) to encrypt profiles specific to each device. Later, you can securely deliver updated profiles via email or a webpage. (If you don't care about encrypted profiles, you can use iPCU without connecting the devices.)
If this manual enrollment meets your needs, you should read “iPhone Configuration Utility” and other documents in the Enterprise Deployment subcategory instead.
Although the other methods offer a simple way to configure devices for enterprise use, in large-scale deployments, you'll want to automate the deployment process.
iOS over-the-air enrollment and configuration provides an automated way to configure devices securely within the enterprise. This process provides IT with assurance that only trusted users are accessing corporate services and that their devices are properly configured to comply with established policies. Because configuration profiles can be both encrypted and locked, the settings cannot be removed, altered, or shared with others.
More importantly, for geographically distributed enterprises, an over-the-air profile service allows you to enroll iOS-based devices without physically connecting them to an iPhone Configuration Utility host.
The profile service described in this document creates a configuration on the fly; the device then downloads that configuration. The device remembers the enrollment URL so that it can update its configuration from the server in the future if the configuration expires or a VPN connection failure occurs.
This document describes the over-the-air enrollment process. With this process, administrators can instruct users to begin the process of enrollment by providing a URL via email or SMS notification. When users agree to the profile installation, their devices are automatically enrolled and configured in a single session.
Organization of This Document
This document takes you through the process of setting up a server to deliver encrypted custom profiles to iOS-based devices over the air.
“Over-the-Air Profile Delivery Concepts” explains the terminology and basic security concepts involved in over-the-air enrollment and profile delivery.
“Creating a Profile Server for Over-The-Air Enrollment and Configuration” describes the reference implementation of a profile server, piece by piece, in chronological order of execution, from device authentication and enrollment to profile delivery.
“Configuration Profile Examples” provides sample profiles and code to generate profiles.
This document assumes a basic knowledge of Ruby programming, XML, property lists, the iPhone Configuration Utility, and OpenSSL.
For more information, see the following pages:
Cisco: Digital Certificates PKI for IPSec VPNs (PDF)
Wikipedia: Public key infrastructure
Additional information and resources for iOS-based devices in the enterprise are available at http://www.apple.com/iphone/business/, including Configuration Profile Reference. This appendix specifies the format of .mobileconfig files for developers who want to create their own tools.