Take Control of iOS Device Configuration - Creating a Basic Configuration Profile for an iPhone or iPad
One of the first steps in deploying an iOS device in the enterprise is taking control of its configuration. Creating an iTunes Store account, connecting to iTunes, and the rest of the processes that consumers follow to configure their iPhone or iPad just won’t cut it for most enterprise IT administrators. The good news is they don’t have to. The better news is that one of the best enterprise configuration tools is easy to learn and use. The best news is … the tool is free!
The tool I’m alluding to is the iPhone Configuration Utility from Apple. This article will give a quick overview of what a configuration profile is, a description of the iPhone Configuration Utility, where to get it, and how to use it to create a basic iOS device configuration profile. Future articles will cover creating more advanced profiles.
What is a Configuration Profile?
A configuration profile is an XML file that contains settings to deploy to an iOS device. These settings will control everything from device passcode policies to email account configurations. Configuration profiles can be used on both iPhones and iPads. Common uses for configuration profiles include:
- setting up email, calendar, and contact accounts (including Exchange)
- creating VPN connections
- defining WiFi settings
- enabling restrictions for how the device can (and cannot) be used
Using the iPhone Configuration Utility (iPCU)
Very few people seem to cherish the idea of writing an entire XML file in Notepad, myself included. Luckily, Apple has created the iPhone Configuration Utility that will do it for us. The iPhone Configuration Utility, or iPCU for short, is a program that uses a simple GUI to create, manage, and deploy XML configuration profiles to iOS devices. It is free and available in both Mac OS X and Windows versions from Apple’s website at apple.com/support/iphone/enterprise/.
Don’t be fooled by the iPhone reference in the name; the iPCU will create profiles for both iPhones and iPads. Profiles created with newer versions of the iPCU can be deployed to devices with older iOS versions. One note of caution, though: any setting in a profile that an older version of iOS doesn’t support will be ignored. This is just one more reason to keep your devices running the latest iOS version.
Once the iPCU is downloaded and installed, run it. It will open to a clean user interface with the Library – Devices section selected. Click on the Library – Configuration Profiles section.
Working with configuration profiles involves navigating various panes of the application. There is a header area showing the name and basic information of previously created profiles or possibly one currently being created. Also presented is a list of the possible payloads that can be configured. If a payload has been selected, an area displaying the settings within that payload is shown.
Before creating a profile it is necessary to understand payloads. Payloads are just groups of related settings organized under a common heading. In the current iteration of the iPCU there are 16 possible payloads, but only one, the General payload, is required to be defined in order to create a configuration profile.
The General payload includes the following settings:
- Name
- Identifier
- Organization
- Description
- Security
Only Name, Identifier, and Security are required. Once these three settings are defined, the configuration profile can be deployed. Realistically, you will want to configure at least one of the other optional payloads to get measurable value out of your configuration profile.
How to Create a Basic Configuration Profile
Creating a basic profile is straightforward. Click the New button on the toolbar or select the File menu and click New Configuration Profile. Select the General payload heading and the aforementioned group of settings will appear.
Profile Name is the default data in the Name textbox. The Name setting’s primary purpose is to make it easier for you, the IT Admin, and the user to know what profile is installed on a given device, which is handy when you have multiple configuration profiles applied to a single iOS device. Change the profile name to whatever friendly name you want. I recommend a name that will make it easy for you to remember what the profile does. In this case, the friendly name I’ll enter is “Petri Blog – General.” When I click the Identifier textbox, the iPCU saves the change I made to the name automatically. The new information appears in the top summary area.
The Identifier, like the name, keeps track of installed profiles. Whereas the admin and user use the name for this purpose, the device uses the Identifier. The Identifier determines whether a configuration profile is new to the device or is an update. The Identifier setting must be entered in backwards FQDN format. Since the profile name is “Petri Blog – General,” I’ll enter “com.petri.general” for Identifier. As before, when I click the Organization textbox, the changes appear in the summary area.
Organization and Description are optional fields. Use them to help keep track of who a profile is for and what it is used for. In the end, they come in handy. I will enter in “Petri.co.il” for Organization along with “A basic iOS configuration profile” for Description.
The final piece of required information is Security. Security controls when and how a profile can be removed from an iOS device once it has been installed. Options for Security are Always, With Authentication, or Never. Select Always to let a user remove a profile whenever they want. Never prevents removing the profile from a device short of a factory reset. With Authentication strikes a compromise by allowing the profile to be removed once the user enters a password. My preference is the With Authentication setting. You can enter any password you like, but I recommend not reusing a user or administrator credential. Using a separate password allows you to give the user the removal password without compromising the security of your network or PCs. After setting the password, click in another area to allow the iPCU to save your changes.
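The General settings described above end up as keys in the profile's XML property list. The following is an added example, not output from the iPCU or code from the original article: it builds the same “Petri Blog – General” profile with Python's plistlib and reads the removal policy back. The key names follow Apple's configuration profile format; how the three Security options map onto `PayloadRemovalDisallowed` and the removal-password payload is an assumption, and the password is a constructed sample value.

```python
import plistlib
import uuid

REMOVAL_PW_TYPE = "com.apple.profileRemovalPassword"

def build_profile(name, identifier, security, organization="",
                  description="", removal_password=""):
    """Return XML (.mobileconfig) bytes holding only the General settings."""
    if security not in ("Always", "With Authentication", "Never"):
        raise ValueError("unknown Security option: %r" % security)
    if security == "With Authentication" and not removal_password:
        raise ValueError("With Authentication requires a removal password")
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,            # Name
        "PayloadIdentifier": identifier,       # Identifier (reverse FQDN)
        "PayloadOrganization": organization,   # optional
        "PayloadDescription": description,     # optional
        # Assumed mapping: anything other than Always blocks free removal.
        "PayloadRemovalDisallowed": security != "Always",
        "PayloadContent": [],
    }
    if security == "With Authentication":
        # The password is written into the XML as a plain string, so it
        # must never be a user or administrator credential.
        profile["PayloadContent"].append({
            "PayloadType": REMOVAL_PW_TYPE,
            "PayloadVersion": 1,
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadIdentifier": identifier + ".removalpassword",
            "RemovalPassword": removal_password,
        })
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def removal_policy(data):
    """Parse a profile and report which Security option it encodes."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    if any(p.get("PayloadType") == REMOVAL_PW_TYPE for p in payloads):
        return "With Authentication"
    return "Never" if profile.get("PayloadRemovalDisallowed") else "Always"

if __name__ == "__main__":
    xml = build_profile("Petri Blog – General", "com.petri.general",
                        "With Authentication", "Petri.co.il",
                        "A basic iOS configuration profile",
                        removal_password="constructed-example-only")
    print(xml.decode("utf-8"), removal_policy(xml))
```

Anyone who can open the unencrypted profile file can read the removal password, so treat the file itself as sensitive when distributing it.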
Success! As you can see, getting started using the iPCU is quick and easy. Now that we have nailed down the basics, we can delve into other features and functions in configuration profiles in my upcoming articles.
Next up: Creating a configuration profile with the iPCU that automates connecting iOS devices to Microsoft Exchange!