iOS Configuration Utility
With the release of the iPad, Apple generated a lot of buzz as to whether we finally have a non-Windows based tablet that was suitable for the Enterprise. I took a look at this question in the article “iPad for the Enterprise” and came to the conclusion that the iPad could be a fantastic presentation and sales tool, but due to most companies dependency on Microsoft technologies, only by virtualising Windows could it replace existing laptops for day to day use.
In this article I want to take a look at another challenge faced by the iPad (and all other iOS devices) in the enterprise. How do companies support and manage these devices in the field?
It is very clear that Apple focus their product range on the consumer space and although they have included enterprise features in recent iOS updates, the devices are still tied to the consumer software iTunes and the restrictive AppStore polices.
Apple’s answer to these restrictions is the iPhone Configuration Utility (currently on version 3.0). Although it has iPhone in the name I expect it will be re-branded in the future as it actually supports all iOS devices, including the iPad. The iPhone Configuration Utility is available for Windows or Mac OS X and allows you to create custom configuration profiles for iOS based devices, that can be deployed over the air (via the web or e-mail). This allows administrators to apply custom configurations (such as WiFi, VPN and e-mail) as well as define security policies and restrict access to certain parts of the device. The policy itself can be deployed before the device is issued or over the Internet.
The iPhone Configuration Utility is free for anyone to download and is very easy to use, unfortunately as with all things Apple you are restricted to a set of predefined configuration options and therefore don’t have the same granular control you have come expect in the Windows world.
Let’s take a quick look at what features the iPhone Configuration Utility has to offer. The first thing you will note when opening the application is that it has the standard “Cocoa” feel to it (even on Windows). It has four simple options in the left menu, of which you will focus most of your time in “Configuration Profiles”. From here you will be able to create a custom profile as shown in the image below.
The “Configuration Profiles” menu is split in to 16 categories:
By selecting a category you can configure your specific settings. This can include multiple configurations under a single category, for example it is possible to pre-define multiple WiFi networks (including security settings) so that the iOS device will automatically be able to connect when in range.
In my opinion the most interesting category is “Restrictions”. It is here where you can specify what features you want to enable (or disable). The following options are available for configuration:
As you can see there is a broad set of options, including the ability to restrict access to core iOS applications, such as Safari, the AppStore, iTunes and YouTube. You can also configure what data you want the user to be able to store on the device, for example Movies, TV and Apps. For more information on the different iPhone Configuration Utility options check out my screenshot gallery.
Once you have completed the configuration profile you are ready for deployment. This can be completed via the web, e-mail or directly connecting the iOS device via USB. The image below shows a directly connected iPad, from here you can install a selected profile, where you will be prompted to confirm on the iOS device itself. This is the easiest way to test new configuration profiles. If you decide to deply the profile via the web or e-mail you will need to use the share/export buttons in the top menu. From here you will also have the option to encrypt and self sign the configuration profile (otherwise things such as configured WiFi and VPN passwords will be shown in clear text).
Once deployed the configuration profile can been seen on the iOS device under “Settings > Profile”. Depending on how the profile was configured, the admin can remove the profile from here by entering a pre-configured password. The profile itself sits on top of the operating system and does not require a restore to be installed or removed. If the device is restored to factory default setting via iTunes then the profile will be lost (unless a local backup is restored). Profiles are however not impacted by an iOS update.
Although the iPhone Configuration Utility is a useful tool for enterprises when needing to pre-configure iOS devices, it does have some limitations. Firstly, you can only configure the options that Apple have specified, for example there is no way to restrict the ability for users to setup new WiFi or VPN connections, which may be a requirement for highly regulated industries. Also, although you can deploy the profile over the air, you can’t deploy native applications, for this you need to use the AppStore or a pre-configured development environment (where your devices Unique Device ID will need registered). As a result the configuration profile itself can’t be used as an over the air recovery facility.
Another important part of iOS device support and management that works with the iPhone Configuration Utility is Mobile Device Management (MDM). This is configured as part of the profile and is essentially a web service that allows you to make changes to the device whilst it is in the field. Apple don’t offer their own MDM and as a result you are forced to use a third party service such as - MobileIron or Trust Digital. I plan to cover Mobile Device Management in a future article.