This article details how to create, upload and deploy an Apple iPhone Configuration profile for use with Sophos Mobile Control.
Configuration profiles are XML files that contain device security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, and authentication credentials that permit iPhone, iPod touch, and iPad to work with your enterprise systems. Configuration profiles quickly load settings and authorization information onto a device. Some VPN and Wi-Fi settings can be set only by using a configuration profile, and if you're not using Microsoft Exchange, you need to use a configuration profile to set device passcode policies.
You can install configuration profiles on devices connected to a computer via USB using iPhone Configuration Utility, or you can distribute configuration profiles by email or on a webpage. When users open the email attachment or download the profile using Safari on their device, they’re prompted to begin the installation process. If you’re using a Mobile Device Management server, you can distribute an initial profile that contains just the server configuration information, then have the device obtain all other profiles wirelessly.
Configuration profiles can be encrypted and signed, which lets you restrict their use to a specific device and prevents anyone from changing the settings that a profile contains. You can also mark a profile as being locked to the device, so once installed, it can be removed only by wiping the device of all data, or optionally, by entering a passcode.
With the exception of passwords, users cannot change the settings provided in a configuration profile. Additionally, accounts that are configured by a profile, such as Exchange accounts, can only be removed by deleting the profile.
The iPhone Configuration Utility (iPCU) is free and available in both Mac OS X and Windows versions from Apple's website at http://www.apple.com/support/iphone/enterprise/
Known to apply to the following Sophos product(s) and version(s)
Sophos Mobile Control as a Service 3.0
Sophos Mobile Control 3.0
Sophos Mobile Control 2.5.0
Sophos Mobile Control 2.0
What To Do
The following steps detail the process:
- Create an Apple iPhone Configuration profile (.mobileconfig file) using the Apple iPhone Configuration Utility
- Save the configuration profile from the Apple iPhone Configuration Utility as a .mobileconfig file
- Create a new Apple iOS profile under Sophos Mobile Control and upload the .mobileconfig file
- Deploy the profile to the desired devices
Step 1 - How to create an Apple iPhone Configuration profile (.mobileconfig file) using the Apple iPhone Configuration Utility
First we need to create the Apple iPhone Configuration profile that will hold your custom settings.
- Once the iPCU is downloaded and installed, run it. It will open to a clean user interface with the Library – Devices section selected. Click on the Library – Configuration Profiles section as shown below:
- Before creating a profile it is necessary to understand payloads. Payloads are just groups of related settings organized under a common heading. In the current iteration of the iPCU there are 16 possible payloads, but only one, the General payload, is required to be defined in order to create a configuration profile.
| Payload | Description |
|---|---|
| General | In this section you set up the name of the profile and its identifier. The identifier must be unique and follow a reverse-DNS naming structure (e.g. com.company_name.identifier). You can also enter the organization name and a brief description, and set the security for the profile: you can require that a password be entered before the user removes the profile. Note that the Never option means the profile can be updated but never removed. |
| Passcode | Here you can set the requirements for the passcode, specifying how long the passcode should be, how often it should be changed, and other parameters to ensure the iOS device follows company guidelines. |
| Device Functionality | All physical and other such features that you can enable or disable. Have a policy against cameras? Disable the camera. Paying for an employee's data plan and don't want it to use data while roaming? Adjust that setting. You can also disable FaceTime, app installation, in-app purchases, and even Siri. The Game Center settings can be adjusted within this area as well. |
| Applications | Features like YouTube, iTunes, cookies, and other browser features can be controlled here. |
| iCloud | This area may be of considerable value for users, as you can mandate how often the device should be backed up and have it already taken care of, as opposed to attempting to locate their data when the user somehow wipes or loses their device. |
| Security and Privacy | Here you can select whether or not diagnostic data is sent to Apple, or specify whether the user can install their own certificates. |
| Content Ratings | Here you can specify whether explicit music or podcasts can be purchased or downloaded from the iTunes Store. |
| Wi-Fi (Enterprise Settings) | If you use enterprise-level authentication to the organization's wireless network, you can specify the settings, certificates, and encryption options, depending on your enterprise setup. |
| VPN | Here you can set up the VPN along with the credentials, certificates, and other required pieces so that the VPN is readily accessible to your users. |
| Email | This is used for any email account that uses IMAP or POP3. If you use an Exchange server, use the Exchange ActiveSync settings below. |
| Exchange ActiveSync | If your company uses Microsoft Exchange, you can create all the settings here to minimize the setup time for your users' access to mail, calendar, and contacts. |
| LDAP (Attribute Alias) | This is especially useful if your company uses LDAP for contacts. You can map the contact fields to the corresponding iOS contact fields. |
| CalDAV | This contains the settings for any calendar that uses the CalDAV specification. |
| CardDAV | For any contacts that are synced through the CardDAV specification, the information for syncing can be established here. |
| Subscribed Calendars | If any CalDAV calendars are set up, this is where you can define read-only access to others' calendars. |
| Web Clips | The settings here are useful for adding Web Clip shortcuts to users' iOS desktop screens. You can determine how these icons will look on the desktop, and you can make the Web Clips non-user-removable. |
| Credentials | Additional certificates used by the organization or by the user can be set here. Certificates must be in .cer, .crt, or .der format in order to be recognized by the device. |
| SCEP | You can add your organization's CA so that users can download other certificates if needed. |
| Mobile Device Management | If you're planning on using a Mobile Device Management service within your organization, this is where you enter the requirements and additional information that will control the device's settings. You will need your company's settings and server information for the MDM in order to complete this section of the payload. |
| Advanced | These are cellular settings that can aid cell service coverage for your users. You can set APN settings and change roaming access options. Use this section with caution. |
Even with this tool, profiles on the iOS device are an opt-in and opt-out setup. You can set the profile to not be user-removable, but that doesn't prevent the user from wiping their own device and reloading everything without the profile installed.
It must be remembered that tablets are designed and created to be an individual, consumer-based device with all functionality geared toward that mentality. Although profiles will aid you in assisting your users in setting up their iPads to use the company resources, it will not guarantee that they are 100% secure and nothing will ever be compromised.
Passcodes can be set up and required, and wiping can be done remotely, but your security is only as good as your users' understanding of it. So, while the iPCU can be extremely beneficial for setting up VPN, installing certificates, and managing passcode requirements, your IT department should still consider policies and training designed to help users understand the necessity of security and how it benefits them, not just their company and employer.
Step 2 - Save these configuration profile changes under Apple iPhone Configuration Utility as a mobileconfig file
At this stage, we want to finalise our custom settings to use with our iOS devices.
- Once you've finished editing your configuration profile, click Export (do not select Sign or Encrypt)
- Choose the location you wish to save the mobileconfig file to
Step 3 - Creating a new Apple iOS profile under Sophos Mobile Control
At this stage, we'll open the Sophos Mobile Control web interface, authenticate and create a new Apple iOS profile
- Click Apple iOS | Profiles | +
- Enter the Name, Version, and Operating systems
- Click Choose File
- Browse to the location of the *.mobileconfig created
- Click Upload
- Click the disk icon to save the changes
Step 4 - Deploying the Apple iOS profile (mobileconfig) to iOS devices
Finally at this stage, we want to deploy our Apple iOS profile with our custom settings to our devices.
- Click Apple iOS | Transfer
- Select the desired device(s)
- Select the desired profile
- Select execution date as Now
- Click the Lightning bolt icon