MDM Primer-02

Mobile Device Management (MDM) Primer
Fall, 2011

(continued)

Configuration Profiles

Configuration profiles are lists of settings that IT departments use to quickly set up iOS devices. These profiles may be set up to configure end users' devices to access Microsoft Exchange servers, the corporate VPN tunnel, Wi-Fi networks and corporate resources. Configuration profiles also give IT the ability to lock the settings.

Configuration profiles can be created with the iPhone Configuration Utility (iPCU), a free application for Mac OS X (10.6.x and 10.7.x) and Windows (XP, Vista and 7).


Figure 4 - iPCU Configuration Profiles

What are configuration profiles?

A configuration profile is an XML file that can be used to distribute configuration information to iOS devices. IT administrators use configuration profiles to apply one or more specific settings to iOS devices. Each configuration profile contains one or more "payloads," which hold the settings that can be set on an iOS device, including:

  • Passcode - requirement of passcode, simple vs. complex passcode
  • Restrictions - locking down Safari, YouTube, iTunes, installation of apps, deletion of apps, allowed content
  • Wi-Fi - network SSIDs and passwords (any standard 802.11x wireless network)
  • VPN - Cisco IPSec, L2TP, PPTP, SSL VPN
  • Email - Standards-based email, contacts, and calendars (IMAP, POP, CardDAV and CalDAV)
  • Exchange ActiveSync - supporting Exchange Server 2003, 2007 and 2010
  • LDAP - directory service settings
  • CalDAV - calendar service settings for shared calendars
  • CardDAV - group address book
  • Subscribed Calendars - read only access to shared calendars
  • Web clips - URLs to a specific website, shortcut
  • Credentials - PKCS1 and PKCS12 certificates to install on the device
  • SCEP - Simple Certificate Enrollment Protocol allows the device to obtain certificates from a certificate authority
  • Mobile Device Management - configures the device so that its configuration is managed over the air by an MDM server
  • Advanced - Cellular network settings (APN)

Best Practices for Protecting Configuration Profiles

Administrators should sign and/or encrypt a configuration profile to prevent it from being altered or viewed. You can also protect a configuration profile by locking it with a passcode so that an end user can't remove it.


Figure 5 - Setting Security

Signing and encryption

A configuration profile can contain sensitive information such as account information and passwords. iPCU offers three options for exporting the profiles you have built and protecting your data.

A signed profile may only be replaced by another profile with the same Identifier and signed by the same copy of iPCU. iPCU may be used to both encrypt and sign configuration profiles, locking them down to a specific device and preventing others from changing or viewing the settings of the profile.

Security on profiles is available as follows, upon Export:

  • None - Creates a plain text .mobileconfig file that can be installed on any device. Data is not encrypted and may be viewed in any text editor. There is no security in place.
  • Sign configuration profile (good security) - Creates a signed .mobileconfig file that can be installed on any device, provided the profile hasn't been altered. After installation, the profile can be updated only by another profile with the same Identifier and signed by the same copy of iPCU.
    The profile is signed with the public key associated with a device's identity certificate. This public key can be obtained by connection through USB to a computer running iPCU or using over-the-air enrollment.
  • Create and sign encrypted configuration profile for each selected device (best security) - Signs the profile so it cannot be altered and encrypts all the contents so the profile cannot be viewed in a text editor. The profile can be installed only on specific devices that appear in the Devices list. Separate .mobileconfig files are created for each of the devices you select from the Devices list. In most cases, this is the best option to select and offers the highest level of security.

Locking Profiles

A profile may also be distributed locked to a device so that, after it's installed, it can be removed only by wiping the device of all data (full reset) or by entering a passcode. Locking a configuration profile is recommended to prevent end users from deleting it from a device. The following three choices are available for locking:

  • Always - The end user may remove the profile at any time.
  • With Authorization - Password is set, and needed, for removal of profile.
  • Never - Profile may only be updated with a new version, but not be removed.
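
The export and locking options above leave visible traces in the profile file, so an exported .mobileconfig can be checked before it is distributed. The following is an added example, not code from the article or from iPCU: it reports the outer protection, the payload types, any credentials stored in clear text, and the removal setting. The key names (`EncryptedPayloadContent`, `PayloadRemovalDisallowed`, `HasRemovalPasscode`, `com.apple.profileRemovalPassword`) are assumed from Apple's configuration profile format, the sample profile is constructed, and the "signed" check only recognises the signature wrapper without verifying it.

```python
import plistlib

def classify(raw: bytes) -> str:
    """Outer protection of a .mobileconfig: 'signed', 'encrypted' or 'plain'."""
    if raw[:1] == b"\x30":          # DER SEQUENCE tag: a CMS signature wraps the plist
        return "signed"
    top = plistlib.loads(raw)
    return "encrypted" if "EncryptedPayloadContent" in top else "plain"

def find_secrets(node, path=""):
    """Yield dotted paths of credential-bearing keys, walking nested dicts."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.endswith("Password") or key == "SharedSecret":
                yield here
            yield from find_secrets(value, here)

def removal_policy(top: dict) -> str:
    """Map the removal keys (assumed names) onto the three locking choices."""
    if top.get("PayloadRemovalDisallowed"):
        return "Never"
    types = [p.get("PayloadType") for p in top.get("PayloadContent", [])]
    if top.get("HasRemovalPasscode") or "com.apple.profileRemovalPassword" in types:
        return "With Authorization"
    return "Always"

def audit(raw: bytes) -> dict:
    report = {"security": classify(raw), "removal": None, "payloads": [], "secrets": []}
    if report["security"] == "signed":
        return report               # verify and unwrap the signature before reading on
    top = plistlib.loads(raw)
    report["removal"] = removal_policy(top)
    for p in top.get("PayloadContent", []):
        ptype = p.get("PayloadType", "unknown")
        report["payloads"].append(ptype)
        report["secrets"] += [f"{ptype}:{s}" for s in find_secrets(p)]
    return report

# Constructed sample: what an export with security "None" could look like.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadIdentifier": "com.example.profile",
    "PayloadRemovalDisallowed": False,
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "ExampleCorp",
         "EncryptionType": "WPA", "Password": "constructed-psk"},
        {"PayloadType": "com.apple.vpn.managed", "VPNType": "L2TP",
         "PPP": {"AuthName": "user", "AuthPassword": "constructed-pw"}},
    ]})
```

Calling `audit(SAMPLE)` reports a plain profile that the user can always remove and that carries a Wi-Fi password and a VPN password readable in any text editor.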

Installing configuration profiles

Profiles can be installed via one of several methods:


Figure 6 - Hard-wired USB Connections

  • USB - For smaller installations, this is a viable way of getting payloads onto your mobile devices. As the quantity goes up, the benefits of this method go down and it becomes much more work. This process is typically done by IT directly. The USB method is meant for low-quantity deployments, such as 50 or fewer devices.


Figure 7 - Wireless Connections

  • Wirelessly - Profiles can be distributed wirelessly via email, website and over the air. When an end user downloads the profile from the web or opens it as an attachment in Mail, the device recognizes the .mobileconfig extension as a profile and begins installation when the user taps Install. If a passcode has been set on the device, the user will be prompted to enter their credentials.
      • Email - Distribution of profiles via email. The end user receives the email message on the iOS device and then taps on the attachment to install the profile. This process does require the end user to accept and install.
      • Website - Distribution of profiles via a corporate website requires the user to follow a specific link to download a profile. The end users can navigate to the web page on their device and then download the profile onto it. This process does require the end user to accept and install.
      • Over the air - IT can use a secure enrollment and configuration process enabled by the Simple Certificate Enrollment Protocol (SCEP) to distribute encrypted configuration profiles over the air. SCEP does require some infrastructure to be set up, but makes the process much easier for IT departments to manage in the long run.

All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved.