Tuesday, January 18, 2011

How to build iPhone profiles for Cisco VPN

Apple came up with a slick way to distribute various iPhone settings to your users via email or the web: profiles. Profiles are basically XML config files that act like plug-ins for the iPhone. They can configure things like Wi-Fi, network, passcode, email and VPN settings on each iPhone. They can even be used to install certificates. Profiles like this are helpful if you have a large number of devices to manage or if you just have a large number of settings you want enforced on each user's iPhone. Additionally, for certain settings, like some VPN and Wi-Fi settings, you have to use profiles.

The bottom line is that moving the manual configuration burden off of each user and into a simple downloadable profile file can drastically cut down on the number of support calls you'll receive. For this article I'm going to focus on how you build VPN profiles for the embedded Cisco IPSEC VPN client. But many of the steps we will take are identical no matter what settings you want to create a profile for. I found building profiles to be pretty straightforward, so let's take a look.

First off, you can use either a Mac or a PC for this process. I used my PC, so I will show you that approach. I'm quite certain that it would be even easier if I used my Mac.
For a PC setup, here are Apple's instructions with my notes added:
“To install the utility on Windows, do the following:

1 For Windows XP, download and run the Microsoft .NET Framework Version 2.0
Redistributable Package (x86) installer from www.microsoft.com/downloads.
JH: I found that I had to uninstall my older .NET 1.1 version and my newer 2.0 SP1 version first, then install the 2.0 version. Not sure why, but I received an error on the 2.0 install before this.

2 Run iPhoneConfigWebUtilSetup.exe.
JH: You can obtain the .exe here: http://www.apple.com/support/downloads/iphoneconfigurationwebutility10forwindows.html

3 To configure the ability to email profiles to users directly from the utility, edit the file
C:\Program Files\Apple\iPhone Configuration Web Utility\config\environments\production.rb so that the parameters in the ActionMailer::Base.smtp_settings method are appropriate for your network.
To confirm that the utility is running, open the Services control panel and make sure that the iPhone Configuration Utility Web service is running.”

OK, so now the “profile maker” is installed. However, you will not see a new program under your Start menu, since it runs purely as a service, and a web service at that, so probably not something you want to keep running all the time for security reasons. To access it, do the following:
1- Open your web browser and go to http://localhost:3000
2- Log in with the username admin and the password admin
You will see a screen like this, with several tabs:



The first tab, General, has some mandatory fields.
1- You must input a NAME for your profile. Whatever you put here is what the end-user sees when they install it.
2- You must input an identifier. The identifier is used to determine whether a profile about to be installed on the iPhone is new or just an update to an existing profile. Basically, if the identifier doesn't match anything already on the iPhone, then it is unique and its settings are added to the device. However, if the identifier does match an existing profile on the iPhone, then the new settings will replace the current settings.
3- The description field is optional but useful.
4- Click Save

Here is a look at my settings:



Next you should set a passcode policy for the iPhones. This is the PIN that you need to enter to access your phone. Here is a look at the settings I chose, not the most secure but the best for me.



Now you set up your Cisco IPSEC VPN settings. The iPhone supports username/password authentication as well as certificate-based auth and certificate plus XAuth authentication.
For the VPN tab you will need to configure the following settings:
1- You must input a Connection Name. This will show up on the user's iPhone if multiple VPN connections are configured.
2- You must select Connection Type of IPSEC (Cisco).
3- Type in the ASA’s IP address under Server.
4- Leave the Account field at the default. Each user will input this themselves; their value is cached locally on the iPhone.
5- For Machine Authentication, either keep the default to use the tunnel/group name or select certificates. I use the group name.
6- Enter the group shared secret and the group name.
7- Hit Save
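Here is what the same settings look like when built by hand with Python's plistlib, as an added example that is not part of the original post: one profile carrying the General tab fields (name, identifier, description), a passcode policy payload and a Cisco IPSEC VPN payload that uses the group name plus shared secret with XAuth for the user's own credentials. The payload key names are assumed from Apple's configuration profile format rather than taken from this post, and every value (server address, group name, secret) is a constructed placeholder.

```python
import plistlib
import uuid

# Payload keys follow Apple's profile format (assumed here, not taken from the post).
def passcode_payload(ident):
    """Passcode policy payload (the Passcode tab); values are constructed."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": ident + ".passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,            # require a passcode at all
        "minLength": 6,
        "maxFailedAttempts": 10,     # wipe after too many wrong guesses
    }

def vpn_payload(name, server, group_name, secret, ident):
    """Cisco IPSEC payload: group name + shared secret, user credentials via XAuth."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": ident + ".vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,          # Connection Name shown on the phone
        "VPNType": "IPSec",               # Connection Type: IPSEC (Cisco)
        "IPSec": {
            "RemoteAddress": server,      # the ASA address
            "AuthenticationMethod": "SharedSecret",
            "LocalIdentifier": group_name,  # tunnel-group name
            "SharedSecret": secret,       # bytes -> <data> element in the plist
            "XAuthEnabled": 1,            # user is still prompted for username/password
        },
    }

def build_profile(name, ident, description, server, group_name, secret):
    """Return .mobileconfig bytes; reusing PayloadIdentifier updates, a new one adds."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadDescription": description,
        "PayloadContent": [passcode_payload(ident), vpn_payload(name, server, group_name, secret, ident)],
    })

def read_profile(blob):
    """Parse a .mobileconfig back into a dict, e.g. to review it before posting."""
    return plistlib.loads(blob)
```

Because the shared secret ends up base64-encoded, not encrypted, in the exported file, treat the .mobileconfig itself as sensitive when you post it or email it.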

Here is a look at my settings (with a non-real IP address of course):



Now we have to export the profile file. To do this go back to the General tab. Down at the bottom of the page are your options.



If you click on the export button the file is downloaded to your PC. You can then send the file via email or post it to your web server and send the link to iPhone users. You must configure your web server so that .mobileconfig files are transmitted as application/x-apple-aspen-config files.
To install, the user browses to the link using the iPhone's Safari browser, clicks the link and is then prompted to install the profile.



Here is what the user sees on their iPhone once they open the profile file; they just click Install:



That's it, you're done! Not too bad, right?

Now, for the end user of the iPhone, starting up and using the VPN once it is installed is easy.
They just click on Settings, then VPN. They pick the VPN profile they want to use (if they only have one, it is selected by default and they skip this step) and slide VPN from Off to On. This starts the IPSEC client. They are then prompted for credentials, and once they are verified you can pop a banner page to them that they have to accept to continue. Once connected, a VPN icon appears in the upper left corner of the screen. Here are some iPhone screenshots of my experience:










To delete a profile, go to Settings, then General, then Profiles. Open a profile and click Remove.

Overall, I found the process very easy and it worked the very first time. You probably noticed that I didn't include any Cisco ASA configs. That's because there are no changes on that end; just configure the IPSEC client VPN head-end like you usually do, or use the ASDM VPN wizard to step you through it.
Here is a link to the Apple iPhone Enterprise Deployment Guide:
http://support.apple.com/manuals/en_US/Enterprise_Deployment_Guide.pdf
