Manage company iPads with the iPhone Configuration Utility

Jacob Bradshaw highlights the iPhone Configuration Utility and how you can use it to secure and manage iPads in your organization.

Given the enormous popularity the iPad has enjoyed within the past few years, it seems inevitable that these devices will eventually saturate the workplace. But even when tablets begin to flood your network, there are tools available that can make your workload lighter, including the iPhone Configuration Utility (iPCU), which helps secure and manage both iPhones and iPads.

If you don't already have it, download the iPhone Configuration Utility. Fortunately, this is a multi-platform tool: it works on Windows XP with Service Pack 3 or later and the .NET Framework 3.5, or on Mac OS X 10.6.8 or later.

Within the initial screen, there are several different options to choose from -- such as Importing Apps and Provisioning Profiles -- but the primary role of iPCU is setting up Configuration Profiles. With these profiles, you can secure the device with passcodes, set options for remote wiping, disable cameras, and even disable other software features like YouTube or iTunes. Once these profiles are created, they can be pushed onto devices that are connected to the computer through USB, exported and emailed to a user, or made available through a web site.

To begin, there is some vocabulary that you should be aware of. The configuration profile is the actual profile that will be distributed to the iOS devices. The payload is an individual collection of features that create the profile, such as VPN, Wi-Fi settings, and so on.

Now, let's take a look inside iPCU:

General: Within this section, you'll need to set up the name of the profile along with the identifier. The identifier will need to be unique and follow a reverse-DNS naming structure (e.g., com.company_name.identifier). You can also input information about the organization name, a brief description, and set the security for the profile. You can specify that a password be entered before the user removes the profile. Within this option, you should know that the Never option specifies that the profile can be updated, but never removed.

Passcode: Here you can set the requirements for the passcode, specifying how long the passcode should be, how often it should be changed, and other parameters to ensure the iOS device is following company guidelines.

Restrictions:
  • Device Functionality: All physical and other such features that you can enable or disable. Have a policy against cameras? Disable the camera. Paying for an employee's data plan and don't want it to use data while roaming? Adjust that setting. You can also disable FaceTime, app installation, in-app purchases, and even Siri. The Game Center settings can be adjusted within this area as well.
  • Applications: Features like YouTube, iTunes, cookies, and other browser features can be controlled here.
  • iCloud: This area may be of considerable value for users, as you can mandate how often the device should be backed up and have it already taken care of, as opposed to attempting to locate their data when the user somehow wipes or loses their device.
  • Security and Privacy: Here you can select whether or not diagnostic data is sent to Apple, or specify if the user can install their own certificates.
  • Content Ratings: Here you can specify whether explicit music or podcasts can be purchased or downloaded from the iTunes store.

Wi-Fi (Enterprise Settings): If you use Enterprise-level authentication to the organization's wireless network, you can make the specifications, certificates, and encryption settings, depending on your enterprise setup.

VPN: Here you can set up the VPN along with the credentials, certificates, and other such required pieces in order to make the VPN readily accessible for your users.

Email: This is used for any email account that uses IMAP or POP3 specifications. If you use an Exchange server, use the Exchange ActiveSync settings below.

Exchange ActiveSync: If your company utilizes Microsoft Exchange, you can create all the settings here to minimize the setup time for your users' access to mail, calendar, and contacts.

LDAP (Attribute Alias): This is especially useful if your company utilizes LDAP for contacts. You can map the contact fields to the corresponding iOS contact fields.

CalDAV: This contains the settings for any calendar that uses the CalDAV specifications.

CardDAV: For any contacts that are synced through the CardDAV specification, the information for syncing can be established here.

Subscribed Calendars: If any CalDAV calendars are set up, this is where you can define read-only access to others' calendars.

Web Clips: The settings here are useful for adding Web Clip shortcuts to users' iOS desktop screens. You can determine how these icons will look on the desktop, and you can make the Web Clips non-user removable.

Credentials: Additional certificates used by the organization or by the user can be set here. All certificates will need to be in .cer, .crt, or .der format in order to be recognized by the device.

SCEP: You can add your organization CA so users may download other certificates if need be.

Mobile Device Management: If you're planning on using a Mobile Device Management service within your organization, this is where you enter the requirements and additional information that will control the devices' settings. You will need to have your company's settings and server information for the MDM in order to complete this section of the payload.

Advanced: These are for cellular settings that can aid in cell service coverage for your users. You can set APN settings and change roaming access options. Use this section with caution.
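
Because a profile can be exported and emailed or posted on a web site, it is worth checking the exported file against company policy before it goes out. The following is an added example, not part of the original article or of iPCU: it audits an unsigned exported .mobileconfig property list, and the baseline values, the com.example identifiers, and the sample profile are assumptions constructed for illustration.

```python
import plistlib

# Assumed company baseline for this example: payload type -> key -> acceptance test.
BASELINE = {
    "com.apple.mobiledevice.passwordpolicy": {      # Passcode payload
        "forcePIN": lambda v: v is True,
        "minLength": lambda v: isinstance(v, int) and v >= 6,
        "maxPINAgeInDays": lambda v: isinstance(v, int) and 0 < v <= 90,
    },
    "com.apple.applicationaccess": {                # Restrictions payload
        "allowCamera": lambda v: v is False,
    },
}

def audit_profile(data: bytes) -> list[str]:
    """Return policy findings for an unsigned exported configuration profile."""
    profile = plistlib.loads(data)
    findings = []
    ident = profile.get("PayloadIdentifier", "")
    if ident.count(".") < 2:                        # expect com.company.name style
        findings.append(f"identifier {ident!r} is not reverse-DNS style")
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("PayloadRemovalDisallowed is not set; removal is not blocked")
    payloads = {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}
    for ptype, checks in BASELINE.items():
        payload = payloads.get(ptype)
        if payload is None:
            findings.append(f"missing payload {ptype}")
            continue
        for key, ok in checks.items():
            if not ok(payload.get(key)):
                findings.append(f"{ptype}: {key}={payload.get(key)!r} fails baseline")
    return findings

# Constructed sample profile (not from a real deployment): short passcode,
# no Restrictions payload, and removal left open.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.ipad-baseline",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [{
        "PayloadType": "com.apple.mobiledevice.passwordpolicy", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ipad-baseline.passcode",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "forcePIN": True, "minLength": 4, "maxPINAgeInDays": 90,
    }],
})

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE)))
```

A signed export is wrapped in a signature envelope and would need to be unwrapped before `plistlib` can read it.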

Even with this tool, profiles on the iOS device are an opt-in and opt-out setup. You can set the profile to not be user-removable, but that doesn't prevent the user from wiping his or her own device and reloading everything without the profile installed.

It must be remembered that tablets are designed and created to be an individual, consumer-based device with all functionality geared toward that mentality. Although profiles will aid you in assisting your users in setting up their iPads to use the company resources, they will not guarantee that the devices are 100% secure and that nothing will ever be compromised.

Passcodes can be set up and required, and wiping can be completed through remote means, but your security is only as good as your users' understanding of it. So, while the iPCU can be extremely beneficial in setting up VPN, installing certificates, and managing passcode requirements, your IT department should still consider policies and training designed to help users understand the necessity of security and how it benefits them, not just their company and employer.

What are some experiences you've had with the iPhone Configuration Utility, and in what ways has it benefited you? Share your comments in the discussion thread below.

About

Jacob Bradshaw is a Systems Admin for the Marriott Library at the University of Utah. He manages all things Mac and mobile related and still geeks out over the latest in all things mobile.

4 comments
Donna Culff Systems Admin

This is a great tool, however I have set Mail to Not Configured to stop employees accessing their personal mail and applied the profile, only for it to allow me to add my personal Gmail account on there? Which is disappointing. Is there any way around this?

Gisabun

Isn't that nice of Apple. A configuration utility that even runs on Windows XP. I'm surprised it wasn't an Apple-only utility.

ffries

IPCU can push app packages and updates downloaded from iTunes. Once the app has been downloaded once, you can point the IPCU to that directory and push those apps as necessary. This can save tremendously on organizational bandwidth usage. Especially if you have a large number of devices.