Blogger Paul Mah explains how to use Apple’s iPhone Configuration Utility to deploy and secure iPhones in your enterprise.


Several months ago, I wrote about why the RIM BlackBerry is better suited for the enterprise than the Apple iPhone. But despite the iPhone’s weaker management controls, the device is hardly dead in the water when it comes to corporate deployments.

Apple’s free iPhone Configuration Utility makes it easy for administrators to create profiles for configuring basic behavior and deploying the profiles onto end users’ iPhones. This tutorial walks you through how to create and deploy custom configuration profiles onto an iPhone or an iPod Touch.

For more on this topic, read Vincent Danen’s tip Get increased password protection on the iPhone, and order iPhone in the Enterprise: Management solutions from the TechRepublic Store.

Deploying iPhones in your enterprise

Create and configure profiles

First, you need to download the iPhone Configuration Utility from the Apple site; the application (currently version 2.2) is available for the Mac OS X and the Windows platforms.

After downloading the utility, the first thing you’ll want to do is create a new configuration profile under the appropriate tab. The settings that you see in Figure A pertain to data security policies, various network and wireless configurations, Exchange account details, mail settings, the installation of security certificates on the iPhone, and more.
Figure A

Click the image to enlarge.

In the screenshot, you see the Applications and Provisioning Profiles tabs. Provisioning Profiles is for companies that develop applications for internal distribution. After digital signing with a certificate issued by Apple, an appropriate distribution provisioning profile must be installed onto corporate iPhones in order for the devices to run these applications. The Applications tab is used to facilitate the rollout of such applications.

Note: The iPhone Configuration Utility does not handle the creation of the provisioning profile itself; as such, I am focusing on the exporting and installing of a configuration profile.  Managers and administrators who are interested in this can read more in Section 5 of Apple’s iPhone OS Enterprise Deployment Guide (PDF).
Export the configuration profile
After configuring the profile, it is necessary to export the profile into a .mobileconfig file if the desired deployment method is via email or the Web. Available security options here are essentially None, Sign, and Sign And Encrypt (Figure B).
Figure B

Click the image to enlarge.

Signed configuration profiles cannot be surreptitiously modified; once installed, the profiles can only be altered by a profile with the same identifier and correctly signed by the same instance of the iPhone Configuration Utility. This affords some protection against modification of the configuration. While crucial information is obfuscated here, the file itself is not encrypted in any way.

Signed and encrypted configuration profiles cannot be modified or examined. I would discount the use of anything lesser than an encrypted configuration profile, since this exposes the settings to casual snooping.

Deploy the configuration profile
The simplest way to deploy configuration profiles is to connect the device via USB. The iPhone will be seen from within the iPhone Configuration Utility, and it is a matter of tagging the correct profile and clicking Install (Figure C). Profiles deployed in this manner are automatically signed and encrypted.
Figure C

Click the image to enlarge.

In addition, it is possible to deploy configuration profiles via email or over the Web. To distribute via email, simply send the profile as an uncompressed email attachment. Users will need to tap on the file from the message body, or navigate to the appropriate website via Safari and tap on the file to initiate installation.

You can also deploy configuration profiles over-the-air via the secure enrollment and configuration process enabled via the Simple Certificate Enrollment Protocol (SCEP), which will also be automatically signed and encrypted.

Securing iPhones in your enterprise

There are a number of configurable options are exposed via the iPhone Configuration Utility to better secure the iPhone.

Configure security
After creating the configuration profile, it is important to define the conditions under which it can be removed. In Figure D, you see that the default setting allows users to remove the profile at any time, which certainly does not contribute to a more secure smartphone environment.
Figure D

Click the image to enlarge.

Selecting With Authentication will bring up a prompt for an Authorization Password that is required prior to deleting the profile. Users will be able to reset the device to factory defaults to circumvent all controls; any installed applications will be wiped out at the same time.

Enforce Passcode requirement
The Passcode option (Figure E) makes it possible to go beyond the default four-digit numeric passcode used by the iPhone. After creating a Passcode payload, select Require Passcode On Device. Also, be sure to change the Minimum Passcode Length to the desired length; this will force users to create a passcode conforming to the new complexity requirements upon installing the configuration profile. I recommend 6 – 8 characters as a bare minimum. It is possible to up the complexity requirements of the passcode by various means, such as forcing the use of an alphanumeric value and disallowing the use of simple or repeating values. You can also define the setting for failed attempts allowable after which the device will automatically erase all data on the device.
Figure E

Click the image to enlarge.

Enforce use of VPN
The ability to enforce the use of an encrypted VPN offers good protection against snooping; this is easily achieved by forcibly routing all network traffic via a VPN connection (Figure F). The use of VPN also helps protect data transferred across open Wi-Fi networks. For greater security, it is recommended to make use of IPSec with digital certificates, which should offer protection against man-in-the-middle (MITM) attacks.
Figure F

Click the image to enlarge.

Custom APN
Some mobile providers offer the ability to create a custom Access Point Name (APN); the iPhone Configuration Utility allows the iPhone to be configured to a specific APN.

While this will not protect against eavesdropping by your mobile provider (think federal wiretaps), the use of a custom APN makes it possible to segregate your company’s data packets from the general network traffic.

Other alternatives
There are more ways to secure the iPhone, including disabling the installation of apps from the App Store and the use of iTunes; you can do this by configuring the options in the Restrictions tab (Figure G). The ability to do a screen capture of the iPhone is also disabled.
Figure G

Click the image to enlarge.

Ultimately, the security of the iPhone relies heavily on the fact that applications running on the device have to be digitally signed. The lack of multitasking for user-level applications does enforce a sandbox on the amount of process or memory snooping that can be done; unfortunately, the availability (and use) of jailbreak tools to run third-party applications greatly weakens this security paradigm.


Apple has announced a number a slew of improvements in the iPhone OS 4.0, including improved ease of over-the-air deployment. (Find out what enterprise IT needs to know about iPhone 4.) For now, the iPhone Configuration Utility remains the best tool for deploying and securing the iPhone in your organization.

Get smartphones tips and news in your inbox
TechRepublic’s Smartphones newsletter, delivered each Thursday, features tips on how to deploy and manage smartphones in your enterprise, product reviews, news updates, photo galleries, and more. Automatically sign up today!