Jacob Bradshaw highlights the iPhone Configuration Utility and how you can use it to secure and manage iPads in your organization.
Given the enormous popularity the iPad has enjoyed within the past few years, it seems inevitable that these devices will eventually saturate the workplace. But even when tablets begin to flood your network, there are tools available that can make your workload lighter, including the iPhone Configuration Utility (iPCU), which helps secure and manage both iPhones and iPads.
If you already have it, download the iPhone Configuration Utility. Fortunately, this is a multi-platform tool and will work on Windows XP with Service Pack 3 or later and .NET 3.5 framework or Mac 10.6.8 or later.
Within the initial screen, there are several different options to chose from -- such as Importing Apps and Provisioning Profiles -- but the primary role of iPCU is setting up Configuration Profiles. With these profiles, you can secure the device with passcodes, set options for remote wiping, disable cameras, and even disable other software features like YouTube or iTunes. Once these profiles are created, they can be pushed onto devices that are connected to the computer through USB, exported and emailed to a user, or made available through a web site.
To begin, there's some different vocabulary that you should be aware of. The configuration profile is the actual profile that will be distributed to the iOS devices. The payload is an individual collection of features that create the profile, such as VPN, Wi-Fi settings, and so on.
Now, let's take a look inside iCPU:General: Within this section, you'll need to setup and create the name of the profile along with the identifier. The identifier will need to be unique and follow a naming structure of a reverse DNS format (ie: com.company_name.identifier). You can also input information about the organization name, a brief description, and set the security for the profile. You can specify that a password be entered before the user remove the profile. Within this option, you should know that the Never option will specify that the option can be updated, but never removed. Passcode: Here you can set the requirements for the passcode, specifying how long the passcode should be, how often it should be changed, and other parameters to ensure the iOS device is following company guidelines. Restrictions:
- Device Functionality: All physical and other such features that you can enable or disable. Have a policy against cameras? Disable the camera. Paying for an employee's data plan and don't want it to use data while roaming? Adjust that setting. You can also disable FaceTime, app installation, in-app purchases, and even Siri. The Game Center settings can be adjusted within this area as well.
- Applications: Features like YouTube, iTunes, cookies, and other browser features can be controlled here.
- iCloud: This area may be of considerable value for users, as you can mandate how often the device should be backed up and have it already taken care of, as opposed to attempting to locate their data when the user somehow wipes or loses their device.
- Security and Privacy: Here you can select whether or not diagnostic data is sent to Apple, or specify if the user can install their own certificates.
- Content Ratings: Here you can specify whether explicit music or podcasts can be purchased or downloaded from the iTunes store.
Even with this tool, profiles on the iOS device are an opt-in and opt-out setup. You can set the profile to not be user-removable, but that doesn't prevent the user from wiping his or her own device and reloading everything without the profile installed.
It must be remembered that tablets are designed and created to be an individual, consumer-based device with all functionality geared toward that mentality. Although profiles will aid you in assisting your users in setting up their iPads to use the company resources, it will not guarantee that they are 100% secure and nothing will ever be compromised.
Passcodes can be setup and required, wiping can be completed through remote means, but your security is only as good as your users understand it. So, while the iPCU can be extremely beneficial in setting up VPN, installing certificates, and managing passcode requirements, your IT departments should still consider policies and trainings designed at helping users understand the necessity of security and how it benefits them, not just their company and employer.
What are some experiences you've had with the iPhone Configuration Utility, and in what ways has it benefited you? Share your comments in the discussion thread below.