iPhone Configuration Utility

Introduction
Read this document to learn how to use iPhone Configuration Utility to create configuration profiles. Configuration
profiles define how iOS devices work with your enterprise systems.

About configuration profiles


Configuration profiles are XML files that contain device security policies and restrictions, VPN configuration
information, Wi-Fi settings, email and calendar accounts, and authentication credentials that permit iPhone, iPod
touch, and iPad to work with your enterprise systems. Configuration profiles quickly load settings and authorization
information onto a device. Some VPN and Wi-Fi settings can be set only by using a configuration profile, and if
you’re not using Microsoft Exchange, you need to use a configuration profile to set device passcode policies.

You can install configuration profiles on devices connected to a computer via USB using iPhone Configuration
Utility, or you can distribute configuration profiles by email or on a webpage. When users open the email attachment
or download the profile using Safari on their device, they’re prompted to begin the installation process. If you’re
using a Mobile Device Management server, you can distribute an initial profile that contains just the server
configuration information, then have the device obtain all other profiles wirelessly.

Configuration profiles can be encrypted and signed, which lets you restrict their use to a specific device and
prevents anyone from changing the settings that a profile contains. You can also mark a profile as being locked to
the device, so once installed, it can be removed only by wiping the device of all data, or optionally, by entering a
passcode.

With the exception of passwords, users cannot change the settings provided in a configuration profile. Accounts that
are configured by a profile, such as Exchange accounts, can only be removed by deleting the profile.

About iPhone Configuration Utility


Use iPhone Configuration Utility to easily create, encrypt, and install configuration profiles, track and install
provisioning profiles and authorized apps, and capture device information, such as console logs.

iPhone Configuration Utility requires one of the following:

Windows XP Service Pack 3 with .NET Framework 3.5 Service Pack 1

Windows Vista Service Pack 1 with .NET Framework 3.5 Service Pack 1

Windows 7 with .NET Framework 3.5 Service Pack 1

Windows 8 with .NET Framework 3.5 Service Pack 1

iPhone Configuration Utility operates in 32-bit mode on 64-bit versions of Windows.

You can download the .NET Framework 3.5 Service Pack 1 installer at:
www.microsoft.com/downloads/details.aspx?FamilyID=d0e5dea7-ac26-4ad7-b68c-fe5076bba986&displaylang=en

The iPhone Configuration Utility lets you create an Outlook message with a configuration profile as an attachment.
You can also assign users’ names and email addresses from your desktop address book to devices that you’ve
configured by connecting them to your computer. Both of these features require Outlook, and aren’t compatible with
Outlook Express. On Windows XP computers, you may need to install 2007 Microsoft Office System Update:
Redistributable Primary Interop Assemblies. This is necessary if Outlook was installed before .NET Framework 3.5
Service Pack 1.

The Primary Interop Assemblies installer is available at:
www.microsoft.com/downloads/details.aspx?familyid=59DAEBAA-BED4-4282-A28C-B864D8BFA513&displaylang=en

When you run the iPhone Configuration Utility installer, the utility is installed in Programs\iPhone Configuration
Utility.

Note: Configuration profiles created with iPhone Configuration Utility 3.6.2 fully support iOS 6.1 devices. You can
use these profiles with earlier iOS releases, but payloads and settings that aren’t supported by a release are
ignored.

In iPhone Configuration Utility, the sidebar shows the Library, which contains the following categories:

Devices shows a list of iOS devices that have been connected to your computer.
Applications lists your apps that are available to install on devices attached to your computer. A provisioning profile
might be needed for an app to run on a device.
Provisioning Profiles lists profiles that permit the use of the device for iOS development, as authorized by Apple
Developer Connection. Provisioning profiles also allow devices to run enterprise apps that aren’t distributed
through the App Store.
Configuration Profiles lists the configuration profiles you previously created, and lets you edit the information you
entered, or create a new configuration that you can send to a user or install on a connected device.

The sidebar also shows information about iOS devices currently connected to your computer via USB. Information
about a connected device is automatically added to the Devices list, so you can view it again without having to
reconnect the device. After a device has been connected, you can also encrypt profiles for use on only that device.

When a device is connected, you can use iPhone Configuration Utility to install configuration profiles and apps on
the device. You can also view the console log, which is the same log that’s available in the Xcode development
environment.

iPhone Configuration Utility ► Creating configuration profiles

About creating configuration profiles


This document uses the terms configuration profile and payload. A configuration profile is a file that configures one
or more settings for iPhone, iPod touch, or iPad. A payload is a collection of a certain type of settings, such as VPN
settings, within the configuration profile. A configuration profile contains one or more payloads.

Although you can create a single configuration profile that contains all of the payloads you need for your
organization, consider creating separate profiles that allow you to enforce policies while granting access, as well as
provide updates to any settings that may change.

Many of the payloads let you specify user names and passwords. If you omit this information, the user is asked to
enter the missing information when the profile is installed. If you include passwords, you should distribute the
profile in encrypted format to protect its contents. For more information see About installing configuration profiles.

To create a new configuration profile, click the New button in the iPhone Configuration Utility toolbar. You add
payloads to the profile using the payloads list. Then you edit the payloads by entering and selecting options that
appear in the editing pane. Required fields are marked with a red arrow. For some settings such as Wi-Fi, you can
click the Add button (+) to add a configuration. To remove a configuration, click the Delete button (–) in the editing
pane.

To edit a payload, select the appropriate item in the payloads list, click the Configure button, and then fill in the
information as described in this document.

Automating configuration profile creation


You can automate the creation of configuration files using C# Script. To see the supported methods and their
syntax, use Visual Studio to view the method calls provided by iPCUScripting.dll. To execute a script, pass the script
name to iPhone Configuration Utility as a command-line parameter.

General settings
This is where you provide the name and identifier of the profile, and specify whether users can remove the profile
after it’s installed.

Setting Description

Name: The name you specify appears in the profiles list and is displayed on the device after the configuration
profile is installed. The name doesn’t have to be unique, but you should use a descriptive name that identifies
the profile.

Identifier: The profile identifier must uniquely identify this profile and must use the reverse DNS format
com.companyname.identifier, where identifier describes the profile—for example, com.mycompany.homeoffice.
The identifier is important because, when a profile is installed, the value is compared with profiles that are
already on the device. If the identifier is unique, information in the profile is added to the device. If the
identifier matches an installed profile, information in the profile replaces the settings already on the
device—except in the case of Exchange settings. To alter an Exchange account, the profile must first be manually
removed so that the data associated with the account can be purged.

Organization: Enter the name of your organization, to help users identify the source of this profile.

Description: A description and identifier are useful if you’ll be managing profiles over the air using a mobile
device management solution that queries devices for the profiles that are installed.

Consent Message: Enter a brief message that will be displayed, and the user will be asked to acknowledge, when
the profile is installed.

Security: To prevent a user from deleting a profile installed on a device, choose an option from the Security
pop-up menu. The With Authorization option lets you specify an authorization password that permits removing the
profile from the device. If you select the Never option, the profile can be updated with a new version, but it
cannot be removed.

Automatically Remove Profile: The profile is automatically deleted from the device after the interval (in days,
following installation) or a specific date has expired. Profile expirations are evaluated by the device once per
day.

Passcode settings
Use this payload to set device policies if you aren’t using Exchange passcode policies. You can specify whether a
passcode is required in order to use the device, and specify characteristics of the passcode and how often it must
be changed. When the configuration profile is loaded, the user is immediately required to enter a passcode that
meets the policies you select. Otherwise, the profile won’t be installed.

If you use device policies and Exchange passcode policies, the two sets of policies are merged and the strictest
settings are enforced. For information about supported Exchange ActiveSync policies, see the article “Exchange
ActiveSync and iOS Devices.”

The following policies are available:

Setting Description

Allow simple value: Permits users to use sequential or repeated characters in their passcodes. (For example,
this would allow the passcodes “3333” or “DEFG.”)

Require alphanumeric value: Requires that the passcode contain at least one letter or number.

Minimum passcode length: Specifies the minimum number of characters a passcode can contain.

Minimum number of complex characters: The minimum number of non-alphanumeric characters (such as $, &, and !)
that the passcode must contain.

Maximum passcode age: Requires users to change their passcode at the interval (in days) you specify.

Passcode history: A new passcode won’t be accepted if it matches a previously used passcode. You can specify how
many previous passcodes are remembered and compared.

Maximum Auto-Lock: If the device isn’t used for the number of minutes you specify, it automatically locks.
Entering the passcode unlocks it. This setting specifies the maximum value the user is allowed to configure.

Maximum Grace period for device lock: Specifies how soon the device can be unlocked again after use, without
prompting again for the passcode. This setting specifies the maximum value the user is allowed to configure.
Setting this to None allows the user to choose any of the intervals available. Setting this to Immediately
requires a passcode every time the device is unlocked.

Maximum number of failed attempts: Determines how many failed passcode attempts can be made before the device is
wiped. After six failed passcode attempts, the device imposes a time delay before a passcode can be entered
again. The time delay increases with each failed attempt. After the final failed attempt, all data and settings
are securely erased from the device. The passcode time delay begins after the sixth attempt, so if you set this
value to 6 or lower, no time delay is imposed and the device is erased when the attempt limit is exceeded.

iPhone Configuration Utility ► Creating configuration profiles ► Restrictions settings

Device functionality

Setting Description

Allow installing apps: When this option is off, the App Store is disabled and its icon is removed from the Home
screen. Users are unable to install or update apps using the App Store or iTunes.

Allow use of camera: When this option is off, cameras are completely disabled and the Camera icon is removed from
the Home screen. Users can’t take photographs or videos, or use FaceTime.

Allow FaceTime: When this option is off, users can’t place or receive FaceTime video calls.

Allow screen capture: When this option is off, users can’t save a screenshot of the display.

Allow automatic sync while roaming: When this option is off, devices that are roaming will sync only when an
account is accessed by the user.

Allow Siri: When this option is off, users can’t use Siri, voice commands, or dictation.

Allow Siri while device locked: When this option is off, users must unlock the device with their passcode before
using Siri.

Allow voice dialing: When this option is off, users can’t dial their phone using voice commands.

Allow Passbook while device is locked: When this option is off, the device doesn’t display Passbook notifications
while locked.

Allow In-App purchase: When this option is off, users can’t make in-app purchases.

Force user to enter store password for all purchases: Requires users to enter their Apple ID password before
making any purchase. Normally, there’s a brief grace period after a purchase is made before users have to
authenticate for subsequent purchases.

Allow multiplayer gaming: When this option is off, users can’t play multiplayer games in Game Center.

Allow adding Game Center friends: When this option is off, users can’t add friends in Game Center.

Applications

Setting Description

Allow use of YouTube: When this option is off, the YouTube app is disabled and its icon is removed from the Home
screen. (The YouTube app is included with iOS 5 and earlier.)

Allow use of the iTunes Store: When this option is off, the iTunes Store is disabled and its icon is removed from
the Home screen. Users can’t preview, purchase, or download content.

Allow use of Safari: When this option is off, the Safari web browser app is disabled and its icon removed from
the Home screen. This also prevents users from opening web clips.

Enable autofill: When this option is off, Safari doesn’t remember what users enter in web forms.

Force Fraud warning: When this option is off, Safari doesn’t attempt to prevent the user from visiting websites
identified as being fraudulent or compromised.

Enable JavaScript: When this option is off, Safari ignores all JavaScript on websites.

Block pop-ups: When this option is off, Safari’s pop-up blocking feature is disabled.

Accept cookies: Choose to accept all cookies, accept no cookies, or reject cookies from sites not directly
accessed.

iCloud

Setting Description

Allow backup: When this option is on, users can back up their device to iCloud.

Allow document sync: When this option is on, users can store documents in iCloud.

Allow Photo Stream: When this option is on, users can enable Photo Stream. Installing a configuration profile
with this restriction will erase Photo Stream photos from the user’s device and prevent photos from the Camera
Roll from being sent to Photo Stream. If there are no other copies of these photos, they may be lost.

Allow shared photo streams: When this option is on, users can invite others to view their photo streams and can
view photo streams shared by others.

Security and privacy

Setting Description

Allow diagnostic data to be sent to Apple: When this option is off, iOS diagnostic information isn’t sent to
Apple.

Allow user to accept untrusted TLS certificates: When this option is off, users will not be asked if they want to
trust certificates that cannot be verified. This setting applies to Safari and to Mail, Contacts, and Calendar
accounts.

Force encrypted backups: When this option is off, users can choose whether or not device backups performed in
iTunes are stored in encrypted format on their computer. If any profile is encrypted and this option isn’t turned
off, encryption of backups is required and enforced by iTunes. Profiles installed on the device by iPhone
Configuration Utility are always encrypted. For more information about iTunes backups, see the article Deploying
iTunes for iOS Devices.

Content ratings
Select a ratings region, then select maximum allowed ratings for movies, TV shows, and apps.

Setting Description

Allow explicit music, podcasts, and iTunes U: When this option is off, explicit music or video content in the
iTunes Store is hidden. Explicit content is flagged by content providers.

Allow iBookstore erotica: When this option is off, erotica in the iBookstore is hidden. Explicit content is
flagged by content providers.

iPhone Configuration Utility ► Creating configuration profiles ► Wi-Fi settings

Enterprise settings
In this section, you specify settings for connecting to enterprise networks. These settings appear when you choose
an Enterprise setting in the Security Type pop-up menu.

In the Protocols tab, you specify which EAP methods to use for authentication, and configure the EAP-FAST
Protected Access Credential settings.

In the Authentication tab, you specify sign-in settings, such as user name and authentication protocols. If you’ve
installed an identity using the Credentials section, you can choose it using the Identity Certificate pop-up menu.

In the Trust tab, you specify which certificates should be trusted for the purpose of validating the authentication
server for the Wi-Fi connection. The Trusted Certificates list shows certificates that have been added using the
Credentials tab, and lets you select which certificates are trusted. Add the names of the authentication servers to be
trusted to the Trusted Server Certificates Names list. You can specify a particular server, such as
server.mycompany.com, or a partial name such as *.mycompany.com.

iPhone Configuration Utility ► Creating configuration profiles ► VPN settings

About VPN settings


Use this payload to enter the VPN settings for connecting to your network. You can add multiple VPN configurations
by clicking the Add button (+). Settings you specify in the configuration profile can’t be modified by the user.

For information about supported VPN protocols and authentication methods, see the article VPN Server
Configuration for iOS Devices. The options available vary by the protocol and authentication method you select.

To configure F5 SSL, Juniper SSL, SonicWALL Mobile Connect, Aruba Networks VIA, Check Point Mobile,
OpenVPN, or Cisco AnyConnect, choose the appropriate item from the Connection Type pop-up menu. Make sure
that the Realm and Role (Juniper), Group (Cisco), or Login Group or Domain (SonicWALL) values match those
specified on the VPN server. Users must install both the configuration profile and the appropriate authentication
app from the App Store.

For other SSL VPN solutions, contact your vendor to see if they have an app in the App Store that can be configured
with iPhone Configuration Utility. Enter the configuration information you get from the vendor by choosing Custom
SSL from the Connection Type pop-up menu. Make sure the Identifier field matches the identifier specified by your
vendor’s VPN app and is in reverse DNS format (for example, com.example.myvpn). Your users must install both
the vendor’s app and the configuration profile to connect to your network.

Note: Shared secrets that contain quotation marks are not supported.

VPN On Demand
For certificate-based and SSL configurations, you can turn on VPN On Demand so that a VPN connection is
automatically established when accessing certain domains.

Setting Description

Always: Initiates a VPN connection for any address that matches the specified domain.

Never: Doesn’t initiate a VPN connection for addresses that match the specified domain, but if VPN is already
active, it can be used.

Establish if needed: Initiates a VPN connection for addresses that match the specified domain, after a failed DNS
look-up has occurred.

The action applies to all matching addresses. Use an asterisk (*) as a wildcard character. For example, * matches
all addresses, and *.example.com matches only those that end with example.com.

LDAP connections don’t initiate a VPN connection; if the VPN hasn’t already been established by another app, such
as Safari, the LDAP lookup fails.

The device closes a VPN session initiated by VPN On Demand after two minutes of inactivity. If the connection was
initiated manually using the Settings app, the VPN server’s timeout applies.

VPN proxy
iPhone supports manual VPN proxy, and automatic proxy configuration using PAC or WPAD. To specify a VPN proxy,
select an option from the Proxy Setup pop-up menu.

For PAC-based auto-proxy configurations, select Automatic from the pop-up menu and enter the URL of a PAC file.

For Web Proxy Autodiscovery (WPAD) configurations, select Automatic from the pop-up menu. If you leave the Proxy
Server URL field empty, iPhone will request the WPAD file using DHCP and DNS.

Mail settings
Use this payload to configure POP or IMAP mail accounts for the user. iOS supports industry-standard IMAP4 and
POP3 mail solutions on a range of server platforms, including OS X, Windows, UNIX, and Linux.

Users can change some of the mail settings you provide in a profile, such as the account name, password, and
alternative SMTP servers. If you omit any of this information from the profile, users are asked to enter it when they
access the account.

You can add multiple mail accounts by clicking the Add button (+).

Setting Description

Allow Move: When this option is off, the user cannot move messages sent or received by this account to a
different mail account. Also prevents using another account to reply to or forward a message from this account.

Allow Recent Address Syncing: When this option is off, recently used addresses aren’t synced with other devices
using iCloud.

Use only in Mail: This is an outgoing mail setting. This account can only be used to send messages from Mail. It
cannot be selected as a sending account for messages created by other apps, such as Photos or Safari.

Use S/MIME: This is an outgoing mail setting. To select the signing and encryption certificates to use with this
account, you must first add them using the Credentials pane. The identities must be enabled for Key Encipherment,
and their Common Name must match the email address specified in this payload. See Credentials settings for
information about adding certificates.

Exchange ActiveSync settings


Use this payload to enter the user’s settings for your Microsoft Exchange server. You can create a profile for a
specific user by specifying the user name, host name, and email address, or you can provide just the host name—
users are prompted to fill in the other values when they install the profile.

You can configure multiple Exchange accounts by clicking the Add button (+).

Setting Description

Allow Move: When this option is off, the user cannot move messages sent or received by this account to a
different mail account. Also prevents using another account to reply to or forward a message from this account.

Allow Recent Address Syncing: When this option is off, recently used addresses aren’t synced with other devices
using iCloud.

Use only in Mail: This account can only be used to send messages from Mail. It cannot be selected as a sending
account for messages created by other apps, such as Photos or Safari.

Use S/MIME: This is an outgoing mail setting. To select the signing and encryption certificates to use with this
account, you must first add them using the Credentials pane. The identities must be enabled for Key Encipherment
and their Common Name must match the email address specified in this payload. See Credentials settings for
important information about adding certificates.

Identity Certificate: Select the identity certificate used to authenticate with the Exchange ActiveSync Server.
The certificate must first be added using the Credentials pane. See Credentials settings. If some of your users
have devices with iOS 4, after selecting the certificate, turn on “Make Identity Certificate Compatible with
iOS 4.” This embeds the certificate in the Exchange payload, in addition to referencing it from the Credentials
payload. Configuration profiles that use this older method are also compatible with iOS 5.

If you select the Use SSL option, use the Credentials pane to add any root or intermediate certificates that are
necessary to validate the server’s SSL certificate.

For information about requirements and supported features, see the article Exchange ActiveSync and iOS Devices.

iPhone Configuration Utility ► Creating configuration profiles ► LDAP settings

LDAP attribute aliases


The LDAP administrator can set up attribute aliases to improve the mapping of directory information to Contacts on
iOS devices.

LDAP attribute              Contacts field
givenName                   First
sn                          Last
mail                        Email
telephoneNumber             Work Phone
facsimileTelephoneNumber    Fax
o                           Company
title                       Title
buildingName                Building
street                      Street
l                           City
postalCode                  Zip
c                           Country
jpegPhoto                   Photo
mobile                      Mobile phone number
pager                       Pager number
IMHandle                    Instant Messaging address
homePhone                   Home
postalAddress               Address
homePostalAddress           Home address

Calendar settings
iPhone, iPod touch, and iPad synchronize calendar data with your company’s Calendar server. Changes to the
calendar are periodically updated between the device and server.

Use this payload to provide account settings for connecting to a CalDAV-compliant calendar server. These accounts
will be added to the device. As with Exchange accounts, users need to manually enter information you omit from the
profile, such as their account password, when the profile is installed.

Creating and responding to new calendar invitations from a device is supported for CalDAV servers that support the
“calendar-auto-schedule” specification.

If you select the Use SSL option, use the Credentials pane to add any root or intermediate certificates that are
necessary to validate the server’s SSL certificate.

To configure multiple CalDAV accounts, click the Add button (+).


Subscribed calendars settings


Use this payload to add read-only calendar subscriptions to the device’s Calendar app. To configure multiple
subscriptions, click the Add button (+).

A list of public calendars you can subscribe to is available at: www.apple.com/downloads/macosx/calendars/

If you select the Use SSL option, use the Credentials pane to add any root or intermediate certificates that are
necessary to validate the server’s SSL certificate.

Contacts settings
iOS devices retrieve contact information from your company’s contact list. You can access directories when
searching in Contacts, and those directories are automatically used to complete email addresses as you enter
them.

Use this payload to provide account settings for connecting to a CardDAV-compliant contact server. If you omit the
account information, users need to manually enter it when the profile is installed.

To configure multiple CardDAV accounts, click the Add button (+).

If you select the Use SSL option, use the Credentials pane to add any root or intermediate certificates that are
necessary to validate the server’s SSL certificate.

Web clip settings


Use this payload to add web clips to the Home screen of the user’s device. Web clips provide fast access to favorite
web pages. Or, for example, add a web clip with a phone number (in the form tel://14089961010) to provide a quick
way to dial your support desk. To add multiple web clips, click the Add button (+).

If you choose to prevent the user from removing the web clip, it cannot be deleted from the device unless the user
removes the configuration profile that installed it.

To add a custom icon, select a graphic file in GIF, JPEG, or PNG format. For best results, provide a square image
that’s no larger than 400 x 400 pixels and less than 1 MB in size when uncompressed. The graphic will be
automatically scaled and cropped to fit, if necessary, and converted to PNG format. Web clip icons are 104 x 104
pixels for devices with a Retina display, and 57 x 57 pixels for all other devices. To prevent the device from adding a
shine to the image, choose Precomposed Icon.

A full-screen web clip opens the URL as a web app.

Credentials settings
iOS devices can use X.509 certificates with RSA keys. The file extensions .cer, .crt, and .der are recognized.

Use the Credentials settings payload to add certificates and identities to the device. When an identity is installed,
the user is prompted for the passphrase that protects it, unless you include the passphrase in the payload.

When you install credentials, you should also install the intermediate certificates that are necessary to establish a
chain to a trusted certificate that’s on the device. To view a list of the preinstalled roots, see the Apple Support article
at: http://support.apple.com/kb/HT4415

If the credential isn’t available in your personal certificate store, you must add it.

Adding credentials: Select the certificate you want from the Windows certificate store. The private key must be
marked as exportable, which is one of the options offered by the Certificate Import Wizard. Adding root
certificates requires administrator access to the computer, and the certificate must be added to the personal
certificate store.

If you include the certificate passphrase in the payload, you should encrypt the configuration profile when you export
it. If you omit the passphrase, the user will be asked to enter it when the profile is installed.

Instead of installing certificates using a configuration profile, you can let users use Safari to download the
certificates to their device from a webpage. Or, you can email certificates to users. You can also use the SCEP
Settings, described below, to specify how the device obtains certificates over the air when the profile is installed.

To add an identity for use with Microsoft Exchange, use the Exchange payload instead. See Exchange ActiveSync
settings.

SCEP settings
The SCEP payload lets you specify settings that allow the device to obtain certificates from a CA using Simple
Certificate Enrollment Protocol (SCEP).

Setting: Description

URL: This is the address of the SCEP server.

Name: This can be any string that’s understood by the certificate authority. It can be used to distinguish between
instances, for example.

Subject: The representation of an X.500 name as an array of OID and value. For example,
/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar, which translates to:
[ [ [“C”, “US”] ], [ [“O”, “Apple Inc.”] ], ..., [ [ “1.2.5.3”, “bar” ] ] ]

Subject Alternative Name: Specify the type and value of an alternative name for the SCEP server. Valid values are
an email address (RFC-822), the DNS name of the server, or the server’s fully qualified URL.

Challenge: A pre-shared secret the SCEP server can use to identify the request or user.

Key Size and Usage: Select a key size, and—using the checkboxes below this field—the acceptable uses of the key.

Fingerprint: If your Certificate Authority uses HTTP, use this field to provide the fingerprint of the CA’s certificate,
which the device will use to confirm authenticity of the CA’s response during the enrollment process. You can enter
a SHA1 or MD5 fingerprint, or select a certificate to import its signature.

Retries: The number of times the device should try again if the server sends a pending response.

Retry Delay: The number of seconds to wait between retries.
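The Subject translation and the Fingerprint rule from the table above, as an added Python example (not part of the original document or of iPhone Configuration Utility). The payload key names (PayloadType, PayloadContent, Keysize, Key Type, RetryDelay, CAFingerprint) come from Apple's configuration profile format rather than from this page, and the server address, CA name and certificate bytes are constructed placeholders.

```python
import hashlib
import plistlib


def subject_to_array(subject):
    """'/C=US/O=Apple Inc./CN=foo' -> [[["C", "US"]], [["O", "Apple Inc."]], [["CN", "foo"]]].

    Each /OID=value component becomes one single-pair group. Values that
    themselves contain '/' are not handled (this sketch does no escaping).
    """
    groups = []
    for part in subject.strip("/").split("/"):
        oid, sep, value = part.partition("=")
        if not (sep and oid and value):
            raise ValueError(f"malformed subject component: {part!r}")
        groups.append([[oid, value]])
    return groups


def build_scep_payload(url, name, subject, ca_cert_der=None, challenge=None,
                       keysize=2048, retries=3, retry_delay=10):
    """Assemble a SCEP payload dict; refuse plain HTTP without a CA fingerprint."""
    content = {
        "URL": url, "Name": name, "Subject": subject_to_array(subject),
        "Keysize": keysize, "Key Type": "RSA",
        "Retries": retries, "RetryDelay": retry_delay,
    }
    if challenge is not None:
        content["Challenge"] = challenge  # pre-shared secret, handle like a password
    if ca_cert_der is not None:
        # SHA-1 over the DER-encoded CA certificate (the page allows SHA1 or MD5)
        content["CAFingerprint"] = hashlib.sha1(ca_cert_der).digest()
    elif not url.lower().startswith("https://"):
        raise ValueError("SCEP over HTTP requires the CA certificate fingerprint")
    return {"PayloadType": "com.apple.security.scep", "PayloadContent": content}


if __name__ == "__main__":
    # Constructed bytes standing in for a DER-encoded CA certificate.
    fake_ca_der = b"constructed bytes standing in for a DER certificate"
    payload = build_scep_payload("http://scep.example.org/scep", "ExampleCA",
                                 "/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar",
                                 ca_cert_der=fake_ca_der)
    print(plistlib.dumps(payload).decode())
```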


Mobile Device Management settings


The Mobile Device Management (MDM) payload configures the device so that its configuration will be managed over
the air by an MDM server, available from third-party solution providers. Only one MDM payload can be installed on a
device, and once it’s installed, the device can receive further configuration profiles wirelessly.

The Mobile Device Management server can install configuration profiles, but can only remove configuration profiles
that it installed. To make sure that you can update or remove configurations, once a device has been configured to
use the server, you should distribute all your configuration profiles wirelessly.

Setting: Description

Server URL: The fully-qualified, publicly accessible URL of the MDM server. It must begin with https://, and can
specify a port number. Example: https://mdm.example.org:nnnn

Check In URL: An optional, fully-qualified URL that the device contacts after being notified there’s a profile
available for installation. It must begin with https:// and can specify a port number. Example:
https://mdm.example.org:nnnn
If this isn’t specified, the device uses the Server URL.

Topic: The topic field identifies which push notification messages contain MDM directives. The value must match
the User ID in the Subject field of the certificate used by the MDM server to send push notifications.

Identity: Select the certificate that the device uses to identify itself to the MDM server. Add the certificate to the
device using the Credentials pane, or use SCEP Settings to provide instructions for the device to obtain the
certificate using SCEP.

Sign Messages: Instructs the device to add a signature header to every HTTP response to the MDM server. See your
MDM server documentation for information about using this option with your server.

Check out when removed: Instructs the device to notify the MDM server if this payload is removed by the user.

Access Rights: Use the Access Rights checkboxes to specify the rights granted to the MDM server.
You can allow the device to respond to various queries, permit remote administration of profiles, apps, and
settings, and allow remote passcode changes and wiping.
The options you select here work together with your MDM server. See its documentation for information.

Apple Push Notification Service: If you enable Use Development APNS Server, the device listens for all push
notifications from the Apple Push Notification Server development server. This should be used only during
development of MDM server software.

In order to communicate with an MDM server, the device must be able to contact the Apple Push Notification Server.
If your devices connect to your internal network, be sure to allow connections to 17.*.*.* addresses.
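A pre-deployment check for the MDM settings described above, as an added Python example (not part of the original document or of any MDM product). The key names (ServerURL, CheckInURL, Topic, IdentityCertificateUUID, UseDevelopmentAPNS, PayloadUUID) and payload types come from Apple's configuration profile format rather than from this page; the sample profile and its values are constructed.

```python
IDENTITY_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}


def lint_mdm(profile, push_cert_uid):
    """Return findings for the MDM payload(s) in a parsed profile dict."""
    payloads = profile.get("PayloadContent", [])
    # UUIDs of the Credentials and SCEP payloads that can supply the identity.
    identities = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType") in IDENTITY_TYPES and "PayloadUUID" in p}
    mdm = [p for p in payloads if p.get("PayloadType") == "com.apple.mdm"]
    findings = []
    if len(mdm) > 1:
        findings.append("more than one MDM payload")
    for p in mdm:
        for key, required in (("ServerURL", True), ("CheckInURL", False)):
            url = p.get(key)
            if url is None:
                if required:
                    findings.append(f"{key} missing")
            elif not url.lower().startswith("https://"):
                findings.append(f"{key} does not begin with https://")
        if p.get("Topic") != push_cert_uid:
            findings.append("Topic differs from push certificate User ID")
        if p.get("IdentityCertificateUUID") not in identities:
            findings.append("identity not supplied by a Credentials or SCEP payload")
        if p.get("UseDevelopmentAPNS"):
            findings.append("development APNS server enabled")
    return findings


# Constructed sample profile (all values made up for illustration).
SAMPLE = {
    "PayloadIdentifier": "org.example.mdm-enroll",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.scep", "PayloadUUID": "SCEP-UUID-1"},
        {"PayloadType": "com.apple.mdm",
         "ServerURL": "http://mdm.example.org:8443/server",
         "Topic": "com.example.wrong-topic",
         "IdentityCertificateUUID": "MISSING-UUID",
         "UseDevelopmentAPNS": True},
    ],
}

if __name__ == "__main__":
    for finding in lint_mdm(SAMPLE, "com.example.push-topic"):
        print("finding:", finding)
```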


APN settings
The APN Settings payload lets you change the device’s Access Point Name (APN) and cell network proxy settings.
These settings define how the device connects to the carrier’s network. Change these settings only if instructed to
do so by a carrier network expert. If these settings are incorrect, the device can’t access data using the cellular
network. To undo a change to these settings, remove the profile from the device.

iOS supports APN user names and passwords of up to 64 characters.


Editing configuration profiles


In iPhone Configuration Utility, select a profile in the Configuration Profiles list, and then use the payload list pane
and editing pane to make changes. You can also import a profile by choosing File > Add to Library and then
selecting a .mobileconfig file. If the settings panes aren’t visible, choose View > Show Detail.

The Identifier field in the General payload is used by devices to determine whether a profile is new or an update to
an existing profile. If you want the updated profile to replace one that users have already installed, don’t change the
Identifier.


Installing provisioning profiles and apps


iPhone Configuration Utility can install apps and distribution provisioning profiles on devices attached to the
computer. For details see the article Distributing Enterprise Apps for iOS Devices.


About installing configuration profiles


After you create a profile, you can connect a device and install the profile using iPhone Configuration Utility.
You can also distribute the profile to users by email, or post it to a website. When users use their device to open an
email message or download the profile from the web, they’re prompted to start the installation process.

You can also distribute profiles using a Mobile Device Management server.


Installing configuration profiles using iPhone Configuration Utility


You can use iPhone Configuration Utility to install configuration profiles on a device that has been updated to
iPhone OS 3.0 or later and is attached to your computer. You can also use it to remove previously installed profiles.

To install a configuration profile:

1. Connect the device to a USB port on your computer.

After a moment, the device appears in the Devices list in iPhone Configuration Utility.

2. Select the device, and then click the Configuration Profiles tab.

3. Select a configuration profile from the list, and then click Install.

4. On the device, tap Install.

When you install a configuration profile directly on a device using USB, the configuration profile is automatically
signed and encrypted before being transferred to the device. iPhone Configuration Utility automatically installs a
certificate on the device for this purpose; you can see the certificate in the Summary pane. The message “This
certificate was signed by an untrusted issuer” is normal and expected, because it’s self-signed. Any updates to this
profile must be signed by the same copy of iPhone Configuration Utility. For this reason, you should use one copy of
the utility to install and export configuration profiles.


Distributing Configuration Profiles by mail


You can distribute configuration profiles by email. Users receive the message on their device, and then tap the
attachment to install the profile.

To email a configuration profile:

1. Click the Share button in the iPhone Configuration Utility toolbar.

In the dialog that appears, select a security option:

None: A plain text .mobileconfig file is created. It can be installed on any device. Some content in the file is
obfuscated to prevent casual snooping if the file is examined.

Sign Configuration Profile: The .mobileconfig file is signed and can be installed by any device, as long as
the profile hasn’t been altered. Once installed, the profile can be updated only by a profile that has the same
identifier and is signed by the same copy of iPhone Configuration Utility.

Create and Sign Encrypted Configuration Profile For Each Selected Device: This option signs the profile so
it cannot be altered, and encrypts all of the content so the profile cannot be examined and can be installed
only on a specific device. Use this option if the profile contains passwords. Separate .mobileconfig files are
created for each of the devices you select from the Devices list. If a device doesn’t appear in the list, either it
hasn’t been previously connected to the computer so that the encryption key can be obtained, or it hasn’t
been upgraded to iOS 3.0 or later.

2. Click Share, and a new Outlook message opens with the profiles added as uncompressed attachments. The
files must remain uncompressed, so that the device can recognize and install the profile.


Distributing configuration profiles on the web


You can distribute configuration profiles using a website. Users install the profile by downloading it using Safari on
their device. To easily distribute the URL to your users, send it via SMS.

To export a configuration profile:

1. Click the Export button in the iPhone Configuration Utility toolbar.

In the dialog that appears, select a security option:

None: A plain text .mobileconfig file is created. It can be installed on any device. Some content in the file is
obfuscated to prevent casual snooping if the file is examined, but you should make sure that, when you put
the file on your website, it’s accessible only by authorized users.

Sign Configuration Profile: The .mobileconfig file is signed and won’t be installed by a device if it’s altered.
Once installed, the profile can be updated only by a profile that has the same identifier and is signed by the
same copy of iPhone Configuration Utility. You should make sure that, when you put the file on your website,
it’s accessible only by authorized users.

Sign and Encrypt Profile: This option signs the profile so it cannot be altered, and encrypts all of the contents
so the profile cannot be examined and can only be installed on a specific device. Separate .mobileconfig
files are created for each of the devices you select from the Devices list.

2. Click Export, and then select a location to save the .mobileconfig files.

The files are ready for posting on your website. Don’t compress the .mobileconfig file or change its extension, or the
device won’t recognize and install the profile.
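A check to run on exported .mobileconfig files before they are mailed or posted, as an added Python example (not part of the original document). It tells the three export forms apart and, for a plain profile, lists settings that look like passwords, which is the case where the text above calls for the encrypted option. It assumes a signed profile is a DER-encoded CMS wrapper and an encrypted one carries an EncryptedPayloadContent key (both from Apple's profile format, not from this page); the key-name hints are a heuristic and the sample profile is constructed.

```python
import plistlib

SECRET_HINTS = ("password", "challenge", "sharedsecret")  # heuristic, assumed


def find_secrets(node, path=""):
    """Walk a parsed profile and return paths of string/data values that look secret."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if isinstance(value, (str, bytes)) and any(h in key.lower() for h in SECRET_HINTS):
                hits.append(here)
            hits += find_secrets(value, here)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits += find_secrets(value, f"{path}[{index}]")
    return hits


def triage(data):
    """Return (form, secret_paths) for the raw bytes of a .mobileconfig file."""
    if data[:1] == b"\x30":
        return "signed", []        # DER SEQUENCE: CMS wrapper, contents not decoded here
    try:
        profile = plistlib.loads(data)
    except Exception:              # not a property list in any supported encoding
        return "unrecognized", []
    if isinstance(profile, dict) and "EncryptedPayloadContent" in profile:
        return "encrypted", []
    return "plain", sorted(find_secrets(profile))


# Constructed sample: an unsigned, unencrypted profile carrying an identity passphrase.
PLAIN = plistlib.dumps({
    "PayloadIdentifier": "org.example.profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.pkcs12", "Password": "constructed-passphrase"},
    ],
})

if __name__ == "__main__":
    form, secrets = triage(PLAIN)
    print(form, secrets)
```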


Distributing configuration profiles wirelessly


You can use a Mobile Device Management server to configure iOS devices over the air. This server can be built
in-house by your IT department, or purchased from a third-party solution provider. OS X Server for Mountain Lion
includes Profile Manager, an MDM solution for creating and distributing configuration profiles wirelessly. For
information see iPhone in Business: Mobile Device Management.



User installation of downloaded configuration profiles
Provide your users with the URL where they can download the profiles onto their devices, or send the profiles to an
email account your users can access on the device before it’s set up with your enterprise-specific information.

During installation, the user is asked to enter any necessary information, such as passwords that weren’t specified
in the profile, and any other information that’s required by the settings you specified.

The device also retrieves the Exchange ActiveSync policies from the server, and refreshes the policies, if they
change, with every subsequent connection. If the device or Exchange ActiveSync policies enforce a passcode
setting, the user must enter a passcode that complies with the policy in order to complete the installation.

The user is also asked to enter any passwords necessary for using certificates included in the profile.

If the installation isn’t successful—perhaps because the Exchange server was unreachable or the user cancelled
the process—none of the information entered by the user is kept.


Removing and updating configuration profiles


Managed configuration profiles can be updated and removed over the air by using an MDM server. To update a
configuration profile that was manually installed, distribute the new profile to users and have them install the new
version. As long as the profile identifier matches and the profile (if signed) has been signed by the same copy of
iPhone Configuration Utility, the new profile replaces the old profile on the device.

Settings enforced by a configuration profile cannot be changed on the device. To change a setting, you must install
an updated profile. If the profile was signed, it can be replaced only by a profile signed by the same copy of iPhone
Configuration Utility. The identifier in both profiles must match. For more information about the identifier, see
General settings.

Important: Removing a configuration profile removes all policies and information (including mail accounts)
associated with the profile.

If the General Settings payload of the profile specifies that it cannot be removed by the user, the Remove button
doesn’t appear. If the settings permit removal using an authorization password, the user is asked to enter the
password after tapping Remove. For more information about profile security settings, see General settings.

© 2013 Apple Inc. All rights reserved.

Apple, the Apple logo, FaceTime, iCloud, iPad, iPhone, iPod, iPod touch, iTunes, Mac, Mac OS, Safari, and Xcode are trademarks of Apple Inc., registered in the U.S. and other countries.
Retina is a trademark of Apple Inc. iTunes Store is a service mark of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc.

IOS is a trademark or registered trademark of Cisco in the U.S. and other countries and is used under license.

Java is a registered trademark of Oracle and/or its affiliates.

UNIX is a registered trademark of The Open Group.

Other company and product names mentioned herein may be trademarks of their respective companies.

Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the
performance or use of these products. All understandings, agreements, or warranties, if any, take place directly between the vendors and the prospective users. Every effort has been made to
ensure that the information in this manual is accurate. Apple is not responsible for printing or clerical errors.
