Apple iPhone User Manual version 3.2

iPhone OS

Enterprise Deployment Guide

Second Edition, for Version 3.2 or later

Apple Inc.

This manual may not be copied, in whole or in part, without the written consent of Apple.

The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.

Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for printing or clerical errors.

Apple 1 Infinite Loop Cupertino, CA 95014 408-996-1010 www.apple.com

Apple, the Apple logo, Bonjour, iPhone, iPod, iPod touch, iTunes, Keychain, Leopard, Mac, Macintosh, the Mac logo, Mac OS, QuickTime, and Safari are trademarks of Apple Inc., registered in the U.S. and other countries.

iPad is a trademark of Apple Inc.

iTunes Store and App Store are service marks of Apple Inc., registered in the U.S. and other countries. MobileMe is a service mark of Apple Inc.

Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.

Simultaneously published in the United States and Canada.

019-1835/2010-04

Preface 6 iPhone in the Enterprise

What’s New for the Enterprise in iPhone OS 3.0 and Later

System Requirements

Microsoft Exchange ActiveSync

VPN

Network Security

Certificates and Identities

Email Accounts

LDAP Servers

CalDAV Servers

Additional Resources

Chapter 1 14 Deploying iPhone and iPod touch

Activating Devices

Preparing Access to Network Services and Enterprise Data

Determining Device Passcode Policies

Configuring Devices

Over-the-Air Enrollment and Configuration

Other Resources

Chapter 2 28 Creating and Deploying Configuration Profiles

About iPhone Configuration Utility

Creating Configuration Profiles

Editing Configuration Profiles

Installing Provisioning Profiles and Applications

Installing Configuration Profiles

Removing and Updating Configuration Profiles

Chapter 3 44 Manually Configuring Devices

VPN Settings

Wi-Fi Settings

Exchange Settings

Installing Identities and Root Certificates

Additional Mail Accounts

Updating and Removing Profiles

Other Resources

Chapter 4 57 Deploying iTunes

Installing iTunes

Quickly Activating Devices with iTunes

Setting iTunes Restrictions

Backing Up a Device with iTunes

Chapter 5 63 Deploying Applications

Registering for Application Development

Signing Applications

Creating the Distribution Provisioning Profile

Installing Provisioning Profiles Using iTunes

Installing Provisioning Profiles Using iPhone Configuration Utility

Installing Applications Using iTunes

Installing Applications Using iPhone Configuration Utility

Using Enterprise Applications

Disabling an Enterprise Application

Other Resources

Appendix A 67 Cisco VPN Server Configuration

Supported Cisco Platforms

Authentication Methods

Authentication Groups

Certificates

IPSec Settings

Other Supported Features

Appendix B 70 Configuration Profile Format

Root Level

Payload Content

Profile Removal Password Payload

Passcode Policy Payload

Email Payload

Web Clip Payload

Restrictions Payload

LDAP Payload

CalDAV Payload

Calendar Subscription Payload

SCEP Payload

APN Payload

Exchange Payload

VPN Payload

Contents

Wi-Fi Payload

Sample Configuration Profiles

Appendix C 88 Sample Scripts

Contents

iPhone in the Enterprise

Learn how to integrate iPhone, iPod touch, and iPad with your enterprise systems.

This guide is for system administrators. It provides information about deploying and supporting iPhone, iPod touch, and iPad in enterprise environments.

What’s New for the Enterprise in iPhone OS 3.0 and Later

iPhone OS 3.x includes numerous enhancements, including the following items of special interest to enterprise users:

CalDAV calendar wireless syncing is supported.

LDAP server support for contact look-up in mail, address book, and SMS.

Configuration profiles can be encrypted and locked to a device so that their removal requires an administrative password.

iPhone Configuration Utility allows you to add and remove encrypted configuration profiles directly onto devices that are connected to your computer by USB.

Online Certificate Status Protocol (OCSP) is supported for certificate revocation.

On-demand certificate-based VPN connections are now supported.

VPN proxy configuration via a configuration profile and VPN servers is supported.

Microsoft Exchange users can invite others to meetings. Microsoft Exchange 2007 users can also view reply status.

Exchange ActiveSync client certificate-based authentication is supported.

Additional EAS policies are supported, along with EAS protocol 12.1.

Additional device restrictions are available, including the ability to specify the length of time that a device can be left unlocked, disable the camera, and prevent users from taking a screenshot of the device’s display.

Local mail messages and calendar events can be searched. For IMAP, MobileMe, and Exchange 2007, mail that resides on the server can also be searched.

Additional mail folders can be designated for push email delivery.

APN proxy settings can be made specified using a configuration profile.

Preface

Web clips can be installed using a configuration profile.

802.1x EAP-SIM is now supported.

Devices can be authenticated and enrolled over-the-air using a Simple Certificate Enrollment Protocol (SCEP) server.

iTunes can store device backups in encrypted format.

iPhone Configuration Utility supports profile creation via scripting.

iPhone Configuration Utility 2.2 supports iPad, iPhone, and iPod touch. Mac OS X v10.6 Snow Leopard is required. Windows 7 is also supported.

System Requirements

Read this section for an overview of the system requirements and the various components available for integrating iPhone, iPod touch, and iPad with your enterprise systems.

iPhone and iPod touch

iPhone and iPod touch devices you use with your enterprise network must be updated to iPhone OS 3.1.x.

iPad

iPad must be updated to iPhone OS 3.2.x.

iTunes

iTunes 9.1 or later is required in order to set up a device. iTunes is also required in order to install software updates for iPhone, iPod touch, and iPad. You also use iTunes to install applications, and sync music, video, notes, or other data with a Mac or PC.

To use iTunes, you need a Mac or PC that has a USB 2.0 port and meets the minimum requirements listed on the iTunes website. See www.apple.com/itunes/download/.

iPhone Configuration Utility

iPhone Configuration Utility lets you create, encrypt, and install configuration profiles, track and install provisioning profiles and authorized applications, and capture device information such as console logs.

iPhone Configuration Utility requires one of the following:

Â Mac OS X v10.5 Snow Leopard

Â Windows XP Service Pack 3 with .NET Framework 3.5 Service Pack 1

Â Windows Vista Service Pack 1 with .NET Framework 3.5 Service Pack 1

Â Windows 7 with .NET Framework 3.5 Service Pack 1

iPhone Configuration Utility operates in 32-bit mode on 64-bit versions of Windows.

Preface

iPhone in the Enterprise

You can download the .Net Framework 3.5 Service Pack 1 installer at: http://www.microsoft.com/downloads/details.aspx?familyid=ab99342f-5d1a-413d-831981da479ab0d7

The utility allows you to create an Outlook message with a configuration profile as an attachment. Additionally, you can assign users’ names and email addresses from your desktop address book to devices that you’ve connected to the utility. Both of these features require Outlook and are not compatible with Outlook Express. To use these features on Windows XP computers, you may need to install 2007 Microsoft Office System Update: Redistributable Primary Interop Assemblies. This is necessary if Outlook was installed before .NET Framework 3.5 Service Pack 1.

The Primary Interop Assemblies installer is available at: http://www.microsoft.com/downloads/details.aspx?FamilyID=59daebaa-bed4-4282a28c-b864d8bfa513

Microsoft Exchange ActiveSync

iPhone, iPod touch, and iPad support the following versions of Microsoft Exchange:

Â Exchange ActiveSync for Exchange Server (EAS) 2003 Service Pack 2

Â Exchange ActiveSync for Exchange Server (EAS) 2007

For support of Exchange 2007 policies and features, Service Pack 1 is required.

Supported Exchange ActiveSync Policies

The following Exchange policies are supported:

Â Enforce password on device

Â Minimum password length

Â Maximum failed password attempts

Â Require both numbers and letters

Â Inactivity time in minutes

The following Exchange 2007 policies are also supported:

Â Allow or prohibit simple password

Â Password expiration

Â Password history

Â Policy refresh interval

Â Minimum number of complex characters in password

Â Require manual syncing while roaming

Â Allow camera

Â Require device encryption

For a description of each policy, refer to your Exchange ActiveSync documentation.

8 Preface iPhone in the Enterprise

The Exchange policy to require device encryption (RequireDeviceEncryption) is supported on iPhone 3GS, on iPod touch (Fall 2009 models with 32 GB or more) and on iPad. iPhone, iPhone 3G, and other iPod touch models don’t support device encryption and won’t connect to an Exchange Server that requires it.

If you enable the policy “Require Both Numbers and Letters” on Exchange 2003, or the policy “Require Alphanumeric Password” on Exchange 2007, the user must enter a device passcode that contains at least one complex character.

The value specified by the inactivity time policy (MaxInactivityTimeDeviceLock or AEFrequencyValue) is used to set the maximum value that users can select in both Settings > General > Auto-Lock and Settings > General > Passcode Lock > Require Passcode.

Remote Wipe

You can remotely wipe the contents of an iPhone, iPod touch, or iPad. Wiping removes all data and configuration information from the device. The device is securely erased and restored to original, factory settings.

Important: On iPhone and iPhone 3G, wiping overwrites the data on the device, which

can take approximately one hour for each 8 GB of device capacity. Connect the device to a power supply before wiping. If the device turns off due to low power, the wiping process resumes when the device is connected to power. On iPhone 3GS and iPad, wiping removes the encryption key to the data (which is encrypted using 256-bit AES encryption) which occurs instantaneously.

With Exchange Server 2007, you can initiate a remote wipe using the Exchange Management Console, Outlook Web Access, or the Exchange ActiveSync Mobile Administration Web Tool.

With Exchange Server 2003, you can initiate a remote wipe using the Exchange ActiveSync Mobile Administration Web Tool.

Users can also wipe a device in their possession by choosing “Erase All Content and Settings” from the Reset menu in General settings. Devices can also be configured to automatically initiate a wipe after several failed passcode attempts.

If you recover a device that was wiped because it was lost, use iTunes to restore it using the device’s latest backup.

Microsoft Direct Push

The Exchange server automatically delivers email, contacts, and calendar events to iPhone and iPad Wi-Fi + 3G if a cellular or Wi-Fi data connection is available. iPod touch and iPad Wi-Fi don’t have a cellular connection, so they receive push notifications only when they’re active and connected to a Wi-Fi network.

Preface iPhone in the Enterprise 9

Microsoft Exchange Autodiscovery

The Autodiscover service of Exchange Server 2007 is supported. When you manually configure a device, Autodiscover uses your email address and password to automatically determine the correct Exchange server information. For information about enabling the Autodiscover service, see http://technet.microsoft.com/en-us/ library/cc539114.aspx.

Microsoft Exchange Global Address List

iPhone, iPod touch, and iPad retrieve contact information from your company’s Exchange server corporate directory. You can access the directory when searching in Contacts, and it’s automatically accessed for completing email addresses as you enter them.

Additional Supported Exchange ActiveSync Features

In addition to the features and capabilities already described, iPhone OS supports: Â Creating calendar invitations. With Microsoft Exchange 2007, you can also view the

status of replies to your invitations.

Â Setting Free, Busy, Tentative, or Out of Office status for your calendar events.

Â Searching mail messages on the server. Requires Microsoft Exchange 2007.

Â Exchange ActiveSync client certificate-based authentication.

Unsupported Exchange ActiveSync Features

Not all Exchange features are supported, including, for example:

Â Folder management

Â Opening links in email to documents stored on SharePoint servers

Â Task synchronization

Â Setting an “out of office” autoreply message

Â Flagging messages for follow-up

VPN

iPhone OS works with VPN servers that support the following protocols and authentication methods:

Â L2TP/IPSec with user authentication by MS-CHAPV2 Password, RSA SecurID and

CryptoCard, and machine authentication by shared secret.

Â PPTP with user authentication by MS-CHAPV2 Password, RSA SecurID, and

CryptoCard.

Â Cisco IPSec with user authentication by Password, RSA SecurID, or CryptoCard,

and machine authentication by shared secret and certificates. See Appendix A for compatible Cisco VPN servers and recommendations about configurations.

10 Preface iPhone in the Enterprise

Cisco IPSec with certificate-based authentication supports VPN on demand for domains you specify during configuration. See “VPN Settings” on page 35 for details.

Network Security

iPhone OS supports the following 802.11i wireless networking security standards as defined by the Wi-Fi Alliance:

Â WEP

Â WPA Personal

Â WPA Enterprise

Â WPA2 Personal

Â WPA2 Enterprise

Additionally, iPhone OS supports the following 802.1X authentication methods for WPA Enterprise and WPA2 Enterprise networks:

Â EAP-TLS

Â EAP -TTLS

Â EAP-FAST

Â EAP-SIM

Â PEAP v0, PEAP v1

Â LEAP

Certificates and Identities

iPhone, iPod touch, and iPad can use X.509 certificates with RSA keys. The file extensions .cer, .crt, and .der are recognized. Certificate chain evaluations are performed by Safari, Mail, VPN, and other applications.

Use P12 (PKCS #12 standard) files that contain exactly one identity. The file extensions .p12 and .pfx are recognized. When an identity is installed, the user is prompted for the passphrase that protects it.

Certificates necessary for establishing the certificate chain to a trusted root certificate can be installed manually or by using configuration profiles. You don’t need to add root certificates that are included on the device by Apple. To view a list of the preinstalled system roots, see the Apple Support article at http://support.apple.com/kb/HT3580.

Certificates can be securely installed over the air via SCEP. See “Overview of the Authenticated Enrollment and Configuration Process” on page 22 for more information.

Preface iPhone in the Enterprise 11

Email Accounts

iPhone, iPod touch, and iPad support industry-standard IMAP4- and POP3-enabled mail solutions on a range of server platforms including Windows, UNIX, Linux, and Mac OS X. You can also use IMAP to access email from Exchange accounts in addition to the Exchange account you use with direct push.

When a user searches their mail, they have the option of continuing the search on the mail server. This works with Microsoft Exchange Server 2007 as well as most IMAP-based accounts.

The user’s email account information, including Exchange user ID and password, are securely stored on the device.

LDAP Servers

iPhone, iPod touch, and iPad retrieve contact information from your company’s LDAPv3 server corporate directories.You can access directories when searching in Contacts, and and they are automatically accessed for completing email addresses as you enter them.

CalDAV Servers

iPhone, iPod touch, and iPad synchronize calendar data with your company’s CalDAV server. Changes to the calendar are periodically updated between the device and server.

You can also subscribe to read-only published calendars, such as holiday calendars or those of a colleague’s schedule.

Creating and sending new calendar invitations from a device isn’t supported for CalDAV accounts.

12 Preface iPhone in the Enterprise

Additional Resources

In addition to this guide, the following publications and websites provide useful information:

Â iPhone in Enterprise webpage at www.apple.com/iphone/enterprise/

Â iPad in Business webpage at: www.apple.com/ipad/business/

Â Exchange Product Overview at http://technet.microsoft.com/en-us/library/

bb124558.aspx

Â Deploying Exchange ActiveSync at http://technet.microsoft.com/en-us/library/

aa995962.aspx

Â Exchange 2003 Technical Documentation Library at http://technet.microsoft.com/

en-us/library/bb123872(EXCHG.65).aspx

Â Managing Exchange ActiveSync Security at http://technet.microsoft.com/en-us/

library/bb232020(EXCHG.80).aspx

Â Wi-Fi for Enterprise webpage at www.wi-fi.org/enterprise.php

Â iPhone VPN Connectivity to Cisco Adaptive Security Appliances (ASA) at

www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/iPhone/2.0/ connectivity/guide/iphone.html

Â iPhone User Guide, available for download at www.apple.com/support/iphone/;

view the guide on iPhone, tap the iPhone User Guide bookmark in Safari or go to http://help.apple.com/iphone/

Â iPhone Guided Tour at www.apple.com/iphone/guidedtour/

Â iPod touch User Guide, available for download at www.apple.com/support/ipodtouch;

view the guide on iPod touch, tap the iPod touch User Guide in Safari or go to http://help.apple.com/ipodtouch/

Â iPod touch Guided Tour at www.apple.com/ipodtouch/guidedtour/

Â iPad User Guide, available for download at www.apple.com/support/ipad; view the

guide on iPad, tap the iPad User Guide in Safari or go to http://help.apple.com/ipad/

Â iPad Guided Tour at www.apple.com/ipad/guided-tour/

Preface iPhone in the Enterprise 13

1 Deploying iPhone and iPod touch

This chapter provides an overview of how to deploy iPhone, iPod touch, and iPad in your enterprise.

iPhone, iPod touch, and iPad are designed to easily integrate with your enterprise systems, including Microsoft Exchange 2003 and 2007, 802.1X-based secure wireless networks, and Cisco IPSec virtual private networks. As with any enterprise solution, good planning and an understanding of your deployment options make deployment easier and more efficient for you and your users.

When planning your deployment of iPhone, iPod touch, and iPad, consider the following:

Â How will your company’s iPhones and iPad (Wi-Fi + 3G models) be activated for

wireless cellular service?

Â Which enterprise network services, applications, and data will your users need to

access?

Â What policies do you want to set on the devices to protect sensitive company data?

Â Do you want to manually configure devices individually, or use a streamlined process

for configuring a large fleet?

The specifics of your enterprise environment, IT policies, wireless carrier, and your computing and communication requirements affect how you tailor your deployment strategy.

Activating Devices

Each iPhone must be activated with your wireless carrier before it can be used to make and receive calls, send text messages, or connect to the cellular data network. Contact your carrier for voice and data tariffs and activation instructions for consumer and business customers.

You or your user need to install a SIM card in the iPhone. After the SIM card is installed, iPhone must be connected to a computer with iTunes to complete the activation process. If the SIM card is already active, iPhone is ready for immediate use; otherwise, iTunes walks you through the process of activating a new line of service.

iPad must be connected to a computer with iTunes to activate the device. For iPad Wi-Fi + 3G in the U.S., you sign up and manage (or cancel) an AT&T data plan using iPad. Go to Settings > Cellular Data > View Account. iPad is unlocked, so you can use your preferred carrier. Contact your carrier to set up an account and obtain a compatible micro SIM card. In the U.S., micro SIM cards compatible with AT&T are included with iPad Wi-Fi + 3G.

Although there is no cellular service or SIM card for iPod touch and iPad Wi-Fi, they must also be connected to a computer with iTunes for activation.

Because iTunes is required in order to complete the activation process, you must decide whether you want to install iTunes on each user’s Mac or PC, or whether you’ll complete activation for each device with your own iTunes installation.

After activation, iTunes isn’t required in order to use the device with your enterprise systems, but it’s required for synchronizing music, video, and web browser bookmarks with a computer. It’s also required for downloading and installing software updates for devices and installing your enterprise applications.

For more information about activating devices and using iTunes, see Chapter 4.

Chapter 1 Deploying iPhone and iPod touch 15

Preparing Access to Network Services and Enterprise Data

iPhone OS 3.x software enables secure push email, push contacts, and push calendar with your existing Microsoft Exchange Server 2003 or 2007 solution, as well as Global Address Lookup, Remote Wipe, and device passcode policy enforcement. It also allows users to securely connect to company resources via WPA Enterprise and WPA2 Enterprise wireless networks using 802.1X wireless authentication and/or via VPN using PPTP, LT2P over IPSec, or Cisco IPSec protocols.

If your company doesn’t use Microsoft Exchange, your users can still use iPhone or iPod touch to wirelessly sync email with most standard POP or IMAP-based servers and services. And they can use iTunes to sync calendar events and contacts from Mac OS X iCal and Address Book or Microsoft Outlook on a Windows PC. For wireless access to calendars and directories, CalDAV and LDAP are supported.

As you determine which network services you want users to access, refer to the information in the following sections.

Microsoft Exchange

iPhone communicates directly with your Microsoft Exchange Server via Microsoft Exchange ActiveSync (EAS). Exchange ActiveSync maintains a connection between the Exchange Server and iPhone or iPad Wi-Fi + 3G, so that when a new email message or meeting invitation arrives, the device is instantly updated. iPod touch and iPad Wi-Fi don’t have a cellular connection, so they receive push notifications only when they’re active and connected to a Wi-Fi network.

If your company currently supports Exchange ActiveSync on Exchange Server 2003 or Exchange Server 2007, you already have the necessary services in place. For Exchange Server 2007, make sure the Client Access Role is installed. For Exchange Server 2003, make sure you’ve enabled Outlook Mobile Access (OMA).

If you have an Exchange Server but your company is new to Exchange ActiveSync, review the information in the following sections.

Network Configuration

Â Make sure port 443 is open on the firewall. If your company uses Outlook Web

Access, port 443 is most likely already open.

Â Verify that a server certificate is installed on the front-end Exchange server and turn

on basic authentication only, in the Authentication Method properties, to require an SSL connection to the Microsoft Server ActiveSync directory of your IIS.

Â If you’re using a Microsoft Internet Security and Acceleration (ISA) Server, verify that a

server certificate is installed and update the public DNS to properly resolve incoming connections.

16 Chapter 1 Deploying iPhone and iPod touch

Â Make sure the DNS for your network returns a single, externally-routable address to

the Exchange ActiveSync server for both intranet and Internet clients. This is required so the device can use the same IP address for communicating with the server when both types of connections are active.

Â If you’re using a Microsoft ISA Server, create a web listener as well as an Exchange

web client access publishing rule. See Microsoft’s documentation for details.

Â For all firewalls and network appliances, set the idle session timeout to 30 minutes.

For information about heartbeat and timeout intervals, refer to the Microsoft Exchange documentation at

Exchange Account Setup

Â Enable Exchange ActiveSync for specific users or groups using the Active Directory

service. These are enabled by default for all mobile devices at the organizational level in Exchange Server 2003 and Exchange Server 2007. For Exchange Server 2007, see Recipient Configuration in the Exchange Management Console.

Â Configure mobile features, policies, and device security settings using the Exchange

System Manager. For Exchange Server 2007, this is done in the Exchange Management Console.

Â Download and install the Microsoft Exchange ActiveSync Mobile Administration Web

Tool, which is necessary to initiate a remote wipe. For Exchange Server 2007, remote wipe can also be initiated using Outlook Web Access or the Exchange Management Console.

http://technet.microsoft.com/en-us/library/cc182270.aspx.

WPA/WPA2 Enterprise Wi-Fi Networks

Support for WPA Enterprise and WPA2 Enterprise ensures that corporate wireless networks are securely accessed on iPhone, iPod touch and iPad. WPA/WPA2 Enterprise uses AES 128-bit encryption, a proven block-based encryption method that provides a high level of assurance that corporate data remains protected.

With support for 802.1X authentication, iPhone OS devices can be integrated into a broad range of RADIUS server environments. 802.1X wireless authentication methods are supported, including EAP-TLS, EAP-TTLS, EAP-FAST, PEAPv0, PEAPv1, and LEAP.

WPA/WPA2 Enterprise Network Configuration

Â Verify network appliances for compatibility and select an authentication type (EAP

type) supported by iPhone, iPod touch, and iPad. Make sure that 802.1X is enabled on the authentication server, and if necessary, install a server certificate and assign network access permissions to users and groups.

Â Configure wireless access points for 802.1X authentication and enter the

corresponding RADIUS server information.

Â Test your 802.1X deployment with a Mac or a PC to make sure RADIUS authentication

is properly configured.

Chapter 1 Deploying iPhone and iPod touch 17

Â If you plan to use certificate-based authentication, make sure you have your public

key infrastructure configured to support device and user-based certificates with the corresponding key distribution process.

Â Verify the compatibility of your certificate formats with the device and your

authentication server. For information about certificates see “Certificates and Identities” on page 11.

Virtual Private Networks

Secure access to private networks is supported on iPhone, iPod touch, and iPad using Cisco IPSec, L2TP over IPSec, and PPTP virtual private network protocols. If your organization supports one of these protocols, no additional network configuration or third-party applications are required in order to use your devices with your VPN infrastructure.

Cisco IPSec deployments can take advantage of certificate-based authentication via industry-standard X.509 certificates. Additionally, certificate-based authentication allows you to take advantage of VPN On Demand, which provides seamless, secure wireless access to your enterprise network.

For two-factor token-based authentication, iPhone OS supports RSA SecurID and CryptoCard. Users enter their PIN and token-generated, one-time password directly on their device when establishing a VPN connection. For compatible Cisco VPN servers and recommendations about configurations, see Appendix A.

iPhone, iPod touch and iPad also support shared secret authentication for Cisco IPSec and L2TP/IPSec deployments, and MS-CHAPv2 for basic user name and password authentication.

VPN Proxy auto-config (PAC and WPAD) is also supported, which allows you specify proxy server settings for accessing specific URLs.

VPN Setup Guidelines

Â iPhone OS integrates with most existing VPN networks, so minimal configuration is

necessary to enable devices to access to your network. The best way to prepare for deployment is to check if your company’s existing VPN protocols and authentication methods are supported by iPhone.

Â Ensure compatibility with standards by your VPN concentrators. It’s also a good idea

to review the authentication path to your RADIUS or authentication server, to make sure standards supported by iPhone OS are enabled within your implementation.

Â Check with your solutions providers to confirm that your software and equipment

are up-to-date with the latest security patches and firmware.

18 Chapter 1 Deploying iPhone and iPod touch

Â If you want to configure URL-specific proxy settings, place a PAC file on a web server

that’s accessible with the basic VPN settings, and ensure that it’s served with a MIME type of application/x-ns-proxy-autoconfig. Alternatively, configure your DNS or DHCP to provide the location of a WPAD file on a server that is similarly accessible.

IMAP Email

If you don’t use Microsoft Exchange, you can still implement a secure, standards-based email solution using any email server that supports IMAP and is configured to require user authentication and SSL. For example, you can access Lotus Notes/Domino or Novell GroupWise email using this technique. The mail servers can be located within a DMZ subnetwork, behind a corporate firewall, or both.

With SSL, iPhone OS supports 128-bit encryption and X.509 certificates issued by the major certificate authorities. It also supports strong authentication methods including industry-standard MD5 Challenge-Response and NTLMv2.

IMAP Network Setup Guidelines

Â For additional security protection, install a digital certificate on the server from

a trusted certificate authority (CA). Installing a certificate from a CA is an important step in ensuring that your proxy server is a trusted entity within your corporate infrastructure. See “Credentials Settings” on page 38 for information about installing certificates on iPhone.

Â To let iPhone OS devices retrieve email from your server, open port 993 in the firewall

and make sure that the proxy server is set to IMAP over SSL.

Â To let devices send email, port 587, 465, or 25 must be open. Port 587 is used first,

and is the best choice.

LDAP Directories

iPhone OS lets you access standards-based LDAP directory servers and provide a global address directory or other information similar to the Global Address List in Microsoft Exchange.

When an LDAP account is configured on the device, the device searches for the attribute namingContexts at the server’s root level to identify the default search base. The search scope is set to subtree by default.

CalDAV Calendars

CalDAV support in iPhone OS provides global calendars and scheduling for organizations that don’t use Microsoft Exchange. iPhone OS works with calendar servers that support the CalDAV standard.

Chapter 1 Deploying iPhone and iPod touch 19

Subscribed Calendars

If you want to publish read-only calendars of corporate events, such as holidays or special event schedules, iPhone OS devices can subscribe to calendars and display the information alongside Microsoft Exchange and CalDAV calendars. iPhone OS works with calendar files in the standard iCalendar (.ics) format.

An easy way to distribute subscribed calendars to your users is to send the fully qualified URL in SMS or email. When the user taps the link, the device offers to subscribe to the specified calendar.

Enterprise Applications

To deploy enterprise iPhone OS applications, you install the applications on your devices using iPhone Configuration Utility or iTunes. Once you deploy an application to users’ devices, updating those applications will be easier if each user has iTunes installed on their Mac or PC.

Online Certificate Status Protocol

When you provide digital certificates for iPhone OS devices, consider issuing them so they’re OCSP-enabled. This allows the device to ask your OCSP server if the certificate has been revoked before using it.

Determining Device Passcode Policies

Once you decide which network services and data your users will access, you should determine which device passcode policies you want to implement.

Requiring passcodes to be set on your devices is recommended for companies whose networks, systems, or applications don’t require a password or an authentication token. If you’re using certificate-based authentication for an 802.1X network or Cisco IPSec VPN, or your enterprise application saves your login credentials, you should require users to set a device passcode with a short timeout period so a lost or stolen device cannot be used without knowing the device passcode.

Policies can be set on iPhone, iPod touch, and iPad in either of two ways. If the device is configured to access a Microsoft Exchange account, the Exchange ActiveSync policies are wirelessly pushed to the device. This allows you to enforce and update the policies without any user action. For information about EAS policies, see “Supported Exchange ActiveSync Policies” on page 8.

If you don’t use Microsoft Exchange, you can set similar policies on your devices by creating configuration profiles. If you want to change a policy, you must post or send an updated profile to users or install the profile using iPhone Configuration Utility. For information about the device passcode policies, see “Passcode Settings” on page 32.

20 Chapter 1 Deploying iPhone and iPod touch

If you use Microsoft Exchange, you can also supplement your EAS policies by using configuration policies. This can provide access to policies that aren’t available in Microsoft Exchange 2003, for example, or allow you to define policies specifically for iPhone OS devices.

Configuring Devices

You need to decide how you’ll configure each iPhone, iPod touch, or iPad. This is influenced in part by how many devices you plan on deploying and managing over time. If the number is small, you may find that it’s simpler for you or your users to manually configure each device. This involves using the device to enter the settings for each mail account, Wi-Fi settings, and VPN configuration information. See Chapter 3 for details about manual configuration.

If you deploy a large number of devices, or you have a large collection of email settings, network settings, and certificates to install, then you may want to configure the devices by creating and distributing configuration profiles. Configuration profiles quickly load settings and authorization information onto a device. Some VPN and Wi-Fi settings can only be set using a configuration profile, and if you’re not using Microsoft Exchange, you’ll need to use a configuration profile to set device passcode policies.

Configuration profiles can be encrypted and signed, which allows you to restrict their use to a specific device, and prevents anyone from changing the settings that a profile contains. You can also mark a profile as being locked to the device, so once installed it cannot be removed without wiping the device of all data, or optionally, with an administrative passcode.

Whether or not you’re configuring devices manually or using configuration profiles, you also need to decide if you’ll configure the devices or if you will delegate this task to your users. Which you choose depends on your users’ locations, company policy regarding users’ ability to manage their own IT equipment, and the complexity of the device configuration you intend to deploy. Configuration profiles work well for a large enterprise, for remote employees, or for users that are unable to set up their own devices.

If you want users to activate their device themselves or if they need to install or update enterprise applications, iTunes must be installed on each user’s Mac or PC. iTunes is also required for iPhone OS software updates, so keep that in mind if you decide to not distribute iTunes to your users. For information about deploying iTunes, see Chapter 4.

Chapter 1 Deploying iPhone and iPod touch 21

Over-the-Air Enrollment and Configuration

Enrollment is the process of authenticating a device and user so that you can automate the process of distributing certificates. Digital certificates provide many benefits to users. They can be used to authenticate access to key enterprise services, such as Microsoft Exchange ActiveSync, WPA2 Enterprise wireless networks, and corporate VPN connections. Certificate-based authentication also permits the use of VPN On Demand for seamless access to corporate networks.

In addition to using the over-the-air enrollment capabilities to issue certificates for your company’s public key infrastructure (PKI), you can also deploy device configuration profiles. This ensures that only trusted users are accessing corporate services and that their devices are configured according to your IT policies. And because configuration profiles can be both encrypted and locked, the settings cannot be removed, altered, or shared with others. These capabilities are available to you in the over-the-air process described below, and also by using iPhone Configuration Utility to configure devices while they’re attached to your administrative computer. See Chapter 2 to learn about using iPhone Configuration Utility.

Implementing over-the-air enrollment and configuration requires development and integration of authentication, directory, and certificate services. The process can be deployed using standard web services, and once it’s in place, it permits your users to set up their devices in a secure, authenticated fashion.

Overview of the Authenticated Enrollment and Configuration Process

To implement this process, you need to create your own profile distribution service that accepts HTTP connections, authenticates users, creates mobileconfig profiles, and manages the overall process described in this section.

You also need a CA (certificate authority) to issue the device credentials using Simple Certificate Enrollment Protocol (SCEP). For links to PKI, SCEP, and related topics see “Other Resources” on page 27.

The following diagram shows the enrollment and configuration process that iPhone supports.

22 Chapter 1 Deploying iPhone and iPod touch

Phase 1 - Begin Enrollment

Profile service

Device information

request

sample

Attributes required: UDID,

OS version, IMEI

Challenge token: AnneJohnson1

URL for response:

https://profiles.example.com

Enrollment request

sample

User: Anne Johnson

Phase 1 – Begin Enrollment: Enrollment begins with the user using Safari to access the URL of the profile distribution service you’ve created. You can distribute this URL via SMS or email. The enrollment request, represented as step 1 in the diagram, should authenticate the user’s identify. Authentication can be as simple as basic auth, or you can tie into your existing directory services.

In step 2, your service sends a configuration profile (.mobileconfig) in response. This response specifies a list of attributes that the device must provide in the next reply and a pre-shared key (challenge) that can carry the identity of the user forward during this process so you can customize the configuration process for each user. The device attributes that the service can request are iPhone OS version, device ID (MAC Address), product type (iPhone 3GS returns iPhone2,1), phone ID (IMEI), and SIM information (ICCID).

For a sample configuration profile for this phase, see “Sample Phase 1 Server Response” on page 84.

Chapter 1 Deploying iPhone and iPod touch 23

Phase 2 - Device Authentication

Profile service

Signed response via POST

sample

Attributes: UDID,

OS Version, IMEI

Challenge token:

AnneJohnson1

Phase 2 – Device Authentication: After the user accepts the installation of the profile received in phase 1, the device looks up the requested attributes, adds the challenge response (if provided), signs the response using the device’s built-in identity (Apple-issued certificate), and sends it back to the profile distribution service using HTTP Post.

For a sample configuration profile for this phase, see “Sample Phase 2 Device Response” on page 85.

24 Chapter 1 Deploying iPhone and iPod touch

Phase 3 - Device Certificate Installation

Certificate

issuing service

Device certificate

sample

RSA: 1024

Challenge: AnneJohnson1

URL:http://ca.example.com/

getkey.exe

Profile service

Challenge

Key generation specs

URL for response

Challenge

Certificate Signing Request

Public key

Phase 3 – Certificate Installation: In step 1, the profile distribution service responds with specifications that the device uses to generate a key (RSA 1024) and where to return it for certification using SCEP (Simple Certificate Enrollment Protocol).

In step 2, the SCEP request must be handled in automatic mode, using the challenge from the SCEP packet to authenticate the request.

In step 3, the CA responds with an encryption certificate for the device.

For a sample configuration profile for this phase, see “Sample Phase 3 Server Response With SCEP Specifications” on page 85.

Chapter 1 Deploying iPhone and iPod touch 25

Phase 4 - Device Configuration

Profile service

A .mobileconfig file

encrypted for device

and signed by profile service

Device attributes

signed with

device certificate

sample

UDID, OS version,

IMEI, MAC address

Exchange policies, VPN

settings, additional

SCEP payloads,

mail accounts, etc.

Phase 4 – Device Configuration: In step 1, the device replies with the list of attributes, signed using the encryption certificate provided by the CA in the previous phase.

In step 2, the profile service responds with an encrypted .mobileconfig file that’s automatically installed. The profile service should sign the .mobileconfig file. Its SSL certificate can be used for this purpose, for example.

In addition to general settings, this configuration profile should also define enterprise policies that you want to enforce and it should be a locked profile so the user cannot remove it from the device. The configuration profile can contain additional requests for enrollment of identities using SCEP, which are executed as the profile is installed.

Similarly, when a certificate installed using SCEP expires or is otherwise invalidated, the device asks the user to update the profile. When the user authorizes the request, the device repeats the above process to obtain a new certificate and profile.

For a sample configuration profile for this phase, see “Sample Phase 4 Device Response” on page 87.

26 Chapter 1 Deploying iPhone and iPod touch

Other Resources

Â Digital Certificates PKI for IPSec VPNs at https://cisco.hosted.jivesoftware.com/docs/

DOC-3592

Â Public key infrastructure at http://en.wikipedia.org/wiki/Public_key_infrastructure

Â IETF SCEP protocol specification at http://www.ietf.org/internet-drafts/draft-nourse-

scep-18.txt

Additional information and resources for iPhone, iPod touch and iPad in the enterprise are available at www.apple.com/iphone/enterprise/ and www.apple.com/ipad/ business/.

Chapter 1 Deploying iPhone and iPod touch 27

+ 63 hidden pages