How to Securely Deploy iPhones with Exchange ActiveSync - Phase 4 - Creating the iPhone Configuration Profile

Tuesday, March 2, 2010
This is the fifth post in my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise. To read an overview of the solution click here. In this phase, we will create iPhone Configuration Profiles using Apple's iPhone Configuration Utility.  I will also show you how to embed the user certificate and private key into the profile and how to marry the profile to a specific iPhone. 

Let's get started.

First, you will need to download and install the Apple iPhone Configuration Utility (iCU).  The latest version as of this writing is version and is the one I will use here.  The iCU only installs on Windows XP SP3 or Windows Vista SP1 or greater.  It will not install on Windows Server.  It also requires NET 3.5 SP1.

Note: The iCU is not an enterprise class software program.  All the configurations, hardware profiles and configuration profiles are stored locally on the workstation in %USERPROFILE%\Local Settings\Application Data\Apple Computer\MobileDevice folder.  For this reason, I recommend using a single workstation for iPhone management and to backup this folder and child folders to a network location periodically.

Begin the configuration process by logging into the workstation with the credentials used to request and install the user certificate created in Phase 1.  This user has the ActiveSyncUser user certificate stored in his/her personal certificate store.  It will be needed later in this process.

Before the iPhone can be configured it must be activated on the AT&T network.  This is performed using iTunes.  Simply launch iTunes, connect the new iPhone to the computer using the USB cable, and follow the iTunes Setup Assistant.  Once the iPhone is activated you can close iTunes.

Now launch the iPhone Configuration Utility.  The iPhone will automatically be added to the Devices Library in the iCU, as shown below:

In the Devices library, click the iPhone and enter the user's name and email address to identify the device profile.  Note that most iPhones will have the helpful name "iPhone", so the Contact info you enter here will help you out later.

Now click the Configuration Profiles library and click the New icon to create a new base configuration profile.  The base configuration profile can be used for configuration settings that cannot be made using the Exchange ActiveSync Policy, such as iPhone Restrictions or VPN settings.  Apple calls these configurations "payloads".

To create a new base configuration, select the General (Mandatory) setting and enter a Name, Identifier, Organization, and Description, as shown. 

Choose whether the base configuration profile can be removed.  Choices are Always, With Authentication (using a password), or Never.  For base configurations, I recommend With Authentication to prevent end-users from easily removing company restrictions.  You must then supply the Authorization password.  Notice there is no "Save" button anywhere.  Whatever you configure is written immediately to the configuration profile(s).

You can now configure your base configuration settings and restrictions, as shown.  Refer to the iCU help for configuration settings.  If you want to delete a payload from a profile, click the minus sign in the top right corner of the configuration item.

I recommend using Exchange 2007 / 2010 ActiveSync over-the-air policies for any configuration that can be configured using them (for example, device locking duration and passcode complexity).  This will give you the greatest amount of flexibility and will allow you to make changes on the fly.

Now deploy the iPhone Base Profile to the iPhone by clicking the iPhone name under DEVICES on the left pane.  Select the iPhone Base Profile and click Install.

The iPhone will prompt you to install the iPhone Base Profile, as shown below.  Tap Install and the Install Now.  After the profile installs, tap Done.

Back in the iCU, click the Configuration Profiles library.  Click the New icon again to create the ActiveSync Profile.  Configure the General (Mandatory) section as shown:

I recommend setting Security so that the ActiveSync Profile can Always be removed.  This will allow users to remove the EAS profile, which will help later if you ever need to re-deploy the EAS profile.

Now click the Exchange ActiveSync section and configure your ActiveSync settings for the iPhone.  Enter the Account Name, Exchange ActiveSync Host, Domain, User, and Email Address, as shown:

Do not enter the user's password.  The iPhone will prompt the user for any field you leave blank when it installs the profile.  Going forward, the only items you will need to configure for subsequent ActiveSync profiles are the User and Email Address.

Click the + sign under Authentication Credential Name.  The Personal Certificate Store will open for you to add the ActiveSyncUser user certificate to the Exchange ActiveSync profile, as shown:

Enter the password you entered for the certificate's private key in Phase 1.  The certificate and private key will be added to the Exchange ActiveSync configuration.  Check Include Authentication Credential Passphrase to include it in the profile, otherwise the device will prompt the user for the passphrase (not good).

You now have a fully configured iPhone ActiveSync Configuration Profile.  All that's left is to export the ActiveSync Profile so that the user can install it.  You need the user to do this because the profile will prompt for the user's Active Directory password (something I hope you don't know).

Ensure that the ActiveSync Profile is selected and click the Export button.  The Export Configuration Profile window will open.  Select Create and sign encrytped configuration profile for each selected device from the dropdown box and select the correct device, as shown below.  Then click Export.  This will "marry" the ActiveSync configuration profile to the selected device, preventing it from being installed on any other iPhone.  This is how we meet the requirement that "only authorized devices can access Activesync".

Now I need to jump forward a bit.  In the next phase, I will explain how to create the deployment website.  For now, let's assume that the website already exists and that the UNC path to the share for that website is \\EXCAS1\eas.  Save the configuration profile to that share, naming the profile with the AD user's logon name (for example, jqsmith.mobileconfig).

Congratulations!  You have now created a unique ActiveSync configuration profile with the embedded ActiveSyncUser user certificate, and encrypted and married the profile to a specific iPhone.

This concludes Phase 4 of my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise.  The next phase will cover how to create the website for end-user iPhone profile deployment.

Other articles in this series: