Apple, Opensource

Simple OTA Configuration Profile Installation

Simple OTA Configuration Profile Installation

Deploying iPhones is always a challenge as it is a very user empowering product that changes how an organization looks at things. In some cases, organizations might want over-arching control of the use of the iOS devices and they choose to go with iPhone MDM solutions such as Afaria, Mobile Iron and similar products.

For most parts, however, SMEs or schools might find that while it would be nice to deploy iPhones, they would not want so much as to control these devices, but more to configure them.

As such, MDM solutions might be an overkill either in terms of price, or in terms of technical complexity. We all know that iPCU is a tool that allows administrators to deploy configurations over USB, e-Mail or hosting it on a Web server. However, this does not provide any hint to how to host this in an authenticated Web Server.

After reading the post at the EXPTA Blog, I realized that there are people out there that has no idea how to do this. In this post, i will highlight how to get a simple version of OTA profile installation for an iOS device done really easily, especially if you have an OSX Server. I will not go into the setup one step at a time, but i will highlight the key components to setup for this to work.

First of all, a few prerequistes.

  • OSX Server
  • iPCU
  • A little of your time

Here are the mail steps to setting this up.

OSX Server

The OSX Server should be setup such that it is either a stand alone Directory, or connected to another Directory system such as an AD. It should also have a DNS entry that points to this server in a memorable manner, such as ipcu.something.com

The OSX server should then have its web server setup and a new site located with ipcu.something.com. A new web root location should be defined such that CGI executions are allowed (e.g. /data/ipcu). A REALM should then be configured for the the the webroot as a FOLDER and its authentication method set to BASIC. This will control the access rights to this folder based on some authenticated user.

Configure the Users and Groups that are allowed access into this realm by selecting the correct GROUPs of people allowed to login to this REALM. While it is definitely also possible to configure individual USERs to this list, manipulating groups of users would surely be easier.

Upon starting your web service, it should then be possible to navigate to ipcu.something.com and be prompted for a username and password before being able to access the site.

Index script to get the authenticated user name

We now create a index script, which i did in PERL, to obtain the authenticated user name and to send it the configuration profile when logged in.

This is done by ensuring that the Default Index Files for the site includes a index.pl file and that under SETTINGS, the pl extension is allowed as a Content Handler. Create the index.pl file with the contents of the following and ensure that it as execution rights (755):-

#!/usr/bin/perl

#####
# mobileconfig setup
#####

$config = "../profiles/".$ENV{REMOTE_USER}.".mobileconfig";

if (-e $config) {
  unless(open(CONFIG, $config)) {
    print "Content-Type: text/html\n\n";
    print "Config file cannot be opened\n";
    exit;
  }
  print "Content-Type: application/x-apple-aspen-config\n\n";
  while ($data=<CONFIG>) {
    print $data;
  }
  close(CONFIG);
  exit;
} else {
  print "Content-Type: text/html\n\n";
  print "Config file cannot be found\n";
  exit;
}

Put this file in the /data/ipcu folder.
Create another folder called /data/profiles. This would be the folder that stores the individual configuration profiles of the users.

iPCU Configuration

We can now go to the iPCU tool that you have downloaded from Apple, and configure the default configurations required for the individual users. For example, if your authentication username is called john, you should have a file called john.mobileconfig stored inside /data/profiles.

Authenticating as john to ipcu.something.com should then automatically push the user the file john.mobileconfig.

Explanation of the PERL script index.pl

This script is really simple as its sole purpose in life is to take the authenticated user name, and match that to the same [username].mobileconfig file. This could also be modified easily with some scripting to also flag the fact that the mobileconfig file has been sent to the user in a SQL database. Of course, i didn’t show that here.

We specifically put the profiles in a non-webroot location so as to prevent inquisitive users coming in from the web from getting to the profiles via a URL.

Conclusion

The above provides a very simple way of allowing authenticated users to get to some configuration profile for the iOS device. It could also, be made more complex by coupling users to a MySQL database and then flagging for different profiles to be installed during different procedures. For example, the first procedure could install the required certificates and security profiles, while the second would install the service configuration profiles. This is all a matter of programming or scripting.

However, do take note that this does not make use of SCEP or any other certificate service and is as simple as it could be. If a more complex or higher security process is required, i  wold still propose you go out there, and just purchase an iPhone MDM solution to make your life easier.