Configuration profiles: An iPad administrator's best friend

The influx of iPads and other mobile devices into the enterprise may worry IT administrators, but configuration profiles allow for centralized management of iOS devices.

If you want to use iPads in your enterprise but are worried about keeping them under control, iPad Configuration Profiles are about to become your new best friend.

Applying configuration profiles to your iOS devices delivers a level of safety, control and comfort that you may not have thought possible. As a management tool, configuration profiles enable administrators to define the items with which iOS devices interact, including infrastructure such as switches, routers and access points. IT pros can also use them to determine which applications can be installed, prompt users for passwords or set the number of failed password entries allowed before the device is wiped. In addition, configuration profiles can affect security credentials.

Configuration profiles are XML files that contain centralized settings, such as passcode guidelines, functionality restrictions and configuration specifications for virtual private networks, Wi-Fi, email and more. These profiles allow for centralized control of enterprise iOS systems. More than one profile at a time is supported on a mobile device.

One of the quickest and easiest ways to create, manage, modify and deploy configuration profiles for iOS devices is by using Apple's free iPhone Configuration Utility. You can download this tool in either Mac OS X or Windows editions, and version 3.4 of the software fully supports iOS 5, as well as older iOS versions.

To create a profile with the iPhone Configuration Utility, begin by selecting Configuration Profiles under the Library heading. Click the New button on the toolbar to begin defining the payloads, or groups of settings, to be configured when the profile is applied to a device.

There are 16 possible payloads that can be configured, but only the payload marked General is required. Select the General payload inside the utility to access its group of settings. These settings include Name, Identifier, Organization, Description and Security. Before you can save the profile, you must provide information for the Name and Identifier fields and select the Security option you want. Organization and Description are optional settings to include in a profile.

Ensure that you enter a meaningful name for your profile. Once a name appears on a device, you'll know what profile has been applied. This is especially useful when multiple configuration profiles have been applied to a single iPad.

Devices use identifiers to determine whether the current configuration profile is being applied for the first time or if it is updating an existing profile. The Identifier setting must be entered in a format that is equivalent to a fully qualified domain name in reverse. For example, the Identifier for "exchange.acme.com" would be entered as "com.acme.exchange".

The final required setting is for profile removal security, with options for Always, With Authorization or Never. Always lets users remove a profile whenever they want. Never prevents the profile from being removed from the device, short of a factory reset. Because of this permanence, be particularly careful with deploying policies that can never be removed.

The With Authorization option allows a profile to be removed once the user enters a special password, which IT defines. This authentication setting is generally recommended at minimum, because it ensures that configuration settings remain centrally controlled.

The Configuration Utility automatically saves a profile as changes are made. As soon as required information is entered, the profile is saved and displayed near the top of the application screen. You can return to the application at any time, select your configuration profile and make later changes.

Applying a profile is a simple task, although admins can deploy profiles in a variety of ways:

  • They can connect the mobile device to the computer running the iPhone Configuration Utility.
  • They can send the policy to a device through email, although this deployment approach requires the device to have its email already configured.
  • IT can also deploy the policy file -- with a .mobileconfig extension -- through an available Web server. Once deployed to a Web server, devices must browse to the URL of the .mobileconfig file and apply the profile when prompted.

In all cases, there is the option to sign and encrypt the configuration profile. When connecting a device via USB and using the iPhone Configuration Utility, this signing and encrypting process is handled automatically. If you're using email or the Web to distribute profiles, you must sign, encrypt or both during the sharing process. Developers or advanced administrators who wish to create XML configuration profiles manually without the tool will require separate certificates and signing tools to complete this step.
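For hand-written profiles, a check like the following can be run on the unsigned, unencrypted XML before it is signed and distributed. It is an added example, not code from the article or from Apple: it reads the General settings described above using Apple's profile key names (PayloadDisplayName, PayloadIdentifier, PayloadRemovalDisallowed and the com.apple.profileRemovalPassword payload), and the sample profile, its UUIDs and its password are constructed placeholders.

```python
import plistlib
import re

# Reverse-DNS form, e.g. com.acme.exchange: two or more dot-separated labels.
REVERSE_DNS = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def removal_policy(profile: dict) -> str:
    """Map profile keys to the utility's Security options."""
    if profile.get("PayloadRemovalDisallowed", False):
        return "Never"
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.profileRemovalPassword":
            return "With Authorization"
    return "Always"

def audit_profile(raw: bytes) -> list:
    """Return findings for an unsigned .mobileconfig (XML property list)."""
    if not raw.lstrip().startswith(b"<?xml"):
        return ["not plain XML (signed?): audit the unsigned source instead"]
    profile = plistlib.loads(raw)
    findings = []
    if not profile.get("PayloadDisplayName"):
        findings.append("missing Name (PayloadDisplayName)")
    identifier = profile.get("PayloadIdentifier", "")
    if not REVERSE_DNS.match(identifier):
        findings.append(f"Identifier {identifier!r} is not reverse-DNS")
    policy = removal_policy(profile)
    if policy == "Always":
        findings.append("removal policy is Always: users can remove the profile")
    elif policy == "Never":
        findings.append("removal policy is Never: only a factory reset removes it")
    return findings

# Constructed sample: the article's example identifier with a removal password.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
    "PayloadDisplayName": "Acme Exchange",
    "PayloadIdentifier": "com.acme.exchange",
    "PayloadContent": [{
        "PayloadType": "com.apple.profileRemovalPassword",
        "PayloadVersion": 1,
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # placeholder
        "PayloadIdentifier": "com.acme.exchange.removal",
        "RemovalPassword": "example-only",  # constructed value
    }],
})

if __name__ == "__main__":
    print(audit_profile(SAMPLE) or "no findings")
```

The pattern checks only the shape of the Identifier; it cannot tell "com.acme.exchange" from a forward-order name, so the direction still needs a human look.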

Whether you deploy company-owned iOS devices or are responsible for keeping employee-owned mobile devices under control, iPad Configuration Profiles provide an easy and surprisingly manageable method for maintaining their configuration.

About the author:
Greg Shields, MCSE, is an independent author and consultant based in Denver with many years of IT architecture and enterprise administration experience. He is an IT trainer and speaker on such IT topics as Microsoft administration, systems management and monitoring, and virtualization. His recent book Windows Server 2008: What's New/What's Changed is available from Sapien Press.