One of biggest stories behind the release of the iPhone 3G -- and the iPhone 2.0 firmware update for first-generation iPhones -- was the inclusion of features designed for use in business environments. While many analysts and enterprise users have argued in recent weeks about whether the iPhone can replace Research In Motion's BlackBerry as the prevailing smart phone for business, little has been said about the tools and processes that Apple offers systems administrators to actually deploy and manage iPhones at work.
In this three-part series, I'll look at three areas that make up the IT side of enterprise iPhone deployment: the activation, configuration and deployment process; how the iPhone is managed in an Exchange environment (including tips for some early adopters); and the options for developing and deploying in-house iPhone applications.
Here I offer advice on how best to activate, configure and deploy the iPhone. Parts 2 and 3 will be posted during the next month.
Activation and iTunes
One of the first steps in deploying the iPhone in any environment is the activation process. This involves both the purchase and business account setup, which is done in concert with AT&T in the U.S. or with other carriers in other countries where the iPhone is sold. Working with a carrier directly makes sense for developing necessary business plans, and it's required for any business iPhone activation, whether you're from a mom-and-pop operation or a big company.
As with any GSM smart phone, activation requires associating a SIM card with a business account and a specific phone number. This is handled by the carrier, which may provide already-active SIM cards (much like the in-store activation for consumers), or you may need to activate the iPhone after inserting the SIM card and before deployment.
The specific route you take will depend on both the carrier and whether you're re-using existing SIM cards. In general, assume that you will need iTunes to activate the iPhone, particularly if you're buying more than a handful.
Note: With the iPod Touch 2.0 update, the iPod Touch can offer several of the iPhone's enterprise features, although it cannot make or receive calls and needs Wi-Fi access for any data service. The iPod Touch is also activated with iTunes.
Although iTunes should be considered an activation requirement, it's not required for enterprise functionality. Once activated, an iPhone can be configured and used without iTunes, allowing users access to many of the iPhone's data features such as Web browsing, e-mail and other Exchange features -- including calendars and the Global Address List -- and applications. They can also send and receive calls. Without iTunes, users will not, however, be able to sync music, video, photos or Web browser bookmarks.
That means you have two major options when it comes to activating and deploying iPhones: You can manage the activation within your IT department, where all iPhones are activated with a limited number of computers using iTunes and then distributed to users, or you can give users access to iTunes and allow them to activate and sync their phones on their own (or activate them with the guidance of an IT staff member).
Each choice has merit and each has potential problems. Allowing employee access to iPhones via iTunes is a questionable move in a business environment. Even if users only plan to build and sync media libraries to a company-provided iPhone, iTunes could still be used to update or restore the phone without IT supervision or test newly released updates.
On the other hand, iTunes backs up the contents of an iPhone, including all of its settings, during each sync. That can provide a safety net for users in case of problems or if the phone is lost or stolen. And it provides a convenient sync of mail accounts, calendars and contacts in a non-Exchange environment, and Web browser bookmarks in any environment.
Note: In predominantly Mac environments, Apple's managed preferences architecture makes it possible to some restrict individual iTunes features. Similar options for doing this in Windows environments are available by editing the appropriate Registry keys. If your organization opts for user activation and syncing, these offer better options than wide-scale access to all of iTunes. But there is still no way to limit iTunes solely to sync functionality for the iPhone.
For many enterprises, the ideal option is likely to be centralized iPhone activation, particularly in an Exchange environment where user e-mail and calendar data is synced directly to the Exchange server rather than requiring sync with a workstation.
This allows more control over data on the iPhone, avoids the need to install iTunes on workstations and positions IT as the contact for any iPhone-related issues. It also helps a company stop users from associating their phones with an Apple ID and iTunes Store account, making it harder for them to make purchases through the App Store for iPhone or the iTunes Wi-Fi Store.
Apple provides some automated configuration of iPhones for the workplace through the use of configuration files, or profiles, that can be used to establish a number of typical configuration options. These could include requiring a passcode to access the phone, configuration of Exchange or IMAP/POP e-mail accounts, VPN configuration (for PPTP, L2TP and IPSec/Cisco VPNs), some configuration for access to Wi-Fi networks and the installation of certificates on the phone.
How the iPhone connects to a carrier's network using Access Point Name settings is also supported, although these settings should ideally be coordinated with your carrier if they're needed.
IPhone profiles are XML property list files that can be generated with either a Mac OS X application -- the iPhone Configuration Utility -- or a Web-based tool that can be installed on either a Mac or a Windows PC (examples of both are shown below).
While either tool can generate configuration files, the application interface also allows you to build a library of iPhones within your network -- complete with installed application and user information. And the Console viewer offers easy access to log files on the iPhone when it is connected to a computer, which is useful for troubleshooting problems and testing in-house applications. The application environment also allows for management and deployment of in-house applications.
There are two overall disappointments to Apple's implementation of configuration files for enterprise environments. First, the files are not pushed out over the air and automatically applied to iPhone clients. They must be sent to a client by e-mail or hosted on a Web server and loaded using the mobile Safari browser on the iPhone. This makes distribution a bit more cumbersome, both for the initial deployment and for later updates.
Second, users must choose to install profiles or updates (as shown below). You cannot enforce an updated profile. When an updated profile is received via e-mail or accessed via a Web server, users can choose whether to install the profile. Users can also delete profiles using the iPhone's Settings application, meaning there's no guarantee that profiles will be kept up to date -- or used at all.
Note: If you are hosting configuration files on a Web server other than Mac OS X Server 10.5.3 or higher, you will need to add support for the.mobileconfig extension MIME type of application/x-apple-aspen-config.
Similarly, with the exception of a passcode requirement, profiles don't do much to restrict iPhone features. There is, for example, no way to limit the installed applications users can access, and no way to restrict them to Wi-Fi networks specified in a profile (such as ones that are known to be secure). Profiles exist only to simplify the iPhone setup and enforce policies.
At least profiles can be digitally signed, thus ensuring that a user who gets a new or updated profile gets one that's legitimately issued by a company's IT staff. Profiles can be signed using certificates issued by a public certificate authority (such as VeriSign) or with a self-signed certificate, provided that you deploy a copy of the certificate to iPhones (which can be done using a profile).
Another note: Passcode policies can be enforced over the air using Exchange ActiveSync, which I'll cover in part 2 of this series. When both profiles and Exchange policies define passcode requirements, the strictest combination of the two is enforced by the iPhone.
One particularly useful feature is that a single iPhone can maintain multiple profiles. This allows you to configure and deploy different profiles for different functions. All iPhones will likely need the same series of certificates installed, for example, and that can be done with one profile. Only a specific group of users, however, may need VPN access configured, which can be done as a separate profile. This also allows you a bit more ease and flexibility in updating configurations, since you don't need to make changes to every existing profile and option.
When using OS X's iPhone Configuration Utility, a list of available profiles (as well as their creation date) can be viewed and edited by selecting Configuration Profiles in the sidebar. The sidebar also has options for Provisioning Profiles and Applications -- both of which are used to deploy in-house applications and will be discussed in part 3 of this series -- and a Devices list of all iPhones that have been connected to the computer.
The Web-based configuration tool allows you to create profiles and export or e-mail profiles to users. It also lets you import and modify existing profiles. It does not, however, allow you to work with in-house applications or maintain a library of iPhones that have been connected to a computer.
By default, once the Web-based tool is installed, it can be accessed via the IP address of the computer on which it's running using port 3000 (for example, http://127.0.0.1:3000). A default username of "admin" with a password of "admin" allows access. Both the port and the username/password combination can be changed if needed. Apple's documentation (download PDF) explains how to do this in either Mac OS X or Windows.
The eight tabs available for creating a profile using either tool -- along with their options -- are the following.
General: This provides overall information about the profile, the ability to digitally sign it, the options to export it for storage or hosting on a Web server, the options for importing an existing profile for editing and the information on how to e-mail the profile directly to users. Specific options include:
- Name: The profile name displayed to users (required).
- Identifier: A unique alphanumeric string used to identify the profile for updates later provided to iPhones where the profile is already installed. The format is similar to that used for applications and Dashboard widgets in the form of com.example.profile (required).
- Organization: The organization for which the profile is being created.
- Description: A short description for users.
- Signature: A dialog used to select a certificate and private key used to digitally sign the profile.
- Delivery: Buttons for importing, exporting and e-mailing profiles.
Passcode: This, as the name implies, defines passcode policies for an iPhone. Options include:
- Require passcode on device: Prompts users to create a passcode to unlock the iPhone.
- Allow simple value: Permits basic repeated characters as a passcode.
- Require alphanumeric value: Requires passcode to include numbers and letters.
- Minimum passcode length.
- Minimum number of complex characters: Required number of nonalphanumeric characters.
- Maximum passcode age: Number of days after which a user must change the passcode.
- Passcode lock: Number of minutes (one to five) of inactivity after which the iPhone locks automatically.
- Maximum number of failed attempts: The number of failed attempts permitted when entering the passcode after which the iPhone will need to be authorized with iTunes to be used again. Note: For more than six attempts, a time delay before each following attempt will be imposed and increased with each failed attempt.
Wi-Fi: Allows you to define one or more Wi-Fi network configurations for the iPhone. Options include network SSID, whether the network is hidden and the security type for the network, including support for any security (or none), WEP and WPA/WPA2. Distinctions are made between personal and enterprise security types, with enterprise allowing configuration of authentication technologies, specification of usernames and use of certificates. Supported authentication protocols include TLS, LEAP, TTLS, PEAP and LEAP-FAST.
Note: The passwords for Wi-Fi networks cannot be included in profiles.
VPN: For establishing VPN configurations, the iPhone supports L2TP, PPTP and IPSec (Cisco) VPN protocols. The options for the protocols available in the profile configuration mirror those in most VPN clients.
For L2TP and PPTP, the iPhone supports authentication using both passwords and RSA SecurIDs, as well as the option to designate whether all traffic should be routed through the VPN connection or only traffic intended for destinations within the remote network. Apple's documentation explains more options for additional VPN support.