Summary of the content on the page No. 1
iPhone and iPod touch
Enterprise Deployment
Guide
Summary of the content on the page No. 2
Apple Inc. © 2008 Apple Inc. All rights reserved. This manual may not be copied, in whole or in part, without the written consent of Apple. The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Every effort has been made to ensure that
Summary of the content on the page No. 3
Contents

Preface
5 iPhone in the Enterprise
5 System Requirements
6 Microsoft Exchange ActiveSync
8 VPN
8 Network Security
9 Certificates
9 Email accounts
9 Additional Resources

Chapter 1
10 Deploying iPhone and iPod touch
10 Activating Devices
11 Preparing Access to Network Services and Enterprise Data
14 Determining Device Passcode Policies
15 Configuring Devices
15 Other Resources

Chapter 2
16 Creating and Deploying Configuration Profi
Summary of the content on the page No. 4
39 Setting iTunes Restrictions

Chapter 5
42 Deploying iPhone Applications
42 Register for Application Development
43 Signing Applications
43 Creating the Distribution Provisioning Profile
43 Installing Provisioning Profiles using iTunes
44 Installing Provisioning Profiles using iPhone Configuration Utility for Mac OS X
44 Installing Applications using iTunes
45 Installing Applications using iPhone Configuration Utility for Mac OS X
45 Using Ente
Summary of the content on the page No. 5
iPhone in the Enterprise

Learn how to integrate iPhone and iPod touch with your enterprise systems. This guide is for system administrators. It provides information about deploying and supporting iPhone and iPod touch in enterprise environments.

System Requirements

Read this section for an overview of the system requirements and the various components available for integrating iPhone and iPod touch with your enterprise systems.

iPhone and iPod touch

iPhone and iPod touch
Summary of the content on the page No. 6
Windows computers
• Windows XP Service Pack 2 or Windows Vista
• 500 MHz Pentium processor or faster
• 256 MB of RAM
• QuickTime 7.1.6 or later

Some features of iTunes, such as use of the iTunes Store, have additional requirements. See the documentation included with the iTunes installer for more information.

iPhone Configuration Utility

iPhone Configuration Utility lets you create configuration profiles for your devices. The Mac OS X version of the utility also lets
Summary of the content on the page No. 7
Remote Wipe

You can remotely wipe the contents of an iPhone or iPod touch. Doing so quickly removes all data and configuration information from the device, then the device is securely erased and restored to original, factory settings. It can take approximately one hour for each 8 GB of device capacity for the process to finish. With Exchange Server 2007, you can initiate a remote wipe using the Exchange Management Console, Outlook Web Access, or the Exchange ActiveSync Mobi
Summary of the content on the page No. 8
Exchange ActiveSync Features Not Supported

Not all Exchange features are supported, including, for example:
• Folder management
• Opening links in email to documents stored on Sharepoint servers
• Task synchronization
• Setting an “out of office” autoreply message
• Creating meeting invitations
• Flagging messages for follow-up

VPN

iPhone and iPod touch work with VPN servers that support the following protocols and authentication methods:
• L2TP/IPSec with user authentica
Summary of the content on the page No. 9
Certificates

iPhone and iPod touch can use certificates in the following raw formats:
• PKCS1 (.cer, .crt, .der)
• PKCS12 (.p12, .pfx)

Email accounts

iPhone and iPod touch support industry-standard IMAP4- and POP3-enabled mail solutions on a range of server platforms including Windows, UNIX, Linux, and Mac OS X.

Additional Resources

In addition to this guide, the following publications and websites provide information about iPhone and iPod touch:
• iPhone User Guide, available for download
Summary of the content on the page No. 10
1 Deploying iPhone and iPod touch

This chapter provides an overview of how to deploy iPhone and iPod touch in your enterprise. iPhone and iPod touch are designed to easily integrate with your enterprise systems including Microsoft Exchange 2003 and 2007, 802.1X-based secure wireless networks, and Cisco IPSec virtual private networks. As with any enterprise solution, good planning and an understanding of your deployment options make deployment easier and more efficient for you and your use
Summary of the content on the page No. 11
Although there is no cellular service or SIM card for iPod touch, it must also be connected to a computer with iTunes for unlocking. Because iTunes is required to complete the activation process for both iPhone and iPod touch, you must decide whether you want to install iTunes on each user’s Mac or PC, or whether you’ll complete activation for each device with your own iTunes installation. After activation, iTunes isn’t required to use the device with your enterprise systems, but it is n
Summary of the content on the page No. 12
Network Configuration
• Make sure port 443 is open on the firewall. If your company uses Outlook Web Access, port 443 is most likely already open.
• Verify that a server certificate is installed on the Exchange frontend server and enable Require Basic SSL for the Exchange ActiveSync virtual directory.
• On the Microsoft Internet Security and Acceleration (ISA) Server, verify that a server certificate is installed and update the public DNS to properly resolve incoming connections.
• Make su
Summary of the content on the page No. 13
WPA/WPA2 Enterprise Network Configuration
• Verify network appliances for compatibility and select an authentication type (EAP type) supported by iPhone and iPod touch. Make sure that 802.1X is enabled on the authentication server, and if necessary, install a server certificate and assign network access permissions to users and groups.
• Configure wireless access points for 802.1X authentication and enter the corresponding RADIUS server information.
• Test your 802.1X deployment with a Mac
Summary of the content on the page No. 14
IMAP Email

If you don’t use Microsoft Exchange, you can still implement a secure, standards-based email solution using any email server that supports IMAP and is configured to require user authentication and SSL. These servers can be located within a DMZ subnetwork, behind a corporate firewall, or both. With SSL, iPhone and iPod touch support 128-bit encryption and X.509 root certificates issued by the major certificate authorities. They also support strong authentication methods includin
Summary of the content on the page No. 15
If you don’t use Microsoft Exchange, you can set similar policies on your devices by creating configuration profiles. You distribute the profiles via email or a web site that is accessible using the device. If you want to change a policy, you must post or send an updated profile to users for them to install. For information about the device passcode policies, see “Passcode Settings” on page 22.

Configuring Devices

Next, you need to decide how you’ll configure each iPhone and iPod touch. In
Summary of the content on the page No. 16
2 Creating and Deploying Configuration Profiles

Configuration profiles define how iPhone and iPod touch work with your enterprise systems. Configuration profiles are XML files that, when installed, provide information that iPhone and iPod touch can use to connect to and communicate with your enterprise systems. They contain VPN configuration information, device security policies, Exchange settings, mail settings, and certificates. You distribute configuration profiles by email or using a
Summary of the content on the page No. 17
When you open iPhone Configuration Utility, a window similar to the one shown below appears. The content of the main section of the window changes as you select items in the sidebar. The sidebar displays the Library, which contains the following categories:
• Devices shows a list of iPhone and iPod touch devices that have been connected to your computer.
• Provisioning Profiles lists profiles that permit the use of the device for iPhone OS development, as authorized by Apple Developer C
Summary of the content on the page No. 18
iPhone Configuration Utility for the Web

The web-based version of iPhone Configuration Utility lets you create configuration profiles for your devices. Follow the instructions below for the platform you’re using.

Installing on Mac OS X

To install the utility on Mac OS X v10.5 Leopard, open the iPhone Web Config Installer and follow the onscreen instructions. When the installer finishes, the utility is ready for use. See “Accessing iPhone Configuration Utility for Web” on page 18.

Installing
Summary of the content on the page No. 19
A screen similar to the one shown here will appear. For information about using the utility, see “Creating Configuration Profiles,” below.

Changing the User name and Password for iPhone Configuration Utility Web

To change the user name and password for accessing the utility, edit the following file:
• installpath/Apple/iPhone Configuration Web Utility/config/authentication.rb

The default installation location is:
• Mac OS X: /usr/local/iPhoneConfigService/
• Windows: \Program Files\Apple\iPh
Summary of the content on the page No. 20
To restart the utility on Windows
1 Go to Control Panel > Administrative Tools > Services.
2 Select Apple iPhone Configuration Web Utility.
3 Select Restart from the Action menu.

To restart the utility on Mac OS X
1 Open Terminal.
2 Enter sudo -s and authenticate with an administrator password.
3 Enter launchctl unload /System/Library/LaunchDaemons/com.apple.iPhoneConfigService.plist
4 Enter launchctl load /System/Library/LaunchDaemons/com.apple.iPhoneConfigService.plist

Creating Configura