
Instant Apple Configurator How-to


Overview of this book

Apple Configurator is an incredible piece of software which grants full control in mobile device management on a larger scale. The popularity of people bringing their own devices to work has grown tremendously. However, valuable professional and personal information is at risk through loss, theft, or hacking. Instant Apple Configurator How-to is a hands-on guide that eliminates the worries associated with the deployment and security of iOS devices. This book provides practical, quick-win solutions to combat these issues, with clear, concise, and informative examples that show how to secure, remotely wipe, and encrypt devices. The book further explores how to personalize iOS devices for configuration and deployment. With Instant Apple Configurator How-to, you will learn to build profiles with customised control settings, with examples of how to capture device information and use console logs for added protection. You will become skilled at tracking and installing provisioning profiles for greater security. We will also explore developing workflows for successful deployment, installing software and applications whilst managing files on iOS devices, and how to deploy enrolment profiles for mobile device management solutions en masse. If you are looking for a complete guide that provides simple solutions to complex problems, look no further.

Exploring all profiles (Should know)


In the previous recipe, we defined a wireless network that devices automatically join once the profile is installed. In this task, we're going to look at all of the other features available to Apple Configurator administrators. These include:

  • Configuring policies

  • Passcode restrictions

  • Microsoft Exchange connectivity, and more

Each option you enable is an additional payload installed by the profile, and it appears in the profile's description when end users view the profile on their devices. Where an MDM server is available, these payloads should usually be delivered by MDM rather than by Apple Configurator.

Most environments, however, do not have an MDM solution in place. In this task you will therefore go through each available payload to learn what centralized profile management makes possible.

Getting ready

Because we created a payload in the previous task, we're going to build on the work that was already performed. Therefore, you should have a payload for Wi-Fi already created prior to starting this task.

How to do it...

  1. Open the previously created payload (or create a new one and fill in the general information).

  2. For each payload that you are going to configure, click on the payload title in the Apple Configurator sidebar.

  3. Click on the Configure button.

    We'll start with the Passcode payload, which defines the type of PIN code that must be used on devices.

  4. Click on the Passcode payload in the Apple Configurator sidebar.

  5. Click on Configure to see the options available in the Passcode payload. These options along with their descriptions can be seen in the following screenshot:

  6. Next, click on Restrictions. The Restrictions payload is used to disable features of iOS. The controls are set in three different sections, as follows:

    • Functionality: The Functionality section includes the following options:

      • Allow use of camera: Uncheck this option to disable both the front facing camera and rear facing camera on the device. Photos can still be used but the cameras no longer operate.

      • Allow FaceTime: Uncheck this option to disable the FaceTime application.

      • Allow screen capture: Uncheck this option to disable the ability to make screenshots (press and hold menu, then Sleep/Wake if you haven't done this before).

      • Allow Photo Stream (disallowing can cause data loss): Uncheck this option to disable the Photo Stream feature from iCloud. If you don't have an iCloud account, there's no need to do so.

      • Allow voice dialing: Uncheck this option to disable the voice dial feature.

      • Allow Siri: Uncheck this option to disable voice activated commands using Siri.

      • Allow Siri while device is locked: Uncheck this option to keep Siri available but block it while the device is locked (this option is set automatically when Siri is disabled).

      • Allow installing apps: Uncheck this option to disable the ability to install apps (note, if you disable this option, then you as the administrator cannot install apps either).

      • Allow In-App Purchase: Uncheck this option to disable the ability for any app to perform an in-app purchase (for example, unlocking those extra levels in Angry Birds).

      • Require iTunes Store password for all purchases: Forces the Apple ID for the iTunes Store account to be entered, along with a password for that account, each time an app is purchased.

      • Allow multiplayer gaming: Uncheck this option to disable any apps that leverage the multiplayer gaming API.

      • Allow adding Game Center friends: Uncheck this option to disable adding friends in Game Center (note, this does not disable Game Center itself).

      • Allow iCloud document sync: Disable the ability to synchronize documents with iCloud.

      • Allow iCloud backup: Disable the ability to back data up on devices through iCloud.

      • Allow automatic sync while roaming: Disable synchronization while the device is roaming.

      • Force encrypted backups: Forces backups of devices to be encrypted in iTunes.

      • Allow users to accept untrusted TLS certificates: Uncheck this option to prevent users from accepting untrusted TLS certificates; connections then succeed only to servers whose certificates are trusted.

      • Send diagnostic and usage data to Apple: Disable the ability to send diagnostic data to Apple.

    • Applications: The Applications section includes the following options:

      • Allow use of YouTube: Uncheck this option to disable the YouTube app (which then no longer appears on the device and disables YouTube access from within Safari).

      • Allow use of iTunes Store: Uncheck this option to disable the App Store app (and therefore the ability to install apps).

      • Allow use of Safari: When unchecked, this option disables the Safari app. Third-party web browsers can still be used.

      • Enable autofill: When unchecked, this option disables the ability to use stored data to automatically fill forms on devices.

      • Force fraud warning: When checked, this option forces the fraud warning screen (otherwise it can be disabled).

      • Enable JavaScript: When unchecked, this option disables the ability to use JavaScript.

      • Block pop-ups: When checked, this option disables site pop-ups.

      • Accept Cookies: When unchecked, this option disables the ability for the device to accept cookies from websites.

    • Media Content: The Media Content section includes the following options:

      • Ratings region: Automatically configures the region whose rating system is used.

      • Allow content ratings: This further has the following options:

        • Movies: Disables access to movies based on their ratings.

        • TV Shows: Disables access to television shows based on their ratings.

        • Apps: Restricts access to apps based on their ratings.

      • Allow explicit music & podcasts: Disable the ability to access music or podcasts that contain explicit content.

  7. Next, click on Virtual Private Network (VPN). A VPN allows users on untrusted networks to reach services on the local network as though they were connected to it directly. The VPN payload is used to automatically configure VPN connections, and multiple accounts can be configured. To enable VPN, use the following options:

    • Connection Name: A name for the VPN network.

    • Connection Type: The protocol or vendor of the VPN endpoint. IPSec, L2TP, and PPTP are the most common protocols; vendor-specific connections for Cisco AnyConnect, Juniper SSL, F5 SSL, and SonicWALL Mobile Connect are also available, as is a non-vendor-specific Custom SSL type.

    • Server: The host name or IP address of the server.

    • Account: A valid username with access to the VPN service.

    • User Authentication: Most environments will use a password to connect, although RSA SecurID is supported as well.

    • Shared Secret: A secret shared by all users of the connection and used as a second factor. It is not required for PPTP but is for most other connection types.

    • Send All Traffic: Uses the VPN for all traffic, not just that local to the VPN network. For example, when checked, all web traffic goes through the VPN tunnel, even if not destined for a web server on the VPN. When disabled, it sends traffic destined for public networks over the WAN interface of the local router.

    • Proxy Setup: Defines proxy server connections, either using automatic (through a PAC file) or manual, where each entry for proxy communications is defined separately and manually.

  8. Once you have defined the appropriate VPN information, click on Mail.

    Tip

    Leaving a field blank for these subsequent payloads prompts users to input information. For example, leaving the Account field blank will prompt users for the account name when the profile is installed.

  9. The Mail payload defines accounts to connect to mail services. Here, connections to POP and IMAP servers can be defined. Exchange accounts should be defined in the Exchange ActiveSync payload, which we will cover next. Click on Configure to set up a mail account and then provide the following information about the account(s) being defined:

    • Account Description: A name that helps the user of the device remember which account this is.

    • Account Type: This tells whether the account will be a POP or an IMAP account. POP removes mail from the server whereas IMAP synchronizes mail to the server.

    • User Display Name: The name shown to those who receive e-mail messages from the sender.

    • Email Address: The e-mail address for the account being set up.

    • Do not allow user to move messages from this account: Disables the ability to move mail from one account to another.

    • Use Only in Mail: Only allows outgoing mail to go through the Mail app rather than through a third-party app's connection to the mail API.

    • Enable S/MIME: Enables per-message encryption and decryption. Requires a certificate to be installed as well, done with the Credentials payload.

    • Incoming Mail: The following information is needed while configuring the incoming mail:

      • Mail Server and Port: The server hostname or IP address with a second field for the port number (changes based on the protocol and whether SSL is supported).

      • User Name: The user's account name on the server (can be left blank to prompt the user at the time the account is created).

      • Authentication Type: Most environments use password authentication, although some (as directed by the server administrator) use MD5, NTLM, or HTTP MD5 Digest, all of which are supported by the payload.

      • Password: The user's password on the server (can also be left blank to prompt the user at the time the account is created).

      • Use SSL: Enables SSL certificates for the connection. These certificates need to be installed in the Credentials payload and then appear when the checkbox is checked.

    • Outgoing Mail: The following information is needed while configuring the outgoing mail:

      • Mail Server and Port: The server hostname or IP address with a second field for the port number (changes based on the protocol and whether SSL is supported).

      • User Name: The user's account name on the server (can be left blank to prompt the user at the time the account is created).

      • Authentication Type: Most environments use password authentication, although some (as directed by the server administrator) use MD5, NTLM, or HTTP MD5 Digest, all of which are supported by the payload.

      • Password: The user's password on the server (can also be left blank to prompt the user at the time the account is created).

      • Outgoing password same as incoming: Automatically sets the password for the outgoing (SMTP) account to be the same as the incoming account's password.

      • Use SSL: Enables SSL certificates for the connection. These certificates need to be installed in the Credentials payload and then appear when the checkbox is checked.

  10. Next, click on Exchange ActiveSync to configure the Exchange ActiveSync payload. This payload is specifically designed to connect to servers that run Microsoft Exchange Server 2007 or later or servers that have support for the ActiveSync protocol (such as Google Apps). Click on Configure to set up an account and then provide the following information, as shown in the screenshot:

    • Account Description: A name for the account that is easy for the end user to remember (does not need to match any information on the server).

    • Exchange ActiveSync Host: The name or IP address of the Exchange ActiveSync server (usually a CAS role within the Exchange organization).

    • Use SSL: Enables SSL certificates for the connection. These certificates need to be installed in the Credentials payload and then appear when the checkbox is checked.

    • Domain: The domain name (for example, yourdomainname.com).

    • User: The user's account name on the server (can be left blank to prompt the user at the time the account is created).

    • Email Address: The e-mail address for the Exchange account.

    • Password: The user's password on the server (can also be left blank to prompt the user at the time the account is created).

    • Past Days of Mail to Sync: The history of mail being synchronized to the device.

    • Authentication Credential: Allows a certificate pulled down from a SCEP server (through the SCEP payload) to be used as the account's authentication credential.

    • Do not allow user to move messages from this account: Disables the ability to move mail between e-mail accounts (for example, putting a message in the folder of a different e-mail account).

    • Use Only in Mail: Prevents apps other than the Mail app from sending through this e-mail account's SMTP settings.

    • Enable S/MIME: Enables encrypting outgoing mail through S/MIME. Requires a certificate to be selected as well.

  11. Next, click on the LDAP payload, used for looking up contacts stored in an LDAP server. This is how you would access contacts stored in Open Directory if the LDAP gateway feature is enabled on an OS X server. To configure the LDAP payload, click on Continue and then provide the following information:

    • Account Description: A name for the account that is easy for the end user to remember (does not need to match any information on the server).

    • Account Username: The user's account name on the server (can be left blank to prompt the user at the time the account is created).

    • Account Password: The user's password on the server (can also be left blank to prompt the user at the time the account is created).

    • Account Hostname: The name or IP address of the LDAP server.

    • Use SSL: Enables SSL certificates for the connection. These certificates need to be installed in the Credentials payload and then appear when the checkbox is checked.

    • Search Settings: Allows for the placing of a search base into the configuration (see the LDAP administrator for information regarding whether or not this is necessary).

  12. The Calendar payload configures access to CalDAV servers. If you use Exchange calendaring, this is configured with the Exchange ActiveSync payload instead. If you use a CalDAV server though (as is common with OS X Server environments), click on Configure and then provide the following information:

    • Account Description: A name for the account that is easy for the end user to remember (does not need to match any information on the server).

    • Account Hostname and Port: The name or IP address of the CalDAV server. Also provide a custom port number if the port has been changed from the default setting.

    • Principal URL: The URL on the server for the user's principal (account). This should be filled in automatically for each device based on the username.

    • Account Username: The user's account name on the server (can be left blank to prompt the user at the time the account is created).

    • Account Password: The user's password on the server (can also be left blank to prompt the user at the time the account is created).

    • Use SSL: Enables SSL certificates for the connection. These certificates need to be installed in the Credentials payload and then appear when the checkbox is checked.

  13. The Contacts payload configures a CardDAV client, common in OS X Server hosted groupware environments. To configure the CardDAV client, click on the CardDAV payload and then click on Configure. Once prompted, provide the following information:

    • Account Description: A name for the account that is easy for the end user to remember (does not need to match any information on the server).

    • Account Hostname and Port: The name or IP address of the CardDAV server. Also provide a custom port number if the port has been changed from the default setting.

    • Principal URL: The URL on the server for the user's principal (account). This should be filled in automatically for each device based on the username.

    • Account Username: The user's account name on the server (can be left blank to prompt the user at the time the account is created).

    • Account Password: The user's password on the server (can also be left blank to prompt the user at the time the account is created).

    • Use SSL: Enables SSL certificates for the connection. These certificates need to be installed in the Credentials payload and then appear when the checkbox is checked.

  14. Next, click on the Subscribed Calendars payload. Subscribed Calendars are a means of accessing publicly posted calendars. The Subscribed Calendars payload configures access to these calendars (which are usually ICS files in the iCalendar format). Click on Configure to begin the configuration of the payload. The options to set up Subscribed Calendars are as follows:

    • Description: The name that will appear in the calendar app for each instance of a shared calendar.

    • URL: The address of the ICS file that the instance is subscribing to.

    • Username: The user's account name on the server (can be left blank to prompt the user at the time the account is created).

    • Password: The user's password on the server (can also be left blank to prompt the user at the time the account is created).

    • Use SSL: Enables SSL certificates for the connection. These certificates need to be installed in the Credentials payload and then appear when the checkbox is checked.

    Web clips are links that appear on an iOS device as though they are an app. You can configure multiple payloads of web clips to place multiple links on target devices. This is commonly used to send a link to enrol into an MDM server, put the organization's official site on each device, a link to the course management software in schools, or maybe a link to the company's document repository.

  15. Configure the Web Clips payload by clicking on Web Clips and then on the Configure button. Then provide the following information for each site:

    • Label: The name that appears on the home screen under the badge.

    • URL: The address of the site.

    • Removable: Uncheck this option to prevent users from removing the web clip.

    • Icon: Allows administrators to upload an icon rather than using the one that appears in the address bar of the web browser.

    • Precomposed Icon: iOS rounds corners of app badges and puts a horizon effect on badges. This option automatically configures the app badge for what was uploaded rather than applying these effects.

    • Full Screen: Hides the address bar when the page is opened, having the effect that the website appears as though it were an app in some cases.

  16. The Credentials payload is used to automatically populate the iOS device with a certificate or multiple certificates. To configure this payload, first have the certificates on hand and ready to import. When you click on the Configure button, you will be prompted to import the certificates immediately. Once imported, the certificates can be used by other payloads as well.

  17. The SCEP payload automatically enrolls devices into an SCEP (Simple Certificate Enrollment Protocol) server. SCEP servers are handy as they allow administrators to automatically revoke certificates. Work with your SCEP systems administrator to configure this payload as it's very specific to each environment where SCEP is leveraged.

  18. The APN payload is used to configure connections to an Apple Push Notification server. This should be done under the watchful eye of an APN administrator. Both the SCEP and APN payloads require the services to be accessible at the time the payload is installed.

  19. Once payloads are configured as intended, click on the Save button to save any changes to the profile. Install the profile on devices to test that the settings are interpreted by iOS as intended.

One thing to be careful of with regard to making multiple profiles is that each profile needs to be accepted on devices. This means that when imaging a large number of devices you will not want to put a different payload into each profile; otherwise you'll spend a lot of time clicking on Accept and Done buttons!

How it works...

Each payload enabled adds data into the XML structure of the .mobileconfig file. Each option you enable toggles or fills in a setting of that same file. When the file is applied on the device, the configuration options are applied. If the profile is removable, then removing the profile also removes any of the data that came with the configuration. For example, if mail is configured with a profile that also has restrictions on it, removing the profile with the restrictions on it also ends up removing the mail that was downloaded with the profile.
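The following Python script is an added example (it is not part of this book, nor is it Apple Configurator's own code) that shows what this XML looks like and how to check it before deployment. It builds a minimal .mobileconfig containing a Passcode and a Restrictions payload with Python's standard plistlib, writes it out as the same kind of XML property list that Configurator saves, and then audits the parsed file for the points raised in this recipe: a missing or weak passcode, the Allow users to accept untrusted TLS certificates and Force encrypted backups settings, duplicate PayloadUUID values, and any Password or Shared Secret field that was filled in rather than left blank (as the Tip in step 8 advises) and therefore sits in the file in clear text. The payload type strings and setting keys (com.apple.mobiledevice.passwordpolicy, com.apple.applicationaccess, allowUntrustedTLSPrompt, forceEncryptedBackup, and so on) are as the example's author recalls them from Apple's Configuration Profile Reference and are assumptions to verify against a profile exported from Configurator; the com.example identifiers are placeholders.

```python
"""Build a minimal .mobileconfig and audit it (added example; type strings,
key names and com.example identifiers are assumed, not taken from the book)."""
import plistlib
import uuid

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"  # assumed type string
RESTRICTIONS_TYPE = "com.apple.applicationaccess"        # assumed type string

# Restrictions checkboxes from the recipe mapped to profile keys (assumed names).
RESTRICTION_DEFAULTS = {
    "allowCamera": True,                # Allow use of camera
    "allowScreenShot": True,            # Allow screen capture
    "allowAppInstallation": True,       # Allow installing apps
    "allowInAppPurchases": True,        # Allow In-App Purchase
    "allowCloudBackup": True,           # Allow iCloud backup
    "allowCloudDocumentSync": True,     # Allow iCloud document sync
    "forceEncryptedBackup": False,      # Force encrypted backups
    "allowUntrustedTLSPrompt": True,    # Allow users to accept untrusted TLS certificates
    "allowDiagnosticSubmission": True,  # Send diagnostic and usage data to Apple
    "safariForceFraudWarning": False,   # Force fraud warning
}


def _base(payload_type, name, ident):
    """Keys every payload dictionary carries."""
    return {"PayloadType": payload_type, "PayloadVersion": 1,
            "PayloadIdentifier": ident, "PayloadDisplayName": name,
            "PayloadUUID": str(uuid.uuid4()).upper()}


def passcode_payload(min_length=6, allow_simple=False, max_failed=10):
    payload = _base(PASSCODE_TYPE, "Passcode", "com.example.profile.passcode")
    payload.update({"forcePIN": True, "allowSimple": allow_simple,
                    "minLength": min_length, "maxFailedAttempts": max_failed,
                    "maxInactivity": 5})
    return payload


def restrictions_payload(**overrides):
    payload = _base(RESTRICTIONS_TYPE, "Restrictions", "com.example.profile.restrictions")
    payload.update(RESTRICTION_DEFAULTS)
    payload.update(overrides)          # e.g. allowUntrustedTLSPrompt=False
    return payload


def build_profile(payloads, removable=True):
    """Top-level profile dictionary; PayloadContent holds one dict per payload."""
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.profile",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "Example profile",
            "PayloadRemovalDisallowed": not removable,
            "PayloadContent": list(payloads)}


def to_mobileconfig(profile):
    """Serialise to the XML plist form that a .mobileconfig file uses."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def parse_mobileconfig(data):
    return plistlib.loads(data)


def _walk(obj, path=""):
    """Yield (path, key, value) for every key in nested dicts and arrays."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield f"{path}/{key}", key, value
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _walk(value, f"{path}[{i}]")


def audit_profile(profile):
    """Return a list of findings for a parsed profile dictionary."""
    findings = []
    payloads = profile.get("PayloadContent", [])
    by_type = {}
    for payload in payloads:
        by_type.setdefault(payload.get("PayloadType"), []).append(payload)
    uuids = [p.get("PayloadUUID") for p in payloads] + [profile.get("PayloadUUID")]
    if len(uuids) != len(set(uuids)):
        findings.append("duplicate PayloadUUID values")
    passcode = by_type.get(PASSCODE_TYPE)
    if not passcode:
        findings.append("no Passcode payload: devices may be left without a PIN")
    else:
        if passcode[0].get("allowSimple", True):
            findings.append("passcode allows simple values such as 1234")
        if passcode[0].get("minLength", 0) < 6:
            findings.append("passcode minLength is below 6")
    restrictions = by_type.get(RESTRICTIONS_TYPE)
    if restrictions:
        if restrictions[0].get("allowUntrustedTLSPrompt", True):
            findings.append("users may accept untrusted TLS certificates")
        if not restrictions[0].get("forceEncryptedBackup", False):
            findings.append("iTunes backups are not forced to be encrypted")
    # Filled-in Password / Shared Secret fields land in the file in clear text;
    # leaving them blank prompts the user instead (the Tip in step 8).
    for path, key, value in _walk(payloads):
        if (key.endswith("Password") or "SharedSecret" in key) and value:
            findings.append(f"credential stored in clear text at {path}")
    return findings


def demo():
    """Audit a weak profile (defaults, no passcode) and a hardened one."""
    weak = build_profile([restrictions_payload()])
    hardened = build_profile([passcode_payload(min_length=8),
                              restrictions_payload(allowUntrustedTLSPrompt=False,
                                                   forceEncryptedBackup=True,
                                                   allowScreenShot=False)],
                             removable=False)
    return audit_profile(weak), audit_profile(parse_mobileconfig(to_mobileconfig(hardened)))


if __name__ == "__main__":
    for name, findings in zip(("weak", "hardened"), demo()):
        print(name, findings or ["no findings"])
```

Run the script directly to see the findings for the weak and hardened profiles, or call audit_profile on a profile you have exported from Configurator (loaded with plistlib.load) before installing it on a fleet. A profile that has been signed is wrapped in a CMS signature and has to be unwrapped before plistlib can read it.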

There's more...

There are certain activities which can be performed while working with payload entries.

Multiple instances and removing payload entries

Each payload has the ability to have multiple instances of settings (except Passcode, Restrictions, and APN). This means that you can have multiple mail accounts, multiple VPN connections, multiple Wi-Fi networks, and so on. In order to make additions to any payload, click on the plus sign button [ + ] in the upper right-hand corner of the payload screen. In order to remove one, click on the minus sign button [ - ]. If you remove the last instance of the payload declaration, you will be left with the Configure button, meaning that the payload is not being configured.
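To see how these instances are represented in the file, here is a second added example (again, not from the book or from Apple Configurator) that parses a constructed sample profile containing two Mail accounts, one Wi-Fi network and, deliberately, two Restrictions payloads. It lists the instances of each payload type, flags the single-instance payloads named above when they occur more than once, and models the [ - ] button by removing one instance and reporting how many remain, zero meaning the payload is back to its unconfigured Configure state. The PayloadType strings are as the example's author recalls them from Apple's profile reference (assumed), and the all-zero UUIDs are constructed placeholders.

```python
"""Inspect payload instances in a .mobileconfig (added example; the sample
profile below is constructed and its type strings and UUIDs are assumed)."""
import plistlib

# Payloads that the recipe says can have only one instance per profile.
SINGLE_INSTANCE_TYPES = {
    "com.apple.mobiledevice.passwordpolicy": "Passcode",  # assumed type string
    "com.apple.applicationaccess": "Restrictions",        # assumed type string
    "com.apple.apn.managed": "APN",                       # assumed type string
}

# Constructed sample: two Mail accounts, one Wi-Fi network, two Restrictions.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.sample</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000000</string>
  <key>PayloadDisplayName</key><string>Sample profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
      <key>PayloadDisplayName</key><string>Work IMAP</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadDisplayName</key><string>Personal IMAP</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000003</string>
      <key>PayloadDisplayName</key><string>Office Wi-Fi</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000004</string>
      <key>PayloadDisplayName</key><string>Restrictions</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000005</string>
      <key>PayloadDisplayName</key><string>Restrictions (duplicate)</string>
    </dict>
  </array>
</dict>
</plist>
"""


def load_profile(data):
    """Parse the XML plist bytes of a .mobileconfig into a dictionary."""
    return plistlib.loads(data)


def payload_instances(profile):
    """Map each PayloadType to the UUIDs of its instances, in profile order."""
    instances = {}
    for payload in profile.get("PayloadContent", []):
        instances.setdefault(payload["PayloadType"], []).append(payload["PayloadUUID"])
    return instances


def single_instance_violations(profile):
    """Names of single-instance payloads that occur more than once."""
    counts = payload_instances(profile)
    return [name for ptype, name in SINGLE_INSTANCE_TYPES.items()
            if len(counts.get(ptype, [])) > 1]


def remove_instance(profile, payload_uuid):
    """Remove one instance (the [ - ] button) and return how many instances
    of that payload type remain; zero means the payload shows Configure again."""
    content = profile["PayloadContent"]
    for i, payload in enumerate(content):
        if payload["PayloadUUID"] == payload_uuid:
            ptype = payload["PayloadType"]
            del content[i]
            return sum(1 for p in content if p["PayloadType"] == ptype)
    raise KeyError(f"no payload with UUID {payload_uuid}")


if __name__ == "__main__":
    prof = load_profile(SAMPLE_PROFILE)
    for ptype, uuids in payload_instances(prof).items():
        print(f"{ptype}: {len(uuids)} instance(s)")
    print("single-instance violations:", single_instance_violations(prof))
```

Because a profile is accepted on the device as a whole, the counting above is also a quick way to confirm that the Mail, VPN and Wi-Fi accounts you expect are all in one profile rather than spread over several that each require Accept and Done.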