描述配置文件(.mobileconfig)

2023年6月21日发(作者：)

描述配置⽂件（.mobileconfig）转：/s/blog_ 配置描述⽂件是XML ⽂件，包含以下内容：设备安全策略、VPN 配置信息、Wi-Fi 设置、APN 设置、Exchange帐户设置、邮件设置以及允许 iPhone 和 iPod touch 与企业系统配合使⽤的证书。

“iPhone配置实⽤⼯具”可让您轻松地创建、维护和安装配置描述⽂件及对配置描述⽂件进⾏加密，跟踪和安装预置描述⽂件与授权的应⽤程序，以及采集包括控制台⽇志在内的设备信息。（这个⼯具可以从官⽹上进⾏下载）

⽬前所知的，安装这个配置⽂件除了上述的使⽤“iphone配置实⽤⼯具”之外，还可以通过邮件附件或通过使⽤safari浏览包含有下载的⽹页的⽅式激活安装（install profile窗⼝）。

下⾯这个⽂章⼤致介绍了下配置描述⽂件从⽣成到安装的过程：Over-the-air IPhone Setup Using a Signed .mobileconfig FileNote: this does not push your configuration to an iPhone. The user of the iPhone must go to a web address and installaconfiguration profile. Suppose that you have a few iPhones that you need to support, but you don't want to spend the time typing in all of the e-mail (IMAP or POP), LDAP, wireless network, or other settings into each phone. Perhaps you have found but you don't reallyfeellike setting up a whole SCEP Certification Authority to get things done either since your requirements are so simple. Butyou do realize that it is much easier to tell your user to go to /iphone/ on their iPhone than to stepthemthrough all the individual setup routines. Amazingly enough, there is not much documentation out there on how to hand-roll config file that you can passout on an HTTPS server to your users. We also want it to be "Verified" by the iPhone so that your users can see it is fromyou. While they can install untrusted profiles, it sure adds a nice touch to have the green checkmark. Perhaps you've scoured the Internet since you've read that you can "just useopenssl smime" to sign your .mobileconfig file,but no one seems to tell you　how. We'll go over that here as well.

1) Create a configuration(.mobileconfig) file This file will contain all the configuration you want for your users' iPhones. I believe youcan use Apple's to create this don't have to,but it'll probably save you some typing. The defines the syntax of the profilesin Appendix B. You can do some pretty fancy request/responsescripting betweenthe phone and your server, but I'll just go overa simpler method that just sends a configuration file from your webserver totheir .mobileconfig file will end up looking something likethis:

PayloadContent PayloadDisplayName LDAP Settings PayloadType t PayloadVersion 1 PayloadUUID 6df7a612-ce0a-4b4b-bce2-7b844e3c9df0 PayloadIdentifier LDAPAccountDescription Company Contacts LDAPAccountHostName LDAPAccountUseSSL LDAPAccountUserName uid=username,dc=example,dc=com LDAPSearchSettings LDAPSearchSettingDescription Company Contacts LDAPSearchSettingSearchBase LDAPSearchSettingScope LDAPSearchSettingScopeSubtree LDAPSearchSettingDescription Sales Departments LDAPSearchSettingSearchBase ou=Sales,dc=example,dc=com LDAPSearchSettingScope LDAPSearchSettingScopeSubtree PayloadDisplayName Email Settings PayloadType d PayloadVersion 1 PayloadUUID 362e5c11-a332-4dfb-b18b-f6f0aac032fd PayloadIdentifier EmailAccountDescription Company E-mail EmailAccountName Full Name EmailAccountType EmailTypeIMAP EmailAddress username@ IncomingMailServerAuthentication EmailAuthPassword IncomingMailServerHostName IncomingMailServerUseSSL IncomingMailServerUsername username@ OutgoingPasswordSameAsIncomingPassword OutgoingMailServerAuthentication EmailAuthPassword OutgoingMailServerHostName OutgoingMailServerUseSSL OutgoingMailServerUsername username@ PayloadOrganization Your Organization's Name PayloadDisplayName Organization iPhone Settings PayloadVersion 1 PayloadUUID 954e6e8b-5489-484c-9b1d-0c9b7bf18e32 PayloadIdentifier gs PayloadDescription Sets up Organization's LDAP directories and email on the iPhone PayloadType Configuration

I'll talk just brieflyabout the configuration above. The iPhone, as far as I can tell,uses the UUIDs to know whether or not itis replacing or installinga new profile onto the phone. On a Mac or Linux box, you cangenerate a UUID with thecommanduuidgen. You'll notice that I did not include any passwords above. With thesesettings, the iPhone will prompt theuser for their e-mail password upon installation of the profile. (The LDAP password will beprompted on first use if logging infails.) I actually wrote a PHP script that would take a template .mobileconfig file for me and fill in the username fields for medepending on PHP_AUTH_ you get the basics down, you can go back and do that. Thereis also a way to encryptthe .mobileconfig files, but we are not covering that here.

Sign the .mobileconfig file This is the part that no one else seems to go over. Signing your configuration profile is an optional step, but it's not toohard if you already have an X.509 web server or email this step, I'll use the following notations:config is your unsigned configuration is your server's certificate to signthe profile is your server's private is the certificate bundle for the CA that issued your server's config will be your signedconfiguration profile Once you have all the fileslisted above, you will run a command like the following:openssl smime -sign -in config -config -signer -inkey - -outformder -nodetachThe -outform der and -nodetach are your real tickets here in getting it into a form that the iPhone wants. Now you config and move on to the next step! Help for those that will use PHP scripting: You'll want to look at openssl_pkcs7_sign() function with the $flags field set to will create a file that isbase-64 encoded. After you strip off the e-mail headers at the top,you can base64_decode() toget the same output. Forexample:$mobileconfig = base64_decode(preg_replace('/(.+n)+n/', '',$signed, 1));

Serve up the file on your HTTPS server Okay, it'll probably work on your HTTP server as well. Just another configuration I didn't bother testing. There is just one caveats when it comes to serving up this file. It needs to be served upwith a MIME Content-Type ofapplication/x-apple-aspen-config. You may be able to do this by adding a line to your server's configuration ss file inthe folder with: AddType application/x-apple-aspen-config .mobileconfigIf serving the file from within PHP, you may do somethinglike:header('Content-type: application/x-apple-aspen-config; chatset=utf-8');header('Content-Disposition: attachment; filename="config"');echo $mobileconfig;Try it out on your iPhoneGet your iPhone and load up Safari. Go to the web address of where your profile is saved, :///iphone/.Your phone should prompt you to install the can see and remove profiles from Settings >General on your iPhone. Note, that it is possible to create aprofile thatcannot be removed except for by the original profile identifier and signed by the same authority. Be careful that you don'tlock yourself out.

Finished!At this point, we are finished. See the for other configuration profiles that you can create. It doesn't let you create or seteverything that I wish it did (especially when it comes to setting up IMAPdefaults), but it lets you do quite a bit.I hope that this helps you! This is obviously a very brief guide and I glazed over a few details. If you have any comments, letme know. My e-mail address can be deduced from the very bottom of the document.

See Also-----

注：Ｍac版本的iPhone配置实⽤⼯具,如果在有预置描述⽂件，可以直接签名．

2023年6月21日发(作者：)

描述配置⽂件（.mobileconfig）转：/s/blog_ 配置描述⽂件是XML ⽂件，包含以下内容：设备安全策略、VPN 配置信息、Wi-Fi 设置、APN 设置、Exchange帐户设置、邮件设置以及允许 iPhone 和 iPod touch 与企业系统配合使⽤的证书。

“iPhone配置实⽤⼯具”可让您轻松地创建、维护和安装配置描述⽂件及对配置描述⽂件进⾏加密，跟踪和安装预置描述⽂件与授权的应⽤程序，以及采集包括控制台⽇志在内的设备信息。（这个⼯具可以从官⽹上进⾏下载）

⽬前所知的，安装这个配置⽂件除了上述的使⽤“iphone配置实⽤⼯具”之外，还可以通过邮件附件或通过使⽤safari浏览包含有下载的⽹页的⽅式激活安装（install profile窗⼝）。

下⾯这个⽂章⼤致介绍了下配置描述⽂件从⽣成到安装的过程：Over-the-air IPhone Setup Using a Signed .mobileconfig FileNote: this does not push your configuration to an iPhone. The user of the iPhone must go to a web address and installaconfiguration profile. Suppose that you have a few iPhones that you need to support, but you don't want to spend the time typing in all of the e-mail (IMAP or POP), LDAP, wireless network, or other settings into each phone. Perhaps you have found but you don't reallyfeellike setting up a whole SCEP Certification Authority to get things done either since your requirements are so simple. Butyou do realize that it is much easier to tell your user to go to /iphone/ on their iPhone than to stepthemthrough all the individual setup routines. Amazingly enough, there is not much documentation out there on how to hand-roll config file that you can passout on an HTTPS server to your users. We also want it to be "Verified" by the iPhone so that your users can see it is fromyou. While they can install untrusted profiles, it sure adds a nice touch to have the green checkmark. Perhaps you've scoured the Internet since you've read that you can "just useopenssl smime" to sign your .mobileconfig file,but no one seems to tell you　how. We'll go over that here as well.

1) Create a configuration(.mobileconfig) file This file will contain all the configuration you want for your users' iPhones. I believe youcan use Apple's to create this don't have to,but it'll probably save you some typing. The defines the syntax of the profilesin Appendix B. You can do some pretty fancy request/responsescripting betweenthe phone and your server, but I'll just go overa simpler method that just sends a configuration file from your webserver totheir .mobileconfig file will end up looking something likethis:

PayloadContent PayloadDisplayName LDAP Settings PayloadType t PayloadVersion 1 PayloadUUID 6df7a612-ce0a-4b4b-bce2-7b844e3c9df0 PayloadIdentifier LDAPAccountDescription Company Contacts LDAPAccountHostName LDAPAccountUseSSL LDAPAccountUserName uid=username,dc=example,dc=com LDAPSearchSettings LDAPSearchSettingDescription Company Contacts LDAPSearchSettingSearchBase LDAPSearchSettingScope LDAPSearchSettingScopeSubtree LDAPSearchSettingDescription Sales Departments LDAPSearchSettingSearchBase ou=Sales,dc=example,dc=com LDAPSearchSettingScope LDAPSearchSettingScopeSubtree PayloadDisplayName Email Settings PayloadType d PayloadVersion 1 PayloadUUID 362e5c11-a332-4dfb-b18b-f6f0aac032fd PayloadIdentifier EmailAccountDescription Company E-mail EmailAccountName Full Name EmailAccountType EmailTypeIMAP EmailAddress username@ IncomingMailServerAuthentication EmailAuthPassword IncomingMailServerHostName IncomingMailServerUseSSL IncomingMailServerUsername username@ OutgoingPasswordSameAsIncomingPassword OutgoingMailServerAuthentication EmailAuthPassword OutgoingMailServerHostName OutgoingMailServerUseSSL OutgoingMailServerUsername username@ PayloadOrganization Your Organization's Name PayloadDisplayName Organization iPhone Settings PayloadVersion 1 PayloadUUID 954e6e8b-5489-484c-9b1d-0c9b7bf18e32 PayloadIdentifier gs PayloadDescription Sets up Organization's LDAP directories and email on the iPhone PayloadType Configuration

I'll talk just brieflyabout the configuration above. The iPhone, as far as I can tell,uses the UUIDs to know whether or not itis replacing or installinga new profile onto the phone. On a Mac or Linux box, you cangenerate a UUID with thecommanduuidgen. You'll notice that I did not include any passwords above. With thesesettings, the iPhone will prompt theuser for their e-mail password upon installation of the profile. (The LDAP password will beprompted on first use if logging infails.) I actually wrote a PHP script that would take a template .mobileconfig file for me and fill in the username fields for medepending on PHP_AUTH_ you get the basics down, you can go back and do that. Thereis also a way to encryptthe .mobileconfig files, but we are not covering that here.

Sign the .mobileconfig file This is the part that no one else seems to go over. Signing your configuration profile is an optional step, but it's not toohard if you already have an X.509 web server or email this step, I'll use the following notations:config is your unsigned configuration is your server's certificate to signthe profile is your server's private is the certificate bundle for the CA that issued your server's config will be your signedconfiguration profile Once you have all the fileslisted above, you will run a command like the following:openssl smime -sign -in config -config -signer -inkey - -outformder -nodetachThe -outform der and -nodetach are your real tickets here in getting it into a form that the iPhone wants. Now you config and move on to the next step! Help for those that will use PHP scripting: You'll want to look at openssl_pkcs7_sign() function with the $flags field set to will create a file that isbase-64 encoded. After you strip off the e-mail headers at the top,you can base64_decode() toget the same output. Forexample:$mobileconfig = base64_decode(preg_replace('/(.+n)+n/', '',$signed, 1));

Serve up the file on your HTTPS server Okay, it'll probably work on your HTTP server as well. Just another configuration I didn't bother testing. There is just one caveats when it comes to serving up this file. It needs to be served upwith a MIME Content-Type ofapplication/x-apple-aspen-config. You may be able to do this by adding a line to your server's configuration ss file inthe folder with: AddType application/x-apple-aspen-config .mobileconfigIf serving the file from within PHP, you may do somethinglike:header('Content-type: application/x-apple-aspen-config; chatset=utf-8');header('Content-Disposition: attachment; filename="config"');echo $mobileconfig;Try it out on your iPhoneGet your iPhone and load up Safari. Go to the web address of where your profile is saved, :///iphone/.Your phone should prompt you to install the can see and remove profiles from Settings >General on your iPhone. Note, that it is possible to create aprofile thatcannot be removed except for by the original profile identifier and signed by the same authority. Be careful that you don'tlock yourself out.

Finished!At this point, we are finished. See the for other configuration profiles that you can create. It doesn't let you create or seteverything that I wish it did (especially when it comes to setting up IMAPdefaults), but it lets you do quite a bit.I hope that this helps you! This is obviously a very brief guide and I glazed over a few details. If you have any comments, letme know. My e-mail address can be deduced from the very bottom of the document.

See Also-----

注：Ｍac版本的iPhone配置实⽤⼯具,如果在有预置描述⽂件，可以直接签名．