Deploy Corporate iPhone Settings
The first time a VP brought you their iPhone to configure, it was a new toy. It was fun, even if it took twenty minutes of typing on that tiny onscreen keyboard. Now with version 2.0 and Exchange support, the iPhone it isn't new or a toy anymore, but it would still take you weeks to individually configure all the iPhones your company needs.
It's for these enterprise-wide deployments that Apple provided the iPhone Configuration Utility, an OS X native application to create and distribute settings for corporate iPhones. Install the program on any Macintosh (or use the web-based version for Windows) and you can create .mobileconfig files that set passcode policy, wireless networks, VPN, POP/IMAP or Exchange email, and more.
First, open the iPhone Configuration Utility, select "Configuration Profiles" and click "New" in the toolbar above. Moving through each of the application's tabs, fill in the appropriate access and account information for your network. Individual account names and passwords need to be input on each device by the user, but security certificates can be pre-loaded by your administration team. You can create as many configurations as are reasonable for your environment, offering different setups for different classes (or departments) of employee.
Once your policy and access information is in place, you can distribute each configuration by clicking "Export" to save the file to disk then upload it to any web server. This method (preferred over email distribution for large deployments and new devices) requires that your web server transmit .mobileconfig files uncompressed and with a MIME type of application/x-apple-aspen-config. Mac OS X Server 10.5.3 and above are pre-configured this way, while Windows users can set this in the server Properties page of IIS Manager. Those running earlier versions of OS X can add this information using the MIME Types pane of the Web settings in Server Admin.
By simply browsing to the appropriate URL, each iPhone will automatically begin the installation. While this process will prompt the user for their domain authentication criteria before configuring the device, it's still advisable to limit access to the URL by only serving the .mobileconfig file to your intranet. Also, while adding a signed profile in the "General" pane (using a certificate issued by one of Apple's pre-installed trusted root authorities) isn't required, it's simpler to get a new security certificate issued for this purpose than try explaining to users why it's OK to install an unverified profile that lacks the attractive green "Trusted" icon.
With very little work up-front, this process offers not just a way to minimize initial deployment times company-wide, but also allows a method to distribute network access changes across your entire enterprise down the line.
Recommended Reading: For further information on customizing iPhone configuration, download Apple's iPhone Enterprise Deployment Guide [PDF - 728KB].
