Note: If you are hosting configuration files on a Web server other than Mac OS X Server 10.5.3 or higher, you will need to add support for the.mobileconfig extension MIME type of application/x-apple-aspen-config.
Similarly, with the exception of a passcode requirement, profiles don't do much to restrict iPhone features. There is, for example, no way to limit the installed applications users can access, and no way to restrict them to Wi-Fi networks specified in a profile (such as ones that are known to be secure). Profiles exist only to simplify the iPhone setup and enforce policies.
At least profiles can be digitally signed, thus ensuring that a user who gets a new or updated profile gets one that's legitimately issued by a company's IT staff. Profiles can be signed using certificates issued by a public certificate authority (such as VeriSign) or with a self-signed certificate, provided that you deploy a copy of the certificate to iPhones (which can be done using a profile).
Another note: Passcode policies can be enforced over the air using Exchange ActiveSync, which I'll cover in part 2 of this series. When both profiles and Exchange policies define passcode requirements, the strictest combination of the two is enforced by the iPhone.
One particularly useful feature is that a single iPhone can maintain multiple profiles. This allows you to configure and deploy different profiles for different functions. All iPhones will likely need the same series of certificates installed, for example, and that can be done with one profile. Only a specific group of users, however, may need VPN access configured, which can be done as a separate profile. This also allows you a bit more ease and flexibility in updating configurations, since you don't need to make changes to every existing profile and option.
Creating profiles
When using OS X's iPhone Configuration Utility, a list of available profiles (as well as their creation date) can be viewed and edited by selecting Configuration Profiles in the sidebar. The sidebar also has options for Provisioning Profiles and Applications -- both of which are used to deploy in-house applications and will be discussed in part 3 of this series -- and a Devices list of all iPhones that have been connected to the computer.
The Web-based configuration tool allows you to create profiles and export or e-mail profiles to users. It also lets you import and modify existing profiles. It does not, however, allow you to work with in-house applications or maintain a library of iPhones that have been connected to a computer.
By default, once the Web-based tool is installed, it can be accessed via the IP address of the computer on which it's running using port 3000 (for example, http://127.0.0.1:3000). A default username of "admin" with a password of "admin" allows access. Both the port and the username/password combination can be changed if needed. Apple's documentation (download PDF) explains how to do this in either Mac OS X or Windows.
