Overview


This note covers the major differences between Apple iPhone Configuration Utility 3.0 (IPCU 3.0) and the previous version, 2.2. IPCU 3.0 was released July 14, 2010. Note that Apple has not yet released a new version of the Enterprise Deployment Guide, which describes all the settings covered here in detail. Therefore, there is currently no public information on the differences.

The download files are available at the following locations:


The IPCU is used primarily by Enterprise Customers to create, maintain, encrypt, and push configuration profiles, track and install provisioning profiles and authorized applications, and capture device information including console logs.

The IPCU operates the same on both the Macintosh and Windows operating systems.


Primary Differences


The primary differences between 3.0 and prior versions include:

  • New support for Mobile Device Management (MDM), which is now available in iOS 4. MDM enables a server to "take control" of the device and deliver configuration profiles over the air without user intervention. (See MDM section)
  • Support for more "granular" restrictions over user access to content, for example, controlling access to Movies by MPAA Rating (See Restrictions section)
  • Additional VPN (Virtual Private Network) clients, including support for Cisco AnyConnect and Juniper Networks SSL. (See VPN section)
  • New support for CardDAV for synchronizing contacts. (See CardDAV section)
  • Support for multiple Exchange accounts and a limit on the number of days of mail to sync; previously, only one account was allowed and there was no admin-set limit on the number of days to sync. (See Exchange ActiveSync section)
  • Support for Subject Alternative Names (SANs) in SCEP. SANs simplify configuration by letting you specify a list of host names to be protected by a single SSL certificate. SANs are supported by Microsoft Exchange Server 2007 and above. (See SCEP section)
  • Tweaks for displaying Web Clips (shortcuts) - You can now launch Web Clips full screen in Safari, and also define your icon to not be "modified" by the OS (i.e., with visual effects).
  • Bug fixes (not specifically provided by Apple)


Differences by Configuration Profile Section


The following table outlines the major functional differences (if any) between IPCU 3.0 and the prior versions. In the Changed column we've indicated whether there has been NO CHANGE (same as before), MINOR CHANGE (more options added to an existing section), or MAJOR CHANGE (many new options, or an entirely new section).

Section   Changed   Description
General   NO CHANGE   Sets profile name, identifier, organization, and description. Also sets whether the profile can be removed and, if so, the password.
Passcode   NO CHANGE   Sets the requirement for a passcode on the device. Includes the ability to enforce the use of a passcode, require passcodes to contain at least one letter, minimum passcode length, number of complex characters, passcode days-to-live, number of unique passcodes before reuse, grace period for device lock, and maximum number of failed attempts before device wipe.
Restrictions   MAJOR CHANGE   The previous IPCU allowed restrictions for global "explicit content" for Apps and Content from the iTunes Store, use of Safari, YouTube, iTunes Music Store, App Store (installing of apps), use of the camera, and allowing screen capture. The new IPCU adds Device Functionality control of FaceTime, sync while roaming, voice dialing, In App Purchase, and forcing "encrypted" backups. It also adds Application control for Safari: enabling autofill, fraud warnings, JavaScript, plugins, pop-up blocking, and cookie preferences (accept always, from visited sites, or never). Ratings now allows setting the geographic region (e.g., United States) and sets the maximum allowed "ratings" for Movies, TV Shows, and Apps from the iTunes Store. The ratings for each medium are used (e.g., Movies have "G", "PG", "R", etc.), or you can allow or disallow all media or apps.
Wi-Fi   NO CHANGE   Sets SSID, allows hidden network, sets encryption type (Any, WEP, WPA/WPA2, etc.), and preset password for the wireless network. Supports multiple networks.
VPN   MINOR CHANGE   Allows the network admin to set VPN connection name, type*, server (host name or IP address), account name, user authentication type (Password or RSA SecurID two-factor authentication), Shared Secret, "Send All Traffic" routing, Proxy Setup (none, manual, or automatic), and Proxy Server, Port, Authentication Username and Password. *NEW in this version is support for additional connection types. In addition to L2TP, PPP, and IPSec, support for Cisco AnyConnect and Juniper Networks SSL was added.
Email   NO CHANGE   Sets display name of the account, type (IMAP or POP) and path prefix, user display name, email address, incoming mail server and/or port, username, password, authentication method (password prompt or SSL), and whether the outgoing password is the same as the incoming one.
Exchange ActiveSync   MINOR CHANGE   Two helpful changes in Exchange ActiveSync: the ability to create multiple Exchange accounts, and the ability for Administrators to limit the backward synchronization of Exchange e-mail. In the prior versions, only one Exchange account was allowed. This section sets Account name, Exchange ActiveSync hostname, Require SSL, Domain name, User name, Email Address, Password, Past Days of Mail to Sync, ActiveSync authentication credential name, and the option to prompt the user for the authentication passphrase.
LDAP   NO CHANGE   Sets account description, username, password, hostname, Require SSL, and multiple Search Settings for the LDAP server. Search settings allow you to set multiple attributes and search at the base level, one level, or subtree.
CalDAV   NO CHANGE   Defines settings for configuring access to CalDAV servers. Sets the account description, account hostname, port (default 8443), Principal URL, Account Username, Account Password, and Require SSL option.
Subscribed Calendars   NO CHANGE   Defines settings for calendar subscriptions. Sets calendar Description, URL, Username, Password, and Require SSL option.
CardDAV   NEW SECTION   This section defines settings for connecting to your CardDAV server (CardDAV is an address book client/server protocol designed to allow users to access and share contact data on a server). Sets the account description, account hostname, port (default 8843), Principal URL, Account Username, Account Password, and Require SSL option.
Web Clips   MINOR CHANGE   Two new tweaks: you can now allow the web app to launch "full screen", and define your icon to be "precomposed", which means the OS won't clip the edges on display. Defines settings for creating "Web Clips" (shortcuts to Safari). Sets Label, URL, Removal preference (whether the user can remove the Web Clip), Icon, Precomposed Icon (whether the icon is displayed without added visual effects), and Full Screen (whether the clip launches as a Full Screen application).
Credentials   NO CHANGE   This section allows you to install multiple PKCS1 or PKCS12 certificates. You can include your corporate certificate and other certificates necessary to authenticate device access to the network. The certificates are loaded from either your configuration store (Windows) or certificate file (Macintosh).
SCEP   MINOR CHANGE   The only change in SCEP is the ability to create a "Subject Alternative Name" (SAN) type and value. The SCEP (Simple Certificate Enrollment Protocol) section defines the setup for one or more SCEP servers that can be used to establish a trusted connection for configuration and profile data exchange. Settings include the base URL for the SCEP server, name of the CA-IDENT, Subject (representation of an X.500 name), Subject Alternative Name Type (RFC822 Name, DNS name, or URI), Key Size (1024 or 2048 bits), Use as digital signature (checkbox), Use for key encipherment (checkbox), and the Fingerprint (hex string or from Certificate).
MDM   NEW SECTION   Mobile Device Management (MDM) enables a server to "take control" of the device and deliver configuration profiles over the air without user intervention. This section allows you to install multiple MDM servers. Each server is configured with an MDM URL, "Check In URL" (used to check in during installation), Push Notification "Topic", Cryptographic "Identity" (from an existing credential), and the Sign Messages (checkbox) option. In addition, you can allow the device to be queried in the background for General, Network, Security, and Restriction settings, and for Configuration, Provisioning, and Application profiles. MDM can be allowed to add/remove Configuration and Provisioning Profiles, change the device password, and perform a remote wipe. Normally the standard Apple Push Notification Service is used to communicate with the device, but you can optionally use the "Development" APNS server.
Advanced   NO CHANGE   The Advanced Settings only apply if your carrier allows you to edit the APN settings or if you have an authorized, unlocked iPhone. The settings include Access Point Name (APN), User Name, Password, and Proxy Server and Port.
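
As an added example (not part of the original note or of Apple's tooling), the following Python code reviews an exported, unencrypted configuration profile for the security-relevant settings described in the table: MDM Sign Messages, the Development APNS option, the remote-wipe right, Exchange Require SSL, SCEP Key Size, and forced encrypted backups. The payload types and key names come from Apple's configuration-profile plist format rather than from this page and are assumptions here, and the sample profile is constructed.

```python
import plistlib

# Constructed sample profile (not from the page); key names follow Apple's
# configuration-profile plist format and are assumptions, since the page
# names the settings only as they appear in the IPCU interface.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.mdm</string>
      <key>SignMessage</key><false/>
      <key>UseDevelopmentAPNS</key><true/>
      <key>AccessRights</key><integer>14</integer></dict>
    <dict><key>PayloadType</key><string>com.apple.eas.account</string>
      <key>SSL</key><false/></dict>
    <dict><key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadContent</key><dict>
        <key>Keysize</key><integer>1024</integer></dict></dict>
    <dict><key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>forceEncryptedBackup</key><true/></dict>
  </array>
</dict></plist>"""

ERASE_RIGHT = 8  # AccessRights bit for remote wipe (assumed from Apple's format)

def audit_profile(data: bytes) -> list[str]:
    """Return review findings for one unencrypted, unsigned .mobileconfig."""
    findings = []
    for p in plistlib.loads(data).get("PayloadContent", []):
        ptype = p.get("PayloadType")
        if ptype == "com.apple.mdm":
            if not p.get("SignMessage", False):
                findings.append("mdm: Sign Messages is off")
            if p.get("UseDevelopmentAPNS", False):
                findings.append("mdm: Development APNS server in use")
            if p.get("AccessRights", 0) & ERASE_RIGHT:
                findings.append("mdm: server may perform a remote wipe")
        elif ptype == "com.apple.eas.account" and not p.get("SSL", True):
            findings.append("exchange: Require SSL is off")
        elif ptype == "com.apple.security.scep":
            if p.get("PayloadContent", {}).get("Keysize", 1024) < 2048:
                findings.append("scep: key size below 2048 bits")
        elif ptype == "com.apple.applicationaccess":
            if not p.get("forceEncryptedBackup", False):
                findings.append("restrictions: encrypted backups not forced")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE_PROFILE)))
```
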

Suggestions for Improvement


1. Allow Longer Interval between ActiveSync Tasks. After the iOS 4.0 release, Apple updated (and pushed) a policy fix that allows a longer interval between ActiveSync tasks. However, this policy cannot be defined in a device profile via the IPCU interface or XML. This would be extremely helpful.

2. Provide MDM Server Documentation. At this time (iOS 4.01 release), documentation for the server-side MDM setup has not been made publicly available. Given that the IPCU now makes these values visible, this documentation should be published.

3. Allow scriptable app updates. Allow the IPCU to be scripted to allow adds, deletes, and updates of Applications (just not profiles).

Last Updated 19-Jul-2010