User Guide

26 Chapter 1 Deploying iPhone and iPod touch
Phase 4 – Device Configuration: In step 1, the device replies with the list of attributes,
signed using the encryption certificate provided by the CA in the previous phase.
In step 2, the profile service responds with an encrypted .mobileconfig file that’s
automatically installed. The profile service should sign the .mobileconfig file. Its SSL
certificate can be used for this purpose, for example.
In addition to general settings, this configuration profile should also define the
enterprise policies that you want to enforce, and it should be a locked profile so the
user cannot remove it from the device. The configuration profile can contain additional
requests for enrollment of identities using SCEP, which are executed as the profile is
installed.
Similarly, when a certificate installed using SCEP expires or is otherwise invalidated,
the device asks the user to update the profile. When the user authorizes the request,
the device repeats the above process to obtain a new certificate and profile.
For a sample configuration profile for this phase, see “Sample Phase 4 Device
Response” on page 87.
[Figure: Phase 4 - Device Configuration. Step 1: the device sends its attributes (UDID, OS version, IMEI, MAC address), signed with the device certificate, to the profile service. Step 2: the profile service returns a .mobileconfig file, encrypted for the device and signed by the profile service, containing Exchange policies, VPN settings, additional SCEP payloads, mail accounts, etc.]
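The following added example (not from the original guide) is a pre-signing check a profile service could run on the plaintext profile before it is signed and encrypted: it confirms the profile is locked and lists the SCEP enrollment requests it carries. It assumes the standard configuration profile keys `PayloadRemovalDisallowed` and `com.apple.security.scep`; the identifiers, UUIDs, CA name and URL in the constructed sample are placeholders.

```python
import plistlib

SCEP_TYPE = "com.apple.security.scep"  # payload type used for SCEP enrollment

def build_sample(locked=True, scep_url="https://scep.example.com/scep"):
    """Constructed sample profile; every name, UUID and URL is a placeholder."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.phase4",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadDisplayName": "Example enterprise settings",
        "PayloadRemovalDisallowed": locked,  # True = locked profile
        "PayloadContent": [{
            "PayloadType": SCEP_TYPE,
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.profile.phase4.scep",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "PayloadContent": {"URL": scep_url, "Name": "EXAMPLE-CA"},
        }],
    })

def audit_profile(raw):
    """Return (findings, scep_urls) for a plaintext (unsigned) profile plist."""
    profile = plistlib.loads(raw)
    findings, scep_urls, seen = [], [], set()
    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType is not 'Configuration'")
    if profile.get("PayloadRemovalDisallowed") is not True:
        findings.append("profile is not locked; the user can remove it")
    for payload in profile.get("PayloadContent", []):
        uuid = payload.get("PayloadUUID")
        if uuid in seen:
            findings.append(f"duplicate PayloadUUID {uuid}")
        seen.add(uuid)
        if payload.get("PayloadType") == SCEP_TYPE:
            url = payload.get("PayloadContent", {}).get("URL")
            if url:
                scep_urls.append(url)  # enrollment runs at install time
            else:
                findings.append("SCEP payload has no URL")
    return findings, scep_urls

if __name__ == "__main__":
    for locked in (True, False):
        print("locked" if locked else "unlocked",
              audit_profile(build_sample(locked=locked)))
```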