iPhone Configuration Utility 2.0 review

In the hands of an IT administrator, iPhone Configuration Utility becomes an important security tool for iPhones on his network. The new 2.0 release sports some welcome improvements, though it could use better documentation and still falls flat in some areas.

With the 3.0 release of the iPhone’s OS, Apple added quite a few welcome features to help make the iPhone more useful in a business environment. The iPhone Configuration Utility (ICU) was released shortly thereafter. For the uninitiated, the ICU helps system administrators to create, maintain, encrypt and push configuration profiles - XML files on the iPhone which contain information crucial to the device’s secure communication on a corporate intranet.

I’ve spent quite a lot of time working with the ICU since version 2 was released, and it has mostly been a good experience. (Note: Since we don’t do any in-house applications, or preload applications, I’ve not used the Applications or Provisioning Profiles features of ICU 2.)

There’s no work to upgrade configurations from the first version of the ICU. They just worked, and required zero extra work to continue using unchanged, a big benefit to administrators transitioning to the new software.

Within the Configuration Profiles setup, the UI has gotten a tweak to make using the new features easier. Instead of a series of tabs across the top of a pane, the individual features are now set up vertically, with rather nice icons. While a minor change, I’ve found the new layout to be much nicer to work with.

The completely new features, such as LDAP, CalDAV, SCEP, and others, are easy to use: to set up an LDAP account or accounts in a Configuration Profile, for example, you fill in the Account Description (the “Name” the user will see), the account password and username if needed, the DNS name or IP address of the LDAP server, whether SSL is used or not, and the search base information.

For CalDAV, you have the Account Description, server DNS name or IP address and port, optional username and password, and whether the account should use LDAP. From the IT POV, the setup is dead simple.

Existing options get some new tricks as well. For example, when I’m configuring company-issued iPhones, I can set the profile to be unremovable except by wiping the device. I can still enforce a passcode, but I can require a more complex passcode with non-alphanumeric characters; I can set aging, autolock and passcode history; I can set a grace period (how long the device can be locked without requiring a passcode to unlock); and, one that could be of great advantage to iPhone users with sensitive data on the device, a maximum number of failed attempts.

This lets you set a maximum number of failures on the device (between 4 and 16). If that number of failures is reached, the device automatically erases all the data on the device. This is handy when dealing with a thief smart enough to prevent a remote wipe by using Airplane Mode.
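Because a configuration profile is an XML property list, the settings described above can be checked before a profile is pushed to devices. The following is an added example, not part of the review or of Apple's tooling: it audits an unencrypted, unsigned profile for the removal lock, complex passcode, grace period and failed-attempt wipe. The sample profile and the 15-minute grace threshold are constructed assumptions; the key names are those of Apple's passcode policy payload.

```python
import plistlib

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
MAX_GRACE_MINUTES = 15  # assumed local policy threshold, not an Apple default

# Constructed sample profile: passcode enforced, but the other settings are weak.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Example Corp baseline</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>forcePIN</key><true/>
    <key>minComplexChars</key><integer>0</integer>
    <key>maxGracePeriod</key><integer>60</integer>
  </dict></array>
</dict></plist>"""


def audit_profile(raw: bytes) -> list[str]:
    """Return findings for the passcode settings discussed in the review."""
    profile = plistlib.loads(raw)
    findings = []
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile can be removed by the user")
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not policies:
        return findings + ["no passcode policy payload"]
    for pol in policies:
        if not pol.get("forcePIN", False):
            findings.append("passcode not enforced")
        if pol.get("minComplexChars", 0) < 1:
            findings.append("no non-alphanumeric character required")
        if pol.get("maxGracePeriod", 0) > MAX_GRACE_MINUTES:
            findings.append("grace period exceeds local policy")
        attempts = pol.get("maxFailedAttempts")
        if attempts is None:
            findings.append("no erase after failed attempts")
        elif not 4 <= attempts <= 16:  # range given in the review
            findings.append(f"maxFailedAttempts {attempts} outside 4-16")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```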
