Apple's iPhone Configuration Utility Disappoints

Apple delivered on its promise of a configuration tool for iPhones, but leaves security, application delivery and device visibility by the wayside.

Apple's initial stab at the iPhone last year was a resounding success with consumers, but the business audience remained wary of the device due to its lack of security and management features. With this month's release of the iPhone 2.0, Apple has taken aim at the corporate audience, providing a suite of new on-device features and centralized management tools intended to make the device compelling for business customers.

Based on eWEEK Labs' tests, however, results are mixed. While the on-device improvements are most welcome, and hint at a much more secure future for the iPhone's network connections and configurations, Apple's first-generation configuration tools for back-end management and policy controls are woefully under-featured when compared to modern mobile device management platforms.

With its new iPhone Configuration Utility applications, Apple has taken a somewhat unsatisfying stab at providing mobile device management services for iPhones. Apple might have achieved its stated goal of providing a configuration tool for iPhones, but it does so in a fashion that leaves security, application delivery and device visibility by the wayside.

These shortcomings bear all the hallmarks of Apple's long-standing lack of understanding for the needs of enterprise customers, and call into question the company's ability to create an effective solution in-house that can serve the needs of its largest customers. Unfortunately, as the iPhone enters the infancy of its enterprise relevancy, there is nowhere else to turn for more robust enterprise management capabilities.

That said, the various iterations of the iPhone Configuration Utility could be successfully used in smaller, depot-style support environments, but the tools as currently structured lack the security and remote reach for large deployments to use effectively.

In a remote environment, the Configuration Utility requires a significant amount of user interaction to install policies--policies that are, by default, delivered in an insecure and compromisable manner. To cap it off, the users remain the arbiter of what is installed on the devices, as they have the power to simply remove any policies they don't agree with.

Apple has introduced three versions of the iPhone Configuration Utility: an application that can be used only on Macs running OS X 10.5 (Leopard), as well as a pair of Web-based applications (one for Mac and one for Windows XP or Vista).

The versions are pretty much identical in terms of their ability to define and export policies for iPhone configuration, but the Mac-only application has a few additional capabilities missing from the Web-based iterations that deliver applications and track policies.

With all versions of the utilities, administrators can create profiles that deliver VPN settings (including the new Cisco IPSEC VPN capabilities); Wi-Fi settings (including certificates for enterprise-grade security); e-mail accounts for POP, IMAP or Microsoft Exchange servers; device-lock requirements; and even wireless WAN radio behavior. Administrators can also sign the policies with a certificate or a key so that users will see a little emblem on the profile before they install it that tells them the file is trustable.

That's right--users will have to install profiles themselves. Apple does not include an agent on the device that can listen for and receive policies over the air.

Instead, administrators can export profiles from the Configuration Utility app for delivery via e-mail or a Web page. The user downloads the file, clicks on it to install (at which time the user can see exactly what the policy will do), and then answers a series of questions on the device to configure personalized settings such as a device pass code, Wi-Fi pre-shared keys, and user name/password combinations for e-mail and VPN configuration.

The policies themselves come in the form of an unencrypted X M L file. Certain fields-such as a VPN group password--are masked in some manner, but Apple makes it clear in the Configuration Utility EULA and in documentation that any sensitive data will be not be encrypted and that files should only be seen by authorized users.

Oddly, none of the Configuration Utility apps offer any mechanism for validating a policy before sending it out. The only way to make sure a policy is good is to install it on an iPhone.

This is unfortunate. Indeed, during tests I found it pretty easy to create an invalid policy: Simply clicking Configure on a profile to see what settings are available added the profile to the policy, even if I did not actually enter any data.

The Web-based iterations of the iPhone Configuration Utility also are pretty poor at policy version control--in fact, there is no version control at all. Each time I accessed the Web utility, it would show only the last policy I created. When I needed to edit a different policy, I had to import it back into the tool.

With the Mac OS X-based version, administrators can deliver applications to iPhones, but only to iPhones directly connected to the Mac running the Configuration Utility app--not to devices out in the field.

Administrators using this version also have the option of locking users from App Store access by setting a restriction on the iPhone. However, at this time, restrictions cannot be created via policy (even though Apple's documentation offers hints that this feature is in the works). In addition, this version shows a rudimentary device inventory-for devices that have been connected to the Mac running the Configuration Utility at some point in the past. But there is no data collection for remote devices, so administrators cannot tell whether policies are up to date or installed at all.