Overview of provisioning
Provisioning iOS devices to end users encompasses the activation and deployment of the settings that make up the basic device configuration. The basic settings deployed within an iOS Device Configuration Profile might include the Exchange Server settings, any prerequisite VPN connection settings, device options that aren't covered in Exchange Server security policies, or certificates required for secure connection.
Although iOS devices can make use of Microsoft Exchange's Autodiscover service to automatically detect the correct Exchange Server settings, utilizing the provisioning options from Apple enables you to ensure that these settings are applied consistently across your organization, can be updated centrally when required, and cannot be easily removed by your end users.
In addition to Exchange Server settings, provisioning devices using iOS Device Configuration Profiles also allows the following:
- VPN (Virtual Private Network) Connection Settings
- Wireless LAN Connection Settings
- Addition of Root Certificates to devices
- Addition of Identity Certificates used in place of password authentication
- Subscriptions to CalDAV and iCalendar format calendars
- LDAP, POP3, IMAP, and SMTP Configuration settings for non-Exchange ActiveSync environments
- Deployment of custom applications
As the list above shows, there are many more options available than just getting Exchange Server connected. Depending on your environment (for example, if your security policy does not allow access to Exchange Server unless connected via a VPN connection), it may be necessary to ensure these settings are deployed to users before they are able to synchronize with Exchange Server.
iOS Device Configuration Profiles can be distributed to users in a variety of ways, and the choice depends on the policies you have in place or the infrastructure available to deploy the configuration profiles. If you buy devices centrally and perform activation and setup before issuing them to users, your provisioning method may differ from the one you would use if users order devices themselves or buy and bring their own. Options include:
- Deployment via iTunes on an Apple Mac or Windows PC
- Deployment via the iPhone Configuration Utility
- Deployment via e-mail to end users, typically for deploying updated profiles
- Deployment from a website using a static configuration profile
- Deployment from a website using a custom, dynamically generated configuration profile
- Over-the-air certificate enrolment and configuration using SCEP (Simple Certificate Enrolment Protocol)
During the course of this book, we will cover how to use the various deployment methods outlined above so you can understand which will be the most applicable method for the environment you manage.
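To make the "custom, dynamically generated configuration profile" option concrete, the following added example (not code from this book) builds a per-user profile containing an Exchange ActiveSync payload and audits it before publication. The payload keys follow Apple's configuration profile format; the host name, organisation identifier, user details and function names are constructed for illustration.

```python
import plistlib
import uuid

EAS_TYPE = "com.apple.eas.account"  # Exchange ActiveSync payload type

def build_profile(user, email, host="mail.example.com", org_id="com.example"):
    """Return a .mobileconfig (XML plist) for one user.
    host and org_id are constructed placeholder values."""
    eas = {
        "PayloadType": EAS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.eas.{user}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Exchange ActiveSync",
        "Host": host,
        "EmailAddress": email,
        "UserName": user,
        "SSL": True,
        # No "Password" key: the user is prompted on the device instead,
        # so the generated file never carries a credential.
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.profile.{user}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Corporate settings for {user}",
        "PayloadContent": [eas],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def audit_profile(data):
    """Return a list of findings for a profile about to be published."""
    profile = plistlib.loads(data)
    findings = []
    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType is not Configuration")
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != EAS_TYPE:
            continue
        if "Password" in payload:
            findings.append("Exchange payload embeds a password")
        if payload.get("SSL") is False:
            findings.append("Exchange payload disables SSL")
    return findings

if __name__ == "__main__":
    blob = build_profile("jsmith", "jsmith@example.com")
    print(blob.decode())
    print(audit_profile(blob) or "no findings")
```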