Repost from: http://blog.sina.com.cn/s/blog_4b3c1f950102dspd.html
The article below gives an overview of a configuration profile's path from generation to installation:
Over-the-air iPhone Setup Using a Signed .mobileconfig File
Note: this does not push your configuration to an iPhone. The user of the iPhone must go to a web address and install a configuration profile.
Apple's documentation says that you can use "openssl smime" to sign your .mobileconfig file, but no one seems to tell you how. We'll go over that here as well.
1) Create a configuration (.mobileconfig) file
Your .mobileconfig file will end up looking something like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDisplayName</key>
            <string>LDAP Settings</string>
            <key>PayloadType</key>
            <string>com.apple.ldap.account</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadUUID</key>
            <string>6df7a612-ce0a-4b4b-bce2-7b844e3c9df0</string>
            <key>PayloadIdentifier</key>
            <string>com.example.iPhone.settings.ldap</string>
            <key>LDAPAccountDescription</key>
            <string>Company Contacts</string>
            <key>LDAPAccountHostName</key>
            <string>ldap.example.com</string>
            <key>LDAPAccountUseSSL</key>
            <false/>
            <key>LDAPAccountUserName</key>
            <string>uid=username,dc=example,dc=com</string>
            <key>LDAPSearchSettings</key>
            <array>
                <dict>
                    <key>LDAPSearchSettingDescription</key>
                    <string>Company Contacts</string>
                    <key>LDAPSearchSettingSearchBase</key>
                    <string></string>
                    <key>LDAPSearchSettingScope</key>
                    <string>LDAPSearchSettingScopeSubtree</string>
                </dict>
                <dict>
                    <key>LDAPSearchSettingDescription</key>
                    <string>Sales Departments</string>
                    <key>LDAPSearchSettingSearchBase</key>
                    <string>ou=Sales,dc=example,dc=com</string>
                    <key>LDAPSearchSettingScope</key>
                    <string>LDAPSearchSettingScopeSubtree</string>
                </dict>
            </array>
        </dict>
        <dict>
            <key>PayloadDisplayName</key>
            <string>Email Settings</string>
            <key>PayloadType</key>
            <string>com.apple.mail.managed</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadUUID</key>
            <string>362e5c11-a332-4dfb-b18b-f6f0aac032fd</string>
            <key>PayloadIdentifier</key>
            <string>com.example.iPhone.settings.email</string>
            <key>EmailAccountDescription</key>
            <string>Company E-mail</string>
            <key>EmailAccountName</key>
            <string>Full Name</string>
            <key>EmailAccountType</key>
            <string>EmailTypeIMAP</string>
            <key>EmailAddress</key>
            <string>username@example.com</string>
            <key>IncomingMailServerAuthentication</key>
            <string>EmailAuthPassword</string>
            <key>IncomingMailServerHostName</key>
            <string>imap.example.com</string>
            <key>IncomingMailServerUseSSL</key>
            <true/>
            <key>IncomingMailServerUsername</key>
            <string>username@example.com</string>
            <key>OutgoingPasswordSameAsIncomingPassword</key>
            <true/>
            <key>OutgoingMailServerAuthentication</key>
            <string>EmailAuthPassword</string>
            <key>OutgoingMailServerHostName</key>
            <string>smtp.example.com</string>
            <key>OutgoingMailServerUseSSL</key>
            <true/>
            <key>OutgoingMailServerUsername</key>
            <string>username@example.com</string>
        </dict>
    </array>
    <key>PayloadOrganization</key>
    <string>Your Organization's Name</string>
    <key>PayloadDisplayName</key>
    <string>Organization iPhone Settings</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadUUID</key>
    <string>954e6e8b-5489-484c-9b1d-0c9b7bf18e32</string>
    <key>PayloadIdentifier</key>
    <string>com.example.iPhone.settings</string>
    <key>PayloadDescription</key>
    <string>Sets up Organization's LDAP directories and email on the iPhone</string>
    <key>PayloadType</key>
    <string>Configuration</string>
</dict>
</plist>
Every PayloadUUID has to be unique; generate each one with uuidgen. You'll notice that I did not include any passwords above. With these settings, the iPhone will prompt the user for their e-mail password upon installation of the profile. (The LDAP password will be prompted for on first use if logging in fails.) Note that the sample sets LDAPAccountUseSSL to <false/>, which means that LDAP bind, password included, crosses the network in the clear; set it to <true/> unless your directory really offers no LDAP over SSL.
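The profile above is easy to get subtly wrong by hand: a UUID copied twice, a payload missing one of the mandatory Payload* keys, a password pasted into the file, or the LDAP transport left unencrypted. As an added example for this page (not the article's code), here is the same profile built with Python's plistlib, with uuid.uuid4() standing in for uuidgen, plus a small linter to run over any profile before signing it. The checks, function names and the com.example identifiers are this example's own choices; the key names are those from the article's sample.

```python
"""Build a profile like the article's with plistlib and lint it before signing.
Added example for this page, not the article's code: uuid.uuid4() stands in
for uuidgen, and the checks below are this example's own choices."""
import plistlib
import uuid

# Keys every payload dict, and the top-level Configuration dict, must carry.
REQUIRED_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")
# Switches whose false setting sends the account password over the network in clear.
SSL_SWITCHES = ("LDAPAccountUseSSL", "IncomingMailServerUseSSL", "OutgoingMailServerUseSSL")


def payload(ptype, identifier, display_name, **settings):
    """Common payload keys plus the payload-specific ones; a fresh UUID per call."""
    d = {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": identifier,
         "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": display_name}
    d.update(settings)
    return d


def build_profile_dict(domain="example.com", ldap_ssl=True):
    """The article's LDAP and IMAP payloads wrapped in a Configuration profile."""
    ldap = payload(
        "com.apple.ldap.account", "com.example.iPhone.settings.ldap", "LDAP Settings",
        LDAPAccountDescription="Company Contacts",
        LDAPAccountHostName="ldap." + domain,
        LDAPAccountUseSSL=ldap_ssl,  # the article's sample says <false/>; the linter flags that
        LDAPAccountUserName="uid=username,dc=example,dc=com",
        LDAPSearchSettings=[{"LDAPSearchSettingDescription": "Company Contacts",
                             "LDAPSearchSettingSearchBase": "",
                             "LDAPSearchSettingScope": "LDAPSearchSettingScopeSubtree"}])
    mail = payload(
        "com.apple.mail.managed", "com.example.iPhone.settings.email", "Email Settings",
        EmailAccountDescription="Company E-mail", EmailAccountName="Full Name",
        EmailAccountType="EmailTypeIMAP", EmailAddress="username@" + domain,
        IncomingMailServerAuthentication="EmailAuthPassword",
        IncomingMailServerHostName="imap." + domain, IncomingMailServerUseSSL=True,
        IncomingMailServerUsername="username@" + domain,
        OutgoingPasswordSameAsIncomingPassword=True,
        OutgoingMailServerAuthentication="EmailAuthPassword",
        OutgoingMailServerHostName="smtp." + domain, OutgoingMailServerUseSSL=True,
        OutgoingMailServerUsername="username@" + domain)
    # No password keys anywhere: the device prompts the user, as the article intends.
    return payload(
        "Configuration", "com.example.iPhone.settings", "Organization iPhone Settings",
        PayloadOrganization="Your Organization's Name",
        PayloadDescription="Sets up Organization's LDAP directories and email on the iPhone",
        PayloadContent=[ldap, mail])


def build_profile(**kwargs):
    """XML plist bytes, ready to be written to company.mobileconfig and signed."""
    return plistlib.dumps(build_profile_dict(**kwargs))


def lint_profile(profile):
    """Return a list of problems (empty means ready to sign); takes plist bytes or a dict."""
    top = plistlib.loads(profile) if isinstance(profile, (bytes, bytearray)) else profile
    problems = []
    if top.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    seen_uuids, seen_ids = set(), set()
    for p in [top] + list(top.get("PayloadContent", [])):
        ident = p.get("PayloadIdentifier")
        name = ident or "<no identifier>"
        for key in REQUIRED_KEYS:
            if key not in p:
                problems.append(f"{name}: missing {key}")
        if ident in seen_ids:
            problems.append(f"duplicate PayloadIdentifier {ident}")
        seen_ids.add(ident)
        u = p.get("PayloadUUID")
        if u is not None:
            try:
                uuid.UUID(u)
            except (ValueError, AttributeError, TypeError):
                problems.append(f"{name}: PayloadUUID {u!r} is not a UUID")
            if u in seen_uuids:
                problems.append(f"{name}: duplicate PayloadUUID {u}")
            seen_uuids.add(u)
        if not isinstance(p.get("PayloadVersion"), int):
            problems.append(f"{name}: PayloadVersion must be an <integer>")
        for key, value in p.items():
            # e.g. IncomingMailServerPassword; the bool OutgoingPasswordSameAsIncomingPassword is fine
            if key.endswith("Password") and not isinstance(value, bool):
                problems.append(f"{name}: carries {key}; anyone who fetches the profile gets it")
            if key in SSL_SWITCHES and value is False:
                problems.append(f"{name}: {key} is false, so the password crosses the network in clear")
    return problems


if __name__ == "__main__":
    xml = build_profile()
    print(xml.decode())
    print("problems:", lint_profile(xml))
```

Run it directly and it prints the XML plus an empty problem list; build_profile(ldap_ssl=False) reproduces the article's <false/> and gets flagged. The linter is a structural check only: the device remains the final judge of which keys it accepts.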
2) Sign the .mobileconfig file
For this step, I'll use the following notations:
company.mobileconfig is your unsigned configuration profile
server.crt is your server's certificate to sign the profile with
server.key is your server's private key
cert-chain.crt is the certificate bundle for the CA that issued your server's certificate
signed.mobileconfig will be your signed configuration profile
openssl smime -sign -in company.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile cert-chain.crt -outform der -nodetach
The -outform der and -nodetach options are your real tickets here to getting the signature into the form that the iPhone wants: -nodetach wraps the profile inside the signature (opaque signing) instead of producing a separate, detached signature, and -outform der writes the raw PKCS#7 structure instead of a base-64 S/MIME message. The -certfile bundle is what lets the device build a chain from your server certificate up to a root it already trusts, so it must contain any intermediate CA certificates. Now you take signed.mobileconfig and move on to the next step!
If you are signing from PHP rather than the command line, use the openssl_pkcs7_sign() function with the $flags argument set to 0, i.e. without PKCS7_DETACHED, which is the equivalent of -nodetach. This writes an S/MIME message: e-mail headers at the top, followed by the signature base-64 encoded. After you strip off the headers, you can base64_decode() the rest to get the same output as above. For example, with $signed holding the contents of the file openssl_pkcs7_sign() wrote:
$mobileconfig = base64_decode(preg_replace('/(.+\n)+\n/', '', $signed, 1));
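Both routes, the openssl command line and the PHP function, end in the same DER PKCS#7 blob, and the only way to know the blob will be accepted is to verify it against the CA chain exactly as the device will. The following added example (written for this page, not the article's code) drives the article's openssl smime command from Python, verifies the result against a CA bundle, reproduces the PHP header-stripping with a regular expression, and confirms that the profile does not verify against an unrelated CA. It assumes the openssl binary is on PATH and generates a throw-away self-signed certificate to stand in for server.crt, server.key and cert-chain.crt; with a real certificate you pass your own files and the issuing chain instead. The hostnames and file names are placeholders.

```python
"""Sign a profile with the article's openssl smime command, verify the result
the way a device would (the signature must chain to a trusted CA), and redo
the PHP header-stripping step in Python. Added example, not the article's
code; it needs the openssl binary on PATH and uses a freshly generated
self-signed certificate as a stand-in for server.crt/server.key/cert-chain.crt."""
import base64
import os
import re
import shutil
import subprocess
import tempfile

# Constructed minimal profile so the example runs offline (not the article's own).
UNSIGNED_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>PayloadContent</key><array/>
<key>PayloadIdentifier</key><string>com.example.iPhone.settings</string>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadUUID</key><string>954E6E8B-5489-484C-9B1D-0C9B7BF18E32</string>
<key>PayloadVersion</key><integer>1</integer>
</dict></plist>
"""
# DER encoding of the PKCS#7 signedData OID 1.2.840.113549.1.7.2.
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def openssl_available():
    return shutil.which("openssl") is not None


def openssl(*args):
    """Run one openssl subcommand, raising on a non-zero exit."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_self_signed(workdir, cn="www.example.com"):
    """Stand-in for a CA-issued server certificate; returns (crt, key) paths."""
    crt, key = os.path.join(workdir, "server.crt"), os.path.join(workdir, "server.key")
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=" + cn, "-keyout", key, "-out", crt)
    return crt, key


def sign_profile(unsigned, signed, signer_crt, signer_key, chain, der=True):
    """The article's command: -nodetach embeds the profile in the signature
    (opaque signing), -outform der gives the form the iPhone installs. With
    der=False you get the base64 S/MIME message that PHP's openssl_pkcs7_sign()
    with $flags = 0 produces too."""
    args = ["smime", "-sign", "-in", unsigned, "-out", signed, "-signer", signer_crt,
            "-inkey", signer_key, "-certfile", chain, "-nodetach"]
    if der:
        args += ["-outform", "der"]
    openssl(*args)


def verify_profile(signed, ca_bundle):
    """The embedded profile if the signature chains to ca_bundle, else None."""
    r = subprocess.run(["openssl", "smime", "-verify", "-inform", "der",
                        "-in", signed, "-CAfile", ca_bundle], capture_output=True)
    return r.stdout if r.returncode == 0 else None


def smime_to_der(smime_text):
    """Python twin of the article's PHP preg_replace + base64_decode: drop the
    headers (everything up to the first blank line) and decode the body."""
    parts = re.split(rb"\r?\n\r?\n", smime_text, maxsplit=1)
    if len(parts) != 2:
        raise ValueError("no blank line separating S/MIME headers from body")
    return base64.b64decode(parts[1])


def looks_like_pkcs7(der):
    """Cheap sanity check: an outer SEQUENCE that starts with the signedData OID."""
    return der[:1] == b"\x30" and SIGNED_DATA_OID in der[:20]


def same_profile(recovered, original):
    # Without -binary, openssl smime -sign canonicalises line endings to CRLF.
    return recovered is not None and recovered.replace(b"\r\n", b"\n") == original


def demo():
    """Sign, verify, take the PHP route, and check that a foreign CA is rejected."""
    with tempfile.TemporaryDirectory() as d:
        crt, key = make_self_signed(d)
        unsigned, signed = os.path.join(d, "company.mobileconfig"), os.path.join(d, "signed.mobileconfig")
        with open(unsigned, "wb") as f:
            f.write(UNSIGNED_PROFILE)
        sign_profile(unsigned, signed, crt, key, chain=crt)  # self-signed: the chain is itself
        smime, php_route = os.path.join(d, "signed.smime"), os.path.join(d, "from_smime.mobileconfig")
        sign_profile(unsigned, smime, crt, key, chain=crt, der=False)
        with open(smime, "rb") as f, open(php_route, "wb") as g:
            g.write(smime_to_der(f.read()))
        os.mkdir(os.path.join(d, "other"))  # an unrelated CA, e.g. an attacker's
        other_crt, _ = make_self_signed(os.path.join(d, "other"), cn="attacker.example.net")
        with open(signed, "rb") as f:
            der_is_pkcs7 = looks_like_pkcs7(f.read())
        return {
            "der_is_pkcs7": der_is_pkcs7,
            "verified": same_profile(verify_profile(signed, crt), UNSIGNED_PROFILE),
            "php_route_verified": same_profile(verify_profile(php_route, crt), UNSIGNED_PROFILE),
            "foreign_ca_rejected": verify_profile(signed, other_crt) is None,
        }


if __name__ == "__main__":
    print(demo() if openssl_available() else "openssl not found on PATH")
```

Run it directly and it prints the four checks, all True. Two things worth knowing from it: unless you add -binary, openssl smime -sign rewrites the line endings of the embedded profile to CRLF (harmless for XML, which is why the comparison normalises), and the "foreign CA" check is the one that matters in production, since a device will install a profile whose signature does not chain to a root it trusts but will show it as not verified.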
3) Serve up the file on your HTTPS server
The file has to be served with the MIME type application/x-apple-aspen-config. You may be able to do this by adding a line to your server's configuration, or to the .htaccess file in the folder, with:
<IfModule mod_mime.c>
    AddType application/x-apple-aspen-config .mobileconfig
</IfModule>
If serving the file from within PHP, you may do something like:
header('Content-Type: application/x-apple-aspen-config; charset=utf-8');
header('Content-Disposition: attachment; filename="company.mobileconfig"');
echo $mobileconfig;
4) Try it out on your iPhone
Get your iPhone and load up Safari. Go to the web address where your profile is saved, e.g. https://www.example.com/iphone/. Your phone should prompt you to install the profile. The install screen shows the profile as verified only when the signing certificate chains to a root the device trusts; a profile signed with a self-signed or otherwise untrusted certificate still installs, but is flagged as not verified, which is exactly what an attacker's profile would look like, so get the chain right before handing the URL to users.
You can see and remove profiles under Settings > General on your iPhone. Note that it is possible to create a profile that cannot be removed by the user; such a profile can only be replaced by one with the original profile identifier that is signed by the same authority. Be careful that you don't lock yourself out.
Finished!
At this point, we are finished. See the Enterprise Deployment Guide for other configuration profiles that you can create. It doesn't let you create or set everything that I wish it did (especially when it comes to setting up IMAP defaults), but it lets you do quite a bit.
I hope that this helps you! This is obviously a very brief guide and I glazed over a few details. If you have any comments, let me know. My e-mail address can be deduced from the very bottom of the document.