Securing Mobile Config files

I created a mobile config file that would set up wifi access for my company's various locations. I uploaded it to a webserver so that users can browse to it and install the file on the iPhone. Everything worked perfectly, but I noticed that if someone just downloads the file and opens it in Notepad or TextEdit, our wifi's WPA2 key is just listed there plain as day. Not encrypted or hidden in any way. Is there a way I can do this but keep that information hidden? I want them to be able to do the install but not get information out of the mobile config file.

iPhone 3Gs, iPhone OS 3.1.3

Posted on Apr 29, 2010 1:21 PM

9 replies

May 3, 2010 5:47 PM in response to arstacey

iPhone OS 3.0 and later allow encryption of configuration profiles. However, I believe that acquiring the encryption key (from the device) requires that you connect the device to a computer running the iPhone Config Utility. You can also build some web infrastructure which generates config profiles on the fly.

Check out the iPhone Enterprise Deployment Guide for more info.

May 18, 2010 9:12 PM in response to drahardja

I guess it is just over my head. I did figure out how to make an encrypted mobile config file, but it required me to have each of my locations download the iPhone Configuration Utility, connect the iPhone, then export the device info file, which I then imported into my own utility. The problem is that although we are geographically dispersed over a large area, my company is fairly small. We have very few servers (just a single domain controller, a very basic webserver, and a database server) and nothing I can use to set up for OTA management, not to mention I have no idea where to start to do so.

Oct 13, 2010 9:15 PM in response to arstacey

You can encrypt the payload information in a mobileconfig file and put together a poor man's OTA enrollment.
Extract the payload, <array> to </array>, after <key>PayloadContent</key>
to
<key>PayloadDescription</key>
Use openssl and encrypt the profile, say aes128; use a cert to PEM format.
Paste it back using the new key:
<key>EncryptedPayloadContent</key>
<data>Your encrypted payload stuff here</data>
You can then load a profile containing your cert using IPCU and ship your device.
However, you have to load the encrypted profile at the destination through Safari/SMS or email.
IPCU won't load encrypted profiles unless the same IPCU encrypted them.
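
An added example, not part of any post in this thread: a pre-publication check that parses a .mobileconfig and reports credentials left readable under PayloadContent, and whether the profile carries EncryptedPayloadContent instead. It assumes an unsigned plist profile; the list of secret key names is an assumption to extend for your payload types, and both sample profiles are constructed.

```python
import plistlib

# Key names that hold credentials in common payloads (assumed list, extend as needed).
SECRET_KEYS = {"Password", "UserPassword", "SharedSecret"}

def _walk(node, path):
    """Yield the path of every secret-looking key that has a non-empty value."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key in SECRET_KEYS and value:
                yield here
            else:
                yield from _walk(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")

def audit_profile(raw: bytes) -> dict:
    """Report whether a profile is encrypted and which secrets are in cleartext."""
    profile = plistlib.loads(raw)
    findings = list(_walk(profile.get("PayloadContent", []), "PayloadContent"))
    encrypted = "EncryptedPayloadContent" in profile
    return {"encrypted": encrypted,
            "cleartext_secrets": findings,
            "ok_to_publish": encrypted and not findings}

# Constructed sample: a Wi-Fi profile as exported without encryption.
SAMPLE_CLEAR = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Office Wi-Fi (constructed sample)",
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "SSID_STR": "ExampleCorp",
        "EncryptionType": "WPA",
        "Password": "constructed-not-a-real-key",
    }],
})

# Constructed sample: the same profile after the payload array was replaced
# by an encrypted blob (placeholder bytes, not real ciphertext).
SAMPLE_ENCRYPTED = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Office Wi-Fi (constructed sample)",
    "EncryptedPayloadContent": b"constructed-ciphertext-placeholder",
})

if __name__ == "__main__":
    for name, raw in (("clear", SAMPLE_CLEAR), ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, audit_profile(raw))
```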
