Configuration profiles (.mobileconfig)

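Source: Baidu Wenku  Editor: 偶看新闻  Date: 2024/04/26 17:39:45

A configuration profile is an XML file that contains the following: device security policies, VPN configuration information, Wi-Fi settings, APN settings, Exchange account settings, mail settings, and the certificates that allow iPhone and iPod touch to work with enterprise systems.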

 

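  The iPhone Configuration Utility lets you easily create, maintain, install and encrypt configuration profiles, track and install provisioning profiles and authorized applications, and capture device information including console logs. (The tool can be downloaded from the official website.)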

 

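  As far as is currently known, besides the iPhone Configuration Utility mentioned above, this configuration file can also be installed from an e-mail attachment, or by using Safari to browse to a web page that offers it for download, which brings up the Install Profile window.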

 

   How can a configuration profile be installed without a network connection? That is still an open question.

 

 

The following article gives a rough outline of the process from creating a configuration profile to installing it:

Over-the-air iPhone Setup Using a Signed .mobileconfig File

Note: this does not push your configuration to an iPhone. The user of the iPhone must go to a web address and install a configuration profile.

   Suppose that you have a few iPhones that you need to support, but you don't want to spend the time typing in all of the e-mail (IMAP or POP), LDAP, wireless network, or other settings into each phone. Perhaps you have found Apple's Enterprise Deployment Guide but you don't really feel like setting up a whole SCEP Certification Authority to get things done either since your requirements are so simple. But you do realize that it is much easier to tell your user to go to https://example.com/iphone/ on their iPhone than to step them through all the individual setup routines.

   Amazingly enough, there is not much documentation out there on how to hand-roll a .mobileconfig file that you can pass out on an HTTPS server to your users. We also want it to be "Verified" by the iPhone so that your users can see it is from you. While they can install untrusted profiles, it sure adds a nice touch to have the green checkmark.

   Perhaps you've scoured the Internet since you've read that you can "just use openssl smime" to sign your .mobileconfig file, but no one seems to tell you how. We'll go over that here as well.

 

1) Create a configuration (.mobileconfig) file

   This file will contain all the configuration you want for your users' iPhones. I believe you can use Apple's iPhone Configuration Utility to create this file. You don't have to, but it'll probably save you some typing.

   The Enterprise Deployment Guide defines the syntax of the profiles in Appendix B. You can do some pretty fancy request/response scripting between the phone and your server, but I'll just go over a simpler method that just sends a configuration file from your web server to their phone.

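Your .mobileconfig file will end up looking something like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>PayloadDisplayName</key>
          <string>LDAP Settings</string>
          <key>PayloadType</key>
          <string>com.apple.ldap.account</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
          <key>PayloadUUID</key>
          <string>6df7a612-ce0a-4b4b-bce2-7b844e3c9df0</string>
          <key>PayloadIdentifier</key>
          <string>com.example.iPhone.settings.ldap</string>
          <key>LDAPAccountDescription</key>
          <string>Company Contacts</string>
          <key>LDAPAccountHostName</key>
          <string>ldap.example.com</string>
          <key>LDAPAccountUseSSL</key>
          <true/> <!-- value lost in this copy of the article; true assumed -->
          <key>LDAPAccountUserName</key>
          <string>uid=username,dc=example,dc=com</string>
          <key>LDAPSearchSettings</key>
          <array>
            <dict>
              <key>LDAPSearchSettingDescription</key>
              <string>Company Contacts</string>
              <key>LDAPSearchSettingSearchBase</key>
              <string></string>
              <key>LDAPSearchSettingScope</key>
              <string>LDAPSearchSettingScopeSubtree</string>
            </dict>
            <dict>
              <key>LDAPSearchSettingDescription</key>
              <string>Sales Departments</string>
              <key>LDAPSearchSettingSearchBase</key>
              <string>ou=Sales,dc=example,dc=com</string>
              <key>LDAPSearchSettingScope</key>
              <string>LDAPSearchSettingScopeSubtree</string>
            </dict>
          </array>
        </dict>
        <dict>
          <key>PayloadDisplayName</key>
          <string>Email Settings</string>
          <key>PayloadType</key>
          <string>com.apple.mail.managed</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
          <key>PayloadUUID</key>
          <string>362e5c11-a332-4dfb-b18b-f6f0aac032fd</string>
          <key>PayloadIdentifier</key>
          <string>com.example.iPhone.settings.email</string>
          <key>EmailAccountDescription</key>
          <string>Company E-mail</string>
          <key>EmailAccountName</key>
          <string>Full Name</string>
          <key>EmailAccountType</key>
          <string>EmailTypeIMAP</string>
          <key>EmailAddress</key>
          <string>username@example.com</string>
          <key>IncomingMailServerAuthentication</key>
          <string>EmailAuthPassword</string>
          <key>IncomingMailServerHostName</key>
          <string>imap.example.com</string>
          <key>IncomingMailServerUseSSL</key>
          <true/> <!-- value lost in this copy of the article; true assumed -->
          <key>IncomingMailServerUsername</key>
          <string>username@es2eng.com</string>
          <key>OutgoingPasswordSameAsIncomingPassword</key>
          <true/> <!-- value lost in this copy of the article; true assumed -->
          <key>OutgoingMailServerAuthentication</key>
          <string>EmailAuthPassword</string>
          <key>OutgoingMailServerHostName</key>
          <string>smtp.example.com</string>
          <key>OutgoingMailServerUseSSL</key>
          <true/> <!-- value lost in this copy of the article; true assumed -->
          <key>OutgoingMailServerUsername</key>
          <string>username@example.com</string>
        </dict>
      </array>
      <key>PayloadOrganization</key>
      <string>Your Organization's Name</string>
      <key>PayloadDisplayName</key>
      <string>Organization iPhone Settings</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadUUID</key>
      <string>954e6e8b-5489-484c-9b1d-0c9b7bf18e32</string>
      <key>PayloadIdentifier</key>
      <string>com.example.iPhone.settings</string>
      <key>PayloadDescription</key>
      <string>Sets up Organization's LDAP directories and email on the iPhone</string>
      <key>PayloadType</key>
      <string>Configuration</string>
    </dict>
    </plist>
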

   I'll talk just briefly about the configuration above. The iPhone, as far as I can tell, uses the UUIDs to know whether or not it is replacing or installing a new profile onto the phone. On a Mac or Linux box, you can generate a UUID with the command uuidgen. You'll notice that I did not include any passwords above. With these settings, the iPhone will prompt the user for their e-mail password upon installation of the profile. (The LDAP password will be prompted on first use if logging in fails.)

   I actually wrote a PHP script that would take a template .mobileconfig file for me and fill in the username fields for me depending on PHP_AUTH_USER. After you get the basics down, you can go back and do that. There is also a way to encrypt the .mobileconfig files, but we are not covering that here.

 

Sign the .mobileconfig file

   This is the part that no one else seems to go over. Signing your configuration profile is an optional step, but it's not too hard if you already have an X.509 web server or email certificate.

For this step, I'll use the following notations:

  • company.mobileconfig is your unsigned configuration profile
  • server.crt is your server's certificate to sign the profile with
  • server.key is your server's private key
  • cert-chain.crt is the certificate bundle for the CA that issued your server's certificate.
  • signed.mobileconfig will be your signed configuration profile

   Once you have all the files listed above, you will run a command like the following:

        openssl smime -sign -in company.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile cert-chain.crt -outform der -nodetach

The -outform der and -nodetach are your real tickets here in getting it into a form that the iPhone wants. Now you take signed.mobileconfig and move on to the next step!
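
The signing step above, followed by the checks worth running on the result before it is published, as an added example that is not part of the original article. The throwaway self-signed certificate, its CN, the temporary file locations and the two-key sample profile are constructed for the demo; -certfile is omitted because there is no intermediate CA here.

```shell
#!/bin/sh
# Added example: sign a constructed profile, then confirm the output is DER,
# that it verifies against the expected signer, and that an edited copy fails.

sign_and_check_profile() {
    d=$(mktemp -d) || return 1
    # Constructed sample profile (not a complete payload set).
    cat > "$d/company.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadIdentifier</key><string>com.example.iPhone.settings</string>
<key>LDAPAccountHostName</key><string>ldap.example.com</string>
</dict></plist>
EOF
    # Throwaway key and self-signed certificate standing in for server.key/server.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=profiles.example.com" \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null || return 2

    # Same signing command as in the article, minus -certfile.
    openssl smime -sign -in "$d/company.mobileconfig" -out "$d/signed.mobileconfig" \
        -signer "$d/server.crt" -inkey "$d/server.key" -outform der -nodetach || return 3

    # 1. Output must be raw DER (first byte 0x30), not a base64 S/MIME message.
    first=$(head -c 1 "$d/signed.mobileconfig" | od -An -tx1 | tr -d ' \n')
    [ "$first" = "30" ] || return 4

    # 2. The signature verifies against the expected signer, and the embedded
    #    payload equals the input (openssl may store CRLF line ends, so strip CR).
    openssl smime -verify -inform der -in "$d/signed.mobileconfig" \
        -CAfile "$d/server.crt" 2>/dev/null | tr -d '\r' \
        | cmp -s - "$d/company.mobileconfig" || return 5

    # 3. A same-length edit to the embedded hostname must make verification fail.
    LC_ALL=C sed 's/ldap\.example\.com/ldap.example.net/' \
        "$d/signed.mobileconfig" > "$d/tampered.mobileconfig"
    cmp -s "$d/signed.mobileconfig" "$d/tampered.mobileconfig" && return 6
    if openssl smime -verify -inform der -in "$d/tampered.mobileconfig" \
        -CAfile "$d/server.crt" >/dev/null 2>&1; then return 7; fi

    rm -rf "$d"
    return 0
}

sign_and_check_profile && echo "signed profile verified; tampered copy rejected"
```

A non-zero return value identifies the check that failed (4: output is not DER, 5: signature or payload mismatch, 7: a modified file still verified).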

   Help for those that will use PHP scripting: You'll want to look at the openssl_pkcs7_sign() function with the $flags field set to 0. This will create a file that is base-64 encoded. After you strip off the e-mail headers at the top, you can base64_decode() to get the same output. For example:

        $mobileconfig = base64_decode(preg_replace('/(.+\n)+\n/', '', $signed, 1));

 

Serve up the file on your HTTPS server

   Okay, it'll probably work on your HTTP server as well. Just another configuration I didn't bother testing.

   There is just one caveat when it comes to serving up this file. It needs to be served up with a MIME Content-Type of application/x-apple-aspen-config. You may be able to do this by adding a line to your server's configuration or .htaccess file in the folder with:

        AddType application/x-apple-aspen-config .mobileconfig

If serving the file from within PHP, you may do something like:

        header('Content-type: application/x-apple-aspen-config; charset=utf-8');
        header('Content-Disposition: attachment; filename="company.mobileconfig"');
        echo $mobileconfig;

Try it out on your iPhone

Get your iPhone and load up Safari. Go to the web address of where your profile is saved, e.g. https://www.example.com/iphone/. Your phone should prompt you to install the profile.

You can see and remove profiles from Settings > General on your iPhone. Note that it IS possible to create a profile that cannot be removed except for by the original profile identifier and signed by the same authority. Be careful that you don't lock yourself out.

 

Finished!

At this point, we are finished. See the Enterprise Deployment Guide for other configuration profiles that you can create. It doesn't let you create or set everything that I wish it did (especially when it comes to setting up IMAP defaults), but it lets you do quite a bit.

I hope that this helps you! This is obviously a very brief guide and I glazed over a few details. If you have any comments, let me know. My e-mail address can be deduced from the very bottom of the document.

 

See Also

  • Retrieving an iPhone response using PHP