Microsoft Direct Push

The Exchange server automatically delivers email, contacts, and calendar events to iPhone and iPad Wi-Fi + 3G if a cellular or Wi-Fi data connection is available. iPod touch and iPad Wi-Fi dont have a cellular connection, so they receive push notifications only when theyre active and connected to a Wi-Fi network.
Microsoft Exchange Autodiscovery
The Autodiscover service of Exchange Server 2007 is supported. When you manually configure a device, Autodiscover uses your email address and password to automatically determine the correct Exchange server information. For information about enabling the Autodiscover service, see http://technet.microsoft.com/en-us/ library/cc539114.aspx.
Microsoft Exchange Global Address List
iPhone, iPod touch, and iPad retrieve contact information from your companys Exchange server corporate directory. You can access the directory when searching in Contacts, and its automatically accessed for completing email addresses as you enter them.
Additional Supported Exchange ActiveSync Features
In addition to the features and capabilities already described, iPhone OS supports: Creating calendar invitations. With Microsoft Exchange 2007, you can also view the status of replies to your invitations. Setting Free, Busy, Tentative, or Out of Office status for your calendar events. Searching mail messages on the server. Requires Microsoft Exchange 2007. Exchange ActiveSync client certificate-based authentication.
Unsupported Exchange ActiveSync Features
Not all Exchange features are supported, including, for example: Folder management Opening links in email to documents stored on SharePoint servers Task synchronization Setting an out of office autoreply message Flagging messages for follow-up
iPhone OS works with VPN servers that support the following protocols and authentication methods: L2TP/IPSec with user authentication by MS-CHAPV2 Password, RSA SecurID and CryptoCard, and machine authentication by shared secret. PPTP with user authentication by MS-CHAPV2 Password, RSA SecurID, and CryptoCard. Cisco IPSec with user authentication by Password, RSA SecurID, or CryptoCard, and machine authentication by shared secret and certificates. See Appendix A for compatible Cisco VPN servers and recommendations about configurations.

Additional Resources

In addition to this guide, the following publications and websites provide useful information: iPhone in Enterprise webpage at www.apple.com/iphone/enterprise/ iPad in Business webpage at: www.apple.com/ipad/business/ Exchange Product Overview at http://technet.microsoft.com/en-us/library/ bb124558.aspx Deploying Exchange ActiveSync at http://technet.microsoft.com/en-us/library/ aa995962.aspx Exchange 2003 Technical Documentation Library at http://technet.microsoft.com/ en-us/library/bb123872(EXCHG.65).aspx Managing Exchange ActiveSync Security at http://technet.microsoft.com/en-us/ library/bb232020(EXCHG.80).aspx Wi-Fi for Enterprise webpage at www.wi-fi.org/enterprise.php iPhone VPN Connectivity to Cisco Adaptive Security Appliances (ASA) at www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/iPhone/2.0/ connectivity/guide/iphone.html iPhone User Guide, available for download at www.apple.com/support/iphone/; view the guide on iPhone, tap the iPhone User Guide bookmark in Safari or go to http://help.apple.com/iphone/ iPhone Guided Tour at www.apple.com/iphone/guidedtour/ iPod touch User Guide, available for download at www.apple.com/support/ipodtouch; view the guide on iPod touch, tap the iPod touch User Guide in Safari or go to http://help.apple.com/ipodtouch/ iPod touch Guided Tour at www.apple.com/ipodtouch/guidedtour/ iPad User Guide, available for download at www.apple.com/support/ipad; view the guide on iPad, tap the iPad User Guide in Safari or go to http://help.apple.com/ipad/ iPad Guided Tour at www.apple.com/ipad/guided-tour/
Deploying iPhone and iPod touch
This chapter provides an overview of how to deploy iPhone, iPod touch, and iPad in your enterprise.
iPhone, iPod touch, and iPad are designed to easily integrate with your enterprise systems, including Microsoft Exchange 2003 and 2007, 802.1X-based secure wireless networks, and Cisco IPSec virtual private networks. As with any enterprise solution, good planning and an understanding of your deployment options make deployment easier and more efficient for you and your users. When planning your deployment of iPhone, iPod touch, and iPad, consider the following: How will your companys iPhones and iPad (Wi-Fi + 3G models) be activated for wireless cellular service? Which enterprise network services, applications, and data will your users need to access? What policies do you want to set on the devices to protect sensitive company data? Do you want to manually configure devices individually, or use a streamlined process for configuring a large fleet? The specifics of your enterprise environment, IT policies, wireless carrier, and your computing and communication requirements affect how you tailor your deployment strategy.

Activating Devices

CalDAV Calendars

CalDAV support in iPhone OS provides global calendars and scheduling for organizations that dont use Microsoft Exchange. iPhone OS works with calendar servers that support the CalDAV standard.

Subscribed Calendars

If you want to publish read-only calendars of corporate events, such as holidays or special event schedules, iPhone OS devices can subscribe to calendars and display the information alongside Microsoft Exchange and CalDAV calendars. iPhone OS works with calendar files in the standard iCalendar (.ics) format. An easy way to distribute subscribed calendars to your users is to send the fully qualified URL in SMS or email. When the user taps the link, the device offers to subscribe to the specified calendar.

Enterprise Applications

To deploy enterprise iPhone OS applications, you install the applications on your devices using iPhone Configuration Utility or iTunes. Once you deploy an application to users devices, updating those applications will be easier if each user has iTunes installed on their Mac or PC.
Online Certificate Status Protocol
When you provide digital certificates for iPhone OS devices, consider issuing them so theyre OCSP-enabled. This allows the device to ask your OCSP server if the certificate has been revoked before using it.
Determining Device Passcode Policies
Once you decide which network services and data your users will access, you should determine which device passcode policies you want to implement. Requiring passcodes to be set on your devices is recommended for companies whose networks, systems, or applications dont require a password or an authentication token. If youre using certificate-based authentication for an 802.1X network or Cisco IPSec VPN, or your enterprise application saves your login credentials, you should require users to set a device passcode with a short timeout period so a lost or stolen device cannot be used without knowing the device passcode. Policies can be set on iPhone, iPod touch, and iPad in either of two ways. If the device is configured to access a Microsoft Exchange account, the Exchange ActiveSync policies are wirelessly pushed to the device. This allows you to enforce and update the policies without any user action. For information about EAS policies, see Supported Exchange ActiveSync Policies on page 8. If you dont use Microsoft Exchange, you can set similar policies on your devices by creating configuration profiles. If you want to change a policy, you must post or send an updated profile to users or install the profile using iPhone Configuration Utility. For information about the device passcode policies, see Passcode Settings on page 32.

If you use Microsoft Exchange, you can also supplement your EAS policies by using configuration policies. This can provide access to policies that arent available in Microsoft Exchange 2003, for example, or allow you to define policies specifically for iPhone OS devices.

Configuring Devices

You need to decide how youll configure each iPhone, iPod touch, or iPad. This is influenced in part by how many devices you plan on deploying and managing over time. If the number is small, you may find that its simpler for you or your users to manually configure each device. This involves using the device to enter the settings for each mail account, Wi-Fi settings, and VPN configuration information. See Chapter 3 for details about manual configuration. If you deploy a large number of devices, or you have a large collection of email settings, network settings, and certificates to install, then you may want to configure the devices by creating and distributing configuration profiles. Configuration profiles quickly load settings and authorization information onto a device. Some VPN and Wi-Fi settings can only be set using a configuration profile, and if youre not using Microsoft Exchange, youll need to use a configuration profile to set device passcode policies. Configuration profiles can be encrypted and signed, which allows you to restrict their use to a specific device, and prevents anyone from changing the settings that a profile contains. You can also mark a profile as being locked to the device, so once installed it cannot be removed without wiping the device of all data, or optionally, with an administrative passcode. Whether or not youre configuring devices manually or using configuration profiles, you also need to decide if youll configure the devices or if you will delegate this task to your users. Which you choose depends on your users locations, company policy regarding users ability to manage their own IT equipment, and the complexity of the device configuration you intend to deploy. Configuration profiles work well for a large enterprise, for remote employees, or for users that are unable to set up their own devices. If you want users to activate their device themselves or if they need to install or update enterprise applications, iTunes must be installed on each users Mac or PC. iTunes is also required for iPhone OS software updates, so keep that in mind if you decide to not distribute iTunes to your users. For information about deploying iTunes, see Chapter 4.
Over-the-Air Enrollment and Configuration
Enrollment is the process of authenticating a device and user so that you can automate the process of distributing certificates. Digital certificates provide many benefits to users. They can be used to authenticate access to key enterprise services, such as Microsoft Exchange ActiveSync, WPA2 Enterprise wireless networks, and corporate VPN connections. Certificate-based authentication also permits the use of VPN On Demand for seamless access to corporate networks. In addition to using the over-the-air enrollment capabilities to issue certificates for your companys public key infrastructure (PKI), you can also deploy device configuration profiles. This ensures that only trusted users are accessing corporate services and that their devices are configured according to your IT policies. And because configuration profiles can be both encrypted and locked, the settings cannot be removed, altered, or shared with others. These capabilities are available to you in the over-the-air process described below, and also by using iPhone Configuration Utility to configure devices while theyre attached to your administrative computer. See Chapter 2 to learn about using iPhone Configuration Utility. Implementing over-the-air enrollment and configuration requires development and integration of authentication, directory, and certificate services. The process can be deployed using standard web services, and once its in place, it permits your users to set up their devices in a secure, authenticated fashion.

Overview of the Authenticated Enrollment and Configuration Process
To implement this process, you need to create your own profile distribution service that accepts HTTP connections, authenticates users, creates mobileconfig profiles, and manages the overall process described in this section. You also need a CA (certificate authority) to issue the device credentials using Simple Certificate Enrollment Protocol (SCEP). For links to PKI, SCEP, and related topics see Other Resources on page 27. The following diagram shows the enrollment and configuration process that iPhone supports.
Phase 1 - Begin Enrollment

Profile service

Enrollment request Device information request User: Anne Johnson sample sample
Attributes required: UDID, OS version, IMEI Challenge token: AnneJohnson1 URL for response: https://profiles.example.com
Phase 1 Begin Enrollment: Enrollment begins with the user using Safari to access the URL of the profile distribution service youve created. You can distribute this URL via SMS or email. The enrollment request, represented as step 1 in the diagram, should authenticate the users identify. Authentication can be as simple as basic auth, or you can tie into your existing directory services. In step 2, your service sends a configuration profile (.mobileconfig) in response. This response specifies a list of attributes that the device must provide in the next reply and a pre-shared key (challenge) that can carry the identity of the user forward during this process so you can customize the configuration process for each user. The device attributes that the service can request are iPhone OS version, device ID (MAC Address), product type (iPhone 3GS returns iPhone2,1), phone ID (IMEI), and SIM information (ICCID). For a sample configuration profile for this phase, see Sample Phase 1 Server Response on page 84.
Phase 2 - Device Authentication

Signed response via POST

sample
Attributes: UDID, OS Version, IMEI Challenge token: AnneJohnson1
Phase 2 Device Authentication: After the user accepts the installation of the profile received in phase 1, the device looks up the requested attributes, adds the challenge response (if provided), signs the response using the devices built-in identity (Apple-issued certificate), and sends it back to the profile distribution service using HTTP Post. For a sample configuration profile for this phase, see Sample Phase 2 Device Response on page 85.
Phase 3 - Device Certificate Installation
Certificate issuing service
Challenge Key generation specs URL for response
Challenge Certificate Signing Request Public key Device certificate 2
RSA: 1024 Challenge: AnneJohnson1 URL:http://ca.example.com/ getkey.exe
Phase 3 Certificate Installation: In step 1, the profile distribution service responds with specifications that the device uses to generate a key (RSA 1024) and where to return it for certification using SCEP (Simple Certificate Enrollment Protocol). In step 2, the SCEP request must be handled in automatic mode, using the challenge from the SCEP packet to authenticate the request. In step 3, the CA responds with an encryption certificate for the device. For a sample configuration profile for this phase, see Sample Phase 3 Server Response With SCEP Specifications on page 85.

Restrictions Settings

Use this payload to specify which device features the user is allowed to use. Allow explicit content: When this is turned off, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. Allow use of Safari: When this option is turned off, the Safari web browser application is disabled and its icon removed from the Home screen. This also prevents users from opening web clips. Allow use of YouTube: When this option is turned off, the YouTube application is disabled and its icon is removed from the Home screen. Allow use of iTunes Music Store: When this option is turned off, the iTunes Music Store is disabled and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. Allow installing apps: When this option is turned off, the App Store is disabled and its icon is removed from the Home screen. Users are unable to install or update their applications. Allow use of camera: When this option is turned off, the camera is completely disabled and its icon is removed from the Home screen. Users are unable to take photographs. Allow screen capture: When this option is turned off, users are unable to save a screenshot of the display.

Wi-Fi Settings

Use this payload to set how the device connects to your wireless network. You can add multiple network configurations by clicking the Add (+) button in the editing pane. These settings must be specified, and must match the requirements of your network, in order for the user to initiate a connection. Service Set Identifier: Enter the SSID of the wireless network to connect to. Hidden Network: Specifies whether the network is broadcasting its identity. Security Type: Select an authentication method for the network. The following choices are available for both Personal and Enterprise networks. None: The network doesnt use authentication. WEP: The network uses WEP authentication only. WPA/WPA 2: The network uses WPA authentication only. Any: The device uses either WEP or WPA authentication when connecting to the network, but wont connect to non-authenticated networks. Password: Enter the password for joining the wireless network. If you leave this blank, the user will be asked to enter it. Enterprise Settings In this section you specify settings for connecting to enterprise networks. These settings appear when you choose an Enterprise setting in the Security Type pop-up menu. In the Protocols tab, you specify which EAP methods to use for authentication and configure the EAP-FAST Protected Access Credential settings. In the Authentication tab, you specify sign-in settings such as user name and authentication protocols. If youve installed an identity using the Credentials section, you can choose it using the Identity Certificate pop-up menu. In the Trust tab, you specify which certificates should be regarded as trusted for the purpose of validating the authentication server for the Wi-Fi connection. The Trusted Certificates list displays certificates that have been added using the Credentials tab, and lets you select which certificates should be regarded as trusted. Add the names of the authentication servers to be trusted to the Trusted Server Certificates Names list. You can specify a particular server, such as server.mycompany.com or a partial name such as *.mycompany.com. The Allow Trust Exceptions option lets users decide to trust a server when the chain of trust cant be established. To avoid these prompts, and to permit connections only to trusted services, turn off this option and embed all necessary certificates in a profile.

LDAP Settings

Use this payload to enter settings for connecting to an LDAPv3 directory. You can specify multiple search bases for each directory, and you can configure multiple directory connections by clicking the Add (+) button. If you select the Use SSL option, be sure to add the certificates necessary to authenticate the connection using the Credentials pane.

CalDAV Settings

Use this payload to provide accounts settings for connecting to a CalDAV-compliant calendar server. These accounts will be added to the device, and as with Exchange accounts, users need to manually enter information you omit from the profile, such as their account password, when the profile is installed. If you select the Use SSL option, be sure to add the certificates necessary to authenticate the connection using the Credentials pane. You can configure multiple accounts by clicking the Add (+) button.
Subscribed Calendars Settings
Use this payload to add read-only calendar subscriptions to the devices Calendar application. You can configure multiple subscriptions by clicking the Add (+) button. A list of public calendars you can subscribe to is available at www.apple.com/downloads/macosx/calendars/. If you select the Use SSL option, be sure to add the certificates necessary to authenticate the connection using the Credentials pane.

Web Clip Settings

Use this payload to add web clips to the Home screen of the users device. Web clips provide fast access to favorite web pages. Make sure the URL you enter includes the prefix http:// or https://this is required for the web clip to function correctly. For example, to add the online version of the iPhone User Guide to the Home screen, specify the web clip URL: http://help.apple.com/iphone/ To add a custom icon, select a graphic file in gif, jpeg, or png format, 59 x 60 pixels in size. The image is automatically scaled and cropped to fit, and converted to png format if necessary.

Credentials Settings

Use this payload to add certificates and identities to the device. For information about supported formats, see Certificates and Identities on page 11. When installing credentials, also install the intermediate certificates that are necessary to establish a chain to a trusted certificate thats on the device. To view a list of the preinstalled roots, see the Apple Support article at http://support.apple.com/kb/HT2185. If youre adding an identify for use with Microsoft Exchange, use the Exchange payload instead. See Exchange Settings on page 36. Adding credentials on Mac OS X: 1 Click the Add (+) button. 2 In the file dialog that appears, select a PKCS1 or PKSC12 file, then click Open. If the certificate or identity that you want to install in your Keychain, use Keychain Access to export it in.p12 format. Keychain Access is located in /Applications/Utilities. For help see Keychain Access Help, available in the Help menu when Keychain Access is open. To add multiple credentials to the configuration profile, click the Add (+) button again. Adding credentials on Windows: 1 Click the Add (+) button. 2 Select the credential that you want to install from the Windows Certificate Store. If the credential isnt available in your personal certificate store, you must add it, and the private key must be marked as exportable, which is one of the steps offered by the certificate import wizard. Note that adding root certificates requires administrative access to the computer, and the certificate must be added to the personal store. If youre using multiple configuration profiles, make sure certificates arent duplicated. You cannot install multiple copies of the same certificate. Instead of installing certificates using a configuration profile, you can let users use Safari to download the certificates directly to their device from a webpage. Or, you can email certificates to users. See Installing Identities and Root Certificates on page 54 for more information. You can also use the SCEP Settings, below, to specify how the device obtains certificates over-the-air when the profile is installed.

SCEP Settings

The SCEP payload lets you specify settings that allow the device to obtain certificates from a CA using Simple Certificate Enrollment Protocol (SCEP).
Setting URL Name Description This is the address of the SCEP server. This can be any string that will be understood by the certificate authority, it can be used to distinguish between instances, for example. The representation of a X.500 name represented as an array of OID and value. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar, which would translate to: [ [ [C US] ], [ [O Apple Inc.] ],., [ [ 1.2.5.3 bar ] ] ] , , , A pre-shared secret the SCEP server can use to identify the request or user. Select a key size, andusing the checkboxes below this fieldthe acceptable use of the key. If your Certificate Authority uses HTTP, use this field to provide the fingerprint of the CAs certificate which the device will use to confirm authenticity of the CAs response. during the enrollment process. You can enter a SHA1 or MD5 fingerprint, or select a certificate to import its signature.

User Installation of Downloaded Configuration Profiles
Provide your users with the URL where they can download the profiles onto their devices, or send the profiles to an email account your users can access using the device before its set up with your enterprise-specific information. When a user downloads the profile from the web, or opens the attachment using Mail, the device recognizes the.mobileconfig extension as a profile and begins installation when the user taps Install.
During installation, the user is asked to enter any necessary information, such as passwords that were not specified in the profile, and other information as required by the settings you specified. The device also retrieves the Exchange ActiveSync policies from the server, and will refresh the policies, if theyve changed, with every subsequent connection. If the device or Exchange ActiveSync policies enforce a passcode setting, the user must enter a passcode that complies with the policy in order to complete the installation. Additionally, the user is asked to enter any passwords necessary to use certificates included in the profile. If the installation isnt completed successfullyperhaps because the Exchange server was unreachable or the user cancelled the processnone of the information entered by the user is retained. Users may want to change how many days worth of messages are synced to the device and which mail folders other than the inbox are synced. The defaults are three days and all folders. Users can change these by going to Settings > Mail, Contacts, Calendars > Exchange account name.
Removing and Updating Configuration Profiles
Configuration profile updates arent pushed to users. Distribute the updated profiles to your users for them to install. As long as the profile identifier matches, and if signed, it has been signed by the same copy of iPhone Configuration Utility, the new profile replaces the profile on the device. Settings enforced by a configuration profile cannot be changed on the device. To change a setting, you must install an updated profile. If the profile was signed, it can be replaced only by a profile signed by the same copy of iPhone Configuration Utility. The identifier in both profiles must match in order for the updated profile to be recognized as a replacement. For more information about the identifier, see General Settings on page 31. Important: Removing a configuration profile removes policies and all of the Exchange accounts data stored on the device, as well as VPN settings, certificates, and other information, including mail messages, associated with the profile.
If the General Settings payload of the profile specifies that it cannot be removed by the user, the Remove button wont appear. If the settings allows removal using an authorization password, the user will be asked to enter the password after tapping Remove. For more information about profile security settings, see General Settings on page 31.

Authentication Methods

iPhone OS supports the following authentication methods: Pre-shared key IPSec authentication with user authentication via xauth Client and server certificates for IPSec authentication with optional user authentication via xauth Hybrid authentication where the server provides a certificate and the client provides a pre-shared key for IPSec authentication; user authentication is required via xauth. User authentication is provided via xauth and includes the following authentication methods: User name with password RSA SecurID CryptoCard
Appendix A Cisco VPN Server Configuration

Authentication Groups

The Cisco Unity protocol uses authentication groups to group users together based on a common set of authentication and other parameters. You should create an authentication group for iPhone OS device users. For pre-shared key and hybrid authentication, the group name must be configured on the device with the groups shared secret (pre-shared key) as the group password. When using certificate authentication, no shared secret is used and the users group is determined based on fields in the certificate. The Cisco server settings can be used to map fields in a certificate to user groups.

Certificates

When setting up and installing certificates, make sure of the following: The server identity certificate must contain the servers DNS name and/or IP address in the subject alternate name (SubjectAltName) field. The device uses this information to verify that the certificate belongs to the server. You can specify the SubjectAltName using wildcard characters for per-segment matching, such as vpn.*.mycompany.com, for more flexibility. The DNS name can be put in the common name field, if no SubjectAltName is specified. The certificate of the CA that signed the servers certificate should be installed on the device. If it isnt a root certificate, install the rest of the trust chain so that the certificate is trusted. If client certificates are used, make sure that the trusted CA certificate that signed the clients certificate is installed on the VPN server. The certificates and certificate authorities must be valid (not expired, for example.). Sending of certificate chains by the server isnt supported and should be turned off. When using certificate-based authentication, make sure that the server is set up to identify the users group based on fields in the client certificate. See Authentication Groups on page 68.

PayloadDisplayName

PayloadDescription
PayloadContent PayloadRemovalDisallowed

Payload Content

The PayloadContent array is an array of dictionaries, where each dictionary describes an individual payload of the profile. Each functional profile has at least one or more entries in this array. Each dictionary in this array has a few common properties, regardless of the payload type. Others are specialized and unique to each payload type.
Key PayloadVersion Value Number, mandatory. The version of the individual payload. Each profile can consist of payloads with different version numbers. For instance, the VPN version number can be incremented at a point in the future while the Mail version number would not. String, mandatory. This is usually a synthetically generated unique identifier string. The exact content of this string is irrelevant; however, it must be globally unique. String, mandatory. This key/value pair determines the type of the individual payload within the profile. String, optional. This value describes the issuing organization of the profile, as it will be shown to the user. It can be, but doesnt have to be, the same as the root level PayloadOrganization.
Appendix B Configuration Profile Format
Value String, mandatory. This value is by convention a dot-delimited string uniquely describing the payload. Its usually the root PayloadIdentifier with an appended subidentifier, describing the particular payload. String, mandatory. This value is a very short string displayed to the user which describes the profile, such as VPN Settings It does not. have to be unique. String, optional. This value determines what descriptive, free-form text is displayed on the Detail screen for this particular payload.
Profile Removal Password Payload
The Removal Password payload is designated by the com.apple.profileRemovalPassword value of PayloadType. Its purpose is to encode the password that allows users to remove a configuration profile from the device. If this payload is present, and has a password value set, the device will ask for the password when the user taps a profiles Remove button. This payload is encrypted with the rest of the profile.

Challenge Keysize Key Type Key Usage
SubjectAltName Dictionary Keys
The SCEP payload can specify an optional SubjectAltName dictionary that provides values required by the CA for issuing a certificate. You can specify a single string or an array of strings for each key. The values you specify depend on the CA youre using, but might include DNS name, URL, or email values. For an example, see Sample Phase 3 Server Response With SCEP Specifications on page 85.
GetCACaps Dictionary Keys
If you add a dictionary with the key GetCACaps, the device uses the strings you provide as the authoritative source of information about the capabilities of your CA. Otherwise, the device queries the CA for GetCACaps and uses the answer it gets in response. If the CA doesnt respond, the device defaults to GET 3DES and SHA-1 requests.

APN Payload

The APN (Access Point Name) payload is designated by the com.apple.apn.managed PayloadType value. In addition to the settings common to all payloads, this payload defines the following:
Key DefaultsData DefaultsDomainName apns Value Dictionary, mandatory. This dictionary contains two key/value pairs. String, mandatory. The only allowed value is com.apple.managedCarrier. Array, mandatory. This array contains an arbitrary number of dictionaries, each describing an APN configuration, with the key/value pairs below. String, mandatory. This string specifies the Access Point Name. String, mandatory. This string specifies the user name for this APN. If its missing, the device prompts for it during profile installation. Data, optional. This data represents the password for the user for this APN. For obfuscation purposes, its encoded. If its missing from the payload, the device prompts for it during profile installation. String, optional. The IP address or URL of the APN proxy. Number, optional. The port number of the APN proxy.

apn username

password

proxy proxyPort

Exchange Payload
The Exchange payload is designated by the com.apple.eas.account PayloadType value. This payload creates a Microsoft Exchange account on the device. In addition to the settings common to all payloads, this payload defines the following:
Key EmailAddress Value String, mandatory. If not present in the payload, the device prompts for this string during profile installation. Specifies the full email address for the account. String, mandatory. Specifies the Exchange server host name (or IP address). Boolean, optional. Default YES. Specifies whether the Exchange server uses SSL for authentication. String, mandatory. This string specifies the user name for this Exchange account. If missing, the devices prompts for it during profile installation. String, optional. The password of the account. Use only with encrypted profiles. Optional. For accounts that allow authentication via certificate, a.p12 identity certificate in NSData blob format. String, Optional. Specifies the name or description of the certificate. Optional. The password necessary for the p12 identity certificate. Use only with encrypted profiles.