Friday 28 August 2015

Deploying iOS Custom Profiles with Microsoft Intune

EMS Landing page

Microsoft Intune is an excellent tool for managing mobile devices (Windows Phone, iOS and Android). We are given many options for deploying configuration settings to these devices. However, occasionally, we can encounter a requirement that is not supported natively. I had two such requirements today.
  • deploy WPA2 Personal Wifi profile with password to iOS device
  • deploy Cisco IPSec VPN profile to iOS device
Intune does not give us the options to configure these specific settings but it does give us the capability to import a custom iOS profile and deploy to devices. Great, I could easily create a custom profile using the Apple Configurator tool. This tool can only be used on a Mac device and the current version is only supported on OS X version 10.10.3 or later.

Launch the configurator tool.


"Prepare" is selected by default. We don't need to enter a name here. We are not provisioning a device. We only want to create a custom profile.

Turn "Supervision" on and click the + to "Create New Profile".


This will be our new iOS profile. In the General tab enter a name and description for the profile.


Open the Wi-Fi tab and click to Configure.


Enter the SSID, Security Type and password.


Open the VPN tab and click to Configure.


Enter a name for the connection. Select the "Connection Type". See that there are quite a lot to choose from here.


Enter the Group Identifier and Shared Secret. Save the profile.


This is the saved profile. Select the arrow to export it.


Save the profile and give the file a sensible name.


It is saved with a .mobileconfig extension.


Have a look at the contents of the file. It's just XML.


Now we will import the custom policy in Intune. Navigate to Policy > Configuration Policies. Click to Add a new policy.


Choose iOS > iOS Custom Policy and select "Create Policy".


Enter a name for the policy and a name for the profile which will be displayed to users.


Browse and choose the .mobileconfig file. The XML is displayed.


Choose to deploy the policy now.


Choose the group you want to deploy to.


We can now wait for the policy to get to the device or force a policy sync.


Our policy has been received. Open the policy.


Have a look at "More Details".


We can see the WiFi and VPN profiles.


This is the VPN configuration on the device.

The Apple Configurator tool allows us to deploy configurations to devices via Intune even though these configurations are not natively available with Intune.




4 comments:

  1. Hi Gerry,

    Will this method of deploying VPN profile works with CISCO anyconnect if the authentication method is certificate based.?
    How will the device gets authenticated?

    Your Quick response would be appreciated.

    Regards,
    Sakshi

    ReplyDelete
    Replies
    1. I haven't tested this but I don't see why this wouldn't work. Why would you do it this way though? Deployment of certificate based Cisco AnyConnect profiles is supported natively with Intune.

      Delete
    2. But it requires NDES server as well as the infrastructure setup for deploying the VPN profile. Do you have a link to set up the infra and the profile?

      Delete
    3. That's right. Intune certificate deployment required NDES. Ronny has a good guide here

      http://ronnydejong.com/2014/12/15/part-1-deploy-certificates-to-mobile-devices-using-microsoft-intune-ndes-overview/

      Delete