Task:
Manually create and edit a mobile-config script for iPhone IKEv2 VPNs.
Requirements:
- Script it with a common XML editor; no need for Apple Configurator.
- Use secure cryptographic algorithms.
- Include all certificates needed for mutual authentication: the user certificate and private key, the VPN server certificate, and the trusted root certificate.
Solution:
1. Preparation: Encode the certificates (e.g., PFX and CER) with Base64:
http://www.stevenjordan.net/2016/11/add-certs-to-mobile-config-xml.html
2. Copy the mobile-config script (below) to an XML editor. I personally recommend Notepad+.
3. Edit the mobile-config script. Remove the certificate payloads and replace them with the output generated in Step 1:
(a) User certificate and private key: Lines 24 - 64.
(b) VPN server certificate: Lines 165 - 205.
(c) Private root certificate: Lines 225 - 245.
4. Change the additional text fields to match your organization:
(a) Consent: Lines 9 - 10.
(b) PFX Password: Line 19.
(c) PFX file name: Line 21.
(d) PFX Payload Display Name: Line 69.
(e) IKEv2 Local Identifier String: Line 117. N.B., this string must be the same as the DNS name listed in the user certificate's Subject Alternative Name.
(f) Remote address (i.e., VPN FQDN): Line 123.
(g) Remote identifier (i.e., VPN FQDN): Line 125.
(h) Server certificate issuer (i.e., CA): Line 127.
(i) User Defined VPN Name (optional): Line 156.
(j) Server payload display name (e.g., VPN FQDN): Line 210.
(k) Root certificate file name (i.e., CER): Line 222.
(l) Root CA payload display name: Line 250.
(m) iPhone profile description: Line 262.
(n) iPhone profile payload display name: Line 264.
(o) iPhone profile payload identifier (change the prefix): Line 266.
(p) iPhone profile organization name: Line 268.
5. Save the file as: File_Name.mobileconfig
6. Distribute.
Please note, this mobile-config contains the user certificate and private key. Ensure the document is deleted from all sources after device configuration is complete.
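The same procedure, scripted as an added example that is not part of the original post: a Python script that performs the Base64 step for pasting by hand, assembles the four payloads the post has you edit (PKCS#12 user certificate and key, server certificate, root CA, and the IKEv2 VPN payload tied to the user certificate by UUID), refuses weak IKE and child SA algorithms, and writes the .mobileconfig with owner-only permissions because it carries the private key. Payload key names follow Apple's Configuration Profile Reference; every hostname, password, file name, identifier prefix and certificate byte string is a constructed placeholder, and the algorithm allow-list is this example's own policy, not an Apple rule.

```python
"""Assemble an iPhone IKEv2 .mobileconfig with mutual certificate authentication.
Added example; all hostnames, passwords and certificate bytes are placeholders.
"""
import base64
import os
import plistlib
import uuid

# Allow-list used by check_sa_params (this example's policy, not an Apple rule).
STRONG_ENCRYPTION = {"AES-256", "AES-128-GCM", "AES-256-GCM"}
STRONG_INTEGRITY = {"SHA2-256", "SHA2-384", "SHA2-512"}
STRONG_DH_GROUPS = {14, 15, 16, 17, 18, 19, 20, 21}

# Constructed stand-ins for the three files the post has you Base64-encode.
SAMPLE_PFX = b"PKCS12-PLACEHOLDER:" + bytes(range(64))
SAMPLE_SERVER_CERT = b"SERVER-DER-PLACEHOLDER:" + bytes(range(64, 128))
SAMPLE_ROOT_CERT = b"ROOT-DER-PLACEHOLDER:" + bytes(range(128, 192))


def check_sa_params(params):
    """Reject weak IKE/child SA settings before they reach the profile."""
    if params["EncryptionAlgorithm"] not in STRONG_ENCRYPTION:
        raise ValueError("weak encryption: %s" % params["EncryptionAlgorithm"])
    if params["IntegrityAlgorithm"] not in STRONG_INTEGRITY:
        raise ValueError("weak integrity: %s" % params["IntegrityAlgorithm"])
    if params["DiffieHellmanGroup"] not in STRONG_DH_GROUPS:
        raise ValueError("weak DH group: %s" % params["DiffieHellmanGroup"])
    return True


def base64_block(der_bytes, width=76):
    """Wrapped Base64 text, ready to paste between <data> tags by hand (Step 1)."""
    text = base64.b64encode(der_bytes).decode("ascii")
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


def build_profile(prefix, org, consent, pfx, pfx_password, server_der, root_der,
                  vpn_fqdn, local_id, issuer_cn, sa_params):
    """Return the profile as a dict; plistlib emits the <data> Base64 itself."""
    check_sa_params(sa_params)
    pkcs12_uuid = str(uuid.uuid4()).upper()
    user_cert = {  # user certificate + private key (PFX), password-protected
        "PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
        "PayloadIdentifier": prefix + ".pkcs12", "PayloadUUID": pkcs12_uuid,
        "PayloadDisplayName": "User certificate", "PayloadCertificateFileName": "user.pfx",
        "PayloadContent": pfx, "Password": pfx_password}
    server_cert = {  # VPN server certificate (DER)
        "PayloadType": "com.apple.security.pkcs1", "PayloadVersion": 1,
        "PayloadIdentifier": prefix + ".server", "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": vpn_fqdn, "PayloadCertificateFileName": "server.cer",
        "PayloadContent": server_der}
    root_cert = {  # private root CA (DER), installed as a trusted root
        "PayloadType": "com.apple.security.root", "PayloadVersion": 1,
        "PayloadIdentifier": prefix + ".root", "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Root CA", "PayloadCertificateFileName": "root.cer",
        "PayloadContent": root_der}
    vpn = {
        "PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
        "PayloadIdentifier": prefix + ".vpn", "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "VPN", "UserDefinedName": org + " VPN", "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": vpn_fqdn, "RemoteIdentifier": vpn_fqdn,
            "LocalIdentifier": local_id,  # must equal the user cert's SAN DNS name
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": pkcs12_uuid,  # binds the VPN to the PFX payload
            "ServerCertificateIssuerCommonName": issuer_cn,
            "IKESecurityAssociationParameters": dict(sa_params),
            "ChildSecurityAssociationParameters": dict(sa_params)}}
    return {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": prefix, "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": org + " IKEv2 VPN",
        "PayloadDescription": "IKEv2 VPN with certificate authentication",
        "PayloadOrganization": org, "ConsentText": {"default": consent},
        "PayloadContent": [user_cert, server_cert, root_cert, vpn]}


def serialize_profile(profile):
    return plistlib.dumps(profile)


def parse_profile(xml_bytes):
    """Round-trip check: the <data> blocks must decode back to the original DER."""
    return plistlib.loads(xml_bytes)


def build_sample_profile():
    return build_profile(
        prefix="com.example.vpn", org="Example Corp",
        consent="This profile installs a VPN and a user certificate.",
        pfx=SAMPLE_PFX, pfx_password="pfx-password-placeholder",
        server_der=SAMPLE_SERVER_CERT, root_der=SAMPLE_ROOT_CERT,
        vpn_fqdn="vpn.example.com", local_id="user1.example.com",
        issuer_cn="Example Corp Root CA",
        sa_params={"EncryptionAlgorithm": "AES-256-GCM",
                   "IntegrityAlgorithm": "SHA2-256", "DiffieHellmanGroup": 20})


def write_profile(profile, path):
    """Owner-only permissions: the file carries the user's private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(serialize_profile(profile))


if __name__ == "__main__":
    write_profile(build_sample_profile(), "Example_VPN.mobileconfig")
    print(base64_block(SAMPLE_ROOT_CERT))  # what Step 1 pastes into <data>
```

When replacing the SAMPLE_* constants with real files, read them in binary mode; the PFX goes in as the raw PKCS#12 bytes, not PEM. The generated file still contains the private key, so the post's closing warning applies to it exactly as it does to a hand-edited one.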