Securing your iPhone 2.0
Apple chose wisely to offer support for modern 802.1X, which is called WPA Enterprise or WPA2 Enterprise. The older WEP (Wired Equivalent Privacy) encryption standard is broken, and few companies rely on it in combination with 802.1X. Rather, they use WPA (Wi-Fi Protected Access) or WPA2. WPA has one strong encryption key standard built in; WPA2 has a government-grade option as well.
To set up a WPA/WPA2 connection, you need a network that uses it, either one you’re joining or one you set up yourself. Software from Periodik Labs is an affordable way for a smaller company to add WPA/WPA2 Enterprise service, and it works with nearly any consumer or business Wi-Fi router.
The iPhone has its basic WPA/WPA2 Enterprise connection settings alongside normal Wi-Fi network connection tools. Tap Settings from the Home screen, and then tap Wi-Fi. Either select a network protected in this way from the list of networks that appears, or tap Other to create a network profile.
The iPhone should recognize when you’re connecting to a network protected by 802.1X, and provide you the right fields. If you tap Other, you enter the network’s name in the Name field, and tap the Security field to select WPA Enterprise or WPA2 Enterprise. You then tap Other Networks at the top left to return to the profile setup. With either of those options selected, Username and Password fields appear in which you enter your 802.1X login information.
Many corporate networks require more than the simple 802.1X login this screen offers. This has puzzled some early iPhone 2.0 users, because Apple promised more elaborate 802.1X support and doesn’t show that support here. For that, you need to step up to iPhone Configuration Utility, a free program from Apple that includes the extra options, as well as providing tools for mass configuration of iPhones in an enterprise.
Creating an iPhone configuration profile
Download the iPhone Configuration Utility, which requires OS X 10.5. There are Web 2.0 applications for Windows XP/Vista and OS X 10.5 as well that have a slightly smaller feature set.
The utility lets you create profiles for iPhones that include all the salient details for network connections for e-mail and Microsoft Exchange, device security (such as requiring a passcode and setting passcode policies), and network security profiles for Wi-Fi and VPN connections. The program also lets you distribute digital certificates, widely used in corporations to make sure that devices only connect to legitimate networked systems—a key factor in securing 802.1X connections. (iPhone Configuration Utility also handles the tasks involved in distributing iPhone applications developed for in-house use.)
The Wi-Fi tab contains all the details necessary to distribute profiles for any kind of secured or unsecured Wi-Fi network. A slightly subtle set of plus and minus buttons at right (below the row of configuration tabs) lets you add and remove Wi-Fi profiles.
Enterprises use certificates to confirm the authenticity of their 802.1X authentication servers. Before you start configuring the Wi-Fi connection, you might want to gather any certificates used on the network, click the Credentials tab, and select those certificates. This makes them available to other parts of the configuration profile.
Now follow these steps:
- Click the Wi-Fi tab.
- Click the Configure button.
- Enter the network name in Service Set Identifier (SSID), which is the 802.11 protocol’s name for a network.
- From Security Type, select WPA/WPA2 Enterprise. (It’s possible, but unlikely, that you’d be using WEP Enterprise or Any Enterprise, which encompasses WEP, WPA, and WPA2.)
Three tabs appear under Enterprise Settings.
- Protocols: 802.1X provides no security on its own. It uses EAP (Extensible Authentication Protocol), a generic authentication framework that grew out of PPP, to carry the exchange between the device that wants access and the access point. EAP itself is secured by one of several methods; a network administrator will know which one the network uses. PEAP (Protected EAP) is the most common.
- Authentication: For whatever EAP methods were selected in Protocols, you enter the corresponding details here. For EAP-TLS, which requires a unique personal certificate, you install that certificate in Credentials, and then select it from the Identity Certificate here, for instance.
- Trust: The server you’re communicating with sends a certificate for all EAP methods. You can install the expected public certificate and the name found in the certificate in this tab, and that allows an iPhone to have full confidence in the integrity and validity of the connection that’s made.
There’s no Save button in the tab; File -> Save saves the current state of the configuration profile. You can add multiple Wi-Fi profiles by clicking the plus (+) button at middle right, just below and to the right of the Advanced tab.
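The three Enterprise Settings tabs (Protocols, Authentication, Trust) end up as keys in the Wi-Fi payload of the exported profile, which is a plain XML property list. The following is an added example, not code from the article or from Apple: it builds such a Wi-Fi payload for a WPA2 Enterprise network using PEAP, then audits a profile for the trust settings the Trust tab is meant to supply. The payload key names (SSID_STR, EncryptionType, EAPClientConfiguration, AcceptEAPTypes, TLSTrustedServerNames, PayloadCertificateAnchorUUID) follow Apple’s published profile format; the SSID, server name, identifiers and UUIDs are constructed sample values. Because the file is unencrypted, the audit can read every setting with a stock plist parser, which is exactly why distribution needs care.

```python
"""Build and audit the Wi-Fi payload of an iPhone configuration profile.

Added example, not the article's or Apple's own code. Key names follow
Apple's profile format; all sample values below are constructed.
"""
import plistlib
import uuid

# EAP method numbers as used in AcceptEAPTypes (IANA EAP type registry).
EAP_TLS = 13    # requires a personal identity certificate (Authentication tab)
EAP_TTLS = 21
EAP_PEAP = 25   # Protected EAP, the most common choice


def build_wifi_payload(ssid, eap_types, trusted_server_names,
                       anchor_cert_uuid=None, username=None):
    """Return one com.apple.wifi.managed payload for a WPA2 Enterprise network.

    eap_types            -> Protocols tab
    username             -> Authentication tab (no password is stored)
    trusted_server_names -> Trust tab: names the RADIUS certificate must carry
    anchor_cert_uuid     -> Trust tab: UUID of a certificate payload from the
                            Credentials tab that anchors the server's chain
    """
    eap = {
        "AcceptEAPTypes": list(eap_types),
        "TLSTrustedServerNames": list(trusted_server_names),
    }
    if username:
        eap["UserName"] = username
    if anchor_cert_uuid:
        eap["PayloadCertificateAnchorUUID"] = [anchor_cert_uuid]
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"example.wifi.{ssid}",   # constructed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": eap,
    }


def build_profile(payloads, display_name):
    """Wrap payloads in a top-level Configuration profile; return XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile",        # constructed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": display_name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def load_profile(profile_bytes):
    """Parse an exported (unsigned, unencrypted) profile back into a dict."""
    return plistlib.loads(profile_bytes)


def audit_profile(profile_bytes):
    """Return findings for Wi-Fi payloads that would accept any 802.1X server.

    Without trusted server names and an anchor certificate, the iPhone has no
    way to tell the real authentication server from an impostor, so the user's
    credentials could be handed to whichever server answers.
    """
    findings = []
    for payload in load_profile(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR", "<no SSID>")
        if payload.get("EncryptionType") == "WEP":
            findings.append(f"{ssid}: WEP encryption is broken; use WPA2")
        eap = payload.get("EAPClientConfiguration")
        if eap is None:
            continue  # personal (pre-shared key) network, no 802.1X to check
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: no trusted server names; server identity is not pinned")
        if not eap.get("PayloadCertificateAnchorUUID"):
            findings.append(f"{ssid}: no anchor certificate; server chain is not verified")
    return findings


if __name__ == "__main__":
    # Constructed sample: the anchor UUID would normally be the UUID of the
    # certificate payload added on the Credentials tab.
    anchor = str(uuid.uuid4())
    good = build_profile(
        [build_wifi_payload("corp-wifi", [EAP_PEAP], ["radius.example.com"], anchor, "jdoe")],
        "Corp Wi-Fi")
    weak = build_profile([build_wifi_payload("corp-wifi", [EAP_PEAP], [])], "Corp Wi-Fi")
    print("good profile findings:", audit_profile(good))
    print("weak profile findings:", audit_profile(weak))
```

Run the script and it prints an empty findings list for the profile with both Trust settings filled in and two findings for the one that leaves them blank; feeding it a real exported .mobileconfig via `load_profile(open(path, "rb").read())` works the same way, since the export is ordinary XML.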
You can do the same for setting up VPN profiles, although this is more to avoid the tedium of having users enter the details themselves, as the settings are the same on the iPhone as in the utility, unlike with 802.1X.
After settling any additional details, including filling out the Summary tab with a required name, you need to export or e-mail the profile so that an iPhone can use it. That requires a bit of caution. Even though the configuration profiles don’t contain passwords, they can contain a VPN shared secret stored in the clear, and Apple warns in its enterprise configuration guide that these profiles aren’t encrypted, just obscured. Best practices would suggest that you only allow users to download profiles from a secured SSL/TLS server where the user has to enter a username and password to gain access to the server.
In testing, I e-mailed a configuration profile to myself, and then selected that profile as an attachment in Mail. I was presented with a screen about the profile with an Install button if I wanted to add it to the iPhone. Tapping Details showed me the two Wi-Fi profiles I’d created. After tapping Install, I was warned that this wasn’t a signed profile, and tapped Install Now to proceed.
The iPhone then prompted me to enter the passwords associated with the two Wi-Fi profiles I’d created. Once entered, the profile appears in a new Settings item nearly at the bottom of the list, labeled Profiles. From there, you can select profiles and tap a Remove button to uninstall them.
New, improved, but room to grow
Apple has definitely ratcheted network security and configuration options up several marks with its latest iPhone releases. But there’s a way to go still. The company needs to consider finding a better way to offer continuous VPN access across networks while roaming, and it should centralize enterprise profile installation without using an export option for full remote management.
However, it’s far easier than it was at the beginning of July to make sure your iPhone activity remains private, confidential, and IT manager-approved.