Deploying a VPN configuration and certificate on iOS with a mobileconfig profile

Apple no longer provides the Apple Configurator tool for Windows, so the profile has to be written by hand.
File template
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Set the name to whatever you like, it is used in the profile list on the device -->
    <key>PayloadDisplayName</key>
    <string>hk ikev2 config</string>
    <!-- This is a reverse-DNS style unique identifier used to detect duplicate profiles -->
    <key>PayloadIdentifier</key>
    <string>192.168.5.105</string>
    <!-- A globally unique identifier, use uuidgen on Linux/Mac OS X to generate it -->
    <key>PayloadUUID</key>
    <string>9f93912b-5fd2-4455-99fd-13b9a47b4581</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadContent</key>
    <array>
        <!-- It is possible to add multiple VPN payloads with different identifiers/UUIDs and names -->
        <dict>
            <!-- This is an extension of the identifier given above -->
            <key>PayloadIdentifier</key>
            <string>192.168.5.105</string>
            <!-- A globally unique identifier for this payload -->
            <key>PayloadUUID</key>
            <string>29e4456d-3f03-4f15-b46f-4225d89465b7</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <!-- This is the name of the VPN connection as seen in the VPN application later -->
            <key>UserDefinedName</key>
            <string>hk ikev2 config</string>
            <key>VPNType</key>
            <string>IKEv2</string>
            <key>IKEv2</key>
            <dict>
                <!-- Hostname or IP address of the VPN server -->
                <key>RemoteAddress</key>
                <string>192.168.5.105</string>
                <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty.
                     IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN -->
                <key>RemoteIdentifier</key>
                <string>192.168.5.105</string>
                <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used -->
                <key>LocalIdentifier</key>
                <string></string>
                <!-- The server is authenticated using a certificate -->
                <key>AuthenticationMethod</key>
                <string>Certificate</string>
                <!-- The client uses EAP to authenticate -->
                <key>ExtendedAuthEnabled</key>
                <integer>1</integer>
                <!-- User name for EAP authentication. Since iOS 9 this is optional, the user is prompted when the profile is installed -->
                <key>AuthName</key>
                <string>test</string>
                <!--<key>AuthPassword</key>
                <string></string>-->
            </dict>
        </dict>
        <!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration -->
        <dict>
            <key>PayloadIdentifier</key>
            <string>caCert.ca</string>
            <key>PayloadUUID</key>
            <string>64988b2c-33e0-4adf-a432-6fbcae543408</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <!-- This is the Base64 (PEM) encoded CA certificate -->
            <key>PayloadContent</key>
            <data>
MIIDVzCCAj+gAwIBAgIIUF9vCfksOkswDQYJKoZIhvcNAQEFBQAwOTELMAkGA1UE
................................................................
m5YbMsFYzWq4YEIOxAk09/6VUdLAskOKW73PWmZdu/IWyivKuNy1wh+UYw==
            </data>
        </dict>
    </array>
</dict>
</plist>

 test.mobileconfig

Whether you use certificate authentication or username (EAP) authentication, AuthenticationMethod is always Certificate: it describes how the server authenticates itself. For certificate authentication set ExtendedAuthEnabled to 0 and set PayloadCertificateUUID to the PayloadUUID of the client certificate payload appended later in the profile, e.g.
<key>PayloadCertificateUUID</key>
<string>d60488c6-328e-4944-9c8d-61db8095c864</string>
For username authentication set ExtendedAuthEnabled to 1 and add the username and password below it. If they are omitted, the iPhone prompts for them when the profile is installed. Leaving AuthPassword commented out, as in the template, is the better choice: a password written into the profile sits in cleartext in a file that is then emailed or served over HTTP.
<!-- User name for EAP authentication. Since iOS 9 this is optional, the user is prompted when the profile is installed -->
<key>AuthName</key>
<string>test</string>
<!--<key>AuthPassword</key>
<string></string>-->
 
The certificate appended at the end is the PEM body with the BEGIN and END lines removed, otherwise the certificate is not recognized (a plist <data> element is simply the Base64 of the DER bytes, which is exactly what the PEM body is). Convert a DER certificate to PEM with:
openssl x509 -in caCert.der -inform DER -out caCert.pem -outform PEM
Finally, send the file by email or host it on an HTTP server. When hosting it on Apache the MIME type must be registered; in
/etc/apache2/mods-enabled/mime.conf
add
AddType application/x-apple-aspen-config .mobileconfig
service apache2 restart
A profile built this way is unsigned, so iOS flags it as "Not Signed" during installation. Serve it over HTTPS rather than plain HTTP: the profile carries the root CA that the VPN client will trust for the server, so anyone who can alter it in transit can swap in their own CA.
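The steps above (auth mode selection, stripping the PEM header and footer, cross-referencing PayloadCertificateUUID to a client certificate payload) are easy to get subtly wrong by hand. The following script, an added example and not code from the original post, generates the profile with the standard-library plistlib for either authentication mode and re-parses the result to check that every UUID is unique and that PayloadCertificateUUID points at a payload that actually exists. The server address, display name, identifier prefix and the stand-in certificate bytes are constructed placeholders; substitute your own CA and, for certificate auth, a real PKCS#12 file.

```python
"""Build and sanity-check an iOS IKEv2 .mobileconfig with plistlib.

Added example, not from the original post. plistlib emits bytes as a <data>
element, i.e. Base64 of the DER certificate without PEM BEGIN/END lines,
which is exactly what the profile expects.
"""
import base64
import plistlib
import re
import textwrap
import uuid

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def build_profile(display_name, server, ca_der, *, eap_user=None,
                  client_p12=None, p12_password=None,
                  identifier="com.example.vpn.hk"):
    """Return .mobileconfig bytes for exactly one authentication mode.

    eap_user   -> EAP auth: ExtendedAuthEnabled=1, AuthName set, AuthPassword
                  deliberately omitted so the device prompts on install.
    client_p12 -> certificate auth: ExtendedAuthEnabled=0 plus a
                  com.apple.security.pkcs12 payload referenced from the IKEv2
                  dict through PayloadCertificateUUID.
    AuthenticationMethod is "Certificate" in both cases (server side).
    """
    if (eap_user is None) == (client_p12 is None):
        raise ValueError("pass exactly one of eap_user / client_p12")
    ike = {
        "RemoteAddress": server,
        "RemoteIdentifier": server,
        "LocalIdentifier": "",
        "AuthenticationMethod": "Certificate",
        "ExtendedAuthEnabled": 1 if eap_user else 0,
    }
    extra = []
    if eap_user:
        ike["AuthName"] = eap_user
    else:
        p12_uuid = str(uuid.uuid4()).upper()
        ike["PayloadCertificateUUID"] = p12_uuid
        p12 = {
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadIdentifier": identifier + ".clientcert",
            "PayloadUUID": p12_uuid,
            "PayloadVersion": 1,
            "PayloadContent": client_p12,      # raw PKCS#12 bytes -> <data>
        }
        if p12_password:                        # omitted -> device prompts
            p12["Password"] = p12_password
        extra.append(p12)
    vpn = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadIdentifier": identifier + ".vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "UserDefinedName": display_name,
        "VPNType": "IKEv2",
        "IKEv2": ike,
    }
    ca = {
        "PayloadType": "com.apple.security.root",
        "PayloadIdentifier": identifier + ".ca",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": ca_der,               # DER bytes -> <data>
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": [vpn, ca] + extra,
    }
    return plistlib.dumps(profile)


def check_profile(data: bytes) -> dict:
    """Re-parse a profile and report what is worth checking before shipping it."""
    prof = plistlib.loads(data)
    payloads = prof["PayloadContent"]
    payload_uuids = [p["PayloadUUID"] for p in payloads]
    all_uuids = payload_uuids + [prof["PayloadUUID"]]
    vpn = next(p for p in payloads if p["PayloadType"] == "com.apple.vpn.managed")
    ca = next(p for p in payloads if p["PayloadType"] == "com.apple.security.root")
    ike = vpn["IKEv2"]
    ref = ike.get("PayloadCertificateUUID")
    return {
        "extended_auth": ike["ExtendedAuthEnabled"],
        "cert_ref_ok": ref is None or ref in payload_uuids,  # dangling ref = broken
        "uuids_unique": len(set(all_uuids)) == len(all_uuids),
        "password_embedded": "AuthPassword" in ike,
        "ca_der": ca["PayloadContent"],
    }


# Constructed placeholder bytes standing in for a DER certificate; they only
# exercise the PEM stripping and the <data> round trip, they are not a CA.
CA_DER = bytes(range(256))
CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
          + "\n".join(textwrap.wrap(base64.b64encode(CA_DER).decode(), 64))
          + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    blob = build_profile("hk ikev2 config", "192.168.5.105",
                         pem_to_der(CA_PEM), eap_user="test")
    with open("test.mobileconfig", "wb") as f:
        f.write(blob)
    print(check_profile(blob))
```

Run it and open test.mobileconfig: the CA appears as a `<data>` block identical to the hand-stripped PEM body in the template. Switching to certificate auth is a matter of passing `client_p12=open("client.p12", "rb").read()` instead of `eap_user`; the checker then confirms that the PayloadCertificateUUID written into the IKEv2 dict resolves to the pkcs12 payload, which is the cross-reference most often broken when profiles are edited by hand.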
 
 
Microsoft also has a tool for creating VPN profile files, which apparently supports iOS as well.
Reposted from haohetao.iteye.com/blog/2369760