iOS Wi-Fi Profile Generator (daduckmsft.github.io)
92 points by transpute on Dec 31, 2023 | hide | past | favorite | 61 comments


  <key>AutoJoin</key>
  <true/>
  <key>CaptiveBypass</key>
  <false/>
  <key>EncryptionType</key>
  <string>None</string>
A whole bunch of key-value pairs at the same level? What kind of cursed XML is this?


I'm not sure how old you are but congratulations on living this long without encountering the unmitigated hell of Apple plist files.

I remember seeing it when I first started using OSX 10.0 about two decades ago and my reaction was about the same as yours. At least now `plutil` can output (and read) JSON, along with lots of other enhancements to make it slightly less insane to use.



Also can be edited using plutil and defaults in command line.


Not entirely unfamiliar from <dt>/<dd> HTML elements. [1][2]

   <dt>term1</dt><dd>definition1</dd>
   <dt>term2</dt><dd>definition2</dd>
[1] https://developer.mozilla.org/en-US/docs/Web/HTML/Element/dl...

[2] https://www.w3.org/TR/2011/WD-html5-author-20110809/the-dl-e...


Here's a large example with nested arrays and dicts, integers, strings, etc:

https://github.com/acidanthera/OpenCorePkg/blob/master/Docs/...


Sweet Jesus.

I'm filing a human rights complaint at The Hague.


Oh it's not that bad, plus it's just an on-disk serialization format. You use it like you would Python's pickle by dumping/loading from NSDictionary/NSArray.

It's ordered, typed, can be validated by schema, and just takes the format you would write naturally and removes the boilerplate because your primitive collections in plist world aren't trees they're dicts and arrays just like in JSON.

    <dict>
      <entry>
        <key>Greeting</key>
        <value type="string">Hello World</value>
      </entry>
    </dict>

    <dict>
      <key>Greeting</key>
      <string>Hello World</string>
    </dict>


It's not intended to be written by hand. It's also like 30 years old.


I kinda like it. About as succinct you can make an ordered map with XML, given a predefined set of element names (= easy validation)


Now imagine that the workspace/project format for the de facto IDE for all Apple related stuff uses this exact same format, mixed with some random binary blobs, and it keeps track of all project settings and file structure. Now imagine merging that in your VCS of choice whenever another team member makes any change to any of the aforementioned things.

Good news! You don't have to imagine! You can live this fever dream yourself by using Xcode.

How a company with that much money can unironically produce such dumpster fire garbage of a so-called IDE is beyond my comprehension.


> Now imagine that the workspace/project format for the defacto IDE for all Apple related stuff uses this exact same format

It doesn’t. Xcode project files are something that look a bit like a cross between JSON and an INI file. This is unofficial documentation showing what it looks like:

http://www.monobjc.net/xcode-project-file-format.html

That isn’t a property list; it’s something inherited from Project Builder from NeXTSTEP, which Xcode was originally based upon. Xcode project files would be a lot easier to deal with if they were property list files, because they are a standard, documented format with official tools to work with them. The Xcode project file format isn’t officially documented and doesn’t have generic manipulation tools like plutil.

Maybe you are mixing the project file up with the Info.plist file? That is a property list file, but its purpose is to tell the operating system about the application. It’s not the Xcode project file.


This is the original ASCII plist file format from NeXTSTEP. Foundation still supports reading these but not writing them.


What binary blobs? It's a text file?


This is one of the unexpected externalities of Apple’s walled garden. You may not deal with Xcode directly if you use Xamarin et al., then some poor soul somewhere has to sacrifice their first born every year when Xcode receives an update.

If Apple allowed other App Stores, they would have to make Xcode not suck.


Worse than an .ini file


Congratulations, you’ve found example #78332 that even the world’s best engineers can have bad ideas.



Jeez yeah do not like this


As another cool trick, you can host a mobileconfig file and use QR codes for fairly quick (10 taps on iOS or so) enrolment.

I’ve used them for enrolling users to custom CardDAV/CalDAV servers and it is so cool - going from scanning a QR code to magically seeing new events and contacts showing up in the calendar and contact book.


Slightly related: If you're self-hosting your email, you can use autoconfiguration[1] and autodiscover[2] to help your users set up Thunderbird and Outlook correctly.

[1] https://wiki.mozilla.org/Thunderbird:Autoconfiguration

[2] https://support.microsoft.com/en-us/topic/outlook-2016-imple...


Is this a thing on any non-Apple systems too? Is it additive or does it overwrite, on clients you've seen? If you can just go places and add their caldav servers with events, that's a semi viable way to share calendars?


iOS/MacOS, and Linux are great with this.

Mobileconfig is an Apple-only MDM but it works on iOS and MacOS.

There’s webcal:// protocol for CalDAV subscriptions that works on Apple and Linux

Unfortunately the user story is bad on Android, where Google hates any standards.

Edit: You can test out a recent project I did with webcal at https://captnemo.in/blr-habba/


Fastmail does this


Migadu used to do this till they forgot to renew the signing certs for their profiles, and felt it was too much hassle.


mailbox.org still gives out those profiles... but with no renewal...


Once you’ve installed a mobileconfig profile on iOS, is there a way to view its source?


iTunes unencrypted backups have the files, so you need to take a full backup and extract the relevant files: https://apple.stackexchange.com/questions/292869/how-can-i-e...


Would be perfect with a brief explanation of what this is and how to use the generated profile.

People who need profiles probably have better dedicated tools for the job. This website could be a nice educational resource for people who are unfamiliar but curious; it's just missing an explainer.


There are two primary purposes. Fundamentally .mobileconfig profiles are a standardized XML format that is an officially blessed way to bundle up a lot of various macOS, iOS, or tvOS configuration options into an easy standard format that can then be installed on various devices to apply a whole bunch of stuff all at once with no additional work. There are various GUIs to work with them, including Apple's free Apple Configurator, or iMazing does a nice one as well; they're the backbone of a lot of MDM usage for iDevices now, and they can also be created programmatically. As well as closed ones, there are lots of open source solutions for this and it's not particularly hard to roll your own or customize (though you probably want to save yourself the pain of dealing directly with the ancient format as much as you can).

So first, even for completely bog standard config it can be an easy timesaver, as well as way to make a change in a single place in a deterministic fashion and then apply it uniformly. I use it a great deal just purely for my own personal and family devices for example. I've got lots of email accounts, WiFi networks, and so on, that aren't special but sizable in number. I've made a few profiles for those, which I can then take and install on each Mac, iPhone, or iPad to have all the accounts loaded saving some manual config work. If I need to change a password, add or remove, I can do it in one single place, and then push it out to do the config. No need to jump back and forth to a password manager doing lots of copypaste of passwords on the phone. It's not a huge deal but it's a pretty simple time saver.

Secondly, .mobileconfig will let you do stuff that you can't (officially) do at all otherwise, particularly on iDevices, so in that case it's simply the only easy way to get at certain functionality. Some functionality is only available to "supervised" devices you set up fresh under supervision now, and can give you a much deeper level of control. For HN types, it can be useful to load your own private root CA and cert chains, cert-using WPA Enterprise networks, etc. It's another way to make it harder to do certain activities with a stolen device.

I think a lot of people with Apple devices who don't "need" profiles could still find them handy honestly. It's not exposed very well but it's also not some horribly complex thing to get some value out of. There are a lot more people with iDevices than Macs (so that rules out Apple Configurator), and typical serious MDM offerings are all subscription based sadly. So in turn free tools for other platforms are nice to see.


Um did you even open the link?

What is this for? Apple offers tools, such as Apple Configurator, that allow you to create your own iOS Configuration Profiles. Apple Configurator is only available for MacOS devices. This is useful if you do not have access to one but still need this.

This site will help generate a configuration profile based on the network information you provide. Using this, you can import the profile into your mobile devices (via a method such as an MDM).

You can see all of the modified output in the bottom as aqua text.

All of this is run client-side, within the browser.

Extra stuff:

Apple MDM Configuration Profile Reference


This doesn’t really explain what a profile would be useful for, as opposed to manually configuring the Wi-Fi network, or using QR codes.


The text explains “what”, but not “why”. Who needs a Configuration Profile?


Based on it mentioning MDM, I assume profiles are the only way to join a network on some phones with MDM enabled? So maybe it's for companies that procure many iPhones and zero Macs?


Thanks, I wondered why I would want this too. I don't use MDM.


Correct me if I am wrong, but won't iOS profiles work identically on macOS? If so, the tab at the top should be called "iOS & macOS" to be consistent with the "Android & Windows" tab.


Similar:

https://dns.notjakob.com/tool.html

... which allows you to create configuration profiles for system-wide DoH settings which are, currently, not settable in the GUI settings.


It would be nice if this generator also added options for WPA3 and (disabling) MAC randomisation. Plus generating a per-SSID encrypted DNS (DoH/DoT) configuration, those profiles are actually tedious to assemble.


Something I discovered later on is that the MAC doesn't change for a saved SSID. It always uses the same.

So there's a mapping that is like SSID -> MAC. They can get reset. But I stopped turning it off on my phone.


One thing that's bugging me currently in iOS is that I constantly see a "Privacy Warning" text in the wifi section because I turned off 'Private Wifi Address' since I'm on my own home network.


the purpose of this feature is primarily to encrypt unencrypted (http) traffic to stop both MITM & packet inspection by network admins (and compromised routers) as well as to prevent snooping by any ISP. Despite being on your home network, ISP snooping can still take place -- thus the privacy warning.


Is it? Afaik the _only_ thing that “Private WiFi Address” toggle changes is MAC randomization, so it uses a random MAC instead of the actual device MAC. Which is not what I want on my home network, I want the real address for firewall rules etc.


Hmm I definitely see my family phones get new MAC addresses from time to time. Maybe the cadence at which they refresh is just irregular?


I believe an iOS update triggers it.


> Starting with iOS 14, iPadOS 14, and watchOS 7, your device improves privacy by using a different MAC address for each Wi-Fi network. This unique MAC address is your device's private Wi-Fi address, which it uses for that network only. In some cases, your device will change its private Wi-Fi address: If you erase all content and settings or reset network settings on the device, your device uses a different private address the next time it connects to that network. Starting with iOS 15, iPadOS 15, and watchOS 8, if your device hasn’t joined the network in 6 weeks, it uses a different private address the next time it connects to that network. And if you make your device forget the network, it will also forget the private address it used with that network, unless it has been less than 2 weeks since the last time it was made to forget that network.

https://support.apple.com/en-us/102509


Unfortunately this is also an issue with the QR Code format which is underspecified, and this extends to a bug we've been begrudgingly waiting for apple to fix here.

The QR Code format is something like this:

    type = 'WPA'
    return `WIFI:S:${_ssid};P:${password};T:${type};${hidden};`

So the long standing bug (feedback id 9991042) we have filed with Apple is about a downgrade issue with QR Codes. If an iOS device connects with a QR Code it will successfully connect with WPA3. But when the device goes to reconnect it has saved the SSID as a WPA2 network only and will incorrectly only authenticate with WPA2. This is very unfortunate because the zero-knowledge aspect of dragonfly in wpa3 is a huge step forward for wifi security. Although I guess it's all still resting on AES CTR at the end of the day :-)
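As an added example (mine, not code from the thread or from the generator), here is a Python encoder and parser for the WIFI: QR payload as described on the ZXing "barcode contents" wiki, which is the format qifi.org and the snippet above are producing: fields are `K:value` pairs separated by `;`, the string ends with `;;`, `T` is one of `WPA`, `WEP` or `nopass`, and the characters `\ ; , " :` inside a value must be backslash-escaped. The parser rejects an SSID with an unescaped `;` instead of silently mis-splitting it, and the `AUTH_TYPES` set makes the point of the comment above visible: there is no value that says "WPA3" rather than "WPA", so the QR code itself cannot tell a client which one it joined. Sample SSIDs and passwords are constructed.

```python
"""Encode and parse the WIFI: QR-code payload (ZXing barcode-contents format)."""
from typing import Dict, Optional

# Authentication types the format defines. Note: no separate WPA3 value exists.
AUTH_TYPES = {"WPA", "WEP", "nopass"}
# Characters that must be backslash-escaped inside a field value.
SPECIAL = '\\;,":'


def _escape(value: str) -> str:
    """Backslash-escape the characters that would otherwise split or terminate fields."""
    return "".join("\\" + c if c in SPECIAL else c for c in value)


def build_wifi_qr(ssid: str, password: Optional[str], auth: str = "WPA",
                  hidden: bool = False) -> str:
    """Return the string to encode in the QR code, e.g. WIFI:T:WPA;S:net;P:pw;;"""
    if auth not in AUTH_TYPES:
        raise ValueError(f"auth must be one of {sorted(AUTH_TYPES)}")
    fields = [f"T:{auth}", f"S:{_escape(ssid)}"]
    if auth != "nopass":
        if not password:
            raise ValueError("password required for WPA/WEP networks")
        fields.append(f"P:{_escape(password)}")
    if hidden:
        fields.append("H:true")
    return "WIFI:" + ";".join(fields) + ";;"


def parse_wifi_qr(text: str) -> Dict[str, str]:
    """Tokenise a WIFI: payload, honouring backslash escapes.

    Raises ValueError on a malformed string, e.g. an SSID containing an
    unescaped ';' produced by a generator that does no escaping."""
    if not text.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    body, fields, i = text[5:], {}, 0
    while i < len(body) and body[i] != ";":          # a bare ';' here is the ';;' terminator
        colon = body.find(":", i)
        if colon == -1:
            raise ValueError("field without ':'")
        key = body[i:colon]
        if not key.isalpha():                         # keys are T, S, P, H, ... nothing else
            raise ValueError(f"malformed field name {key!r}")
        i, value = colon + 1, []
        while i < len(body) and body[i] != ";":
            if body[i] == "\\":                       # escaped character: take the next one literally
                i += 1
                if i >= len(body):
                    raise ValueError("dangling escape")
            value.append(body[i])
            i += 1
        if i >= len(body):
            raise ValueError("unterminated field")
        fields[key] = "".join(value)
        i += 1                                        # skip the ';' that ended this field
    if fields.get("T", "nopass") not in AUTH_TYPES:
        raise ValueError(f"unknown auth type {fields['T']!r}")
    return fields


def is_well_formed(text: str) -> bool:
    """True when the payload parses; False for strings a naive generator can emit."""
    try:
        parse_wifi_qr(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: SSID and password contain characters that must be escaped.
    qr = build_wifi_qr("Caf;e", 'p"w:1234')
    print(qr)                      # WIFI:T:WPA;S:Caf\;e;P:p\"w\:1234;;
    print(parse_wifi_qr(qr))
    print(is_well_formed("WIFI:S:Guest;Net;P:pw;T:WPA;;"))   # unescaped ';' in SSID -> False
```

Whatever the generator does, the only thing the phone learns from `T:WPA` is "pre-shared key"; whether the saved network ends up flagged WPA2 or WPA3 is bookkeeping on the client side, which is the behaviour the feedback above describes.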


I'm pretty sure iOS also doesn't support GCM as the group cipher, so these downgrades are not all that uncommon with iOS unfortunately. Hopefully they'll improve it in the future though.


No escaping is done, so you can end up with a malformed profile if your SSID or PSK includes a < for instance.
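As an added example (mine, not the site's code), the same kind of Wi-Fi profile built with the standard library's `plistlib`, which takes care of the escaping the comment above is missing: `<`, `>` and `&` in an SSID or PSK come out as `&lt;`, `&gt;` and `&amp;`, and a string with control characters is refused with `ValueError` rather than serialised into broken XML. The payload keys (`PayloadType com.apple.wifi.managed`, `SSID_STR`, `EncryptionType`, `Password`, `AutoJoin`, `CaptiveBypass`, `HIDDEN_NETWORK`) are the ones from Apple's Configuration Profile Reference; the identifiers, display names and sample networks are made up.

```python
"""Build and round-trip an iOS/macOS Wi-Fi configuration profile (.mobileconfig) with plistlib."""
import plistlib
import re
import uuid
from typing import List, Optional, Tuple

WIFI_PAYLOAD_TYPE = "com.apple.wifi.managed"
HEX64 = re.compile(r"^[0-9A-Fa-f]{64}$")
WPA_FAMILY = {"WPA", "WPA2", "WPA3", "Any"}
ENCRYPTION_TYPES = WPA_FAMILY | {"WEP", "None"}


def validate_psk(psk: str) -> bool:
    """WPA-Personal passphrase rules: 8-63 printable ASCII characters, or 64 hex digits (raw PMK)."""
    if HEX64.match(psk):
        return True
    return 8 <= len(psk) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in psk)


def wifi_payload(ssid: str, psk: Optional[str], encryption: str = "WPA2",
                 hidden: bool = False, auto_join: bool = True,
                 identifier: str = "example.wifi") -> dict:
    """One com.apple.wifi.managed payload. `identifier` is a made-up reverse-DNS prefix."""
    if encryption not in ENCRYPTION_TYPES:
        raise ValueError(f"unknown EncryptionType {encryption!r}")
    if encryption in WPA_FAMILY and (psk is None or not validate_psk(psk)):
        raise ValueError("WPA-family networks need an 8-63 char passphrase or 64 hex digits")
    if encryption == "WEP" and not psk:
        raise ValueError("WEP networks need a key")
    payload_id = f"{identifier}.{uuid.uuid5(uuid.NAMESPACE_DNS, ssid)}"
    payload = {
        "PayloadType": WIFI_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": payload_id,
        # uuid5 gives a stable UUID per SSID, so re-installing replaces the payload instead of duplicating it.
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, payload_id)).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": hidden,
        "AutoJoin": auto_join,
        "CaptiveBypass": False,
        "EncryptionType": encryption,
    }
    if encryption != "None":
        # The PSK sits in the profile in plaintext: treat the .mobileconfig as a secret.
        payload["Password"] = psk
    return payload


def build_profile(payloads: List[dict], display_name: str, identifier: str) -> bytes:
    """Wrap payloads in a top-level Configuration profile and serialise to XML.

    plistlib escapes <, > and & in every key and string, and raises ValueError
    for control characters, so user-supplied SSIDs/PSKs cannot break the document."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier)).upper(),
        "PayloadDisplayName": display_name,
        "PayloadRemovalDisallowed": False,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML, sort_keys=False)


def wifi_networks(profile_bytes: bytes) -> List[Tuple[str, str]]:
    """Parse a profile back and list (SSID, EncryptionType) for each Wi-Fi payload."""
    profile = plistlib.loads(profile_bytes)
    return [(p["SSID_STR"], p["EncryptionType"])
            for p in profile["PayloadContent"] if p["PayloadType"] == WIFI_PAYLOAD_TYPE]


if __name__ == "__main__":
    # Constructed sample: SSID and PSK deliberately contain XML-significant characters.
    nets = [wifi_payload("Guests <Fl\u00f6r 2> & Co", "sup3r<secret>&1", "WPA2"),
            wifi_payload("Open Lobby", None, "None", auto_join=False)]
    data = build_profile(nets, "Office Wi-Fi", "example.wifi.office")
    print(data.decode())
    print(wifi_networks(data))
```

The output is an unsigned profile, so iOS will show it as "Not Verified" when installed; signing it (for example with `security cms -S` on a Mac) is a separate step this example does not perform.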


It would be great if there's a way to store the profile on an NFC tag. This way, I could tell my guests to tap the tag to connect to my home network.


I use QR codes for this, they work for both android and iOS.

This link explains how they are formatted: https://qifi.org


I use QR codes too. Otoh NFC tags only work on Android, I haven’t managed to get them to work on iPhones yet.


An NFC tag with the same contents as WiFi connection strings also works.


Yes but for what? Why should I install a profile instead of just scanning a QR?


It’s overkill for personal networks, but as others mentioned, if you manage a fleet of devices of various types (mobile vs desktop vs laptop), then managing connections via profiles is the way to go.

Push updated profile via MDM. End user should transparently receive the updated profile before logging into corp network.

No reconfiguration required on the user end. Reduced or no calls to internal tech support.

Personally, I just use the method you describe. Post a QR code for my guest network and be done with it.


You can follow the GitHub link and see that the author works with Microsoft Intune (MDM) which confirms what you are writing here.


I was also wondering that. Some iOS configuration options are only available via profiles (and not the GUI), but I don’t see any of these on the site.


They're for automated deployment to many devices. In general, for personal use, QR codes for WiFi are more portable as they work on iOS, Android, etc. without any special magic or setup.

If you have MDM, then great, use these. Otherwise, I have a QR code and plaintext on the back of my pantry door with WiFi deets.


For personal networks this doesn’t make sense but does seem like a fun project to build. The profiles are really most powerful for enterprise networks.


Neat. A tool like this but for VPN profiles would be nice. I had to manually create them to connect to my internet router. The number of available options is quite intimidating.


Imazing Profile Editor works well to generate VPN profiles, and a lot of other profiles I don't use. Runs on Mac or Windows and it's free. No personal stake, just a satisfied user. https://imazing.com/profile-editor


I applaud the author, but it’s also a clever “tell me your WiFi password website”!!!



