ios_config 1.0.0

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in apple_payloads.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,18 @@
+Copyright (c) 2013 Taylor Boyko
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,145 @@
+# ios_config
+
+This gem provides an easy way to generate profiles and configuration payloads for use with Apple iOS devices. These profiles and payloads can be delivered via Apple MDM or Apple's Configurator or iPhone Configuration Utility (IPCU).
+
+Not all of the possible configuration payloads have been implemented yet. Some options may be missing. If you need a particular payload or need additional support from an existing payload, please fork and implement it so that we can all benefit from your efforts!
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'ios_config'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install ios_config
+
+## Usage
+
+Profiles contain basic identification and labeling information in addition to a collection of payloads. When you use this gem, you'll want to do two things:
+
+1. Create your payloads
+2. Create a profile that includes your payloads
+
+### Example
+
+Here is an example of how you might do this:
+
+```ruby
+# Create a payload
+
+vpn_payload = IOSConfig::Payload::VPN.new connection_name:     "My VPN",
+                                          authentication_type: :password,
+                                          connection_type:     :pptp,
+                                          encryption_level:    :auto,
+                                          proxy_type:          :none,
+                                          send_all_traffic?    true,
+                                          server:              "example.org",
+                                          username:            "macdemarco",
+                                          password:            "viceroy"
+
+payloads = [vpn_payload.build]
+
+# Create a profile instance
+
+profile = IOSConfig::Profile.new type:           "Configuration",
+                                 display_name:   "A Profile Name",
+                                 identifier:     "org.example.examplemdmservice.exampleprofile",
+                                 organization:   "A Company Name",
+                                 uuid:           SecureRandom.uuid,
+                                 allow_removal:  false,
+                                 client_certs:   [OpenSSL::X509::Certificate.new], # Array of client certificates
+                                 payloads:       payloads # must be an array when type is "Configuration" 
+
+
+# Generate a plist version of the profile, ready for delivery to the device
+
+unsigned_profile = profile.unsigned
+
+# Or, generate a signed plist version of the profile
+
+signed_profile = profile.signed( signing_cert_path,
+                                 signing_cert_intermediate_path
+                                 signing_cert_key_path )
+```
+
+### Profile
+
+```ruby
+# Create the profile
+
+profile = IOSConfig::Profile.new [parameters]
+
+# Then, generate your config one of two ways:
+
+profile_plist = profile.unsigned # OR
+profile_plist = profile.signed( [signing_cert_path], [intermediate_path], [key_path] )
+```
+
+#### Parameters
+
+```ruby
+allow_removal # if profile can be deleted by device user. defaults to true
+description   # (optional) displayed in device settings 
+display_name  # displayed in device settings
+identifier
+organization  # (optional) displayed in device settings
+type          # (optional) default is 'Configuration'
+uuid
+version       # (optional) defaults to '1'
+payloads      # (optional) payloads to be contained in the profile. should be an array if type is 'Configuration'
+client_certs  # (optional) certificates used to encypt payloads
+```
+
+### Payloads
+
+#### Common Parameters
+
+```ruby
+uuid
+identifier
+description
+```
+
+#### VPN
+
+```ruby
+payload = IOSConfig::Payload::VPN.new(parameters).build
+```
+
+Available parameters:
+
+```ruby
+connection_name    
+authentication_type  # :password, :rsa_securid
+connection_type      # :l2tp, :pptp, :ipsec, :anyconnect, :juniper_ssl, :f5_ssl, :sonicwall_modile_connect, :aruba_via
+encryption_level     # :none, :manual, :auto
+group_name           
+prompt_for_password  # true, false
+proxy_type           # :none, :manual, :auto
+proxy_port          
+proxy_server        
+send_all_traffic     # true, false
+server               
+proxy_url            
+group_or_domain      
+password             
+username             
+proxy_password      
+proxy_username       
+realm     
+role             
+shared_secret      
+```
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/ios_config.gemspec

@@ -0,0 +1,24 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'ios_config/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "ios_config"
+  spec.version       = IOSConfig::VERSION
+  spec.authors       = ["Taylor Boyko"]
+  spec.email         = ["taylorboyko@gmail.com"]
+  spec.description   = %q{Generate configuration profiles and payloads for Apple iOS devices}
+  spec.summary       = %q{This gen provides an easy way to generate profiles and configuration payloads for use with Apple iOS devices. These profiles and payloads can be delivered via Apple MDM or Apple's Configurator or iPhone Configuration Utility (IPCU).}
+  spec.homepage      = "https://github.com/tboyko/ios_config"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "CFPropertyList", "~> 2.2"
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+end

data/lib/core_ext/string.rb

@@ -0,0 +1,7 @@
+unless String.new.respond_to? 'blank?'
+  class String
+    def blank?
+      self.nil? || self.empty?
+    end
+  end
+end

data/lib/ios_config/payload/base.rb

@@ -0,0 +1,42 @@
+require 'securerandom'
+
+module IOSConfig
+  module Payload
+    class Base
+
+      attr_accessor :uuid, :identifier, :description
+
+      def initialize(attributes = {})
+        attributes ||= {}
+        attributes.each do |name, value|
+          begin
+            send("#{name}=", value)
+          rescue NoMethodError => e 
+            raise ArgumentError, %{"#{name}" is not a valid attribute}
+          end
+        end
+
+        @uuid         ||= SecureRandom.uuid
+        @identifier   ||= @uuid.downcase.delete("^a-z0-9\.")
+        @description  ||= ""
+      end
+
+      def build
+        p = { 'PayloadType'         => payload_type,
+              'PayloadVersion'      => 1,
+              'PayloadUUID'         => @uuid,
+              'PayloadIdentifier'   => @identifier,
+              'PayloadDescription'  => @description }
+
+        p.merge payload
+      end
+
+      private
+
+      def payload_type
+        raise NotImplementedError
+      end
+
+    end
+  end
+end

data/lib/ios_config/payload/vpn.rb

@@ -0,0 +1,155 @@
+module IOSConfig
+  module Payload
+    class VPN < Base
+
+      attr_accessor :authentication_type, # :password, :rsa_securid
+                    :connection_type,     # :l2tp, :pptp, :ipsec, :anyconnect, :juniper_ssl, :f5_ssl, :sonicwall_modile_connect, :aruba_via
+                    :encryption_level,    # :none, :manual, :auto
+                    :group_name,
+                    :connection_name,
+                    :prompt_for_password,
+                    :proxy_type,          # :none, :manual, :auto
+                    :proxy_port,
+                    :proxy_server,
+                    :send_all_traffic,
+                    :server,
+                    :proxy_url,
+                    :group_or_domain,
+                    :password,
+                    :username,
+                    :proxy_password,
+                    :proxy_username,
+                    :realm,
+                    :role,
+                    :shared_secret
+
+      private
+
+      def payload_type
+        "com.apple.vpn.managed"
+      end
+
+      def payload
+        p = { 'UserDefinedName' => @connection_name,
+              'IPv4'            => { 'OverridePrimary' => 1 } }
+
+        # Connection Type Specifics
+
+        case @connection_type
+        when :l2tp
+          p['VPNType'] = 'L2TP'
+          p_ipsec = { 'AuthenticationMethod'  => 'SharedSecret',
+                      'LocalIdentifierType'   => 'KeyID' }
+          p_ipsec['SharedSecret'] = StringIO.new(@shared_secret) unless @shared_secret.blank?
+          p['IPSec']  = p_ipsec
+          p['PPP']    = generate_ppp_config
+      
+        when :pptp
+          p['VPNType'] = 'PPTP'
+          p['PPP'] = generate_ppp_config.merge({  'CPPEnabled'        => @encryption_level != :none,
+                                                  'CCPMPPE128Enabled' => @encryption_level != :none,
+                                                  'CCPMPPE40Enabled'  => @encryption_level == :auto,
+                                                  'CommRemoteAddress' => @server })
+
+        when :ipsec
+          p['VPNType'] = 'IPSec'
+          p_ipsec = { 'AuthenticationMethod'  => 'SharedSecret',
+                      'LocalIdentifierType'   => 'KeyID',
+                      'RemoteAddress'         => @server }
+          p_ipsec['LocalIdentifier'] = @group_name unless @group_name.blank?
+          p_ipsec['SharedSecret']    = StringIO.new(@shared_secret) unless @shared_secret.blank?
+          unless @username.blank?
+            p_ipsec['XAuthEnabled'] = 1
+            p_ipsec['XAuthName']    = @username
+          end
+          p_ipsec['XAuthPasswordEncryption'] = 'Prompt' unless @prompt_for_password.blank?
+          p['IPSec'] = p_ipsec
+
+        when :anyconnect
+          p['VPNType']      = 'VPN'
+          p['VPNSubType']   = 'com.cisco.anyconnect.applevpn.plugin'
+          p['VendorConfig'] = @group_name.blank? ? {} : { 'Group' => @group_name }
+          p['VPN']          = generate_vpn_config
+
+        when :juniper_ssl
+          p['VPNType']    = 'VPN'
+          p['VPNSubType'] = 'net.juniper.sslvpn'
+          vendor_config   = {}
+          vendor_config['Realm']  = @realm unless @realm.blank?
+          vendor_config['Role']   = @role unless @role.blank?
+          p['VendorConfig'] = vendor_config
+          p['VPN']          = generate_vpn_config
+          
+        when :f5_ssl
+          p['VPNType']      = 'VPN'
+          p['VPNSubType']   = 'com.f5.F5-Edge-Client.vpnplugin'
+          p['VPN']          = generate_vpn_config
+          p['VendorConfig'] = {}
+
+        when :sonicwall_mobile_connect
+          p['VPNType']      = 'VPN'
+          p['VPNSubType']   = 'com.sonicwall.SonicWALL-SSLVPN.vpnplugin'
+          p['VendorConfig'] = @group_or_domain.blank? ? {} : { 'LoginGroupOrDomain' => @group_or_domain }
+          p['VPN']          = generate_vpn_config
+
+        when :aruba_via
+          p['VPNType']      = 'VPN'
+          p['VPNSubType']   = 'com.arubanetworks.aruba-via.vpnplugin'
+          p['VendorConfig'] = {}
+        end
+
+        # Send All Traffic
+
+        p['OverridePrimary'] = 1 if @send_all_traffic == true
+
+        # Proxy
+
+        case @proxy_type
+        when :none
+          p_proxy = {}
+        
+        when :manual
+          p_proxy = { 'HTTPEnable'  => 1,
+                      'HTTPPort'    => @proxy_port,
+                      'HTTPProxy'   => @proxy_server,
+                      'HTTPSEnable' => 1,
+                      'HTTPSPort'   => @proxy_port,
+                      'HTTPSProxy'  => @proxy_server }
+
+          p_proxy['HTTPProxyUsername'] = @proxy_username unless @proxy_username.blank?
+          p_proxy['HTTPProxyPassword'] = @proxy_password unless @proxy_password.blank?
+        
+        when :auto
+          p_proxy = { 'ProxyAutoConfigEnable'     => 1,
+                      'ProxyAutoConfigURLString'  => @proxy_url }
+        
+        end
+        p['Proxies'] = p_proxy
+
+        p
+      end
+
+      def generate_ppp_config
+        p_ppp = { 'CommRemoteAddress' => @server }
+        if @authentication_type == :password
+          p_ppp['AuthName']      = @username unless @username.blank?
+          p_ppp['AuthPassword']  = @password unless @password.blank?
+        else
+          p_ppp['AuthEAPPlugins'] = ['EAP-RSA']
+          p_ppp['AuthProtocol']   = ['EAP']
+        end
+
+        p_ppp
+      end
+
+      def generate_vpn_config
+        p_vpn = { 'AuthenticationMethod'  => 'Password',
+                  'RemoteAddress'         => @server }
+        p_vpn['AuthName']     = @username unless @username.blank?
+        p_vpn['AuthPassword'] = @password unless @password.blank?
+
+        p_vpn
+      end
+    end
+  end
+end

data/lib/ios_config/profile.rb

@@ -0,0 +1,72 @@
+require 'cfpropertylist'
+
+module IOSConfig
+  class Profile
+    require 'openssl'
+
+    attr_accessor :allow_removal, # if profile can be deleted by device user. defaults to true
+                  :description,   # (optional) displayed in device settings 
+                  :display_name,  # displayed in device settings
+                  :identifier,
+                  :organization,  # (optional) displayed in device settings
+                  :type,          # (optional) default is 'Configuration'
+                  :uuid,
+                  :version,       # (optional) defaults to '1'
+                  :payloads,      # (optional) payloads to be contained in the profile. should be an array if type is 'Configuration'
+                  :client_certs   # (optional) certificates used to encypt payloads
+
+    def initialize(options = {})
+      options.each { |k,v| self.send("#{k}=", v) }
+      
+      self.allow_removal  = true if self.allow_removal.nil?
+      self.type           ||= 'Configuration'
+      self.version        ||= 1
+      self.payloads       ||= []
+    end
+  
+    def signed(mdm_cert, mdm_intermediate_cert, mdm_private_key)
+      certificate   = OpenSSL::X509::Certificate.new(File.read(mdm_cert))
+      intermediate  = OpenSSL::X509::Certificate.new(File.read(mdm_intermediate_cert))
+      private_key   = OpenSSL::PKey::RSA.new(File.read(mdm_private_key))
+    
+      signed_profile = OpenSSL::PKCS7.sign(certificate, private_key, unsigned, [intermediate], OpenSSL::PKCS7::BINARY)
+      signed_profile.to_der
+    end
+  
+    private
+  
+    def unsigned
+      raise_if_blank [:version, :uuid, :type, :identifier, :display_name]
+    
+      profile = {
+        'PayloadDisplayName'        => self.display_name,
+        'PayloadVersion'            => self.version,
+        'PayloadUUID'               => self.uuid,
+        'PayloadIdentifier'         => self.identifier,
+        'PayloadType'               => self.type,
+        'PayloadRemovalDisallowed'  => !self.allow_removal
+      }
+      profile['PayloadOrganization']  = self.organization if self.organization
+      profile['PayloadDescription']   = self.description  if self.description
+          
+      if self.client_certs.nil?
+        profile['PayloadContent'] = payloads
+      else
+        encrypted_payload_content = OpenSSL::PKCS7.encrypt( self.client_certs, 
+                                                            payloads.to_plist, 
+                                                            OpenSSL::Cipher::Cipher::new("des-ede3-cbc"), 
+                                                            OpenSSL::PKCS7::BINARY)
+      
+        profile['EncryptedPayloadContent'] = StringIO.new encrypted_payload_content.to_der
+      end
+
+      profile.to_plist
+    end
+  
+    def raise_if_blank(required_attributes)
+      required_attributes.each { |a| raise "#{a} must be set" if self.send(a).blank? }
+    end
+    
+  end
+
+end

data/lib/ios_config/version.rb

@@ -0,0 +1,3 @@
+module IOSConfig
+  VERSION = "1.0.0"
+end

data/lib/ios_config.rb

@@ -0,0 +1,2 @@
+require 'core_ext/string'
+Gem.find_files("ios_config/**/*.rb").each { |path| require path }

metadata

@@ -0,0 +1,117 @@
+--- !ruby/object:Gem::Specification
+name: ios_config
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Taylor Boyko
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-07-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: CFPropertyList
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Generate configuration profiles and payloads for Apple iOS devices
+email:
+- taylorboyko@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .DS_Store
+- .gitignore
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- ios_config.gemspec
+- lib/.DS_Store
+- lib/core_ext/string.rb
+- lib/ios_config.rb
+- lib/ios_config/.DS_Store
+- lib/ios_config/payload/base.rb
+- lib/ios_config/payload/vpn.rb
+- lib/ios_config/profile.rb
+- lib/ios_config/version.rb
+homepage: https://github.com/tboyko/ios_config
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 2215369409629242488
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 2215369409629242488
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: This gen provides an easy way to generate profiles and configuration payloads
+  for use with Apple iOS devices. These profiles and payloads can be delivered via
+  Apple MDM or Apple's Configurator or iPhone Configuration Utility (IPCU).
+test_files: []