Summary: mobileconfig files allow enterprise (Wi-Fi) settings to be pushed to Apple devices, but the new Lion captive browser that takes over on captive portal networks, usually used to push out mobileconfigs, doesn't support them…
I've been playing around with setting up mobileconfig files for our wireless users at Swansea University, and testing with the new OS X 10.7 Lion has proven frustrating.
Some background: The mobileconfig file is a plist XML file that you can push out to clients to configure enterprise settings such as Wi-Fi, VPN and email. It's a great idea that works well, and as it works on the latest iPads, iPhones and OS X it will be really useful for our users.
Problem: Upon testing with Lion I discovered a new feature that has been introduced. A ‘special browser’ now appears upon connecting to a captive portal wireless network. This is similar to the functionality introduced on the iPhone a while back. It was useful on an iPhone, as users could navigate to a paywall or instructions page after connecting to an open captive portal network. See this blog post for a description of this.
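A minimal sketch of such a file, as an added example that is not from the original post or the SU1X project: Python's plistlib builds a Wi-Fi profile, and a small check flags an 802.1X payload that does not pin the RADIUS server identity. The SSID, organisation, identifier and server name are constructed placeholders, and PEAP is an assumed EAP type.

```python
import plistlib
import uuid


def build_wifi_profile(ssid, org, trusted_server_names, identifier="org.example.wifi"):
    """Return mobileconfig bytes (XML plist) for an 802.1X (PEAP) Wi-Fi network."""
    common = {"PayloadVersion": 1, "PayloadOrganization": org}
    wifi = dict(common, **{
        "PayloadType": "com.apple.wifi.managed",
        "PayloadIdentifier": identifier + ".wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Wi-Fi (%s)" % ssid,
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "EncryptionType": "WPA",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # 25 = PEAP (assumed for this example)
            # Server names the client will accept during the TLS handshake
            "TLSTrustedServerNames": list(trusted_server_names),
        },
    })
    profile = dict(common, **{
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "%s wireless" % org,
        "PayloadContent": [wifi],
    })
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(data):
    """Return warnings for Wi-Fi payloads with weak or unpinned settings."""
    warnings = []
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = p.get("SSID_STR", "?")
        eap = p.get("EAPClientConfiguration")
        if p.get("EncryptionType") in ("None", "WEP"):
            warnings.append("%s: weak or no link encryption" % ssid)
        if eap is not None and not (eap.get("TLSTrustedServerNames")
                                    or eap.get("PayloadCertificateAnchorUUID")):
            warnings.append("%s: RADIUS server identity is not pinned" % ssid)
        if eap is not None and eap.get("TLSAllowTrustExceptions"):
            warnings.append("%s: user may accept untrusted certificates" % ssid)
    return warnings
```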
The ‘special browser’ uses a User-Agent of CaptiveNetworkSupport wispr.
The problem is that most captive portal setup networks would push a mobileconfig file to users through a web site on the portal. This means users will get to the mobileconfig file in the ‘special browser’. And unfortunately the ‘special browser’ doesn't support the mobileconfig file type. Fail. I don't think Apple thought this through…
Also, if you open a mobileconfig file from this new browser window, it opens the default browser BEHIND itself. As the captive portal browser is forced to be on top, the browser appears behind it. If the default browser is Safari it's no problem, but like many I had Firefox set as default, which resulted in a save box you don't notice placed behind the captive browser.
Solution: The only neat solution I can think of at the moment is to stop the ‘special browser’ from loading when connecting to setup networks. The OS checks if the network is a captive portal by accessing:
So you can either fake a DNS entry for apple.com and host the success.html yourself, or you can poke a hole through your captive portal for the URL.
This will stop the captive browser from loading and will mean a user needs to load their browser themselves and navigate to your mobileconfig destination.
It's a shame that this happens, as it doesn't with the iPhone. Hopefully Apple will fix this soon.
I've documented all this on my SU1X site: https://su1x.swan.ac.uk/osx_mobileconfig.php
There is more info on setting up and hosting your own mobileconfig file there.