Configure an iOS device for network payload capture

Learn how to configure an iOS device for network payload capture (NPC).

Before you start

You’ll need to:

- Decide which option to use for setting up the iOS devices.
- Make sure that the current deviceConnect version on the Mac mini hosting the device is at least 4.19.5. Update deviceConnect if the version is lower.
- Confirm your system administrator configured your local Kobiton server.

Select an option to set up iOS devices for NPC

Network payload traffic from iOS devices is captured by a proxy server. For secure (SSL) traffic, the proxy server’s certificate must be trusted by the devices. On iOS devices, you can establish trust using one of the following options:

Option 1 (default): Supervise devices to install the certificate automatically

This option is recommended for organizations that want an automated solution to import and trust the proxy server certificate.

To use this option, the following requirements must be met:

- A single supervision identity exported into two files: organization.crt and organization.der. Copy both files to the Mac mini host at /usr/local/deviceconnect.
- Supervise iOS devices either:
  - Automatically through Automated Device Enrollment (requires Apple School Manager or Apple Business Manager).
  - Manually using Apple Configurator.
- Ensure all devices connected to one Mac mini host are supervised by the same supervision identity.

If devices are supervised with an identity that doesn’t match the organization.crt and organization.der files on the Mac mini host, NPC can’t be enabled on those devices.

If you supervise devices using Apple Configurator, you must use a Mac that isn’t running Kobiton software (including deviceConnect or deviceShare).

Option 2: Manually import and trust the certificate

This option is recommended for organizations that don’t want to supervise devices or that already supervise devices using multiple supervision identities.

To use this option, the following requirements must be met:

- Manually import the proxy server’s SSL certificate to the device and trust it.
- Install and configure additional software on the Mac mini host:
  - Apple Configurator and its Automation Tools.
  - A trusted SSH connection to localhost.
- Update the dc.ini file to use option 2.

Comparison: Option 1 vs. Option 2

| Feature | Option 1: Supervised (default) | Option 2: Manual |
|---|---|---|
| Certificate deployment | Automatic | Manual, device by device |
| Recommended for | Organizations wanting automation | Organizations with multiple supervision identities or that don’t want supervision |
| Setup complexity | Higher (requires supervision setup) | Lower for small groups, but manual per device |
| Mac mini requirements | organization.crt and organization.der in /usr/local/deviceconnect | Apple Configurator, Automation Tools, SSH to localhost, dc.ini update |
| Device enrollment | Supervision required via either Automated Device Enrollment (automated) or Apple Configurator (manual) | No supervision required |
| NPC compatibility | Works only if all devices share the same supervision identity | Works even with multiple supervision identities |

Prepare the device based on the selected option.

Option 1: Device supervision

Install Apple Configurator on a Mac machine

1. Use a Mac machine that is not running Kobiton software.
2. Open the App Store, search for Apple Configurator, and install it.

An Apple ID is required to download and install Apple Configurator.

Create or import a supervision identity

1. Check if there is already a supervision identity available on the Mac mini host.
   - On the Mac mini host, open Finder.
   - Press Shift + Command + G, enter /usr/local/deviceconnect, then press Enter.
   - If the files organization.crt and organization.der are present, the supervision identity already exists.
2. Return to the Mac that is not running Kobiton software and proceed according to the presence of a supervision identity.

Existing supervision identity

1. Open Apple Configurator.
2. From the menu bar, select Apple Configurator > Settings.
3. Select the Organizations tab.
   - If there already is an organization listed, move on to supervising the device.
   - If an organization is not listed, locate the .organization file saved when the supervision identity was created and transfer it to the non-Kobiton Mac.
4. In Apple Configurator’s Settings, select the 3-dot icon > Import Organization.
5. Select the .organization file and choose Import.
6. Enter the password used to encrypt the file and select Submit. The imported organization appears in the list.

Non-existing supervision identity

1. Open Apple Configurator.
2. From the menu bar, select Apple Configurator > Settings.
3. In Settings, select the Organizations tab.
4. Select the plus (+) icon to add a new organization.
5. Select Next.
6. Sign in with an Apple Business Manager or Apple School Manager account. If such an account is not available, select Skip. The following steps assume that Skip is selected.
7. Enter the organization information, then select Next.
8. Select Generate a new supervision identity, then select Done.
9. In the pop-up, enter the administrator password and select Update Settings. The new organization now appears in the list.

From this organization, two sets of files are created. One set is for backup, and one set must be transferred to the Mac mini host.

Export the .organization file

1. Highlight the organization, then select the three-dot icon > Export Organization.
2. Enter a strong password to encrypt the file and record the password in a secure location.
3. Choose a name and location to save the file, then select Save.
4. Store the exported .organization file securely. This file is not required on the Mac mini host but can be imported later to supervise the device if needed.

Export the supervision identity (.crt and .der files)

1. Highlight the same organization, then select the three-dot icon > Export Supervision Identity.
2. In the export pop-up:
   - Select a location to save the files.
   - For Format, select Unencrypted DER.
   - Select Save, then select Export.
3. At the selected location, two files are created with the extensions .crt and .der. Rename them to organization.crt and organization.der.

For newer versions of Apple Configurator, the exported files may be .crt and .cer. In that case, rename the .cer file to organization.der.

Transfer the two files (organization.crt and organization.der) to the Mac mini host where Kobiton software is running

1. On the Mac mini host, open Finder.
2. Press Shift + Command + G, enter /usr/local/deviceconnect, and press Enter.
3. Copy the organization.crt and organization.der files into this folder.
4. Confirm that Finder shows both files in the deviceconnect directory.

Supervise the device

The device will be unplugged from the Mac mini host during this process. All device data will be erased. Back up data if needed before continuing.

Ensure all iOS devices in a Mac mini host are supervised by a single supervision identity.

1. Disconnect the device from the Mac mini host.
2. On the device, open Settings and sign out of any Apple ID. An active Apple ID prevents supervision.
3. Connect the iOS device to the non-Kobiton Mac with Apple Configurator installed. Select Trust on the device when prompted.
4. Open Apple Configurator. On the main screen, check the Supervised and Unsupervised tabs.

If the device appears under Supervised:

1. Right-click the device and select Get Info.
2. Confirm that the supervising organization is correct.
3. If the supervising organization is different, confirm with the team that the device can be erased and re-supervised. If approved, erase the device and follow the steps for unsupervised devices.

If the device appears under Unsupervised:

1. Right-click the device and select Prepare.
2. Select Manual Configuration, enable Supervise devices, and choose Next. Ensure Allow devices to pair with other computers is checked.
3. Select Do not enroll in MDM, then choose Next.
4. Select the correct organization, then choose Next.
5. For Setup Assistant, select Don’t show any of these steps, then choose Prepare.
6. If a pop-up appears stating Configurator could not perform the requested action, select Erase.
7. After the factory reset, complete on-screen prompts until the Home screen appears.
8. Verify that the device now appears under the Supervised tab. Use Get Info again to confirm the supervising organization.

Reconnect the supervised device to the Mac mini host. Follow the prepare and connect guides for connection steps.

The device is now ready for Network Payload Capture.

Option 2: import and trust proxy certificate

Download and install proxy certificate

1. On the iOS device, launch a manual session from Kobiton. Ensure the device has internet access.
2. In Safari, open the certificate download link. Select Allow, then Close on the confirmation pop-ups.
   → Alternatively, use AirDrop from any macOS machine (including the Mac mini host) to send the certificate to the device.
3. On the device, open Settings > General.
4. Select VPN & Device Management (iOS 16 or later) or Profiles & Device Management (iOS 15 and earlier).
5. Open Kobiton Certification Authority.
6. Select Install through the prompts. When installation completes, select Done.

Enable full trust for certificate

1. On the device, open Settings > General.
2. Select About.
3. Select Certificate Trust Settings.
4. Enable trust for Kobiton Certification Authority.
5. Select Continue in the confirmation pop-up.

The device is now ready for Network Payload Capture.

Next steps

Create a configuration for network payload capture, launch a manual or automation session with NPC enabled, then review the network payload data.
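
For Option 1, the file checks described above (both identity files present in /usr/local/deviceconnect, exported as Unencrypted DER, the .cer file renamed) can be scripted on the Mac mini host. This is an added example, not part of the original page or Kobiton's tooling; the function name check_identity_dir and its messages are hypothetical, and the world-readable warning is an added assumption based on the export being unencrypted.

```shell
#!/bin/sh
# Added example (not Kobiton code): preflight check for the Option 1 files.
# check_identity_dir is a hypothetical helper name; the directory and file
# names are the ones given on the page.
check_identity_dir() {
    dir="${1:-/usr/local/deviceconnect}"
    rc=0
    for name in organization.crt organization.der; do
        f="$dir/$name"
        if [ ! -s "$f" ]; then
            echo "MISSING: $f"
            rc=1
            continue
        fi
        # The export format is "Unencrypted DER". DER data starts with the
        # ASN.1 SEQUENCE tag 0x30; a PEM file starts with "-----BEGIN".
        first=$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')
        if [ "$first" != "30" ]; then
            echo "NOT DER: $f"
            rc=1
        fi
        # Assumption: because the export is unencrypted, world-readable
        # identity files deserve a warning (this does not fail the check).
        if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
            echo "WARN world-readable: $f"
        fi
    done
    # Newer Apple Configurator versions export .cer instead of .der; a
    # leftover .cer file suggests the rename step was skipped.
    for cer in "$dir"/*.cer; do
        if [ -e "$cer" ]; then
            echo "HINT: found $cer; the .cer file should be renamed to organization.der"
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: both identity files found in $dir"
    fi
    return "$rc"
}
```

Run `check_identity_dir` with no argument on the Mac mini host to check the default directory; a non-zero return means a file is missing or is not DER-encoded.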