diff --git a/.gitignore b/.gitignore
index a8b42eb..2ffe569 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,4 @@
 *.retry
+users/*.mobileconfig
+users/*.p12
+users/*.crt
diff --git a/common.yml b/common.yml
index 396af7b..63a4707 100644
--- a/common.yml
+++ b/common.yml
@@ -23,6 +23,8 @@
       - git
       - screen
       - apparmor-utils
+      - uuid-runtime
+      - coreutils
 
   - name: Enable packet forwarding for IPv4
     sysctl: name=net.ipv4.ip_forward value=1
diff --git a/config.cfg b/config.cfg
index 1ff0dcd..2348265 100644
--- a/config.cfg
+++ b/config.cfg
@@ -8,6 +8,7 @@ easyrsa_dir: /opt/easy-rsa-ipsec
 easyrsa_curve: secp384r1
 easyrsa_ca_expire: 3650
 easyrsa_cert_expire: 3650
+easyrsa_p12_export_password: vpn
 
 # if True re-init all existing certificates. Boolean
 easyrsa_reinit_existent: True
diff --git a/templates/mobileconfig.j2 b/templates/mobileconfig.j2
new file mode 100644
index 0000000..fe8ba42
--- /dev/null
+++ b/templates/mobileconfig.j2
@@ -0,0 +1,140 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>PayloadContent</key>
+    <array>
+        <dict>
+            <key>IKEv2</key>
+            <dict>
+                <key>AuthenticationMethod</key>
+                <string>Certificate</string>
+                <key>ChildSecurityAssociationParameters</key>
+                <dict>
+                    <key>DiffieHellmanGroup</key>
+                    <integer>19</integer>
+                    <key>EncryptionAlgorithm</key>
+                    <string>AES-128-GCM</string>
+                    <key>IntegrityAlgorithm</key>
+                    <string>SHA2-256</string>
+                    <key>LifeTimeInMinutes</key>
+                    <integer>1440</integer>
+                </dict>
+                <key>DeadPeerDetectionRate</key>
+                <string>Medium</string>
+                <key>DisableMOBIKE</key>
+                <integer>0</integer>
+                <key>DisableRedirect</key>
+                <integer>0</integer>
+                <key>EnableCertificateRevocationCheck</key>
+                <integer>0</integer>
+                <key>EnablePFS</key>
+                <true/>
+                <key>IKESecurityAssociationParameters</key>
+                <dict>
+                    <key>DiffieHellmanGroup</key>
+                    <integer>19</integer>
+                    <key>EncryptionAlgorithm</key>
+                    <string>AES-128-GCM</string>
+                    <key>IntegrityAlgorithm</key>
+                    <string>SHA2-256</string>
+                    <key>LifeTimeInMinutes</key>
+                    <integer>1440</integer>
+                </dict>
+                <key>LocalIdentifier</key>
+                <string>{{ item.0 }}</string>
+                <key>PayloadCertificateUUID</key>
+                <string>1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
+                <key>RemoteAddress</key>
+                <string>{{ server_name }}</string>
+                <key>RemoteIdentifier</key>
+                <string>{{ server_name }}</string>
+                <key>UseConfigurationAttributeInternalIPSubnet</key>
+                <integer>0</integer>
+            </dict>
+            <key>IPv4</key>
+            <dict>
+                <key>OverridePrimary</key>
+                <integer>1</integer>
+            </dict>
+            <key>PayloadDescription</key>
+            <string>Configures VPN settings</string>
+            <key>PayloadDisplayName</key>
+            <string>VPN</string>
+            <key>PayloadIdentifier</key>
+            <string>com.apple.vpn.managed.D247A30B-6023-4C8E-B3E3-FF1910A65E53</string>
+            <key>PayloadType</key>
+            <string>com.apple.vpn.managed</string>
+            <key>PayloadUUID</key>
+            <string>D247A30B-6023-4C8E-B3E3-FF1910A65E53</string>
+            <key>PayloadVersion</key>
+            <real>1</real>
+            <key>Proxies</key>
+            <dict>
+                <key>HTTPEnable</key>
+                <integer>0</integer>
+                <key>HTTPSEnable</key>
+                <integer>0</integer>
+            </dict>
+            <key>UserDefinedName</key>
+            <string>{{ server_name }} IKEv2</string>
+            <key>VPNType</key>
+            <string>IKEv2</string>
+        </dict>
+        <dict>
+            <key>Password</key>
+            <string>{{ easyrsa_p12_export_password }}</string>
+            <key>PayloadCertificateFileName</key>
+            <string>{{ item.0 }}.p12</string>
+            <key>PayloadContent</key>
+            <data>
+            {{ item.1.stdout }}
+            </data>
+            <key>PayloadDescription</key>
+            <string>Adds a PKCS#12-formatted certificate</string>
+            <key>PayloadDisplayName</key>
+            <string>{{ item.0 }}.p12</string>
+            <key>PayloadIdentifier</key>
+            <string>com.apple.security.pkcs12.1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
+            <key>PayloadType</key>
+            <string>com.apple.security.pkcs12</string>
+            <key>PayloadUUID</key>
+            <string>1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
+            <key>PayloadVersion</key>
+            <integer>1</integer>
+        </dict>
+        <dict>
+            <key>PayloadCertificateFileName</key>
+            <string>ca.crt</string>
+            <key>PayloadContent</key>
+            <data>
+            {{ PayloadContentCA.stdout }}
+            </data>
+            <key>PayloadDescription</key>
+            <string>Adds a CA root certificate</string>
+            <key>PayloadDisplayName</key>
+            <string>{{ server_name }}</string>
+            <key>PayloadIdentifier</key>
+            <string>com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38</string>
+            <key>PayloadType</key>
+            <string>com.apple.security.root</string>
+            <key>PayloadUUID</key>
+            <string>32EA3AAA-D19E-43EF-B357-608218745A38</string>
+            <key>PayloadVersion</key>
+            <integer>1</integer>
+        </dict>
+    </array>
+    <key>PayloadDisplayName</key>
+    <string>{{ server_name }} IKEv2</string>
+    <key>PayloadIdentifier</key>
+    <string>donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE</string>
+    <key>PayloadRemovalDisallowed</key>
+    <false/>
+    <key>PayloadType</key>
+    <string>Configuration</string>
+    <key>PayloadUUID</key>
+    <string>743B04A8-5725-45A2-B1BB-836F8C16DB0A</string>
+    <key>PayloadVersion</key>
+    <integer>1</integer>
+</dict>
+</plist>
diff --git a/users/.gitinit b/users/.gitinit
new file mode 100644
index 0000000..e69de29
diff --git a/users/mr.smith b/users/mr.smith
new file mode 100644
index 0000000..e9e4819
--- /dev/null
+++ b/users/mr.smith
@@ -0,0 +1 @@
+qwe11
diff --git a/users/mrs.smith b/users/mrs.smith
new file mode 100644
index 0000000..e62415c
--- /dev/null
+++ b/users/mrs.smith
@@ -0,0 +1 @@
+qwe
diff --git a/users/qwe b/users/qwe
new file mode 100644
index 0000000..1241a80
Binary files /dev/null and b/users/qwe differ
diff --git a/vpn.yml b/vpn.yml
index 358cea9..0e9f01e 100644
--- a/vpn.yml
+++ b/vpn.yml
@@ -67,7 +67,7 @@
     notify:
     - restart strongswan  
     
-  - name: Build the server pair
+  - name: Build the server pair # TODO: IP and DNS for sertificate
     shell: |
       ./easyrsa build-server-full {{ server_name }} nopass
       touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
@@ -88,13 +88,13 @@
 
   - name: Build the client's p12 
     shell: |
-      openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:vpn
+      openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }}
       touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
     args:
       chdir: '{{ easyrsa_dir }}/easyrsa3/'
       creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
     with_items: "{{ users }}"
-  
+    
   - name: Copy the CA cert to the strongswan directory
     copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/ca.crt' dest=/etc/ipsec.d/cacerts/ca.crt owner=root group=root mode=0600
     notify:
@@ -109,20 +109,38 @@
     copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ server_name }}.key' dest=/etc/ipsec.d/private/{{ server_name }}.key owner=root group=root mode=0600
     notify:
     - restart strongswan    
+ 
+  - name: Register p12 PayloadContent
+    shell: >
+     cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
+    register:  PayloadContent
+    with_items: "{{ users }}"
+
+  - name: Register CA PayloadContent
+    shell: >
+     cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
+    register:  PayloadContentCA
+   
+  - name: Build the mobileconfigs
+    template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
+    with_together:
+      - "{{ users }}"
+      - "{{ PayloadContent.results }}"
+      
+  - name: Fetch users P12
+    fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=users/{{ server_name }}_{{ item }}.p12 flat=yes
+    with_items: "{{ users }}"
+
+  - name: Fetch users mobileconfig
+    fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=users/{{ server_name }}_{{ item }}.mobileconfig flat=yes
+    with_items: "{{ users }}"
+    
+  - name: Fetch server CA certificate
+    fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=users/{{ server_name }}_ca.crt flat=yes
     
   handlers:
     - name: restart strongswan
       service: name=strongswan state=restarted
 
     - name: restart apparmor
-      service: name=apparmor state=restarted      
-      
-      
-      
-      
-    
-    
-    
-    
-    
-    
+      service: name=apparmor state=restarted