Well, I’ve played with it a little bit, and automx really looks like the better tool to use here–static files like I’ve shown above don’t require any software installation, and only minimal configuration, but they don’t do the job for iOS, and they aren’t very flexible.
OTOH, automx only needs a few packages to be installed (mod_wsgi, python-ipaddr, and m2crypto, all of which are in the standard repos), takes a single config file, and can pull user information out of LDAP (so the user only needs to give email address and password–though I haven’t tested this feature on Neth yet). It will create configs for Thunderbird, Outlook, and iOS, and will sign the configs for iOS allowing them to be imported without warnings. It takes a few tweaks to the virtual host configuration, but nothing too bad.
It ships with a simple little HTML form that will take email address, full name, and password, and generate an iOS .mobileconfig profile. The ideal use of this would probably be to integrate a similar form into the server manager and have it accessible to all users (like the change password panel).
/etc/automx.conf needs to be templated, but that shouldn’t be too tough of a chore. That would cover server names, LDAP configuration, organization name (to attach to the account), TLS cert/key paths, etc. And really, the whole thing probably should be packaged into an RPM.
Problem is that, in order to sign the iOS configuration, the script needs to be able to read the server’s private key, which is ordinarily only readable by root. Since it isn’t a daemon, (I assume) it can’t do the trick that Apache itself does to start up as root, read the key, then shed privileges. So either the script needs to run as root, or the private key needs to be readable by apache–neither sounds like an attractive proposition. I guess a third option would be to generate a separate cert just for the config signing–straightforward enough if using Let’s Encrypt, though rate limits can be a concern.
Edit: It does look like the last “official” release of automx, 0.10.2, is nearly four years old, while there’s a v1.1.2 that hasn’t been tagged as an official release on GitHub but seems to make some significant changes.
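The third option from the post (a separate cert and key used only for signing profiles, so the TLS private key stays root-only) can be sketched with plain openssl. This is an added example, not part of the original post and not automx's own code; the file names, the CN and the self-signed certificate standing in for a CA-issued one are assumptions.

```shell
#!/bin/sh
# Added example: a dedicated profile-signing identity, kept apart from
# the server's TLS key. All paths and names below are hypothetical.

# Create a key and certificate used only for signing .mobileconfig files.
# The self-signed cert is a constructed stand-in for a CA-issued one.
make_signing_identity() {
    dir=$1
    (
        umask 077   # key file is owner-only from the moment it exists
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=profile-signing.example.test" \
            -keyout "$dir/sign.key" -out "$dir/sign.crt" 2>/dev/null
    )
    # In a deployment, only this key would be opened to the web server's
    # group (chgrp + chmod 640); the TLS key keeps its root-only mode.
    chmod 600 "$dir/sign.key"
    chmod 644 "$dir/sign.crt"
}

# sign_profile KEY CERT IN OUT
# Wrap the profile in a DER-encoded signed envelope with the content
# embedded (-nodetach) and byte-exact (-binary).
sign_profile() {
    openssl smime -sign -binary -nodetach -outform der \
        -signer "$2" -inkey "$1" -in "$3" -out "$4"
}

# verify_profile SIGNED
# Check the signature and print the embedded profile on stdout.
# -noverify skips chain validation only because the sample cert is
# self-signed; the signature over the content is still checked.
verify_profile() {
    openssl smime -verify -inform der -noverify -in "$1" 2>/dev/null
}
```

If the signing key leaks, it can be revoked and replaced without touching the certificate that protects mail and web traffic.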