4

We have a business that provides iPads (~1000 iPads) with our in-house iOS apps, which are managed by our MDM Apple Profile Manager.

We use the Apple Developer Enterprise Program to build the in-house apps with a 3-year expiry certificate and a 1-year expiry provisioning profile.

What we are struggling with is the renewal of the certificate (every 3 years) and provisioning profiles (every 1 year) WITHOUT:

  1. Completely rebuilding the app with new provisioning profile and re-distributing it through MDM
  2. Anyone having to touch the iPads to install the new provisioning profile. (Providing that the new provisioning profile is renewed from the Developer Portal before it expires).

According to this post, "Renew iOS Provisioning Profile on in-house app", they said:

> Alternatively, you could generate the provisioning profile and then distribute the profile to all the devices through MDM (if you're using an MDM solution) or by email (not a great experience).

So my questions are:

  1. Is it possible to install a new provisioning profile via Apple Profile Manager? How do I go about doing it?
  2. I tried emailing the .mobileprovision file and opening that file from an iPad but it didn't install the profile at all. What have I done wrong?
  3. What is the best way to handle certificates (3 year expiry) and provisioning profiles (1 year expiry)?
The Mach System

1 Answer

3

Managing internal apps on iOS is unfortunately not a "set and forget" process. There is ongoing work, and planning needs to be done to make sure you keep your internal apps functioning when profiles and certificates are invalidated / expired.

  1. I do not have experience with the Apple Profile Mgr, but it is most certainly possible to simply regenerate the provisioning profile(s) for your apps and remotely deploy them to the devices which have the apps on them. This will help with profile expirations, but will not help for certificate expiration (more on this below).

  2. With newer versions of iOS, Apple no longer allows installation of provisioning profiles through the mail app, or a Safari link, etc. Basically at this point, provisioning profiles need to be installed with the app installation, through MDM, or through the Xcode "Devices" window.

  3. For profile expirations, the best strategy is to simply distribute the new profile(s) via MDM (if you have one). For certificate expirations, the best idea is to plan ahead. Starting well before the cert expires (enough time that you can deploy the newly signed apps to all your devices before the expiration date), you need to rebuild (or simply re-sign the existing ipa) your apps with the new certificate / signing identity. Since you are using MDM, it should be easy to deploy the newly re-signed apps to all your enterprise devices before the cert expires and the apps no longer run. Make sure you provide enough time to make this happen, as some devices may be off network for a while and may not check in to the MDM server every day. The good news is that this is only needed every 2.5 years or so.

Note, to re-sign an ipa, see my answer here: https://stackoverflow.com/a/25656455/3708242

wottle
  • Thank you for your reply. It is unfortunate that you can't help me with question 1 which is my first priority at the moment :(. For question 3, do you mean resigning an ipa file is to change the provisioning profile inside without re-building the app? – The Mach System Nov 10 '16 at 22:22
  • Re-signing the app will replace both the provisioning profile AND the signing of the app (the signing is tied to the cert, so it is signing the app with the new cert), all without having to rebuild the app. This can be useful if you don't have access to the original source, or can't build the old project on new versions of Xcode without substantial changes. If the provisioning profile is expiring, there is no need to re-sign the app, just deploy the new provisioning profile to the devices. – wottle Nov 11 '16 at 14:15
  • Ok. So let me sum it up to see if I understand it clearly. If the provisioning profile is due to expire, renew it and find a way to install the new profile to devices. If the certificate is due to expire, renew the certificate AND the provisioning profile, re-signing the app, then delete the old app and install the new (re-signed) ipa file to devices. – The Mach System Nov 13 '16 at 22:49
  • Yes, except there is no need to delete the old app, just install the newly re-signed app over the old one. – wottle Nov 14 '16 at 01:00
  • Thanks for sharing your valuable insights. I just gave you an upvote for that. However, as my main question is about installing Provisioning Profile through Profile Manager, I can't accept this as an answer. Sorry for that. – The Mach System Nov 14 '16 at 05:41
  • No problem. You're probably going to have a hard time getting an answer to that specifically at this point. I'd consider asking it as a standalone question with the `profile-manager` tag. – wottle Nov 14 '16 at 17:15
  • I did try to use the profile-manager tag when posting this question but the tag doesn't exist and I don't have enough reputation to create a new tag. :) – The Mach System Nov 14 '16 at 22:45
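
The "plan ahead" advice in the answer above can be automated by reading each profile's expiry date and flagging it before a rollout window closes. The following is an added example, not code from the original posts: it assumes a `.mobileprovision` file is a CMS-signed container with an embedded XML plist carrying `Name` and `ExpirationDate`, and the function names, the 60-day lead time and the sample data are hypothetical.

```python
import plistlib
from datetime import datetime, timedelta

def read_profile(blob: bytes) -> dict:
    """Return the plist embedded in a .mobileprovision blob.

    The XML payload is located inside the signed container by its
    markers; the CMS signature itself is NOT verified here.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start) if start >= 0 else -1
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def renewal_status(profile: dict, now: datetime, lead_days: int = 60) -> str:
    """Classify a profile as 'expired', 'renew-now' or 'ok'.

    lead_days is an assumed rollout window that leaves time for devices
    that are off network and check in to the MDM server late.
    """
    expires = profile["ExpirationDate"]  # plistlib yields a naive UTC datetime
    if expires <= now:
        return "expired"
    if expires - now <= timedelta(days=lead_days):
        return "renew-now"
    return "ok"

def audit(blobs, now: datetime, lead_days: int = 60) -> dict:
    """Map each profile name to its renewal status."""
    report = {}
    for blob in blobs:
        profile = read_profile(blob)
        report[profile["Name"]] = renewal_status(profile, now, lead_days)
    return report

def sample_blob(name: str, expires: datetime) -> bytes:
    """Constructed test input: a plist wrapped in dummy binary bytes."""
    payload = plistlib.dumps({"Name": name, "ExpirationDate": expires})
    return b"\x30\x82\x0c\x0b" + payload + b"\x00\x01\x02"

if __name__ == "__main__":
    now = datetime(2016, 11, 10)
    blobs = [sample_blob("Inventory", datetime(2016, 11, 1)),
             sample_blob("Kiosk", datetime(2016, 12, 15)),
             sample_blob("Sales", datetime(2017, 10, 1))]
    for name, status in audit(blobs, now).items():
        print(f"{name}: {status}")
```
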