Provisioning Profiles Can Be Installed Using MDM - iphone

Apple's Mobile Device Management Protocol Reference states on page 44 at the bottom:
Third-party enterprise applications require provisioning profiles in order to run them. You can use MDM to deliver up-to-date versions of these profiles so that users do not have to manually install these profiles, replace profiles as they expire, and so on.
To do this, deliver the provisioning profiles through MDM instead of distributing them through your corporate web portal or bundled with the application.
Does this mean that I should remove or unbundle the embedded.mobileprovision from the application before installation?
Or does it mean,
Installing the provisioning profile via an MDM server separately before installing the app?
If the answer is the first one, how does one remove the embedded.mobileprovision without breaking the app? If the answer is the 2nd, does subsequently updating the app mess up the profile installed by the MDM server?

Second one. The MDM server installs provisioning profiles on the device before installing the app. It's generally part of "setting up the device" with the MDM.
Installing or updating the app after that point would be done through the MDM, so everything stays hunky dory.
Updated provisioning profiles get put up on the MDM (by developer/admin), then the MDM app on the user's device notifies the user of an update. They tap the update button and the new profiles get downloaded and installed.
EDIT 3/12/14: Apple has introduced the Device Enrollment Program (DEP), which now allows for "no-touch" installation of MDM provisioning profiles, setting up supervision and silently installing apps without ever taking the device out of the box. The system is based around:
Company account buys all devices (Apple maintains list of which serial numbers belong to company/account)
Company tells Apple which MDM has permission to make changes.
Company links MDM to Apple.
MDM now sends requests to Apple, which sends requests to device.
This will allow us to only screw, er setup, devices we bought. There are ways to "switch" ownership of devices/serial numbers if they were not all bought under the same account.

Related

Do I need to rebuild and deploy the build again after expiration of provisioning profile?

My Enterprise application has more than 1000 users in production. Yesterday my provisioning profile expired. Since yesterday I have gotten many calls from users saying that they are not able to use their app.
Is there any way that the existing users don't need to install the new build again? It's very difficult to tell more than 1000 users to reinstall the app again.
Please help me. The issue is with production.
Unfortunately, you will need to get the new provisioning profile on the devices somehow. The provisioning profile must get on the device, and you can simply provide the new profile by itself, or you can rebuild the app and the profile will be included in the app's payload.
There are a couple of ways to do this, but here are the most popular methods:
If the devices are managed using an MDM product, you can push the new profile out to the devices using the MDM capabilities. Again, you can use the MDM system to push just the provisioning profile, or you can push the new app build with the new provisioning profile. Judging by the fact that you would be requesting users to re-download the app, I don't believe you are using MDM to manage the devices.
If you have older devices (iOS 7 and before), you can have the user manually install the new profile. You can email the provisioning profile to the users, and they will be able to open the profiles on their device. Or you can host the profile on a web server and direct the users to open the link to install the profile. The app will then work with the new, valid profile.
Rebuild the app and re-distribute. When the users download the app (or any other apps built with the profile if you are using a wildcard identifier on your profile), the new profile should replace the other one and the app will be able to launch.
Unfortunately, all of these methods require you to get the new profile downloaded from the developer site onto each of those devices.

Distributing App via client's MDM solution

I have a customer that wants to distribute our non-public application via their internal application store.
I have attempted to sign the application for distribution as an "App Store" application and "Ad-Hoc" application, using our development account and profile, but keep having an issue with the provisioning certificate according to the user.
They have other applications that were deployed via the MDM, and others just provided a signed IPA file. The client uses MAAS 360 as an MDM solution. Does anyone know how to properly sign the application for distributing via MAAS360?
If you sign the app with 'Ad-Hoc' provisioning profile then it will be locked to the UDIDs of the devices you have in the system. This should work just fine provided you:
unlock the phone with Xcode
ensure same phone is part of the profile
enroll that phone
push the app
In order to push the apps to any device in the world via MDM you need the customer to be registered for the ENTERPRISE developer program (this registration requires a DUNS number and costs 300 USD/year). Once you have that you will be able to create a provisioning profile that allows installation on any device.

Distributing iPhone apps under Enterprise program

I'm trying to figure out more details on how apps are distributed to users when under the Enterprise developer program. The Enterprise Deployment Guide states:
If you develop an application that you want to distribute yourself, it must be digitally signed with a certificate issued by Apple. You must also provide your users with a distribution provisioning profile that allows their device to use the application.
What I want to know is how the provisioning profile is created so that a specific device is allowed to use the app. Is this done by adding device UDIDs into the profile as per the standard developer program? Or some other means?
Provisioning profiles are managed thanks to a website provided by Apple. It will be possible to generate and download provisioning profiles from this website.
Then, if you sign an application with the Enterprise program licence, you will be able to install it on any device. You just have to send to the user your application and the provisioning profile.
Regards,

Problem with iPhone distribution provision profile

I have a problem.
There is one iPhone software product of our company,
and this product can receive push_notification messages from our push_notification server.
This product is going to be live (namely, it is going to be in the APPSTORE),
so recently we have been doing some testing work (the product uses the developer provision profile, and the server uses the development certificate), and it works well.
But we want to test the product in the REAL environment:
the server should use the production certificate,
the iPhone side product should use the DISTRIBUTION PROVISION PROFILE.
Now the problem is:
1. How to install the product on the device using the DISTRIBUTION PROVISION PROFILE
instead of the developer provision profile?
2. If I use the DISTRIBUTION PROVISION PROFILE, can I receive the push notification message?
I am now online waiting for your answer.
Thank you all.
You can only install builds that have been built for ad-hoc distribution on your device. Builds for app store distribution will not run on any device, unless approved and installed through the store, as their only purpose is being submitted to the app store.
1: Just build your app using an ad hoc provisioning profile. Delete previous versions of the app on the device. Install the ad hoc build and the ad hoc provisioning profile.
2: I have not tried that, but I think this should work, provided you're using the push enabled app-id for your ad hoc provisioning profile and the ssl key and certificate have been installed on your notification server.

Why not use development provisioning instead of ad hoc?

I was under the impression that when you use a development provisioning profile for a build of an app, only the specified developers can deploy that build to a phone.
But I just deployed a build that uses a development profile to a phone using Xcode Organizer, even though I'm not one of the valid developers for that profile. One of my colleagues, who doesn't even have Xcode installed, did the same with his phone using iTunes.
In that case, why not use a development provisioning profile for distributing your app to e.g. your QA team, instead of ad hoc distribution?
EDIT: Please read the part in bold carefully before answering. I'm not asking a basic "how does this work" question. I've made a lot of development, ad hoc, and app store builds, and now I find that I seem to have made some wrong assumptions.
There's one situation in which you need an Ad Hoc profile, and that's when you want to test Push Notifications.
If you test Push Notifications on a Development Provisioning Profile, your push notifications need to be sent using the Development Push Notification Certificate for your SSL connections to Apple's sandbox APNS server.
If you want to test Push Notifications using your Production Push Notification Certificate and the live APNS servers, you'll have to deploy your app to a device using a Distribution Certificate and Ad Hoc Provisioning Profile (which includes doing the Entitlement.plist steps, which you can ordinarily skip if you were only using Developer Provisioning Profiles).
Also note that when you deploy using an Ad Hoc profile, your device token will be different from the one you use when you're using the development profile. This is the recommended way to test APN because there are no back end changes that need to be made between the Ad Hoc build and the final live deployment on the AppStore.
Ad-Hoc is not for developers, but for testers who do not have the iPhone SDK / Xcode, only iTunes.
(The answer is: you can install an ad-hoc app without a developer certificate, and can't do it with a development app.)
Method 1: Install from Xcode
The Development Provisioning Profile requires you to run the app (initially) from within Xcode.
This has the side-effect of marking the device as being used for development, but also requires you to connect the iPhone/iPod Touch to the machine running Xcode. Once you run the app from Xcode, the app is installed on the device and you no longer need to be connected to the machine to run it. (Until you want to update the app.)
Method 2: Install from iTunes
An Ad-Hoc provisioning profile allows you to give the app to anyone and let them install it themselves using iTunes. You send them:
the app, and
the Ad-Hoc Provisioning Profile
They select these two and drag them onto iTunes. Then sync.
Later, you can give them an updated version of the app only (without the Ad-Hoc Provisioning Profile, since they've already installed that on their device) and they can drag the new app onto the iTunes icon to install the new version.
One limitation to Ad-Hoc distribution is that it requires you to enter each Device ID into the iPhone Development Portal. And there is a limit of 100 device IDs per year (you cannot erase any IDs, until your next year begins -- only add them). The 100-ID limit will not be a hindrance for most developers, just keep in mind that you need to get the device ID ahead of time, before you create the Ad-Hoc Provisioning Profile to send to the person you want to install your app.
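
The answers above distinguish development, ad hoc and enterprise profiles, tie push testing to the profile's environment, and describe what happens when a profile expires. As an added example (not code from any of the posts and not an Apple tool), the Python below reads the plist inside a .mobileprovision and reports its type, expiry state, device count and push environment; the sample profiles, UDID placeholders, fixed clock and 30-day warning window are constructed assumptions, and the CMS signature is not verified.

```python
import plistlib
from datetime import datetime

def extract_plist(blob: bytes) -> dict:
    """Slice the XML plist out of a .mobileprovision (a CMS-signed blob).
    The signature is NOT verified here; this is for inspection only."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict) -> str:
    """Infer the profile type from the keys present in it."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"              # in-house: installs on any device
    if "ProvisionedDevices" in profile:  # locked to the listed UDIDs
        debuggable = profile.get("Entitlements", {}).get("get-task-allow")
        return "development" if debuggable else "ad-hoc"
    return "app-store"

def audit(blob: bytes, now: datetime, warn_days: int = 30) -> dict:
    """Summarise type, expiry state, device count and push environment."""
    profile = extract_plist(blob)
    expires = profile["ExpirationDate"]  # plistlib returns naive UTC datetimes
    days_left = (expires - now).days
    status = ("expired" if expires <= now
              else "expiring" if days_left < warn_days else "ok")
    return {
        "kind": classify(profile),
        "status": status,
        "days_left": days_left,
        "devices": len(profile.get("ProvisionedDevices", [])),
        "push": profile.get("Entitlements", {}).get("aps-environment"),
    }

def make_sample(expires: datetime, entitlements: dict, **extra) -> bytes:
    """Constructed stand-in for a real profile: junk bytes around a plist."""
    body = {"Name": "constructed-sample", "ExpirationDate": expires,
            "Entitlements": entitlements, **extra}
    return b"\x30\x82\x0f\x00" + plistlib.dumps(body) + b"\x00\x00"

NOW = datetime(2014, 3, 12)  # fixed clock so the results are reproducible
ADHOC = make_sample(datetime(2014, 3, 20),
                    {"get-task-allow": False, "aps-environment": "production"},
                    ProvisionedDevices=["UDID-PLACEHOLDER-1", "UDID-PLACEHOLDER-2"])
ENTERPRISE = make_sample(datetime(2014, 3, 11), {"get-task-allow": False},
                         ProvisionsAllDevices=True)

if __name__ == "__main__":
    print(audit(ADHOC, NOW), audit(ENTERPRISE, NOW), sep="\n")
```

To inspect a real file, pass its bytes (for example the embedded.mobileprovision inside an unzipped IPA) to audit() with the current UTC time as a naive datetime.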