Install iOS in house Distribution Provisioning Profile via Profile Manager


We have a business that provides iPads (~1000 iPads) with our in-house iOS apps, which are managed by our MDM Apple Profile Manager.

We use the Apple Developer Enterprise Program to build the in-house apps with a 3-year expiry certificate and a 1-year expiry provisioning profile.

What we are struggling with is renewing the certificate (every 3 years) and the provisioning profiles (every 1 year) WITHOUT:

  1. Completely rebuilding the app with new provisioning profile and re-distributing it through MDM
  2. Anyone having to touch the iPads to install the new provisioning profile. (Providing that the new provisioning profile is renewed from the Developer Portal before it expires).

According to this post, "Renew iOS Provisioning Profile on in-house app", they said:

"Alternatively, you could generate the provisioning profile and then distribute the profile to all the devices through MDM (if you're using an MDM solution) or by email (not a great experience)."

So my questions are:

  1. Is it possible to install a new provisioning profile via Apple Profile Manager? How do I go about doing it?
  2. I tried emailing the .mobileprovision file and opening that file from an iPad but it didn't install the profile at all. What have I done wrong?
  3. What is the best way to handle certificates (3 year expiry) and provisioning profiles (1 year expiry)?

7
wottle On

Managing internal apps on iOS is unfortunately not a "set and forget" process. There is ongoing work, and planning needs to be done to make sure you keep your internal apps functioning when profiles and certificates are invalidated / expired.

  1. I do not have experience with the Apple Profile Mgr, but it is most certainly possible to simply regenerate the provisioning profile(s) for your apps and remotely deploy them to the devices which have the apps on them. This will help with profile expirations, but will not help for certificate expiration (more on this below).

  2. With newer versions of iOS, Apple no longer allows installation of provisioning profiles through the Mail app, a Safari link, etc. Basically, at this point, provisioning profiles need to be installed with the app installation, through MDM, or through the Xcode "Devices" window.

  3. For profile expirations, the best strategy is to simply distribute the new profile(s) via MDM (if you have one). For certificate expirations, the best idea is to plan ahead. Starting well before the cert expires (enough time that you can deploy the newly signed apps to all your devices before the expiration date), you need to rebuild (or simply re-sign the existing ipa) your apps with the new certificate / signing identity. Since you are using MDM, it should be easy to deploy the newly re-signed apps to all your enterprise devices before the cert expires and the apps no longer run. Make sure you provide enough time to make this happen, as some devices may be off network for a while and may not check in to the MDM server every day. The good news is that this is only needed every 2.5 years or so.

Note, to re-sign an ipa, see my answer here: https://stackoverflow.com/a/25656455/3708242
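An added example, not part of the original answer: one way to check ahead of time which provisioning profiles need renewing, so the MDM push can be scheduled with enough lead time. It slices the XML plist out of the `.mobileprovision` CMS wrapper without verifying the signature; the 60-day lead time and the sample profile are assumptions constructed for illustration.

```python
import plistlib
from datetime import datetime, timedelta


def extract_profile_plist(blob: bytes) -> dict:
    """Return the plist embedded in a .mobileprovision blob.

    The file is a CMS (PKCS#7) signed container around an XML plist.
    This only locates and parses the plist; it does NOT verify the signature.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def renewal_status(profile: dict, now: datetime, lead_days: int = 60) -> str:
    """Classify a profile as 'ok', 'renew-now' or 'expired'.

    lead_days is an assumed planning window: time needed for the new
    profile to reach devices that check in to MDM only occasionally.
    """
    expires = profile["ExpirationDate"]  # naive datetime, UTC
    if now >= expires:
        return "expired"
    if now >= expires - timedelta(days=lead_days):
        return "renew-now"
    return "ok"


def constructed_sample() -> bytes:
    """Constructed test input: a plist wrapped in dummy bytes standing in
    for the CMS envelope. All values are made up."""
    body = plistlib.dumps({
        "Name": "Example In-House Profile",
        "UUID": "00000000-0000-0000-0000-000000000000",
        "ExpirationDate": datetime(2025, 3, 1),
        "ProvisionsAllDevices": True,
    })
    return b"\x30\x82\x00\x00" + body + b"\x00\x00"


if __name__ == "__main__":
    profile = extract_profile_plist(constructed_sample())
    for day in (datetime(2024, 12, 1), datetime(2025, 1, 15), datetime(2025, 3, 2)):
        print(day.date(), profile["Name"], renewal_status(profile, day))
```

On a real file, read the bytes from the `.mobileprovision` (or from `embedded.mobileprovision` inside the ipa) and pass them to `extract_profile_plist`.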