5

Apple's Mobile Device Management Protocol Reference states on page 44 at the bottom:

Third-party enterprise applications require provisioning profiles in order to run them. You can use MDM to deliver up-to-date versions of these profiles so that users do not have to manually install these profiles, replace profiles as they expire, and so on. To do this, deliver the provisioning profiles through MDM instead of distributing them through your corporate web portal or bundled with the application.

Does this mean that I should remove or unbundle the embedded.mobileprovision from the application before installation?

Or does it mean,

Installing the provisioning profile via an MDM server separately before installing the app?

If the answer is the first one, how does one remove the embedded.mobileprovision without breaking the app? If the answer is the 2nd, does subsequently updating the app mess up the profile installed by the MDM server?

Dan
jbrown94305

1 Answer

2

Second one. The MDM server installs provisioning profiles on the device before installing the app. It's generally part of "setting up the device" with the MDM.

Installing or updating the app after that point would be done through the MDM, so everything stays hunky dory.

Updated provisioning profiles get put up on the MDM (by developer/admin), then the MDM app on the user's device notifies the user of an update. They tap the update button and the new profiles get downloaded and installed.

EDIT 3/12/14: Apple has introduced the Device Enrollment Program (DEP), which now allows for "no-touch" installation of MDM provisioning profiles, setting up supervision and silently installing apps without ever taking the device out of the box. The system is based around:

  1. Company account buys all devices (Apple maintains list of which serial numbers belong to company/account)
  2. Company tells Apple which MDM has permission to make changes.
  3. Company links MDM to Apple.
  4. MDM now sends requests to Apple, which sends requests to device.

This will allow us to only screw, er setup, devices we bought. There are ways to "switch" ownership of devices/serial numbers if they were not all bought under the same account.

DBD
  • What about the profile that's embedded in the app? Will subsequent installs/updates/upgrades of the app via MDM cause any problems/conflicts with the profile that is already there? – jbrown94305 Dec 20 '12 at 19:43
  • The profile in the app doesn't matter as long as it's using the enterprise distribution certificate. You bypass most of Apple's normal security limitations by using the enterprise distribution cert. You can install any app made with an enterprise distribution certificate on any device (even without provisioning profiles installed on the device). It's a nice, flexible and trusting system which has made me never want to go back to the ad-hoc distribution and device list annoyances. – DBD Dec 20 '12 at 20:27
  • This is a helpful confirmation that what I want to do is possible, but I can't figure out where to put the new provisioning profile so Profile Manager will find it and push it to the devices. Perhaps, as you say, this works with MDM (the protocol), but I have been unable to find where it is supported by Apple's MDM implementation, i.e. Profile Manager. Does anyone know if there is indeed a way to push a provisioning profile (not a configuration profile) from Profile Manager, without giving it a new .ipa? – Phill Apley Mar 25 '14 at 19:07
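
As an added example (not part of the original posts, and not Apple's or any MDM vendor's code), the sketch below shows the server-side step the thread discusses: reading the expiry date out of a .mobileprovision and wrapping the file in an MDM `InstallProvisioningProfile` command. The `RequestType` and `ProvisioningProfile` keys are from Apple's MDM protocol; the helper names and the sample profile are constructed for illustration, and the CMS signature is not verified here.

```python
import datetime
import plistlib
import uuid

def extract_profile_plist(blob: bytes) -> dict:
    """Return the plist embedded in a .mobileprovision (a CMS envelope around
    an XML plist). The signature is NOT checked here; treat the fields as
    untrusted metadata used only for scheduling renewals."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def needs_renewal(profile: dict, now: datetime.datetime, days: int = 30) -> bool:
    """True when the profile expires within `days` of `now` (naive UTC)."""
    return profile["ExpirationDate"] - now <= datetime.timedelta(days=days)

def install_command(blob: bytes) -> bytes:
    """Build the MDM command plist that delivers the profile to a device."""
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "InstallProvisioningProfile",
            "ProvisioningProfile": blob,  # serialized as base64 <data>
        },
    }
    return plistlib.dumps(command)

# Constructed sample: fake envelope bytes around a minimal profile plist.
_SAMPLE_PLIST = plistlib.dumps({
    "Name": "Example Enterprise Profile",               # constructed value
    "UUID": "00000000-0000-0000-0000-000000000000",     # placeholder
    "ExpirationDate": datetime.datetime(2014, 6, 1),
})
SAMPLE_PROFILE = b"\x30\x82\x00\x00" + _SAMPLE_PLIST + b"\x00\x00"

if __name__ == "__main__":
    info = extract_profile_plist(SAMPLE_PROFILE)
    print(info["Name"], "expires", info["ExpirationDate"])
    if needs_renewal(info, datetime.datetime(2014, 5, 15)):
        print(install_command(SAMPLE_PROFILE).decode()[:200])
```
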