Replacement enterprise distribution provisioning profile not adopted by device

1
votes

In this document,In the section, "In-house apps | Providing updated apps", it states:

For users who already have the app, you may want to time your next released version so that it includes the new provisioning profile. If not, you can distribute just the new .mobileprovision file so users won’t have to install the app again. The new provisioning profile will override the one that’s already in the app archive.

We tried this last week when our own in-house provisioning profiles all expired (to correspond with an expired enterprise certificate). Despite installing the new profiles (and leaving the expired profiles on the device), we found that our applications would not launch. The device refused to open the applications even after a hard reset (press and hold the lock and home buttons for a long time).

Eventually, I had to advise our team to install updates of the affected applications, all of which had deployed with the renewed provisioning profile. The newly installed apps successfully replaced the ones that didn't open, which to me is a proof that the new provisioning profile included the same bundle ID.

To conclude, I feel like the device refused a replacement profile for my applications, and I don't know why. My questions are:

  1. Under what conditions will the device accept a replacement provisioning profile?

  2. Is there any way to test that the replacement will be successful before the provisioning profile actually expires?

  3. Is there any restriction about whether the user must install the new provisioning profile before, or after, the old profile expires?

1
iosprovisioning-profileios-provisioning

1 Answers

0
votes

It's very simple:

When your distribution certificate expires, the app won’t launch. Your distribution certificate is valid for three years from when it was issued, or until your Enterprise Developer Program membership expires, whichever comes first. To prevent the premature expiration of your certificate, be sure to renew your membership before it expires. For information about how the distribution certificate is checked, see Certificate validation.

1. Under what conditions will the device accept a replacement provisioning profile?

I'm not sure what the exact requirements are, but it should be sufficient to have the same bundle seed/ID and the certificate that the app was signed with (I don't think profile name matters).

The docs say you're allowed two distribution certificates with overlapping validity; this should mean that you can add both of them to the profile and start signing apps with the new cert, while allowing old versions to run until the old cert expires.

2. Is there any way to test that the replacement will be successful before the provisioning profile actually expires?

Uninstall the old one and try to launch the app. You can also set the date on the phone.

3. Is there any restriction about whether the user must install the new provisioning profile before, or after, the old profile expires?

Not that I know of.

Previous OS versions (as late as iOS 5, I think) would take the first installed profile that "matched" the executable (by comparing bundle seed/ID/certificate perhaps?) and fail if the profile was no longer valid, so you sometimes had to remove expired profiles for it to pick up the new profile. I haven't seen this failure mode recently; it may have been fixed.