Understanding Provisioning Profiles and Airwatch MDM

3
votes

I support a handful of enterprise iOS apps that are distributed using AirWatch MDM. Initially, the first couple of apps were distributed all sharing the same wildcard provisioning profile.

We recently rolled out a series of apps that used the App Group capability which could not use the wildcard profile so each app created its own provisioning profile.

We have run into a couple of issues with these new apps now that the profiles are expiring. Trying to distribute the new profile via AirWatch has been unsuccessful and the only thing that has a worked for us is to deploy a new app update. I worry this approach is not really sustainable as some of these apps likely will not be updated within a year or 2 of profile updates.

I have a couple of questions from an Airwatch/MDM consulting perspective:

  • Is it best practice to have each app in an enterprise format have its own profile or share profiles if possible?

  • Is it possible to distribute a profile with capabilities remotely?

  • When the certificate expires, is there anyway to fix the apps without updating every app across the enterprise using the expiring certificate?

  • Can I revoke the active certificate that is used for internally published apps prior to the expiration date without impacting them?

  • From a certificate administration perspective, should we create a shared Apple ID with a generic login or tie it to one particular developer?

We have very few apps now but it has become a bit of a support issue each time these expiration dates roll around and I feel like there has to be a better way for an enterprise to manage this that has hundreds of internal apps.

1
iosios-provisioningairwatch

1 Answers

6
votes

Is it best practice to have each app in an enterprise format have its own profile or share profiles if possible?

Yes. I always use a specific provisioning profile for every app I manage. Using wildcard may seem easier, and it takes more time to set up every single profile, but it's more manageable.

Is it possible to distribute a profile with capabilities remotely?

Yes, but distributing the new profile via Airwatch doesn't always work. It's rather a problem of signing more than capabilities

  • If the new provisioning profile is signed with the same distribution certificate, pushing it via AirWatch may work. But sometimes it won't and the user will have to manually remove and reinstall the app.
  • If the new profile uses a new certificate the apps will NOT receive the update. Don't trust airwatch's information about app expiration in the apps list!

My advice is to create a new version of the app and sign the IPA with the new provisioning profile, then release it as an update. And additional advantage is that you'll keep track of who has the older version (which will stop working when the profile expires) while the new version will work just fine.

When the certificate expires, is there anyway to fix the apps without updating every app across the enterprise using the expiring certificate?

No, I usually increase the version number, create a new IPA, re-generate the provisioning prodile, use it to sign the IPA, and distribute the app as an update using AirWatch.

Can I revoke the active certificate that is used for internally published apps prior to the expiration date without impacting them?

No, if you revoke a certificate every app that uses it will stop working.

Source: https://help.apple.com/developer-account/#/dev7d381a7ff

See Apple documentation on managing expired certificates, it's long but exaustive.

From a certificate administration perspective, should we create a shared Apple ID with a generic login or tie it to one particular developer?

Use roles. The team Agent is the admin of the account and is used only when you have to accept new TOS, renew the membership, etc. Set up developer accounts (I prefer one for each developer, so that everyone has it's own developer certificate) and make the team leader admin of the develoepr account. This way the team leader can set up the apps for the deploy while the developer will focus on coding.

I understand it may seem complex, but once you get used to this structure you'll appreciate how manageable it is, and usually the team leader can manage many developer accounts with little work.

Supporting your mobile apps, releasing updates to follow new iOS releases and bug-fixing are time-consuming activity. And so is maintaining certificates and deploying apps. You should charge your customer for these services too, if you make B2B