What is a Provisioning Profile?
An iOS app provisioning profile is a file that connects an app's unique identifier with the developer's certificate, allowing access to services and verifying identity. It links the app to the Apple developer account, permits it on specific devices, and ensures it meets Apple's security standards. The profile needs to be created and downloaded from the Apple Developer Center and integrated into the app's build.
Upon deployment and launch, iOS/iPadOS verifies the app's integrity and enforces the provisioning profile's policies. The following checks are conducted:
Integrity of the installation file: iOS/iPadOS verifies the app's details match the enterprise signing certificate's public key. If they don't match, the app's content may have changed, and the app cannot run.
Enforcement of capabilities: The app's capabilities are enforced based on the enterprise provisioning profile included in the installation file.
Types of Provisioning Profiles
Development Provisioning Profile
Ad Hoc Provisioning Profile
App Store Provisioning Profile
Enterprise Provisioning Profile
What Occurs When a Provisioning Profile Expires or Fails
When a provisioning profile expires, users may face errors like "The app cannot be installed due to unverifiable integrity" or "The provisioning profile used has expired." This indicates that the current IPA file is not signed with a valid Ad-Hoc or Enterprise profile, or it is linked to an expired certificate. Updating these profiles promptly allows end users to continue working without interruption. However, this requires the developer to re-sign the IPA with a new provisioning profile and distribute it for deployment. Occasionally, the app might need retesting, but depending on its importance, we can simplify the process by deploying the provisioning profiles directly to users or devices using Microsoft Intune.
You can view the expiration details of line-of-business (LOB) apps by signing in to the Intune Admin Center at https://intune.microsoft.com. Once logged in, navigate to Apps, select iOS/iPadOS, and either search for the app or filter using LOB options. This lists all line-of-business applications and their status.
Note: Apps that have already expired must be re-signed and redeployed, but we can deploy iOS provisioning profiles for apps that are under warning or close to expiration.
Step 1: Access the Intune admin center by visiting https://intune.microsoft.com, go to the iOS Provisioning profile under Apps within the iOS/iPadOS Platform, and click on Create.
Step 2: Enter a name that aligns with the application or adheres to the naming convention. If necessary you can include a description and upload the provisioning profile from its saved location. The provisioning profile will have a .mobileprovision extension.
Step 3: After selecting the provisioning profile, you'll notice that the expiration date is updated according to the profile. Tap "Next" to proceed. If necessary, select the scope tag. Under "Assignment," choose the group, either users or device group, and add any groups that need to be excluded. Then, tap "Next."
Step 4: Examine the given details and press Create to finalize the profile setup.
The admin can verify the deployment status by reviewing the status under App management for the devices or users to which it is deployed. If the status shows success, the deployment has been successful.
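Before uploading a .mobileprovision file in Step 2, it helps to confirm its expiration date and profile type locally. The following Python sketch is an added example, not part of the original post or of Intune: it reads the property list embedded in the profile's signed container without verifying the signature, classifies the profile with a common heuristic based on Apple's profile keys, and uses an assumed 30-day warning window. The function names and the sample profile are constructed for illustration.

```python
import plistlib
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: a few fake container bytes around an embedded XML plist,
# mimicking the layout of a .mobileprovision file. Not a real profile.
SAMPLE = (b"\x30\x82\x1f\x00" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>Example LOB App (constructed)</string>
<key>ExpirationDate</key><date>2025-03-01T00:00:00Z</date>
<key>ProvisionsAllDevices</key><true/>
<key>Entitlements</key><dict><key>get-task-allow</key><false/></dict>
</dict></plist>""" + b"\x00constructed-trailing-signature-bytes")

def load_profile(blob: bytes) -> dict:
    """Return the plist embedded in a .mobileprovision blob.
    The signature on the container is NOT verified here."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start) if start >= 0 else -1
    if start < 0 or end < 0:
        raise ValueError("no embedded property list found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def profile_type(profile: dict) -> str:
    """Heuristic mapping of profile keys to the four profile types."""
    if profile.get("ProvisionsAllDevices"):
        return "Enterprise"
    if "ProvisionedDevices" in profile:  # explicit device list
        debug = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "Development" if debug else "Ad Hoc"
    return "App Store"

def expiry_status(profile: dict, now=None, warn_days: int = 30) -> str:
    """'expired', 'expiring' (inside the assumed window) or 'valid'."""
    # plistlib returns naive UTC datetimes, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    expires = profile["ExpirationDate"]
    if expires <= now:
        return "expired"
    if expires - now <= timedelta(days=warn_days):
        return "expiring"
    return "valid"

if __name__ == "__main__":
    # Pass a path to a .mobileprovision file, or run on the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    p = load_profile(data)
    print(p.get("Name"), profile_type(p), p["ExpirationDate"], expiry_status(p))
```

A result of "expired" matches the case in the note above where the app must be re-signed and redeployed; "expiring" is the case where deploying a renewed profile through Intune applies.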
Conclusion
This blog offers a detailed guide on creating an iOS app provisioning profile with Microsoft Intune, enabling efficient management of iOS applications without the need to re-sign the IPA and deploy it.