22.2 Distributing iOS/iPadOS Configuration or Provisioning Profiles

You can deploy either an iOS Configuration Profile or Provisioning Profile using the iOS/iPadOS Profile bundle.

22.2.1 iOS/iPadOS Configuration Profile

iOS profiles are XML files consisting of payloads that will enable you to deploy configuration settings and restrictions to iOS devices. These XML files are exported from Apple Configurator and each individual configuration setting, such as the Wi-Fi configuration setting, VPN configuration setting, and certificate information, are called payloads. Using an iOS profile, you can deploy these configuration settings or restrictions, which are not available in ZENWorks, to the devices. While creating an iOS profile bundle, the XML file that is obtained from Apple Configurator is uploaded in ZENworks. When you assign this bundle to a device, on deployment of the iOS profile bundle, the encrypted version of the profile is installed on the device, thereby restricting users from changing the setting.

Creation and assignment of iOS profile bundles is supported on an experimental basis for Apple TV devices. You can configure and deploy iOS profiles, such as the app lock configuration profile, to Apple TV devices, to lock down the device to a particular app. An example of the app lock configuration file is as follows:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict> <key>PayloadContent</key> <array> <dict> <key>IsRemovable</key> <true/> <key>Label</key> <string>test</string> <key>PayloadDescription</key> <string>Configures App lock</string> <key>PayloadDisplayName</key> <string>App Lock</string> <key>PayloadIdentifier</key> <string>com.apple.webClip.managed.1F3066B4-1D92-4CE4-891F-C3E5D0153400</string> <key>PayloadType</key> <string>com.apple.app.lock</string> <key>PayloadUUID</key> <string>E4242F0A-7872-4425-BF11-E1A269E9836D</string> <key>PayloadVersion</key> <real>1</real> <key>App</key> <dict> <key>Identifier</key> <string>com.google.ios.youtube</string> </dict> </dict> </array> <key>PayloadDisplayName</key> <string>App Lock</string> <key>PayloadIdentifier</key> <string>xyz.blr.com.</string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>59C3C2*****</string> <key>PayloadVersion</key> <integer>1</integer></dict></plist>

NOTE:If you deploy an iOS configuration profile with a specific setting and if the same setting is applied using ZENworks but with conflicting values, then the setting that is applied will be based on the device’s operating system rules. For example, if you have uploaded a configuration profile that disables the device camera and if the device camera is enabled in the assigned Mobile Device Control Policy, then the setting that is applied will be based on the precedence set by iOS. To avoid such discrepancies, it is advisable that you apply a specific setting either through an iOS profile or through another feature in ZENworks.

22.2.2 iOS/iPadOS Provisioning Profile

A provisioning profile authorizes developers and devices to install apps meant for iOS or iPad devices. It is required to install and run an enterprise or a developer app on a managed iOS or iPad device.

Apple generates development certificates that expire within three years. However, the provisioning profiles for the applications made with the development certificates expire in one year. A notification is sent to the app developer before the expiry of the profile. As users will not be able to run apps with an expired provisioning profile, you need to ensure that the provisioning profile is renewed before it is due for expiry. ZENworks gives you a provision to renew the profile using the iOS/iPadOS Profile bundle. This ensures that the apps continue to work without the users having to re-install them.

For more information on deploying a provisioning profile to managed devices, see Procedure.

22.2.3 Prerequisites

  • To upload an iOS Configuration Profile, an XML file with the configuration settings should be exported from Apple Configurator. For more information on creating and importing iOS profiles, refer to the Apple Configurator documentation.

  • To renew an iOS Provisioning Profile that is due to expire, you need to modify the .mobileprovision file with an updated certificate and expiration date and obtain it from the iOS Developer Enterprise Program. If you distribute a new profile, then the apps that are already deployed on devices will not receive any updates. You also need to ensure that the same credentials as those of the embedded profile are used for generating the modified provisioning profile. For more information on updating a provisioning profile, see the Apple Documentation.

22.2.4 Procedure

  1. On the Getting Started with Mobile Management page, navigate to the Deploy Mobile Applications section and click Create Bundles. Alternatively, from the left hand side navigation pane of ZCC, click Bundles > New > Bundle.

  2. On the Select Bundle Type page, click iOS/iPadOS Bundle.

  3. On the Select Bundle Category page, click iOS/iPadOS Profile.

  4. On the Define Details page, specify a name for the bundle, select the folder in which to place the bundle, then click Next.

  5. On the Select Profile Type page, select the iOS Profile category that you want to upload.

  6. Based on the option selected in the previous page, browse and upload a configuration profile or a provisioning profile. Ensure that you read the Prerequisites section before uploading either of the two profiles.

  7. Click Create Sandbox, if you want to create a Sandbox only version of the bundle.

  8. Click Define Additional Properties if you want to view the summary of the bundle or want to navigate to the Details tab.

    NOTE:You can view or download the uploaded configuration or provisioning profile by navigating to the Details tab. This tab also lets you edit the upload configuration profile. However, you cannot edit the uploaded provisioning profile. For more information on editing the configuration profile, see Editing a Configuration Profile

  9. Click Finish to complete the activity.

You can continue to assign this bundle to an iOS or iPadOS device. For more information, see Assigning Bundles.

If you delete an iOS/iPadOS Profile bundle, as soon as the device syncs with the server, the profile is removed from the device.

Editing a Configuration Profile

To edit the configuration profile file that you uploaded, you can either select Define Additional Properties while creating the bundle or navigate to Bundles > <click the iOS profile bundle> > Details. Click Download, update the profile and upload it in the same bundle. For the modified or the new setting to take effect on all the devices, you need to republish the bundle. On republishing the bundle, the existing profile installed on the device is overwritten with the modified or new setting.