The first sign of trouble…
… appears when your MDM solution is working fine on Android devices but has stopped working on iOS devices. All the infrastructure is working correctly, servers are healthy, load balancers are up, no recent firewall changes…
A quick glance at the Apple Developer portal to check all the certificates and profiles are healthy shows that the enterprise developer account has expired.
Apple have four types of developer membership (details here). Prices range from 99 USD to 299 USD. Without an active Apple Developer membership your applications simply don’t work.
A quick Apple Developer account renewal
Fortunately it is a straightforward process to renew your expired Apple Developer account (details here). Once you have made your payment the account becomes live again almost immediately. However, there is a fair chance things will still not be working…
As a side note, it is possible to set your Apple Developer account to automatically renew every year. For a large enterprise this avoids the time and effort lost when the account expires and things stop working.
Picking up the pieces
With an active developer account you can now inspect the provisioning profiles and certificates linked to the developer account. Like the Apple Push Notification Service (APNS) certificates, provisioning profiles and application certificates are only valid for one calendar year.
You can see in the screen grab below that a number of the provisioning profiles have expired. These profiles can be renewed inside the developer portal. Select the expired line then select “edit”.
It is important to keep the App ID (drop down) the same as the existing application already deployed. If you change this field then the provisioning profile will not work with the app that is already installed on the users’ devices.
Finally, select the certificate (also check that it hasn’t expired and isn’t due to expire!). Once generated, save the new provisioning profile to your local machine.
Citrix MDM (XenMobile)
In the previous section we kept the App ID the same as the current deployed application. This avoids the need to rewrap the application for use in our MDM environment. Instead, we can use the existing wrapped app and push the new provisioning profile “over the top” of it to “re-enable” the application.
Citrix provide a really helpful guide here so there is no need to repeat things in full here… In short, you need to create or update the Provisioning Profile. This is a neat template that allows you to attach the profile you created and downloaded in the previous step.
Once you have created a new Provisioning Profile inside the Citrix console and attached the profile you generated in the Apple Developer portal, you need to select the distribution groups.
The “All Users” delivery group is tempting as it will hit all users, however, this means you are pushing profiles out for applications which users may not have. For example, if only the sales team have “App A” then do you really need to push the profile for “App A” out to all the finance team? They can’t access the app but they get the profile anyway… Using delivery groups on a per app basis is a much cleaner way of managing this. This is especially true if the delivery groups are linked back to Active Directory groups.
Once the profile is created the iOS devices will start to update. This can take a couple of hours as the devices “randomly” check in every few hours. To speed things up (and for testing) you can delete the app in question and re-install from the Worx App Store. This will force it to check/get the latest profile.
All of the above is pretty straightforward. However, when any system is down it can be quite stressful. Given the time APNS takes to check in and pull updates, an outage can last for a couple of hours even if you fix it within minutes of expiry.
A couple of tips to avoid getting into the above mess:
- Citrix MDM has a number of alerts built in for expiring certificates and profiles. It is well worth setting these up to email out in advance thus giving you time to update profiles and certificates before they expire.
- Apple Developer accounts can be set to automatically renew. For the relatively low price (in the business world) of 299 USD this can save a lot of hassle and disruption.
- When you re-wrap the Citrix Worx applications (normal updates are released three or four times a year) take the chance to update the profiles used to wrap the apps. This avoids the need to push out profiles separately.
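The two checks described above (the profile is not expired or close to expiry, and its App ID still matches the deployed app) can be scripted against a downloaded .mobileprovision file. This is an added example, not code from the original post, Citrix or Apple. The sample profile bytes, the team ID ABCDE12345 and the bundle ID com.example.appa are constructed, and the signing certificate's own expiry is not checked here.

```python
import plistlib
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed sample: a .mobileprovision is a CMS-signed blob wrapping an XML plist.
SAMPLE = b"\x30\x82 constructed-cms-header " + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>App A In-House</string>
<key>ExpirationDate</key><date>2025-03-01T00:00:00Z</date>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>ABCDE12345.com.example.appa</string>
</dict>
</dict></plist>""" + b" constructed-signature-bytes"

def load_profile(raw: bytes) -> dict:
    """Slice the embedded plist out of the CMS wrapper and parse it.

    The CMS signature is NOT verified: fine for an expiry report, not for
    deciding whether to trust a profile of unknown origin.
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def check_profile(raw: bytes, deployed_app_id: str, now: datetime, warn_days: int = 30) -> list:
    """Return findings for one profile; an empty list means it is usable."""
    profile = load_profile(raw)
    findings = []
    expires = profile["ExpirationDate"]  # plistlib yields a naive UTC datetime
    if expires <= now:
        findings.append("expired")
    elif expires - now <= timedelta(days=warn_days):
        findings.append("expires-soon")
    # application-identifier is "<TeamID>.<bundle id>"; wildcard profiles end in "*".
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    if not fnmatchcase(deployed_app_id, app_id):
        findings.append("app-id-mismatch")
    return findings

if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    print(check_profile(SAMPLE, "ABCDE12345.com.example.appa", now))
```

Run on a schedule against the profiles you have pushed, this gives the same early warning as the MDM alerts, independent of the console.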