Product Documentation

To add a provisioning profile device policy for iOS

Jul 13, 2015

When you develop and code sign an iOS enterprise app, you usually include an enterprise distribution provisioning profile, which Apple requires for the app to run on an iOS device. If a provisioning profile is missing—or has expired—the app crashes when a user taps to open it.

The primary problem with provisioning profiles is that they expire one year after they are generated on the Apple Developer Portal and you must keep track of the expiration dates for all your provisioning profiles on all iOS devices enrolled by your users. Tracking the expiration dates not only involves keeping track of the actual expiration dates, but also which users are using which version of the app. Two solutions are to email provisioning profiles to users or to put them on a web portal for download and installation. These solutions work, but they are prone to error because they require users to react to instructions in an email or to go to the web portal and download the correct profile and then install it.

To make this process transparent to users, in XenMobile you can install and remove provisioning profiles with device policies. Missing or expired profiles are removed as necessary and the up-to-date profiles are installed on users' devices, so that tapping an app simply opens it for use.

Before you can create a provisioning profile policy, you must create a provisioning profile file. For more information, see Creating Provisioning Profiles on the Apple Developer site.

1. In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.

localized image

2. Click Add to add a new policy. The Add a New Policy page appears.

localized image

3. On the Add a New Policy page, click More and then under Apps, click Provisioning Profile. The iOS Provisioning Profile Policy information page appears.

localized image

4. In the Policy Information pane, enter the following information:

  • Policy Name: Type a descriptive name for the policy.
  • Description: Optionally, type a description of the policy.

5. Click Next. The iOS Platform information page appears.

localized image

6. In the iOS Platform Information page, select the provisioning profile file to import by clicking Browse and then navigating to the file's location.

7. Expand Deployment Rules and then configure the following settings:

localized image

The Base tab appears by default.

8. In the lists, click options to determine when the policy should be deployed.

  • You can choose to deploy the policy when all conditions are met or when any conditions are met. The default option is All.
  • Click New Rule to define the conditions.
  • In the lists, click the conditions, such as Device ownership and BYOD, as shown in the preceding figure.
  • Click New Rule again if you want to add more conditions. You can add as many conditions as you would like.

9. Click the Advanced tab to combine the rules with Boolean options.

localized image

The conditions you chose on the Base tab appear.

10. You can use more advanced Boolean logic to combine, edit, or add rules.

  • Click ANDOR, or NOT.
  • In the lists that appear, choose the conditions that you want to add to the rule and then click the Plus sign (+) on the right-hand side to add the condition to the rule.
  • At any time, you can click to select a condition and then click EDIT to change the condition or Delete to remove the condition.
  • Click New Rule again if you want to add more conditions.
localized image

In this example, the device ownership must be BYOD, the device local encryption must be True, and the device mobile country code cannot be only Andorra.

11. Click Next. The iOS Provisioning Profile Policy assignment page appears.

12. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list to which you want to assign the policy. The groups you select appear in the Delivery groups to receive app assignment list.

localized image

13. Expand Deployment Schedule and then configure the following settings:

  • Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON. If you choose OFF, no other options need to be configured.
  • Next to Deployment schedule, click Now or Later. The default option is Now.
  • If you click Later, click the calendar icon and then select the date and time for deployment.
  • Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
  • Next to Deploy for always-on connection, click ON or OFF. The default option is OFF. Note that this option applies when you have configured the scheduling background deployment key in Settings >Server Properties. The always-on option is not available for iOS devices.


The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always on connection, which does not apply to iOS.

localized image

14. Click Save to save the policy.