Line-of-business (LOB) Apple iOS/iPadOS apps assigned to iPhones and iPads are built with a provisioning profile embedded in the package and are code signed with a certificate. iOS/iPadOS verifies the app's integrity and applies the policies defined in the provisioning profile when the app runs. The following validations happen:
- Installation file integrity – iOS/iPadOS checks the app against the enterprise signing certificate's public key. If the check fails, the app's content may have been altered, and the app is not allowed to run.
- Capabilities enforcement – iOS/iPadOS attempts to enforce the app’s capabilities from the enterprise provisioning profile (not individual developer provisioning profiles) in the app installation (.ipa) file.
The enterprise signing certificate used to sign the apps typically lasts three years, but the provisioning profile expires after a year. The app then has to be packaged again with a new provisioning profile and the new build uploaded to Intune; once the profile has expired, the app no longer launches on the device.
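As an added example that is not part of the original post: the expiry date lives inside the build itself, so it can be checked before the .ipa is uploaded. The Python below (example code, not Intune's or Apple's tooling) reads `ExpirationDate` from the embedded provisioning profile. It assumes the standard .ipa layout (`Payload/<App>.app/embedded.mobileprovision`) and uses a constructed sample archive in place of a real build.

```python
"""Added example, not code from the original post: read the expiry date of the
provisioning profile embedded in an .ipa before the build is uploaded to Intune.

An .ipa is a zip archive; the profile lives at
Payload/<App>.app/embedded.mobileprovision and is a CMS (PKCS#7) signed blob
wrapping an XML property list. Reading the plist between its <?xml ... </plist>
markers skips CMS signature verification, which is acceptable for an expiry
check: iOS verifies the signature itself at install time.
"""
import io
import plistlib
import re
import zipfile
from datetime import datetime, timezone
from typing import Dict

PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_profile_plist(blob: bytes) -> Dict:
    """Pull the property list out of a (possibly CMS-wrapped) .mobileprovision blob."""
    match = PLIST_RE.search(blob)
    if match is None:
        raise ValueError("no property list found in provisioning profile")
    return plistlib.loads(match.group(0))


def read_ipa_profile(ipa_bytes: bytes) -> Dict:
    """Locate and parse embedded.mobileprovision inside an .ipa archive."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("Payload/") and name.endswith(".app/embedded.mobileprovision"):
                return extract_profile_plist(zf.read(name))
    raise ValueError("no Payload/<App>.app/embedded.mobileprovision in archive")


def profile_summary(profile: Dict, now: datetime) -> Dict:
    """Report the fields that matter for the renewal decision."""
    expires = profile["ExpirationDate"]
    if expires.tzinfo is None:  # plistlib returns naive datetimes that are UTC
        expires = expires.replace(tzinfo=timezone.utc)
    return {
        "name": profile.get("Name"),
        "team": profile.get("TeamName"),
        "enterprise": bool(profile.get("ProvisionsAllDevices", False)),
        "expires": expires,
        "days_left": (expires - now).days,
    }


# --- constructed sample in place of a real build (no real team or app data) ---
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def build_sample_ipa() -> bytes:
    """Build a minimal .ipa whose profile is padded with junk bytes to mimic the CMS wrapper."""
    profile = {
        "AppIDName": "Field Inspector",
        "Name": "Field Inspector In-House",
        "TeamName": "Example Corp",
        "ProvisionsAllDevices": True,             # true for enterprise (in-house) profiles
        "CreationDate": datetime(2023, 9, 17),
        "ExpirationDate": datetime(2024, 9, 17),  # one year after creation
    }
    wrapped = b"\x30\x82\x0c\x00CMS-HEADER" + plistlib.dumps(profile) + b"CMS-SIGNATURE\x00\x01"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/FieldInspector.app/Info.plist",
                    plistlib.dumps({"CFBundleIdentifier": "com.example.fieldinspector"}))
        zf.writestr("Payload/FieldInspector.app/embedded.mobileprovision", wrapped)
    return buf.getvalue()


if __name__ == "__main__":
    summary = profile_summary(read_ipa_profile(build_sample_ipa()), SAMPLE_NOW)
    print(f"{summary['name']}: expires {summary['expires']:%Y-%m-%d} ({summary['days_left']} days left)")
```

Running the same check against a real build (`read_ipa_profile(open("MyApp.ipa", "rb").read())`) gives the date that Intune will later report as the app's expiry, so a build signed with a stale profile can be rejected in the pipeline rather than discovered in the portal.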
The Pain Area
There is no out-of-the-box way to set up alerting that notifies you before the provisioning profiles of your iOS LOB apps expire. The Intune portal does show a warning when a provisioning profile or certificate has expired or is about to expire, but it is only an informational message in the portal: you see that one part of the LOB app has expired or is close to expiry, and can then take the required action.
Because of this gap, there is a high chance of human error: the team managing the Intune infrastructure can easily miss these warnings, leading to non-functioning apps on end users' devices.
There are multiple ways to create automated email notifications a number of days before a provisioning profile expires, so that you have enough time to react and get a new build created.
The possible options you have to automate it are:
- Automate the flow using ServiceNow
- Automate the flow using Power Automate
- Automate the flow using Logic Apps
Whichever option you choose, you will rely on Microsoft Graph API calls to get the data about managed apps and their properties.
For this article, I have used Power Automate to create the flow and get automatic emails notifying on provisioning profile expiry.
- Sign in to Power Automate.
- Select My flows > New flow > Scheduled cloud flow.
- In the fields next to Starting, specify the date and time when your flow should start.
- In the fields next to Repeat every, specify the flow’s recurrence.
- Select Create.
- Select Recurrence > Show advanced options (the link then changes to Hide advanced options) and configure the time and days on which the flow should run.
- Click Add action, search for Get Secret (Azure Key Vault) and create the connection; it can use a managed identity. This is where the flow reads the credential used for the Graph call, instead of storing it in the flow itself.
- Click Add action again and add an HTTP action that makes the Graph request listing the LOB apps (`GET https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps`; the identity making the call needs the `DeviceManagementApps.Read.All` permission).
- Next, in the search box under Choose an operation, enter variable as your filter. From the Actions list, select Initialize variable – Variable. I will use this variable for comparing the expiry date of the provisioning profile.
- Save the flow at this point and run it, because we need the response from the GET request. Run the flow and copy the body from the result. It will look like this
- Next, initialize another variable to hold the expiry date value from the response.
- Now map the properties using expressions (for an iOS LOB app, the expiry is the `expirationDateTime` property of each `#microsoft.graph.iosLobApp` item in the response).
- Click Add step and add a Condition that compares the provisioning profile expiry date with today's date: if the expiry date is less than 90 days away, an auto-generated email should be sent to the team concerned.
All done! Save the flow and execute it.
You will receive the email with details of the app’s provisioning profile.
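For readers who want to see the comparison the flow performs in plain code, here is an added example that is not part of the original post: the same logic in Python over a Microsoft Graph response. It assumes the `deviceAppManagement/mobileApps` endpoint and the `expirationDateTime` property of `#microsoft.graph.iosLobApp` items, follows `@odata.nextLink` paging (a tenant with more apps than fit on one page would otherwise have apps silently missing from the check), and runs offline against constructed sample pages; the bearer token and the app identifiers are placeholders.

```python
"""Added example, not code from the original post: the comparison the flow
performs, done in Python over a Microsoft Graph response so the logic can be
checked without a tenant.

Apps are listed from GET /deviceAppManagement/mobileApps (the caller needs the
DeviceManagementApps.Read.All permission), iOS LOB apps are picked by
@odata.type, and each one's expirationDateTime (the provisioning profile
expiry) is compared with a threshold. The fetcher is passed in as a callable:
graph_fetcher() does the real HTTP call, sample_fetch() serves constructed pages.
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List

GRAPH_APPS_URL = "https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps"
IOS_LOB_TYPE = "#microsoft.graph.iosLobApp"


def graph_fetcher(token: str) -> Callable[[str], Dict]:
    """Return a fetcher that GETs a Graph URL with a bearer token (the token is
    obtained for the app registration whose secret the flow reads from Key Vault)."""
    def fetch(url: str) -> Dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def iter_mobile_apps(fetch: Callable[[str], Dict], url: str = GRAPH_APPS_URL) -> Iterator[Dict]:
    """Follow @odata.nextLink so apps beyond the first page are not silently skipped."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def parse_graph_datetime(value: str) -> datetime:
    """Graph emits ISO 8601 with a trailing Z; make the UTC offset explicit for arithmetic."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expiring_ios_lob_apps(fetch: Callable[[str], Dict], now: datetime,
                          threshold_days: int = 90) -> List[Dict]:
    """Return iOS LOB apps whose profile expires within threshold_days, already expired ones first."""
    alerts = []
    for app in iter_mobile_apps(fetch):
        if app.get("@odata.type") != IOS_LOB_TYPE:
            continue  # Win32, VPP, web apps etc. carry no provisioning profile
        raw = app.get("expirationDateTime")
        if not raw:
            continue  # nothing to compare; worth flagging separately if it happens in practice
        expires = parse_graph_datetime(raw)
        days_left = (expires - now).days
        if days_left < threshold_days:
            alerts.append({
                "displayName": app.get("displayName"),
                "id": app.get("id"),
                "expirationDateTime": raw,
                "days_left": days_left,
                "expired": days_left < 0,
            })
    alerts.sort(key=lambda a: a["days_left"])
    return alerts


def alert_body(alerts: List[Dict]) -> str:
    """Plain-text body for the notification email."""
    if not alerts:
        return "No iOS LOB provisioning profiles are within the alert window."
    lines = []
    for a in alerts:
        state = "EXPIRED" if a["expired"] else f"expires in {a['days_left']} days"
        lines.append(f"{a['displayName']} ({a['id']}): {state} ({a['expirationDateTime']})")
    return "\n".join(lines)


# --- constructed sample pages standing in for a tenant (ids and names are made up) ---
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
_PAGE2 = GRAPH_APPS_URL + "?$skiptoken=sample-page-2"
SAMPLE_PAGES = {
    GRAPH_APPS_URL: {
        "value": [
            {"@odata.type": IOS_LOB_TYPE, "id": "app-0001", "displayName": "Field Inspector",
             "expirationDateTime": "2024-03-31T00:00:00Z"},
            {"@odata.type": "#microsoft.graph.win32LobApp", "id": "app-0002",
             "displayName": "Corp VPN Installer"},
        ],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {
        "value": [
            {"@odata.type": IOS_LOB_TYPE, "id": "app-0003", "displayName": "Warehouse Scanner",
             "expirationDateTime": "2024-09-17T00:00:00Z"},
            {"@odata.type": IOS_LOB_TYPE, "id": "app-0004", "displayName": "Legacy Timesheet",
             "expirationDateTime": "2024-02-15T00:00:00Z"},
        ],
    },
}


def sample_fetch(url: str) -> Dict:
    """Offline stand-in for graph_fetcher(): serves the constructed pages above."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    print(alert_body(expiring_ios_lob_apps(sample_fetch, SAMPLE_NOW)))
```

Against a real tenant, replace `sample_fetch` with `graph_fetcher(token)` and `SAMPLE_NOW` with `datetime.now(timezone.utc)`. Two points carry over to the Power Automate flow: the HTTP action only returns one page, so a flow that reads the first `value` array without following `@odata.nextLink` can miss apps, and an app that is already past its expiry also satisfies "less than 90 days", which is why the output lists expired apps first.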
The idea behind this post was to show how easily you can automate expiry notifications for your business-critical applications. The flow can be adapted to your own requirements; feel free to use and modify it.