Programmatically verify an MDM profile (configuration) has been successfully pushed to an iOS device?

I am writing an iOS client app that sends a request to a server who turns around and requests that an updated configuration profile be pushed to my device via external MDM (AirWatch). I believe the profile shows up in Settings -> General -> Profiles. When the MDM finishes processing the profile push (sent or queued, I'm not sure), it responds to the calling server saying 'yes the profile was pushed' who echoes that response to my client app.

The problem is that it takes about 30 seconds for the profile to actually get pushed / installed on the device, while the web service response is much shorter than that. So my client app believes the configuration profile has been installed, and it allows the app to continue while the profile is still unavailable. I would like to be able to detect when the profile is successfully pushed to my device, and not allow the app to continue until afterwards. My other option is to make a pop-up saying the profile was successfully pushed, but I would still need to detect the profile being installed.

Most of the 2013 Q&A on Stack Overflow appears to say it is not possible to query configuration profiles, but I was wondering if there are any work-arounds people have recently tried. I thought of the following possibilities - but I don't know which is preferred, or if it is even possible with iOS 7 (as of 2/12/2014).

  1. Query the installed profiles for the one I need (sounds impossible from most Q&A I've seen; don't know if updates to iOS 7 have changed this)
    • What if I knew the exact profile name I was looking for?
  2. Add a notification listener for MDM pushes
    • Use registerForRemoteNotificationTypes / didReceiveRemoteNotification or didFinishLaunchingWithOptions
    • The MDM push may happen outside of my app, so sandboxing may get in the way
    • Can you listen to the port the MDM is using?
  3. Listen for changes to the profile configuration settings
  4. Add a request at the server to query the device for the installed profile, and call that prior to sending a response to the client
  5. Do certificate validation by including a self-signed cert in the profile and verifying it
    • Seems a little hacky and I’m not sure if my MDM will allow me to do it
  6. Use reachability methods

As a note I have looked at the following links plus more:

Thanks in advance!

Mccafferty answered 13/2, 2014 at 1:6 Comment(2)
I assume the profile you are referring to pushing is a device configuration profile (such as a passcode requirement) as opposed to managed app settings that became available in iOS 7. Is this correct? – Halm
@Halm Correct, it is a VPN setting/configuration profile for use outside of my app. – Mccafferty

It will not be possible for your app to determine whether a configuration profile has been installed, as no (public) APIs exist that allow an app to query its installed profiles, nor will you be able to determine whether an MDM push notification has been sent to the device. You will have to rely on your MDM (AirWatch) to determine with certainty that the profile has been installed.

When AirWatch pushes the profile to the device it will receive an acknowledgement that the profile has been installed but it's not until AirWatch re-queries all installed profiles that it will report that the profile has been installed. What I have seen is that soon after AirWatch sends a profile installation command it will re-query the list of profiles on the device so it may be feasible to just poll the server a few times and wait until you see that the profile has been installed. I have not spent much time in the AirWatch REST API in detail but I assume this is possible.

Other than this, the only other option I can see is for you to do something with Reachability to detect whether the VPN tunnel is being set up.

Halm answered 18/2, 2014 at 3:59 Comment(1)
I did verify with AirWatch support that the best option would be to re-query the installed profiles on the device, and that their initial web service response is just that the profile push has been queued in their system, not that it was actually sent/installed. Thanks again! – Mccafferty
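
The polling approach described in the answer above, sketched as an added example that is not part of the original thread and does not use AirWatch's actual API: the calling server keeps the client gated until the MDM's own inventory lists the profile, and fails closed on timeout. The `fetch_installed` callable, the profile identifiers, and the timing defaults are assumptions; in practice `fetch_installed` would wrap whatever inventory query your MDM exposes.

```python
import time
from typing import Callable, Iterable


def wait_for_profile(fetch_installed: Callable[[], Iterable[str]],
                     profile_id: str,
                     timeout_s: float = 90.0,
                     first_delay_s: float = 2.0,
                     max_delay_s: float = 15.0,
                     sleep: Callable[[float], None] = time.sleep,
                     clock: Callable[[], float] = time.monotonic) -> bool:
    """Return True only once the MDM's own inventory lists profile_id.

    The "push accepted" response only means queued, so it is never treated
    as success. Timeouts and persistent lookup errors fail closed (False).
    """
    deadline = clock() + timeout_s
    delay = first_delay_s
    while True:
        try:
            if profile_id in set(fetch_installed()):
                return True
        except Exception:
            pass  # transient MDM/API error: retry until the deadline
        remaining = deadline - clock()
        if remaining <= 0:
            return False
        sleep(min(delay, remaining))
        delay = min(delay * 2, max_delay_s)  # exponential backoff, capped


def make_fake_mdm(profile_id: str, installed_after_calls: int):
    """Constructed stand-in for the MDM inventory query (hypothetical)."""
    state = {"calls": 0}

    def fetch_installed():
        state["calls"] += 1
        base = ["com.example.wifi"]  # constructed sample identifiers
        return base + [profile_id] if state["calls"] >= installed_after_calls else base

    return fetch_installed, state


if __name__ == "__main__":
    fetch, _ = make_fake_mdm("com.example.vpn", installed_after_calls=3)
    ok = wait_for_profile(fetch, "com.example.vpn", sleep=lambda s: None)
    print("profile installed" if ok else "not confirmed; keep the app gated")
```

The server would return its "profile pushed" answer to the client only when this returns True, so the app never proceeds on a merely queued push.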
