Programmatically verify an MDM profile (config

Published 2019-03-21 15:27

Question:

I am writing an iOS client app that sends a request to a server who turns around and requests that an updated configuration profile be pushed to my device via external MDM (AirWatch). I believe the profile shows up in Settings -> General -> Profiles. When the MDM finishes processing the profile push (sent or queued, I'm not sure), it responds to the calling server saying 'yes the profile was pushed' who echoes that response to my client app.

The problem is that it takes about 30 seconds for the profile to actually get pushed / installed on the device, while the web service response is much shorter than that. So my client app believes the configuration profile has been installed, and it allows the app to continue while the profile is still unavailable. I would like to be able to detect when the profile is successfully pushed to my device, and not allow the app to continue until afterwards. My other option is to make a pop-up saying the profile was successfully pushed, but I would still need to detect the profile being installed.

Most of the 2013 Q&A on stackoverflow appears to say it is not possible to query configuration profiles, but I was wondering if there are any work-arounds people have recently tried. I thought of the following possibilities - but I don't know which is preferred, or if it is even possible with iOS7 (as of 2/12/2014).

  1. Query the installed profiles for the one I need (sounds impossible from most Q&A I've seen; don't know if updates to iOS7 have changed this)
    • What if I knew the exact profile name I was looking for?
  2. Add a notification listener for MDM pushes
    • Use registerForRemoteNotificationTypes / didReceiveRemoteNotification or didFinishLaunchingWithOptions
    • The MDM push may happen outside of my app, so sandboxing may get in the way
    • Can you listen to the port the MDM is using?
  3. Listen for changes to the profile configuration settings
  4. Add a request at the server to query the device for the installed profile, and call that prior to sending a response to the client
  5. Do certificate validation by including a self-signed cert in the profile and verifying it
    • Seems a little hacky and I’m not sure if my MDM will allow me to do it
  6. Use reachability methods

As a note I have looked at the following links plus more:

  • WWDC 2013 MDM slides - didn't see anything that stood out
  • iOS get Configuration Profiles that are installed
  • Verify/Check to see if a Configuration Profile has been installed on iPhone (from 2010)

Thanks in advance!

Answer 1:

It will not be possible for your app to determine whether a configuration profile has been installed, as no (public) APIs exist that allow an app to query its installed profiles, nor will you be able to determine whether an MDM push notification has been sent to the device. You will have to rely on your MDM (AirWatch) to determine with certainty that the profile has been installed.

When AirWatch pushes the profile to the device it will receive an acknowledgement that the profile has been installed but it's not until AirWatch re-queries all installed profiles that it will report that the profile has been installed. What I have seen is that soon after AirWatch sends a profile installation command it will re-query the list of profiles on the device so it may be feasible to just poll the server a few times and wait until you see that the profile has been installed. I have not spent much time in the AirWatch REST API in detail but I assume this is possible.

Other than this, the only other option I can see is for you to do something with Reachability to detect whether the VPN tunnel is being set up.
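
The server-side polling described in Answer 1, as an added example that is not part of the original answer and does not use AirWatch's actual API: `fetch_installed_profiles` is a hypothetical callable wrapping whatever inventory query your MDM exposes, and `FakeMdm` and the profile identifier are constructed for the demo. The push acknowledgement is not treated as proof; success is reported only once the re-queried inventory lists the profile, and a timeout fails closed.

```python
import time

def wait_for_profile(fetch_installed_profiles, profile_id, timeout_s=90.0,
                     first_delay_s=2.0, max_delay_s=15.0,
                     clock=time.monotonic, sleep=time.sleep):
    """Return True only once the MDM inventory lists profile_id.

    fetch_installed_profiles: hypothetical callable returning an iterable of
    profile identifiers the MDM currently reports for the device.
    """
    deadline = clock() + timeout_s
    delay = first_delay_s
    while True:
        try:
            installed = set(fetch_installed_profiles())
        except OSError:
            installed = set()  # transient MDM/network error: not proof of install
        if profile_id in installed:
            return True
        remaining = deadline - clock()
        if remaining <= 0:
            return False  # fail closed: the client must not proceed
        sleep(min(delay, remaining))
        delay = min(delay * 2, max_delay_s)  # exponential backoff, capped

class FakeMdm:
    """Constructed stand-in: inventory lists the profile only after install_at s."""
    def __init__(self, install_at):
        self.now = 0.0
        self.install_at = install_at
        self.calls = 0

    def clock(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds

    def inventory(self):
        self.calls += 1
        return ["com.example.vpn"] if self.now >= self.install_at else []

if __name__ == "__main__":
    mdm = FakeMdm(install_at=30.0)  # the ~30 s install delay from the question
    ok = wait_for_profile(mdm.inventory, "com.example.vpn",
                          clock=mdm.clock, sleep=mdm.sleep)
    print("installed" if ok else "timed out", "after", mdm.calls, "queries")
```

The server would send its "profile pushed" response to the client app only when this returns True.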