iOS enterprise app trust expires when offline

We have an internal enterprise app distributed by our MDM system (MobileIron).

The app runs as expected at first, but after a while (around 30 days) we start getting reports from the facilities using the app that it does not start anymore. All facilities are offline, so the iPads running the app are only connected to the internet when installing/upgrading the app.


It seems like the Enterprise Developer trust is expired or has been revoked and we get the "Untrusted Enterprise Developer" message box.


My question: Does anyone know how the trust system works? We thought that it should be possible to distribute enterprise apps and keep them on the iPad for about a year (as long as the provisioning certificate is valid).


I can also mention that earlier we used Apple Profile Manager to distribute the app and we did not encounter this problem back then. We have also updated to iOS 10 on the iPads, they were running mainly on iOS 7 and 8 earlier.

When using enterprise distribution on iOS the devices will need to be able to periodically connect to the host ppq.apple.com in order to validate the provisioning profiles.

Hi

We are experiencing the same issue and would like to set up a procedure to periodically have offline iPads reconnect, to validate provisioning profiles.

And, here is the billion dollar question: how often do we need to do that? Is there a way to know how long validation will last?


Kindest regards


Marcello

There isn't a published revalidation time for apps, although iOS now should attempt to revalidate more often when it is online.


If you deploy the apps with MDM, you can have the MDM server explicitly tell the devices to validate the installed applications. If you can get an MDM push, then you can probably validate the apps to PPQ as well to ensure your trust remains intact.

If a user keeps their device offline for an extended period (say 18 months), will their apps continue to work?


Assume the apps were purchased through Apple's custom B2B store and do not require online resources?

No, there is an onboard profile that has a max life of one year.


>assume the apps were purchased through Apple's custom B2B store and does not require online resources?


Then this isn't about Enterprise, which doesn't involve store-purchased apps? Store/purchased apps do not expire. Users can enjoy them as long as they are device/OS compatible.

Hi to all,


We came to the same problem with our enterprise application that is running on iPads connected to an isolated WiFi network (without internet connection).

It seems that the period is around 30 days (a few days more actually), after which you get the error notification and the application will stop working (our application is running all the time in guided access (kiosk) mode).

When you connect the iPad to the internet it revalidates the profile and the application starts normally.

If there is no way to prevent this behaviour (Apple - please change this - why don't you trust your enterprise users???), the workaround for us would be to connect the iPads every 30 days to WiFi with an internet connection to revalidate the profile.

But I would like to revalidate it before the notification error occurs, so my question is: is it enough just to connect the iPad to the internet and start my application, and revalidation will be done automatically, or is there some manual action that I can do to make sure the profile is validated?


Thanks

Damir

It's been this way for a while. The device needs to reach out to Apple for a certificate revocation check every 30 days or so. The actual number of days seems rubbery. It's enough to let the iPad out for air on the internet, but it's very lightweight in terms of traffic. You could build an enclave network that was locked down to get DNS and PPQ access if you were really paranoid. In some situations, you can switch to Custom App deployment (formerly known as B2B) via the public App Store, and they don't expire. The problem with that is that a) the app needs to go through App Review, so you lose some flexibility in how bad your app can be and b) you need to connect to the internet to update it.