IOS – Restrict a specific app to run only on MDM provisioned devices

applications, ios, ipad, iphone, itunes

We have a scenario in our current iPhone app development project.

We need to restrict our app to run only on our Maas360 MDM provisioned devices. Ours is an in-house app for certain of our employees.

If somebody got the IPA and tried to run the app on a private device (not provisioned by MDM), the app should fail to start. Our app uses a Prod distribution certificate and a prod profile to prepare the IPA. Is it possible to link the certificate and profile to the MDM? If that happens, can somebody manage to get the MDM related profile and run the app on their private device? Please share your knowledge and thoughts for this scenario.

There is an option to specify device info along with the provisioning profile. We cannot do that as there will be new devices provisioned through MDM. We need all control through a single point – our MDM.

Best Answer

Have you considered using Managed App Configuration to 'signal' to your app that it is running on a managed device?

Here's how you might implement:

  1. Add a Managed App Configuration item to MAAS360. In it, configure a specific key with a 'secret' value. The key and value themselves don't matter, as long as they are unique and only you know them.
  2. In your app, implement a check for the Managed App Configuration key in NSUserDefaults. Pull the key and check that it is the secret value that you configured in step #1. If not, the app throws an error / exits / whatever.

The Managed App Configuration will only be sent to the device and made available to the app if it has been installed as a Managed App from the MAAS360 App Store. If the app is installed unmanaged or from the Apple App Store, it won't receive it. If the MAAS360 MDM profile is removed, the app can be removed with it (although this may depend on your MDM settings).

Note this should only be considered a somewhat secure solution as it relies on security-by-obscurity and it would be fairly trivial for a determined hacker to reverse-engineer your IPA and extract the expected key/value pair.

More information on Managed App Configuration here:

https://developer.apple.com/library/ios/samplecode/sc2279/Introduction/Intro.html
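The check described in step 2 above, written out as an added Swift example (this is not the answerer's code and not part of MaaS360 or Apple's sample). The `com.apple.configuration.managed` defaults key is the real key under which iOS exposes Managed App Configuration; the gate key name `com.example.mdmGate`, the digest placeholder and the `GateResult` type are assumptions for illustration. The expected value is compared as a SHA-256 digest so the plaintext token is not stored in the binary, which only raises the bar slightly given the security-by-obscurity caveat in the answer. Requires iOS 13+ for CryptoKit.

```swift
import Foundation
import CryptoKit

/// Real key: iOS places the MDM-pushed Managed App Configuration dictionary here.
let managedConfigKey = "com.apple.configuration.managed"

/// Assumed name of the key you configured in the MDM console (step 1). Pick your own.
let gateKey = "com.example.mdmGate"

/// Placeholder: SHA-256 hex digest of the secret value configured in the MDM,
/// computed out of band. Only the digest ships in the app, never the plaintext.
let expectedDigestHex = "<hex sha256 of your secret value, computed out of band>"

/// Outcome of the gate check. Distinguishing "no config at all" from "wrong value"
/// is useful for support logs without leaking the expected value.
enum GateResult {
    case managed        // installed as a managed app and the secret matches
    case notManaged     // no Managed App Configuration present (unmanaged install)
    case wrongValue     // configuration present but the secret does not match
}

/// Hex-encoded SHA-256 of a string.
func sha256Hex(_ text: String) -> String {
    SHA256.hash(data: Data(text.utf8))
        .map { String(format: "%02x", $0) }
        .joined()
}

/// Read the Managed App Configuration dictionary, if the MDM pushed one.
func readManagedConfig(from defaults: UserDefaults = .standard) -> [String: Any]? {
    defaults.dictionary(forKey: managedConfigKey)
}

/// Core check: pure function over the configuration so it can be unit-tested
/// with a constructed dictionary instead of a real device.
func evaluateGate(config: [String: Any]?) -> GateResult {
    guard let config = config, let value = config[gateKey] as? String else {
        return .notManaged
    }
    return sha256Hex(value) == expectedDigestHex ? .managed : .wrongValue
}

/// Convenience wrapper for the launch path.
func deviceIsMDMProvisioned() -> Bool {
    evaluateGate(config: readManagedConfig()) == .managed
}

/// Re-run the gate whenever defaults change: the MDM may push or revoke the
/// configuration while the app is running, and the answer notes the app may
/// be removed with the profile. `onChange` receives the new result.
func observeManagedConfigChanges(onChange: @escaping (GateResult) -> Void) -> NSObjectProtocol {
    NotificationCenter.default.addObserver(
        forName: UserDefaults.didChangeNotification,
        object: nil,
        queue: .main
    ) { _ in
        onChange(evaluateGate(config: readManagedConfig()))
    }
}
```

Wire `deviceIsMDMProvisioned()` into `application(_:didFinishLaunchingWithOptions:)` and, when it returns `false`, present a blocking screen instead of the normal UI (Apple discourages calling `exit` from a shipping app). Keep the `observeManagedConfigChanges` token alive for the app's lifetime so a later push or revocation of the configuration is picked up without a relaunch. Because the digest and the key name are still in the binary, treat this as a deployment-hygiene control that complements MDM, not as a substitute for it.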