AirWatch not updating internal apps on locked supervised devices


#1

We have been struggling with AirWatch not updating internal applications on locked supervised devices, the device needed to be unlocked before application will update.

We have tested this from AirWatch 9.1 - 9.4.0.1 and observed identical behaviour.

After some troubleshooting we have identified the root cause.

When a new application is published to the devices two commands are queued.

  • Install Provisioning Profile
  • Install Application

The Install Provisioning Profile command is first in queue and Install Application is second.
The Install Application command is ONLY issued after Install Provisioning Profile command is successful.

From Xcode logs we can clearly see that Install Provisioning Profile command CANNOT be issued to locked devices.
The device will respond with NotNow if locked.


2018-05-16_14-55-33

If a command is Queued in AirWatch it will be sent to the device every 5 minutes by default.

We have manually deleted the Install Provisioning Profile queued for the device from the database.

Avoid issuing database commands unless you are sure of what you are doing

SELECT * FROM [Airwatch].[deviceCommandQueue].[DeviceQueue] WHERE  DeviceID IN (12345) AND StatusID = 1
DeviceQueueID DeviceID CommandID StatusID TransactionID CreatedBy CreatedOn ModifiedBy ModifiedOn DeviceProfileVersionID CommandTarget RecommendedExternalApplicationID Message AppIdentifier ContentID ApplicationID InternalBookID ProductAssignmentID ValidationToken WorkflowID VppAccountID
4210508 12345 13 1 0C5C6FD1-199F-4195-88E7-4FEB0F26B971 352 24:40.9 4 39:41.7 7965 NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL
4210509 12345 21 1 82040DAB-CCE7-4113-BD3F-984F7C1CDAA6 352 24:40.9 4 39:41.7 NULL NULL NULL NULL NULL NULL 1156 NULL NULL NULL NULL NULL
delete FROM [Airwatch].[deviceCommandQueue].[DeviceQueue] WHERE  DeviceID = 12345 AND DeviceQueueID = 4210508

Once deleted the command has disappeared from the troubleshooting tab in the console and application successfully updated on a locked the device in ~5 minutes.


#2

Nice! Sounds like a feature request for VMWare :slight_smile:


#3

Further info:

According to Airwatch, it is a feature not a bug; “Install Provisioning Profile” command pushed when assignment has “Remove On Unenroll” enabled.


#4

So if we don’t want the Install Provisioning Profile command pushed, then we can’t remove on unenroll, kinda defeats the purpose of an internal app, at least for my org.


#5

Latest from AW - product request PR-196866 to unbind setting “remove on unenroll” and application provisioning profile push been created on 04/04/2018. AW provided no ETA on it.

Currently we trying to get an acceptable workaround from them.

Will keep this post up to date.


#6

So just a thought, but I know that internal apps require provisioning profiles to be installed for the application to launch and function normally since they don’t go through the normal Apple App Store process. If the Provisioning Profile command is not sent as part of the install, does anyone have logs of when the profile command is sent down to the device for the application to function?


#7

The provisioning profile is already a part of the application, it’s built into the IPA. What AirWatch does is actually unzip the IPA pull out the provisioning profile and deploy it alongside the app. This behaviour is unique to AirWatch and is not really required for the application to run on the device (unless provisioning profile is different to what is built into the app).


#8

AirWatch have updated the description of the “Remove on Unenroll” setting in AirWatch 9.5 however the deployment behaviour is identical to previous versions
upload


#9

That’s what I was thinking, but wasn’t really aware about the “unzipping” portion. Thanks for the explanation @daniil_michine

@Grego - We’ll talk to our TAM/TAS/whatever they’re called now and let them know that we support this request as well.


#10

A bit of info from yesterday’s testing (AW v9.1):

Confirmed the “Remove on unenroll” behavior, this flag is only set on application deployment.
Meaning that if an app deployed with this flag as disabled the only way to enable the flag is to update/redeploy the application.


#11

Another small update:

Say you have 2 internal apps to update, one with “Remove on unenroll” flag enabled (let’s call it app A) another with disabled (app B).

If you deploy 2 about the same time (time window short enough for probability user unlocking supervised device being low) then result on locked supervised device will depend on sequence:

(1) B
(2) A
result - app B update got to locked device, A caused AW issuing “Install application profile” and stuck

(1) A
(2) B
result - app A update caused AW issuing “Install application profile” and stuck, B also wont install on locked supervised device.

Stumbled into this issue updating multiply apps at the same time.


#12

Issue can be avoided by splitting assignments for the same app based on tagging:

  1. tag all supervised devices
  2. create assignment with “Remove on unenroll” disabled and place this assignment at the top (highest priority)

Wrote powershell script to place tags on devices, tested deployment - solution seems sufficient for a time that we are waiting for vendor to introduce proper fix.