Prerequisites: a client must be a member of the Apple Developer Program (up to 100 devices) or the iOS Developer Enterprise Program.

How to sign a distribution package when there is no Apple MDM server in the network

• In MAC OS, download and run SigningUtility.zip in the command line with the following parameters:
  

make_container [-h libhook_path flist_path] [-v --increase|--timestamp] [-a app_id] [-k keychain_id] [-r path1 ...] [-g team_id app_id debugable] [-m title subtitle app_url large_icon_url small_icon_url] [-s --remove-signature] [-s --sign cert_identity app_id profile] [-o output_app_path] app_path 

Utility launch parameters:
    -a - allows replacing the Application ID;
    -m - allows generating the application manifest;
    -s, --sign - allows signing the packet;
    -o - allows specifying the path to the .ipa file (app or app.zip) that will be created and signed.

• Install this .ipa file on your device in a regular way, using iTunes.
  

How to sign a distribution package when there is an Apple MDM server in the network

• Make sure that the device is connected to Apple MDM and displayed among the managed devices.
  
• In MAC OS, download and run SigningUtility.zip in the command line with the following parameters:
  

make_container [-h libhook_path flist_path] [-v --increase|--timestamp] [-a app_id] [-k keychain_id] [-r path1 ...] [-g team_id app_id debugable] [-m title subtitle app_url large_icon_url small_icon_url] [-s --remove-signature] [-s --sign cert_identity app_id profile] [-o output_app_path] app_path

utility launch parameters:
    -a - allows replacing the Application ID;
    -m - allows generating the application manifest;
    -s, --sign - allows signing the packet;
    -o - allows specifying the path to the .ipa file (app or app.zip) that will be created and signed.

As a result, a signed distribution package and a manifest file (.plist) are created. The .plist file should be indicated in the MDM profile.

• In the Administration Console, open Remote installation > Installation packages > Manage packages of mobile applications.

• Upload the created .ipа file and the manifest file of the application without repacking to the Kaspersky Security Center web server. To do so, publish the .ipa file first, and then copy its link to the .plist file.
  
• The link to the .plist file should be indicated in the MDM profile. Then the required applications are automatically added to the mobile devices.  

Creating a containerized application

• To pack an application in a container, you should first obtain the application's distribution package as an .ipa file or an .app file from its developer or distributor.
  
• In the Administration Console, open Remote installation > Installation packages > Manage packages of mobile applications to create a containerized application.
• Click New.
  

• Define name and click Next.

• Select app and click Next.
  

• Then sign the file using one of the above methods.
  
• To manage the policies for containerized applications, the policy created by the Application Management Plug-in of Kaspersky Security 10 for Mobile is used.

make_container -s --sign 58bee7ad48ec9bfd5ae62b9e418a1712fd7570e5 com.kaspersky.kes.container ./AppDistribProf.mobileprovision -o ./output.ipa ./input.ipa, where:

• 58bee7ad48ec9bfd5ae62b9e418a1712fd7570e5 - keychain certificate name or hash.
  
• com.kaspersky.kes.container - application id (appid). As regards containerized applications, it is displayed in Kaspersky Security Center, while the ID of the unsigned agent is com.kaspersky.KES. Using an additional utility parameter of -a com.kaspersky.newID allows assigning any name as the agent's ID. Appid of containerized application should not be changed, as otherwise the policies will not apply. Appid is created on iOS provisioning portal where its .mobileprovision profile should be also generated.
  
• ./AppDistribProf.mobileprovision - path to the generated .mobileprovision profile.
  
• ./output.ipa - path to .ipa file (app or app.zip) that will be created and signed.
  
• ./input.ipa - path to the initial unsigned file.