Second. The MDM server installs provisioning profiles on the device before installing the application. This is usually part of the “device setup” using MDM.
Installing or updating the application after this point will be done through MDM, so everything will remain complicated.
Updated training profiles are laid out on MDM (developer / administrator), then the MDM application on the user device notifies the user of the update. They press the refresh button, and new profiles are downloaded and installed.
EDIT 3/12/14: Apple introduced the Device Registration Program (DEP), which now allows you to install “without touch” MDM provisioning profiles, configure controls, and silently install applications without ever taking the device out of the box. The system is based on:
- A company account buys all devices (Apple maintains a list of serial numbers belonging to the company / account).
- Apple says MDM has permission to make changes.
- The company associates MDM with Apple.
- Now MDM sends requests to Apple, which sends requests to the device.
This will allow us to only connect the devices that we bought. There are ways to “switch” ownership of devices / serial numbers that they did not all buy in the same account.