Apple-App-Site-Association (AASA) behind VPN but Phone is in VPN

Hi,


we are currently trying to test universal links also on our development server which is behind a VPN. From my understanding, correct if I am wrong, I thought it is enough that during app installation, the corresponding device (iPhone) is also connected via VPN so that iOS is able to download the AASA file?


But at the moment I am not able to test this successfully. So my question is, is that possible in general to put the file on a server which is only reachable via VPN, and if yes, what could be the error?


Best regards

Chris

Hello,

Having the same issue. My apple-app-site-association file is hosted on an internal dev server that's only accessible through VPN. The Cisco VPN on my phone is turned on. However each time I try to hit any of the links specified in the AASA file, the website opens instead of my app, and there is no native app banner on top, meaning: the AASA mapping is not working for all URLs on a server that's behind VPN. Are there any suggestions on how to get AASA links testable by QA, behind VPN on the test environment?
I've been looking in to this recently as we have the same situation. My understanding so far…

As of iOS 14, devices will go to an Apple hosted CDN to obtain your AASA file. This is discussed here: https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_associated-domains

As also mentioned in the note, it is possible to bypass the CDN is two ways by using an "alternative-mode". The options are developer and managed. These are activated by appending to your associated domain in your entitlements file.

For the developer mode you need to allow the bypassing in the Settings App -> Developer. You also need to sign the app with a developer distribution profile.

The managed mode is suitable for enterprise signed apps. To use this you must instal a managed device profile (an MDM .mobileconfig file) to authorise use of the CDN bypass.

This needs you to create the profile. Apple have some MDM background documentation.

You can create a skeleton profile with Apples Configurator II tool. This tool only supports a small number of widely used MDM payload-types though, and that doesn't include the com.apple.associated-domains payload that we need to specify.

Every payload uses a standard set of generic properties described here under "Define a Profile". 

The specific com.apple.associated-domains payload we need to use is introduced in device management of Associated Domains, which defined that we need to use a PayloadType of com.apple.associated-domains.

It's then necessary to add specific properties to the payload shown here:
  • <key>ApplicationIdentifier</key> – string with the full app id, such as <string>your-app-id</string> – the App id is the same as in your AASA file.

  • <key>EnableDirectDownloads</key> – boolean </true>

  • <key>AssociatedDomains</key> – an <array>…</array> having a list of the <string>…</string>, one for each domain that we want to bypass Apple's CDN. To find these I simply took the domains from the "*_Debug.entitlements" file. My assumption is all the domains the app wants to be "entitled" to for universal linking must be included in the AASA CDN bypass list.

Actually installing a profile is easy. You can email it to yourself at the device and start the instal from Mail App.

However, I've installed a profile, put my device on the VPN, installed a build of the App with the modified entitlements, and a test link in to the App still fails. So it still doesn't work.

I'm now investigating why it might not be working…

Leads on this are:
  • Get a sysdiagnose, note that it seems to be necessary to hold the buttons less than the advertised 1.0 to 1.5 seconds. About half a second seemed correct, and after longer the device shows the turn off / emergency call screen. Look in "swcutilshow.txt" in the sysdiagnose file. More details <link blocked my apple's site, sorry>. This is all very interesting, but it doesn't seem_ to show errors with obtaining the AASA file.

  • Look in the console when the device is attached. Search for swcd.

One thought is: perhaps the MDM needs to be signed by the domain? Perhaps it needs lots of other things in it? Is there any way to debug or validate it?

Any help with this from Apple would be super appreciated as I feel fairly lost! Are you there Quinn?

Thank you,
Benjohn

For those of you who tried reading all the documentation and steps described above but things are still not working, make sure you check your device under Settings -> Developer and flip the Associated Domains Development switch to ON.

Apple-App-Site-Association (AASA) behind VPN but Phone is in VPN
 
 
Q