I've been looking into this recently as we have the same situation. My understanding so far…
As of iOS 14, devices will go to an Apple hosted CDN to obtain your AASA file. This is discussed here:
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_associated-domains
As also mentioned in the note, it is possible to bypass the CDN in two ways by using an "alternative-mode". The options are developer and managed. These are activated by appending to your associated domain in your entitlements file.
For the developer mode you need to allow the bypassing in the Settings App -> Developer. You also need to sign the app with a developer distribution profile.
The managed mode is suitable for enterprise signed apps. To use this you must install a managed device profile (an MDM .mobileconfig file) to authorise use of the CDN bypass.
This needs you to create the profile. Apple have some MDM background documentation.
You can create a skeleton profile with Apple's Configurator II tool. This tool only supports a small number of widely used MDM payload-types though, and that doesn't include the com.apple.associated-domains payload that we need to specify.
Every payload uses a standard set of generic properties described here under "Define a Profile".
The specific com.apple.associated-domains payload we need to use is introduced in device management of Associated Domains, which defines that we need to use a PayloadType of com.apple.associated-domains.
It's then necessary to add specific properties to the payload shown here:
<key>ApplicationIdentifier</key> – string with the full app id, such as <string>your-app-id</string> – the App id is the same as in your AASA file.
<key>EnableDirectDownloads</key> – boolean <true/>
<key>AssociatedDomains</key> – an <array>…</array> having a list of the <string>…</string>, one for each domain that we want to bypass Apple's CDN. To find these I simply took the domains from the "*_Debug.entitlements" file. My assumption is all the domains the app wants to be "entitled" to for universal linking must be included in the AASA CDN bypass list.
Actually installing a profile is easy. You can email it to yourself at the device and start the install from the Mail App.
However, I've installed a profile, put my device on the VPN, installed a build of the App with the modified entitlements, and a test link in to the App still fails. So it still doesn't work.
I'm now investigating why it might not be working…
Leads on this are:
Get a sysdiagnose. Note that it seems to be necessary to hold the buttons less than the advertised 1.0 to 1.5 seconds. About half a second seemed correct, and after longer the device shows the turn off / emergency call screen. Look in "swcutilshow.txt" in the sysdiagnose file. More details <link blocked by Apple's site, sorry>. This is all very interesting, but it doesn't seem to show errors with obtaining the AASA file.
Look in the console when the device is attached. Search for swcd.
One thought is: perhaps the MDM needs to be signed by the domain? Perhaps it needs lots of other things in it? Is there any way to debug or validate it?
Any help with this from Apple would be super appreciated as I feel fairly lost! Are you there Quinn?
Thank you,
Benjohn
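As an added example (my own code, not Benjohn's and not an Apple sample), here is a small script that pulls the applinks: domains out of an entitlements file, strips the ?mode= suffix the post mentions, builds a .mobileconfig with the com.apple.associated-domains payload described above, and checks the result. The "Configuration" array wrapper and the generic Payload* keys are assumed from Apple's device-management schema; the entitlements content, identifiers and app id are constructed.

```python
import plistlib
import uuid

# Constructed stand-in for a *_Debug.entitlements file (not real app data).
SAMPLE_ENTITLEMENTS = b"""<plist version="1.0"><dict>
<key>com.apple.developer.associated-domains</key><array>
<string>applinks:example.com?mode=managed</string>
<string>applinks:links.example.com?mode=managed</string>
<string>webcredentials:example.com</string>
</array></dict></plist>"""

def applink_domains(entitlements_bytes):
    """Bare hostnames of the applinks: entries, with any ?mode=... suffix dropped."""
    ents = plistlib.loads(entitlements_bytes)
    domains = []
    for entry in ents.get("com.apple.developer.associated-domains", []):
        service, _, rest = entry.partition(":")
        if service == "applinks":  # webcredentials: etc. are not universal links
            domains.append(rest.split("?", 1)[0])
    return domains

def build_profile(app_id, domains):
    """Serialise a .mobileconfig with one com.apple.associated-domains payload."""
    payload = {
        "PayloadType": "com.apple.associated-domains",
        "PayloadIdentifier": "com.example.associated-domains.payload",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        # Assumption: per-app items sit in a "Configuration" array (Apple's schema).
        "Configuration": [{
            "ApplicationIdentifier": app_id,  # TEAMID.bundle-id, as in the AASA file
            "EnableDirectDownloads": True,    # serialises as the <true/> from the post
            "AssociatedDomains": domains,
        }],
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.associated-domains",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

def profile_covers(profile_bytes, app_id, domains):
    """True if a com.apple.associated-domains item names app_id with direct downloads on and exactly these domains."""
    items = [i for p in plistlib.loads(profile_bytes)["PayloadContent"]
             if p["PayloadType"] == "com.apple.associated-domains" for i in p["Configuration"]]
    return any(i["ApplicationIdentifier"] == app_id and i["EnableDirectDownloads"]
               and set(i["AssociatedDomains"]) == set(domains) for i in items)
```

Write the bytes from build_profile to a .mobileconfig file and install it as described above; profile_covers is a quick check that the profile lists the same domains as the entitlements.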