Provisioning Profile
Also known as: ios provisioning profile, mobileprovision, provisioning profile
A provisioning profile is a signed Apple file that ties an app's bundle ID, signing certificate, entitlements, and (for development) allowed device UDIDs together, authorizing that build to install and run on iOS/iPadOS.
- Stored as a signed `.mobileprovision` plist and embedded inside the app's `.ipa`.
- Links bundle ID, signing certificate, entitlements, and (for dev/Ad Hoc) allowed device UDIDs.
- Development and Ad Hoc profiles expire and must be regenerated; Xcode can manage signing automatically.
What a provisioning profile contains
A provisioning profile (a `.mobileprovision` file) is a property list signed by Apple that bundles four things: the App ID (your bundle identifier, e.g. `app.cleanor`), one or more signing certificates (development or distribution), the entitlements the app is allowed to use, and—for non-App-Store builds—a list of authorized device UDIDs. At install time iOS checks that the app's code signature, bundle ID, and requested capabilities all match the embedded profile.
There are several profile types: Development (run on registered test devices via Xcode), Ad Hoc (distribute to a fixed UDID list outside the store), App Store (submit to App Store Connect), and Enterprise (in-house distribution under the Apple Developer Enterprise Program). The profile is embedded inside the `.ipa` and validated by the system on every launch.
Entitlements and capabilities
The profile is where an app's entitlements are authorized—things like push notifications, iCloud, App Groups, the Photos library access keys, and background modes. If your bundle ID is configured in the Apple Developer portal (Certificates, Identifiers & Profiles) with a capability but the profile is stale, the entitlement check fails and the app is rejected at install or upload.
For a storage-cleaning app, the practically relevant capabilities are Photos (`PHPhotoLibrary`) access and any iCloud/App Group entitlements used to share scan results between an extension and the main app. The provisioning profile is what grants the binary permission to request those entitlements at runtime—the user-facing permission prompt is a separate, later layer.
Expiry, renewal, and signing flow
Development and Ad Hoc profiles expire (typically within a year) and must be regenerated; App Store profiles are managed by Apple. Xcode's Automatically manage signing option creates and refreshes profiles for you, while teams shipping via CI usually manage them explicitly (often with tools like fastlane match) so the same certificate and profile are reused across machines.
When a build is signed, the toolchain matches the signing certificate's private key to the certificate listed in the profile. A mismatch—wrong certificate, expired profile, or a device not in the list—produces the familiar 'no matching provisioning profile found' or 'unable to install' errors.