https://developer.apple.com/library/archive/qa/qa1745/_index.html#//apple_ref/doc/uid/DTS40011636
One way to provision an identity is via email. When you provision a device, send the associated user an email with their client identity attached as a PKCS#12 file. Except don't give it the standard PKCS#12 MIME type or extension, give it a MIME type and extension claimed by your app. (The extension ".p12" is claimed by iOS and cannot be claimed by another app.) The user can then open the attachment, which will launch your app, at which point you can offer to import the identity. This same technique will work if you host the identity as a web download.