We are getting ready to release the iOS version of our application in the app store. The current model is a free, limited functionality base version with additional functionality unlocked with an in-app purchase or, alternatively, with a code that the customer received when they purchased the software on a different platform.
However, we also have institutional customers who purchase site licenses directly from us and are given access to our software on all of our supported platforms (Windows, macOS, etc). Once the iOS version is released, we also want to allow them to install it to their iOS devices using their current MDM system.
In the Microsoft store we were able to distribute a signed license file to the organizations IT group, who was then able to include that file with the app when it was pushed out to their devices. The license file contained the domain identifier for the organization, so the device had to be connected to their domain in order to be able to run the application. Is there something similar in iOS for devices that are managed by an organization (i.e. an identifier that apps can access that says if they are being managed by a specific organization)? And can MDM systems specify a file or other data that is included with an app?
As a second potential option, I see in App Store Connect we can specify specific organizations to give the app to. I suppose we could create a second, free, unlocked version of the app that only specific organizations can access. However, it seems like a bit of a nightmare to manage long term (especially when it comes to things like time limited site licenses). Apple's documentation says that this options is only available before the app is approved. Does that mean that organizations can't be added or removed at will once the app has been released?
Any guidance on how to handle this situation would be greatly appreciated!
Most major MDM solutions support the AppConfig.org standards that allow you to distribute an XML file as part of a managed configuration. This XML file can be read through UserPreferences.
Presumably you could supply your license as a base 64 encoded cryptographic object that the client could add to the managed configuration. Your app can then check for this value, decode it and provide the appropriate functionality.
Related
I want to know if it's possible to put an application, on the apple store, that only the company employees can log into.
I know that I can distribute the application in-house only, but my question is about putting an app that won't be accessible to the general user, even if he downloads it, could cause any problems with the validation process ?
Probably that's what you looking for
http://www.apple.com/business/vpp/
or you can distribute your application using one of the many third‑party services:
https://www.apperian.com/
http://ubertesters.com/
http://hockeyapp.net/
https://www.installrapp.com/
etc.
You need Apple Enterprise Developer Program, you'll be given a certificate with which you can install it to multiple devices.
For restricted installation, only for Employees, you might use
Third party MDM
Develop your own server (not complex) with Over-The-Air installation. That is not difficult at all, you just need secure web server (dropbox e.g), special manifest file for your app, and special link in html. When a user taps on it, the app will be installed. Note: you can implement user authorisation/authentication before you show that link.
That could be your solution.
UPDATE
You can use over-the-air installation with developer program as well. You don't necessarily need enterprise program.
The problem is when you prevent other users from using your app.
I'm pretty sure that Apple won't like it.
We're developing an app for an enterprise customer (approx. 1500 of its users are going to use it). At the moment the most likely way we're going to charge them is on a per-usage basis (every time an employee uses the app, we get a small amount), so it's important that the app is distributed only among employees. I'm considering using iOS Developer Enterprise Program ( https://developer.apple.com/programs/ios/enterprise/ ) or releasing an app via a regular iTunes Store with some basic marketing functionality and then letting users to log in and use the real functionality the customer is paying for.
Edit: perhaps the B2B Volume Purchase Program ( https://developer.apple.com/programs/volume/b2b/ ) is the answer?
Are there any other possibilities?
What's the most convenient way of distributing such app?
If I go with iOS Dev Enterprise Program, who should create the account? Us or them? (I'm betting the latter).
I'm pretty sure your per-usage model is against Apple's Ts&Cs in any deployment space (B2B, App Store, etc). I'm also fairly confident that deploying through the App Store will get you flagged eventually when they dive into your code. Either of those deployment models is going to get you shut down and your Enterprise Cert revoked if they ever catch on. Either way you likely want to have someone fluent with legalese look at what you're attempting to do.
The point of using B2B to circumvent the App Store is to allow you to provide a private deployment of an app at a minimal cost without supplying source code. To that point the customer should be the one maintaining the Enterprise account. You would join their account as a Member, compile the code using one of their dev certs and dev provisioning profiles, supply the customer with the .XCArchive file and they can re-sign it with their Enterprise Cert. It's a pretty streamlined process.
The Enterprise Developer program is convenient because you don't need to go through the store review process. Just put up new builds for installation from your own www site. The enterprise whose employees will be using the app needs to get the license. They will need a DUNS number and the application process may take a week or so. They may get a phone call from Apple to verify their intentions and eligibility.
Is it possible to deploy an APP to apple app store, but only allow internal company user to download the APP by their own? Thanks.
Yes it is possible with Apple Enterprise Developer Program.
The Apple Developer Enterprise Program allows large organizations to develop and deploy proprietary, internal-use apps to their employees. This program is for specific use cases that require private distribution directly to employees using secure internal systems or through a Mobile Device Management solution.
Just to augment what others have said there. The Enterprise program is what you want. It allows you to distribute your app to as many devices as you like. But as it's not going through the Apple app store, you will have to work out how you want to do it. There are third party servers out there for doing this sort of thing.
You can also simply "roll your own" by simply creating a web page on your LAN with a like to the downloadable app. The Apple documentation has the details on doing that.
Also note one difference between an Enterprise app and a app store app, is that the Enterprise app certificates will need to be renewed every year. Which means that you will need to update the app every year or it will stop working.
We are a small IT team that needs to purchase between 20-100 iOS devices (iPhones) to hand out to external partners. These devices will be setup once, and then leave the premises to pretty much never ever come back physically.
The devices needs to be fully locked to our application. We won't allow surfing, emailing, phonecalls, text messages etc.
I need to set this up as easy as possible. Then I need to install our application (developed in-house) and once I create an update for this app all devices needs to be updated OTA. Updates to the iOS firmware should only be available if I say so. I don't want the user to be prompted to update iOS in case our application is not compatible yet.
From my understanding, I know I need some kind of MDM solution (Preferably Apple Configurator or the MDM server built into OS X Server in Yosemite) as well as an Apple Enterprise Developer account.
I'm looking for step by step instructions on how to set this up to be failproof. If any certificate is messed up, or expired at a later stage and the devices would end up "useless" it is nearly impossible for me to get to the devices physically.
Thank you for any responses, I'm in charge of quite a important part of the business, and I have no previous experience of this (I don't want to f' up)
Your question is very large, so I'm going to only address a few specific points that should get you going in the right direction.
If the devices are bought by a company or institution, you should look into supervising the device (a process which asserts that this device is owned by a company or institution and so certain restrictions normally unavailable to BYOD are available on this device for MDM). Ideally, you'll purchase your devices straight from Apple in the US and then enroll them in the Device Enrollment Program (https://www.apple.com/education/it/dep/). This will allow you to configure the devices so that every time they are erased, they will become supervised again and re-enrolled with your chosen MDM server and configuration (and also give you the option to lock MDM so that it is unremovable).
Configurator is not your friend if you're not going to have physical access to the device. You'll want to use a MDM server and should look at a third-party vendor for the best experience (see AirWatch and MobileIron to start with). An MDM server will be able to push install and update profiles and apps on the devices and so you should look heavily into this.
If the devices will be locked into a single application, look at Single App Mode. By pushing down a profile by MDM, you can lock the device into a single app, but only on SUPERVISED devices. You'll also want to look at the restrictions available for disabling things like Safari and such. The Mobile Device Management Protocol Reference and the Configuration Profile Reference are both your friends here.
You will NOT be able to prevent devices from updating iOS itself. This is a purposeful design choice from Apple and so you need to be testing your software against the developer betas to ensure it works before release or else you're out of luck.
Go check out the Apple Enterprise page (https://developer.apple.com/enterprise/). Some good videos are the WWDC 2014 "Managing Apple Devices" and "Building Apps for Business and Education".
I was asked to do a recruitment app that will recruit people for the company, so of course it will be free. When I released it, it got rejected for being very basic.
Now the client want to just release it through their site if apple don't want to accept it.
I know how to create the .ipa file through adhoc disribution which is what I use to give them copy and test it by putting it on a test site so that they can download it on their iphones.
But this is only for testing purposes, only the phones registered as devices on the dev account can download the file successfully.
So is it possible to release an app that will be used by users successfully without submitting it to apple?
With an Enterprise account you can more or less host your own private app store for an unlimited amount of devices and distribute in-house without Apple.
With a Developer account you can run ad-hoc installs via TestFlight or comparable services for up to 100 devices.
The new iTunes TestFlight integration announed at WWDC14 allows for 1000 devices.
The only solution that will look truly professional is the Enterprise App Store and it requires you to have a DUNS and an approval from Apple, but generally with a DUNS you're set. It's $299 instead of $99, but that's not so much money for most companies that have a DUNS. Also you can't use that account for publishing apps to the public App Store.
In general, yes it is possible: you can release an enterprise app outside the app store, provided that your company has the requisite enterprise agreement.
However, this is intended for internal use, and while I haven't read the agreement myself, I believe that distribution to the public at large would likely be in breach. (EDIT: As Zaph points out, this is in fact explicitly disallowed.)
The situation you're describing would fall outside this.
Moreover, from a user experience standpoint, it's unreasonable to expect prospective employees to download an application from outside the app store.
This is not only technically difficult for a lot of people, but it would look incredibly unprofessional, which is the opposite of what you're after in a recruitment app.
No. Apple restricts the apps available to users only to those on App Store.
(Actually, not 100% true - you could release the app on Cydia and target only jailbroken phones, but I suspect this is not what you mean to do.)
Alternately, make a web application, using JavaScript/HTML/CSS. Anyone can use a web application, it can be installed on the launcher screen, and it does not require App Store, just a web server somewhere. If you need persistence, you might also want to look into manifest files and offline apps. Especially if your app is basic, you can make it look and feel almost as a native app using one of the very nice web frameworks such as jQuery Touch.
However, you might just leave it as a webpage - why would you restrict your recruitment pool only to people willing to install your app?
tl;dr: You can't release an ObjC app except on AppStore.
There are already multiple answers to this question, probably because it is not specific enough.
Let's gather all the information that's necessary here:
If you want an app for a company (given that you recruited people through the app, i.e. people who used the app would join the company), you should use the Enterprise Program.
If the app is meant for the general public (in this case, possibly, you would like the app as a branding, promoting app for the company), you cannot use the Enterprise account, since it violates Apple's terms. As an example, see this funny case: http://www.imore.com/how-gameboy-emulator-finding-its-way-non-jailbroken-devices
AdHoc and TestFlight should not be used for a release app. AdHoc only is meant to be used for testing purposes. Introducing non-developer related devices into your AdHoc profile would mean termination of your dev account (e.g. this aggressive and also funny case: http://www.intomobile.com/2012/07/09/apple-goes-after-sites-selling-activations-ios-6-beta/).
Finally, two interesting notes:
There is no limit to the number of devices in an Enterprise Program app. It's not 1K, at least the information out there says the opposite (e.g. the case with the link in 1). The 1k device limit will be for beta testers with TestFlight (according to http://www.neglectedpotential.com/2014/06/testflight/).
An Enterprise account cannot publish apps to the public on the AppStore (see this FAQ: https://developer.apple.com/support/ios/enterprise.html -if it doesn't work, you can load the cached version from Google, etc.). Thanks to Departamento B for this information I didn't know about.