Apple certificates and provisioning profiles - when do they expire? - ios

I have an Apple Enterprise membership and develop apps for In-House distribution.
I don't understand in which cases I need to rebuild my apps because of expired certificates and/or provisioning profiles.
Do I need to rebuild the App when the distribution certificate expires?
Do I need to rebuild the App when the provisioning profile expires?
Does the provisioning profile expire/become invalid when the included certificate expires?

Whether you need to rebuild when the provisioning profile expires depends on how you are distributing your apps.
If you are following best practice and using an MDM to distribute your apps then you can distribute a new provisioning profile when the old one expires.
If you are using some other distribution method (such as a plain web server) then you will need to rebuild your apps when the provisioning profile expires.
Regardless of the distribution method you need to build a new version and update the installed apps when the distribution certificate expires.
If the distribution certificate expires then the app will stop working, even if the provisioning profile is still valid.
You need to update the app with a new version, signed with the new distribution certificate before the old one expires.
This WWDC session has a good explanation of the process.

Related

Apps in the enterprise appstore after provisioning profile expires

I have an app in enterprise appstore and the provisioning profile with which I created iPa is due to expire next month. If I go to developer account and renew the provisioning profile, what happens to the app in appstore which was created with old provisioning profile? Should I create a new iPa with new renewed provisioning profile and submit it? Is it enough to just renew the expiring provisioning profile or should we renew, create iPa with new one and upload it to appstore again?
Any help would be appreciated. Thanks!
You will need to provide a new provisioning profile, that has a new expiration date, to the devices with your app or existing installations of the app will stop working.
You can do this by packaging a new version of your app that includes the new provisioning profile and then having your users install the update.
Alternatively, if your devices are managed by an MDM (which is best practice) then you can have the MDM server push the updated provisioning profile to the devices. The advantage of this approach is that it doesn’t require any user action.
The process of certificate and provisioning profile expiration is explained quite well in this WWDC video.
As an example, here are the instructions for Microsoft Intune.

Install iOS in house Distribution Provisioning Profile via Profile Manager

We have a business that provides iPads (~1000 iPads) with our in-house iOS apps, which are managed by our MDM Apple Profile Manager.
We use Apple Developer Enterprise Program to build the in house apps with 3 year expiry certificate and 1 year expiry provisioning profile.
What we are struggling with is the renewal of the certificate (every 3 years) and provisioning profiles (every 1 year) WITHOUT:
Completely rebuilding the app with new provisioning profile and re-distributing it through MDM
Anyone having to touch the iPads to install the new provisioning profile. (Providing that the new provisioning profile is renewed from the Developer Portal before it expires).
According to this post, "Renew iOS Provisioning Profile on in-house app", they said:
"Alternatively, you could generate the provisioning profile and then distribute the profile to all the devices through MDM (if you're using an MDM solution) or by email (not a great experience)."
So my questions are:
Is it possible to install new provisioning profile via Apple Profile Manager? How do I go about doing it?
I tried emailing the .mobileprovision file and opening that file from an iPad but it didn't install the profile at all. What have I done wrong?
What is the best way to handle certificates (3 year expiry) and provisioning profiles (1 year expiry)?
Managing internal apps on iOS is unfortunately not a "set and forget" process. There is ongoing work, and planning needs to be done to make sure you keep your internal apps functioning when profiles and certificates are invalidated / expired.
I do not have experience with the Apple Profile Mgr, but it is most certainly possible to simply regenerate the provisioning profile(s) for your apps and remotely deploy them to the devices which have the apps on them. This will help with profile expirations, but will not help for certificate expiration (more on this below).
With newer versions of iOS, Apple no longer allows installation of provisioning profiles through the Mail app, or a Safari link, etc. Basically at this point, provisioning profiles need to be installed with the app installation, through MDM, or through the Xcode "Devices" window.
For profile expirations, the best strategy is to simply distribute the new profile(s) via MDM (if you have one). For certificate expirations, the best idea is to plan ahead. Starting well before the cert expires (enough time that you can deploy the newly signed apps to all your devices before the expiration date), you need to rebuild (or simply re-sign the existing ipa) your apps with the new certificate / signing identity. Since you are using MDM, it should be easy to deploy the newly re-signed apps to all your enterprise devices before the cert expires and the apps no longer run. Make sure you provide enough time to make this happen, as some devices may be off network for a while and may not check in to the MDM server every day. The good news is that this is only needed every 2.5 years or so.
Note, to re-sign an ipa, see my answer here: https://stackoverflow.com/a/25656455/3708242

How does your team ensure certificates and provisioning profiles for iOS don't expire?

The company I work for has a few iOS apps distributed through the Enterprise program. We don't update these apps very frequently. So making sure that the certificates and provisioning profiles don't expire until we've had the chance to renew and redistribute the apps can be easy to forget. How does your team ensure this doesn't happen?
There's really not much you can do to prevent this, other than trying to keep all your apps being created with the same certificate / profiles, as up to date as possible. I have yet to find a good automated solution.
To manage it, I think the best solution is to create a reminder each time you generate a new certificate that will remind you in 11.5 months to renew the certificate (using the original cert signing request file). Then generate your certificate and new provisioning profile to be distributed to the developers (either by hand or by having them all signed into their Apple developer accounts as team members).
Once you have your new certificate and profiles, you'll need to regenerate the IPAs through Xcode, or simply re-sign the ipa using the instructions found here: https://stackoverflow.com/a/25656455/3708242
For our internal apps using our enterprise distribution profile, we have put in self-update logic that allows us to push updates so that the users won't end up with an app that won't launch due to an expired provisioning profile or certificate.
Although I know many developers frown upon the use of wildcard ids in provisioning profiles, they do have one advantage here. If you have one app that is on all the devices, you could potentially get by with only updating that one app, as long as the new app has a provisioning profile and certificate that are not expired, and the provisioning profile has a wildcard id that matches all the internal apps you have. Once the valid profile is on the device, it will allow older apps to run. For more details about what I am talking about, see this answer: https://stackoverflow.com/a/29121777/3708242
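
One way to automate the reminder discussed in this thread, as an added example that is not part of the original answers: it reads the `ExpirationDate` from a `.mobileprovision` file and flags profiles inside a warning window. The function names, the 60-day window and the sample profiles are assumptions constructed for illustration.

```python
import plistlib
from datetime import datetime, timedelta

# Assumption: 60 days mirrors the two-month on-device warning quoted on this page.
WARN_WINDOW = timedelta(days=60)

def extract_profile(blob: bytes) -> dict:
    """Return the plist embedded in a .mobileprovision blob.

    The file is a CMS signed-data container that carries the XML plist in the
    clear. This reads it WITHOUT verifying the signature: fine for a reminder
    job, not for deciding whether a profile is trustworthy.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def check_profile(blob: bytes, now: datetime) -> dict:
    """Classify a profile as ok / renew-now / expired relative to `now` (UTC)."""
    profile = extract_profile(blob)
    expires = profile["ExpirationDate"]  # plistlib yields a naive UTC datetime
    remaining = expires - now
    if remaining <= timedelta(0):
        status = "expired"
    elif remaining <= WARN_WINDOW:
        status = "renew-now"
    else:
        status = "ok"
    return {"name": profile.get("Name"), "expires": expires,
            "days_left": remaining.days, "status": status}

def make_sample(name: str, expires: datetime) -> bytes:
    """Constructed stand-in for a real profile: junk bytes around an XML plist."""
    body = plistlib.dumps({"Name": name, "ExpirationDate": expires,
                           "ProvisionsAllDevices": True})
    return b"\x30\x82\x0b\xad" + body + b"\x00\x00"

if __name__ == "__main__":
    now = datetime(2024, 1, 1)  # fixed clock so the output is reproducible
    for blob in (make_sample("Field App", datetime(2024, 12, 1)),
                 make_sample("Kiosk App", datetime(2024, 2, 15)),
                 make_sample("Old App", datetime(2023, 12, 1))):
        print(check_profile(blob, now))
```

This covers only the profile's own expiration date; the distribution certificate's expiry is a separate deadline and needs its own check.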

iOS Certificates and Provisioning Profile

My client has a few apps in the App Store that were submitted using a certain App Store profile for which I have access to the account. We also have those apps installed Ad Hoc signed with the same Distribution Profile. Now I am taking care of one of these apps and I need to code sign to make a few changes and then submit it Ad Hoc for some testers. No one knows where the .developerprofile backup is. Can I revoke the existing certificate and recreate a new one without affecting the apps on the App Store? If I revoke, any other developer using this key pair will stop working, right? Any other problem I am not remembering? Can I revoke the certificate?
Thanks in advance.
Yes, you can safely revoke the developer and AdHoc distribution certificates without affecting any App Store apps. Be careful not to revoke any Push Notification certificates if your app uses push.
Generate a new certificate signing request on your machine and use that to generate the new certificates. Remember to edit the provisioning profiles after you create the new certificates, especially if you've added any additional devices to the provisioning list. Then download the new provisioning profiles and you should be good to go.
Any other developers (if they still have access) will be able to download the new profiles if they need them. If they also need to sign builds, they should generate their own keys/certificates as well for their developer certificates.

Renewal of Apple Enterprise cert and impact to existing provisioning profiles

I manage the iOS Enterprise distribution for several clients. We have come to a situation where a distribution certificate is near expiration and are curious as to the ramifications of cert renewal. The goal is maintain application integrity and not require app reinstallation. Is there a way to renew the certificate and regenerate the provisioning profiles, without impacting the end user?
If I renew the certificate and regenerate the provisioning profiles, will the end user be required to reinstall the application?
Thank you,
From the Apple enterprise FAQ:
Distribution provisioning profiles expire 12 months after they’re issued. Two months before expiration, the iOS device begins displaying notifications about the impending expiration. After the expiration date, the app won’t launch.
Before a provisioning profile expires, use the iOS Development Portal to create a new profile for the app. Create a new app archive (.ipa) with the new provisioning profile, for users who are installing the app for the first time.
For users who already have the app, you may want to time your next released version so that it includes the new provisioning profile. If not, you can distribute just the new .mobileprovision file so users won’t have to install the app again. The new provisioning profile will override the one that’s already in the app archive.
Source: http://help.apple.com/iosdeployment-apps/mac/1.1/#app43ad802c
