I have an Individual Apple Developer Program and I want my friend to help me develop my app. My friend himself has an Individual Apple Developer Program, so he created a new Apple ID and I added his new Apple ID to App Store Connect > Users and Access with the Developer role.
But when he added this new Apple ID in Xcode, it seems this account DOES NOT belong to my Developer Program and he CANNOT build the project.
Xcode failed because of this:
How can I fix this? Is there any other step(s) to do?
To the best of my knowledge, only organizations and not individual Apple developer accounts are eligible for adding an additional member who has access to certificates, identifiers and provisioning profiles.
Role Permissions: Access to Certificates, Identifiers & Profile is an additional privilege for users with the App Manager, or Developer role that are members of an organization’s team. If this privilege is added, the user sees certificates, identifiers, and profiles associated with all of your apps.
A few workarounds:
This requires some trust, but you can log in on the 2nd developer's Xcode with your own account, which would allow Xcode to automatically manage the certificates. This is a super simple, quick way of working around this for small companies. You could also share your password, but this would require more trust.
You can request to upgrade your membership to an organization. This requires you to have a D-U-N-S number, which, depending on the process, would take from days to months.
You can have the 2nd developer develop on their own account with their own bundle identifier, then switch it to yours. This is super slow and annoying since you may have to duplicate some of the services (like Firebase) that bind to a bundle ID.
I am looking into the possibility of signing certs and preparing provisioning profiles on my computer and emailing them over, but so far, haven't found a working solution here.
Overall, this is an unfortunate decision by Apple. It shouldn't require creating a legal entity and going through a month-long process just to add an additional iOS engineer to the team. The situation is also exacerbated by their half-baked team management system for the Individual Apple Developer program, where you can add developers, but you can't actually have them develop on device 😢
Related
So I have a client who I’ve built this app for. The app had reached its MVP so we launched it and transferred the app to their developer account. Now I want to continue working on the app for them but I don’t have the proper certificate on my device to make changes to the project on the client's developer account. How do I go about getting the proper certificates set up so I can upload new versions of the app to their App Store Connect account?
There are two solutions I can think of:
They can add your Apple developer account into their new developer account and give you developer access (or admin access to have more freedom). Therefore you will be able to recreate certificates for yourself in order to work on your project. (For me this is the best approach and it keeps things clean.) To do so, just ask one of the admins of the itunesconnect account on your client's side, and he will add you as a Developer Manager in the account.
You can ask them to export their new certificates as a .p12 file (which contains the private and public keys) and their provisioning profile from their Mac OS keychain (the developer or team from your client that is handling the app nowadays, if any). Then you will have no issue at all. (I do not recommend this one and vouch for the first one even if the second one seems easy.) Also, if tomorrow they change it or revoke it, it will require doing the same update again.
I support a handful of enterprise iOS apps that are distributed using AirWatch MDM. Initially, the first couple of apps were distributed all sharing the same wildcard provisioning profile.
We recently rolled out a series of apps that used the App Group capability which could not use the wildcard profile so each app created its own provisioning profile.
We have run into a couple of issues with these new apps now that the profiles are expiring. Trying to distribute the new profile via AirWatch has been unsuccessful and the only thing that has worked for us is to deploy a new app update. I worry this approach is not really sustainable as some of these apps likely will not be updated within a year or 2 of profile updates.
I have a couple of questions from an AirWatch/MDM consulting perspective:
Is it best practice to have each app in an enterprise format have its own profile or share profiles if possible?
Is it possible to distribute a profile with capabilities remotely?
When the certificate expires, is there any way to fix the apps without updating every app across the enterprise using the expiring certificate?
Can I revoke the active certificate that is used for internally published apps prior to the expiration date without impacting them?
From a certificate administration perspective, should we create a shared Apple ID with a generic login or tie it to one particular developer?
We have very few apps now but it has become a bit of a support issue each time these expiration dates roll around and I feel like there has to be a better way for an enterprise to manage this that has hundreds of internal apps.
Is it best practice to have each app in an enterprise format have its own profile or share profiles if possible?
Yes. I always use a specific provisioning profile for every app I manage. Using wildcard may seem easier, and it takes more time to set up every single profile, but it's more manageable.
Is it possible to distribute a profile with capabilities remotely?
Yes, but distributing the new profile via AirWatch doesn't always work.
It's rather a problem of signing more than capabilities.
If the new provisioning profile is signed with the same distribution certificate, pushing it via AirWatch may work. But sometimes it won't and the user will have to manually remove and reinstall the app.
If the new profile uses a new certificate, the apps will NOT receive the update. Don't trust AirWatch's information about app expiration in the apps list!
My advice is to create a new version of the app and sign the IPA with the new provisioning profile, then release it as an update.
An additional advantage is that you'll keep track of who has the older version (which will stop working when the profile expires) while the new version will work just fine.
When the certificate expires, is there any way to fix the apps without updating every app across the enterprise using the expiring certificate?
No, I usually increase the version number, create a new IPA, re-generate the provisioning profile, use it to sign the IPA, and distribute the app as an update using AirWatch.
Can I revoke the active certificate that is used for internally published apps prior to the expiration date without impacting them?
No, if you revoke a certificate every app that uses it will stop working.
Source: https://help.apple.com/developer-account/#/dev7d381a7ff
See Apple's documentation on managing expired certificates; it's long but exhaustive.
From a certificate administration perspective, should we create a shared Apple ID with a generic login or tie it to one particular developer?
Use roles. The team Agent is the admin of the account and is used only when you have to accept new TOS, renew the membership, etc.
Set up developer accounts (I prefer one for each developer, so that everyone has their own developer certificate) and make the team leader admin of the developer account.
This way the team leader can set up the apps for the deploy while the developer will focus on coding.
I understand it may seem complex, but once you get used to this structure you'll appreciate how manageable it is, and usually the team leader can manage many developer accounts with little work.
Supporting your mobile apps, releasing updates to follow new iOS releases and bug-fixing are time-consuming activities. And so is maintaining certificates and deploying apps. You should charge your customer for these services too, if you make B2B
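The answer above turns on two facts about a profile: when it expires, and whether its replacement still carries the same distribution certificate. As an added example (not code from the original answers), this Python sketch reads both from profile files and returns the matching course of action; the sample profiles, the bundle ID, and the 60-day warning window are constructed assumptions.

```python
import hashlib
import plistlib
from datetime import datetime

def load_profile(blob):
    """Pull the plist out of a .mobileprovision (a CMS-signed container).
    The signature is NOT verified here: inventory/reporting use only."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def cert_fingerprints(profile):
    """SHA-256 of every DER certificate the profile authorises."""
    return {hashlib.sha256(der).hexdigest()
            for der in profile.get("DeveloperCertificates", [])}

def renewal_plan(old, new, now, warn_days=60):
    """Compare the installed profile with its replacement."""
    days_left = (old["ExpirationDate"] - now).days
    same_cert = bool(cert_fingerprints(old) & cert_fingerprints(new))
    app_id = new["Entitlements"]["application-identifier"]
    return {
        "name": old["Name"],
        "days_left": days_left,
        "needs_action": days_left <= warn_days,
        "wildcard_app_id": app_id.endswith("*"),
        "same_certificate": same_cert,
        "action": ("push profile via MDM, then verify on a device" if same_cert
                   else "re-sign the IPA and release it as an update"),
    }

def sample_profile(name, expires, cert_der):
    """Constructed stand-in for a real file: junk bytes around an XML plist."""
    plist = plistlib.dumps({
        "Name": name, "ExpirationDate": expires,
        "DeveloperCertificates": [cert_der],
        "Entitlements": {"application-identifier": "ABCDE12345.com.example.fieldapp"},
    })
    return b"\x30\x80CMS" + plist + b"\x00\x00SIG"

if __name__ == "__main__":
    old = load_profile(sample_profile("FieldApp 2024", datetime(2025, 1, 31), b"old-cert"))
    new = load_profile(sample_profile("FieldApp 2025", datetime(2026, 1, 31), b"new-cert"))
    print(renewal_plan(old, new, now=datetime(2025, 1, 1)))
```

On a Mac, `security cms -D -i profile.mobileprovision` decodes the same plist through the system CMS decoder instead of scanning for it; `plistlib` returns naive UTC datetimes by default, so `now` must be naive UTC as well.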
I have some doubts about how distributing for clients that have an Enterprise Developer account works.
Here is the situation:
- My company has its own developer account (a normal one, not enterprise).
- My client wants to distribute an app using their own account.
- My company has to develop this app.
Now, how do I set up my Xcode for this? Which solution is the best? Should I use the client's account directly, or is there a way in which they add my account as a developer in their team?
I'm concerned about this because I'm going to use my company account to test this app on devices during development, and Xcode, to me, is pretty hard to understand when it comes to changing certificates and accounts.
Thanks a lot.
As Alessia already wrote, the easiest way is to build the app with the enterprise certificate of your customer. For that your customer has to provide you the private/public key pair or give you access to their enterprise program so you can create and download it.
If your customer does not want to provide it to you (maybe for security reasons) there is another way. It's more complicated, especially if your customer has no experience with iOS development. In that case you have to develop and test your app with your own developer program. If your release version successfully passes your quality tests, you deliver it to your customer and they need to re-sign your app. See: example for resign
I think the easiest thing is to make the build with the enterprise certificates.
So you should ask for the identity and mobile provisioning created from the enterprise account of your client, and then build your app with these certificates.
Your client can also enable (in developer mode) your Apple account so you can create the certificates yourself (in enterprise).
You can also create multiple targets for this management.
There have been a lot of questions on this already that answer some of my questions. I am looking for someone who has direct experience with setting up and managing both accounts.
I have a situation where I need to send a private Beta test to more than 100 people (the ad-hoc device limit for iOS), but I still want to be able to publish publicly to the app store.
My solution is to obtain both an enterprise account and a regular developer account. The enterprise account allows me to distribute to anyone within my company, privately with no limit. The regular account gives me the ability to publish to the app store. Unfortunately this means I have to create two different Apple developer accounts.
I am worried about the hidden caveats that are involved with this process.
Are there any caveats with managing two separate Apple developer accounts for the same application?
Any problem with packaging names for applications? I'm assuming the identifier needs to be different.
I hear that you cannot test StoreKit with the enterprise program. Any other problems similar to that?
I have experience with managing both Developer and Enterprise a/c. We have multiple applications in appstore. We mainly use the enterprise a/c for testing and developer's a/c for publishing the application to app store. This has worked fine for us for more than a year now.
That being said, managing two accounts is cumbersome. I have no idea why Apple won't allow us to create an App Store distribution profile using the Enterprise a/c! Here are a few recommendations:
Choose the names of the accounts so that you could easily distinguish them e.g. "xxx developer" and "xxx enterprise".
It is possible to create the developer and ad-hoc distribution profiles in both the accounts. Over time it can become messy, especially if you have multiple developers and applications. So I would recommend forming some guidelines for the accounts' usage beforehand.
You can use the Wildcard App Id when creating the distribution profile. So you can avoid changing the Apple Id for the same application in these accounts. However, if you use Push Notifications and/or In App Purchase then you will have to use explicit App Id, and App Id needs to be different in each account.
I am a member of two development teams in the Developer Portal. One team is no longer in existence and is not being maintained by the team's "Agent".
Now herein lies my problem. I am trying to refresh my provisioning profiles in Xcode, but continually get a message telling me to have the team agent for the non-existent team to agree to current terms. Again, that team is no longer active, the developer no longer works for the company, etc., etc.
On the other hand, the team for which I am trying to do work has all agreements current. Is there any workaround for getting past this message then?
This is happening because your Apple ID is associated with more than one developer account. The refresh operation first hits the developer portal and runs refresh on each developer program that it finds you associated with. Unfortunately, if the un-maintained account is listed first then it will fail the entire refresh operation.
Now given that the agent is not maintaining the program, I'd hazard a guess that getting in touch with that individual to remove you from the program is also off the table. Your next best bet is to contact Apple Developer Support and let them know that the Team Agent is not reachable and as a result you are unable to remove yourself from that un-maintained account which is causing you pain when it comes to Xcode Organizer operations. Once you get removed from that account, that should resolve the problem with the refresh operation as it will then only find your single maintained account to refresh. It would also be a good idea to remove any stray Certificates and Provisioning Profiles associated with the unmaintained account so that Xcode doesn't have an opportunity to spaz over not being authorized for the un-maintained account.
In the interim, your only option is to use the Certificates, Identifiers, and Profiles tool to download provisioning profiles manually. When you download new files, take an extra moment to delete the old ones to minimize confusion between older and newer versions of the profiles.