Why does iOS ad-hoc distribution still need to trust the enterprise developer? - ios

We have an enterprise account and need to distribute the App with ad-hoc distribution.
But with ad-hoc distribution, the testers were still asked to trust the enterprise developer, and we cannot find Profile & Device Management in Settings. Why does iOS ad-hoc distribution still need to trust the enterprise developer?
Has anyone encountered a similar issue?

Once you have installed the application:
1: Go to Settings -> General
2: Profile and Device Management
3: Click on "Untrusted app"
4: There is an option for "trust"

As described here: https://discussions.apple.com/thread/7611217 , the "profile and device management" setting only shows up when a profile has been installed. If it is not showing up it means the tester did not install the profile.
The ad-hoc build requires the user to trust it because it has not gone through the Apple approval process. This is a security feature to make sure users are not installing random, potentially malicious apps on their phones. It's meant to make them aware that this isn't a verified app yet and they need to be sure they trust the person who sent it to them.

I have had this issue for 3 weeks. After the Xcode 9.3 update, I couldn't run an ad-hoc build on the device with an enterprise account. It was asking to trust the developer in Settings, but you don't need to trust the developer for an ad-hoc build; you just need to add the device UUID to the provisioning profile. Also, there is no option for it in the device management section of Settings if the ipa file was generated via ad-hoc distribution.
I tried with a newly generated ad-hoc provisioning profile, but there was no luck. I tried a newly created project with a new app ID and still no luck.
I think there are some changes to ad-hoc distribution on enterprise accounts, or some bugs.
I used a company account to export the ad-hoc build to work around the issue.

Related

Appcenter iOS install error "this app cannot be installed because its integrity could not be verified"

I see that this question has been asked many times but I see no solution that works for me so I'm hoping that providing more info might shed some light.
We use appcenter.ms to test iOS apps. Until our iOS certificate expired this method worked fine. We generated a new enterprise certificate and ad hoc provisioning profile for new releases of the iOS app. Which led to the first curiosity.
I see how to upload a certificate on appcenter.ms but not a provisioning profile. I thought there was an option to do this in the past but perhaps I am mistaken. However, the app is signed with a provisioning profile before upload, so perhaps this is not needed now.
Once the app is uploaded, it can't be installed. It remains grey and when you tap it, you get the "this app cannot be installed because its integrity could not be verified" error. Again, note that the .ipa is created with an ad hoc certificate and profile in Xamarin (VS for Mac).
Also, I can't install the provisioning profile on a device from appcenter.ms. You basically get stuck in a loop where you seem to successfully install the profile but have to keep doing it because it never actually installs.
I hope this is enough info for some insight and thanks in advance for any feedback.
We were able to solve this by redoing and downloading development certs and via
And also downloading and double clicking the apple development certificate here
After that our keychain showed both as trusted and we could build to the iPhone again.
The issue can be that your device is simply not registered on the developer portal and/or that ad-hoc provisioning profiles have not been regenerated.
You need to register your device, regenerate a provisioning profile with this device in it and rebuild your app using this profile.
This can also happen because of
Developer ID Notary Service - Outage
which can be checked on https://developer.apple.com/system-status/
Notarization is well explained here:
Notarization gives users more confidence that the Developer ID-signed
software you distribute has been checked by Apple for malicious
components. Notarization is not App Review. The Apple notary service
is an automated system that scans your software for malicious content,
checks for code-signing issues, and returns the results to you
quickly. If there are no issues, the notary service generates a ticket
for you to staple to your software.
Work around fix:
Select your app.
Navigate to TestFlight tab
Create External Testing group
Add one tester
Add build which you want to download using TestFlight
Open TestFlight and download an app.
In my case this was caused by trying to include an entitlement for aps-environment "development" when using an Ad-Hoc provisioning profile. The value for this environment in Entitlements.plist must match what is hard coded into the provisioning profile file - if you open an Ad-Hoc profile in a text editor you will see it expects the "production" environment.
The possible solutions depending on your requirements are to either use the Development profile/certificate, or change the aps-environment to "production" to continue using an Ad-Hoc provisioning profile.
It can also happen if you have other incorrect entitlements - worth checking what entitlements are enabled under the Identifier in Apple Developer portal and removing unnecessary ones.
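An added example (not part of any answer on this page): a Python check for the mismatch described in the answer above, comparing the entitlements an app requests against those its provisioning profile grants, and classifying the profile by its device restrictions. The profile bytes, team ID and bundle ID are constructed, and the sketch does not verify the profile's CMS signature.

```python
import plistlib

def load_profile(raw: bytes) -> dict:
    """Pull the XML plist out of a .mobileprovision blob (CMS signature is NOT verified)."""
    start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def profile_type(profile: dict) -> str:
    """Classify by who may install: all devices, listed UDIDs, or App Store only."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        debuggable = profile.get("Entitlements", {}).get("get-task-allow")
        return "development" if debuggable else "ad-hoc"
    return "app-store"

def _permits(allowed, requested) -> bool:
    """True if the profile's value covers the app's value ('*' suffix = prefix match)."""
    if isinstance(allowed, list):
        wanted = requested if isinstance(requested, list) else [requested]
        return all(any(_permits(a, w) for a in allowed) for w in wanted)
    if isinstance(allowed, str) and allowed.endswith("*"):
        return isinstance(requested, str) and requested.startswith(allowed[:-1])
    return allowed == requested

def entitlement_mismatches(profile: dict, app_entitlements: dict) -> list:
    """List entitlements the app requests that the profile does not grant."""
    granted = profile.get("Entitlements", {})
    problems = []
    for key, value in app_entitlements.items():
        if key not in granted:
            problems.append(f"{key}: not present in profile")
        elif not _permits(granted[key], value):
            problems.append(f"{key}: app requests {value!r}, profile grants {granted[key]!r}")
    return problems

# Constructed samples: fake CMS wrapper around a minimal ad-hoc profile, and a debug-style app plist.
SAMPLE_PROFILE = b"\x30\x80cms-header" + plistlib.dumps({
    "ProvisionedDevices": ["00000000-CONSTRUCTED-UDID"],
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.app",
                     "aps-environment": "production", "get-task-allow": False},
}) + b"\x00cms-signature"
APP_ENTITLEMENTS = {"application-identifier": "ABCDE12345.com.example.app",
                    "aps-environment": "development"}

if __name__ == "__main__":
    print(entitlement_mismatches(load_profile(SAMPLE_PROFILE), APP_ENTITLEMENTS))
```

On a Mac, `security cms -D -i embedded.mobileprovision` decodes the profile plist and `codesign -d --entitlements :- MyApp.app` prints the signed entitlements to compare (file and app names here are placeholders).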
I had this issue because when building the app in Xcode for distribution (Product->Archive then Distribute App), I chose automatic signing. After manually signing the app and choosing my own generated certificate and profile, everything worked fine again.
I removed the Entitlements file from the Additional Resources in iOS Bundle Signing and it worked.
I think the MSAL configuration was set to debug in entitlements.plist
I have also faced this issue before, but for me the reason was a little different.
First, the build was an enterprise one, and it was made on an earlier Xcode version that did not support the iOS version you are using on the device.
All I did was update my Xcode, make a new build and share it. After that we were able to install that build on the device. Hope it works for you as well.
This is how I solved for myself.
In your iPhone Settings > General > VPN & Device Management you should see your company name (if an app from it is installed), and if you click on it, you will see a button like "Verify" above the list of installed apps provided by the company. Just click on "Verify".

iOS Enterprise In-house distribution account to use

In years gone by we found that we could only have 1 distribution certificate per logged-on user, so we created as many accounts as were needed, 3 in our case, 1 for each developer program, and logged onto the Mac using the required account.
So anytime an app was developed and needed to be distributed in-house, I would log onto the Mac using the enterprise account, archive and distribute for in-house, and send the resulting .ipa file and the provisioning profile to the users.
I have now discovered I can have multiple distribution certificates on the Mac and am trying to see if I can distribute via in-house logged on to the Mac as me and use my own profile or the team profile that links to the enterprise developer program.
The app builds OK and generates the ipa file and I can install using iTunes, but I get a faded icon on the iPhone and when tapped it says installing but never does?
So, my two part question is:
a) is it possible to distribute in-house using my enterprise linked account logged on as me and using my profile or team profile
b) I read you do not need to give the user the profile, but I have always done this as was the requirement when I first learned to do this?
Thanks
a) Yes. I have 10 or so certificates (dev & dist) on my computer for various clients. I keep them in separate keychains for peace of mind. When it comes to time distribute your in-house binary, you archive in Xcode then hit the Distribute… button in the Xcode organizer, choosing the correct Enterprise profile.
b) This is no longer necessary as the Distribute… step mentioned above embeds the profile in the app. Things are much easier than they used to be.
NB: I avoid wildcard provisioning profiles as they can cause heartache, even in simpler situations than yours (e.g. if Xcode chooses a wildcard Ad Hoc profile during Archive, then your entitlements may be wrong once you Distribute), so for this reason I recommend you always use explicit profiles.

Enterprise provisioning profile. Sign devices without adding them

Please correct me. I had an Apple developer account and worked as an individual developer. Right now I have access to the enterprise account. I have information that I can build an app using an enterprise profile even without adding a UDID to it. So it means I can build apps on all my devices without signing them on the portal. Am I right?
Can someone link to some topic or tutorial on how to make the profile like I've described, of course if it makes sense? I am not sure, maybe I am confused about it.
Yes, in the case of an enterprise profile you don't need to add the UDID of your device [or anyone else's] to it; you can make a build with it and install it on any iOS device.
You can see some questions and answers about enterprise account
Here
No, when using an iOS Enterprise Program distribution deployment method you need not enter every device ID.
All you need is a distribution certificate for signing and a provisioning profile built for it. Note that ANYONE that has the profile can run the app on their device, although you can revoke the profile if necessary.
You are also given the standard test and Ad Hoc deployment mechanisms as with the standard Development Program. The Ad Hoc is limited to 100 devices, which I don't understand, but anyway, there it is.
You can visit this link for your reference

iOS Developer Builds vs Distribution Builds

I've been under the impression for some time that for iOS, signing a build with a developer provisioning profile allows the app to run (and get debugged) on an authorized device (listed in the development provisioning profile) through an Xcode build, whereas signing with a distribution profile allows the app to be run (but not debugged) on other iOS devices that have been specifically added to the distribution provisioning file for the purposes of QA/beta testing/etc (and installed via iTunes sync or OTA distribution), without the need for those QA/beta-testers to even know what an Xcode is.
Seems to match several of Apple's own docs:
"When you’re ready to share your app for user testing [...], you need
to create an archive of the app using a distribution provisioning
profile and send it to app testers" (source)
and
Code Signing with a development profile allows your app to run on
device through Xcode, and signing with a distribution profile allows
you to create distribution builds.
The certificate named "iPhone Developer" allows you to run/debug your
app on iOS devices through Xcode, and the certificate named "iPhone
Distribution" allows testing your submission build with Ad Hoc
distribution (source)
This seems to imply that using a distribution profile is necessary to do app sharing outside of the App Store, and for years I've always assumed this to be true. Recently however, I've been shown a use case from another colleague where they've been able to share builds with many other people using only a development provisioning file. Another user has described a similar discovery here: Why not use development provisioning instead of ad hoc?
I'm worried I might be missing something here, I'm now suspicious that there are cases where as long as another user has access to a relevant developer provisioning profile that includes their device's UUID, and installs it on their device (drag into iTunes, config utility, etc), that they would be able to sync Developer builds through iTunes as well, without the need for making separate Distribution builds.
This has led me to question some of the assumptions I've had about the nature of the differences between developer and distribution builds in general. I'm starting to think that it's more about debug support and general ease of installation, rather than the nature of how it's installed (Xcode vs iTunes/OTA explicitly).
In short, if a device has its UUID included in a developer provisioning profile, do I really need to make separate distribution builds, or can I simply share a Release Development build and assume that will work with an iTunes sync as well? Does the "Use for Development" button in organizer have any real relevance to this?
More broadly: what are the fundamental differences between Developer and AdHoc builds in terms of how they can be shared among other people within an organization in the development/testing phase before being submitted to the App Store?
Check this SO Post for the differences listed out between developer and distribution builds. From a developer perspective, there is not much difference whether you want to distribute your app either by signing it with a developer profile or distribution profile, provided you are not testing push notifications.

Showing beta versions of an app to a customer

Can I send to my customer a beta version of my iOS app that he can run in the Simulator ?
Can I install Simulator only (without Xcode) on a Mac ?
I actually need an efficient methodology to send him the beta versions of the app, without having to meet him at each update.
Also, (3.) is there a way to install a beta version of the app I developed in my Xcode on his iOS device without the App Store?
Thanks
No, I do not believe you can.
No, I don't think so. If you could, however, you'd also have to put all your source code on that machine and build your app there, just to run it in the simulator.
Yes, it's called an Ad Hoc build. You create a special provisioning profile through the provisioning portal on Apple's Developer portal. You then sign the build with that provisioning profile (actually, "Build and Archive"). Then you can, through the Xcode Organizer, share that build via e-mail with your customer. The Organizer creates an .ipa file and includes it along with the provisioning profile into an e-mail message which you can then compose and send.
Edit: The Ad Hoc provisioning profile will, of course, need to include the UDIDs of your customer's device(s) on which they would like to test. That is the missing piece here that ties it all together: UDIDs, Ad Hoc profile, signed app with that profile, e-mail it to the customer and they can install both files (ipa and profile) via iTunes.
Lots of documentation on this, right in the Developer portal.
TestFlightApp.com is a great way to easily manage and distribute beta tests and ad-hoc builds. It's nothing you couldn't do yourself, manually, but it really helps make it easy, and is free.
