How do I debug an application I got from Airwatch?

SCENARIO
Our team is working on an enterprise application that we have delivered to one of our clients via HockeyApp. This particular client is having issues logging in. The issue does not happen when we use our environment, but it always happens to our client who is on a VPN using their own environment and data. The issue must be debugged by us. The client has deployed the application using Airwatch and
WHAT'S BEEN DONE
I create an IPA to deploy over HockeyApp to the client.
The client has re-signed the application and deployed it over Airwatch.
I have downloaded the app from their Airwatch catalog to my device.
Built+Run from Xcode to run the app to debug on my device.
WHAT HAPPENS
Before it installs to my device I get the following message:
"This application's application-identifier entitlement does not match that of the installed application. These values must match for an upgrade to be allowed."
QUESTIONS
1) "application-identifier entitlement". What is this?
2) (broader question) How do I debug an application that was installed from Airwatch?

Go to Entitlements.plist and verify the application identifier; that should match what is already installed.
I remember using Airwatch, which has a lot of issues. Ask the client to run your app directly without using Airwatch. If that works fine, Airwatch is the culprit. Airwatch modifies your app to make it controllable; that might have caused the issue.

The client should not have to re-sign the app for it to work in their environment. I suspect that is the issue, as I've run into something similar. If you are using an enterprise iOS account, you can sign the app and send them that. Have them try installing/deploying without re-signing (no need for them to do so using their enterprise iOS acct).
If it works with the signed app from your side, problem solved. AirWatch does not require the client to 'sign' from their iOS developer account at all. It just needs to have the app and matching provisioning profile from 'a' developer account. Using your own signed app should work without any issue. That was the fix to a very similar issue where a vendor repeatedly told our team it was an 'AirWatch' problem and had our devs repeatedly resign unnecessarily. Once they sent us their signed .ipa and provisioning profile everything worked without any further problem.
AirWatch does not 'modify' any app to make it manageable unless your client is using app wrapping which is likely unnecessary. If just providing an app that requires zero modification, the most likely culprit is the re-signed app the client has; and the solution is simply providing the client with the signed app you have already with the provisioning profile already embedded in the .ipa from your own enterprise iOS dev account. Again, no resigning should be necessary and is typically the root cause of the issue for these types of problems.

Related

Appcenter iOS install error "this app cannot be installed because its integrity could not be verified"

I see that this question has been asked many times but I see no solution that works for me so I'm hoping that providing more info might shed some light.
We use appcenter.ms to test iOS apps. Until our iOS certificate expired this method worked fine. We generated a new enterprise certificate and ad hoc provisioning profile for new releases of the iOS app. Which led to the first curiosity.
I see how to upload a certificate on appcenter.ms but not a provisioning profile. I thought there was an option to do this in the past but perhaps I am mistaken. However, the app is signed with a provisioning profile before upload, so perhaps this is not needed now.
Once the app is uploaded, it can't be installed. It remains grey and when you tap it, you get the "this app cannot be installed because its integrity could not be verified" error. Again, that the .ipa is created with an ad hoc certificate and profile in Xamarin (VS for Mac).
Also, I can't install the provisioning profile on a device from appcenter.ms. You basically get stuck in a loop where you seem to successfully install the profile but have to keep doing it because it never actually installs.
I hope this is enough info for some insight and thanks in advance for any feedback.
We were able to solve this by redoing and downloading development certs and via
And also downloading and double clicking the apple development certificate here
After that our keychain showed both as trusted and we could build to the iPhone again.
The issue can be that your device is simply not registered on the developer portal and/or that ad-hoc provisioning profiles have not been regenerated.
You need to register your device, regenerate a provisioning profile with this device in it and rebuild your app using this profile.
This can also happen because of
Developer ID Notary Service - Outage
which can be checked on https://developer.apple.com/system-status/
Notarization is well explained here:
Notarization gives users more confidence that the Developer ID-signed
software you distribute has been checked by Apple for malicious
components. Notarization is not App Review. The Apple notary service
is an automated system that scans your software for malicious content,
checks for code-signing issues, and returns the results to you
quickly. If there are no issues, the notary service generates a ticket
for you to staple to your software.
Work around fix:
Select your app.
Navigate to TestFlight tab
Create External Testing group
Add one tester
Add build which you want to download using TestFlight
Open TestFlight and download an app.
In my case this was caused by trying to include an entitlement for aps-environment "development" when using an Ad-Hoc provisioning profile. The value for this environment in Entitlements.plist must match what is hard coded into the provisioning profile file - if you open an Ad-Hoc profile in a text editor you will see it expects the "production" environment.
The possible solutions depending on your requirements are to either use the Development profile/certificate, or change the aps-environment to "production" to continue using an Ad-Hoc provisioning profile.
It can also happen if you have other incorrect entitlements - worth checking what entitlements are enabled under the Identifier in Apple Developer portal and removing unnecessary ones.
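The comparison described in the answer above (what the build's entitlements request versus what the provisioning profile grants), as an added example that is not part of the original answers. The team ID, bundle ID and profile bytes are constructed samples, and the profile's CMS signature is not verified.

```python
import plistlib

def profile_entitlements(blob: bytes) -> dict:
    """Slice the XML plist out of a .mobileprovision (a CMS envelope) and
    return its Entitlements dict. Inspection only: the signature is not verified."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])["Entitlements"]

def allowed(granted, requested) -> bool:
    """A granted string may end in '*' (wildcard App ID); a granted list is an allow-list."""
    if isinstance(granted, str) and granted.endswith("*"):
        return isinstance(requested, str) and requested.startswith(granted[:-1])
    if isinstance(granted, list):
        wanted = requested if isinstance(requested, list) else [requested]
        return all(any(allowed(g, w) for g in granted) for w in wanted)
    return granted == requested

def entitlement_mismatches(profile: dict, app: dict) -> list:
    """(key, app value, profile value) for every entitlement the profile does not grant."""
    return [(k, v, profile.get(k)) for k, v in sorted(app.items())
            if k not in profile or not allowed(profile[k], v)]

# Constructed sample: fake CMS framing around an Ad-Hoc style profile plist.
SAMPLE_PROFILE = b"0\x82\x01\x00" + plistlib.dumps({"Entitlements": {
    "application-identifier": "ABCDE12345.com.example.*",
    "aps-environment": "production",
    "get-task-allow": False,
    "keychain-access-groups": ["ABCDE12345.*"],
}}) + b"\x00constructed-signature"

# Constructed sample: what the app's Entitlements.plist asks for.
SAMPLE_APP = {
    "application-identifier": "ABCDE12345.com.example.thing",
    "aps-environment": "development",
    "get-task-allow": False,
    "keychain-access-groups": ["ABCDE12345.com.example.thing"],
}

if __name__ == "__main__":
    for key, app_value, granted in entitlement_mismatches(
            profile_entitlements(SAMPLE_PROFILE), SAMPLE_APP):
        print(f"{key}: app requests {app_value!r}, profile grants {granted!r}")
```
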
I had this issue because when building the app on Xcode for distribution (Product->Archive then Distribute App), I chose automatic signing. After manually signing the app and choosing my own generated certificate and profile, everything worked fine again.
I removed the Entitlements file from the Addition Resources in iOS Bundle Signing and it worked.
I think the MSAL configuration was set to debug in entitlements.plist
I have also faced this issue before, but for me the reason was a little different.
First, the build was an enterprise one, and it was made on an earlier Xcode version that did not support the iOS version you are using on the device.
All I did was update my Xcode, make a new build and share the build. After that we were able to install that build on the device. Hope it works for you as well.
This is how I solved for myself.
In your iPhone Settings > General > VPN & Device Management you should see your company name (if an app from it is installed), and if you click on it, you will see a button like "Verify" above the list of apps installed provided by the company. Just click on "Verify".

In an Enterprise iOS app, how to replace the *.mobileprovision file on device after existing profile expired, but without re-signing the IPA?

We have a series of iOS Enterprise applications that were built with Telerik Cordova (discontinued in May 2018). Those apps are in the process of being converted to a new platform, but in the meantime they must continue to service client needs.
The distribution certificate the apps were built with is valid for another 14 months or so, but the provisioning profiles expire in a few days. Since these are Enterprise apps they will expire with the profiles.
Unfortunately, Telerik can no longer rebuild the apps using an updated profile for us. We have re-signed the apps using new provisioning profiles (using both iReSign and Terminal). When we try to side-load the resulting IPAs through the Xcode Devices panel, we get an error stating that the entitlements do not match and the apps are not installed.
The question was raised as to whether or not we need to re-sign the apps since the certificates are still valid. Perhaps it would be possible to just replace the .mobileprovision file on the device somehow? I gave it a try using iTunes Sync but I cannot confirm whether the file actually went to the device or not.
Question: Is it possible to just update the *.mobileprovision on the device without re-signing the app? If so, could someone please give me the steps or direct me to a link to perform the steps?
Alternate Question: Otherwise, any thoughts on how to resolve my Entitlements issue? The app only needs Push Notifications, but Game Center and In-App Purchases are also enabled. These are reflected in the App ID and provisioning profile, and the distribution certificate is of type Apple Push Services.
I should point out that I am not an admin on the Apple Developer portal for the project as I am an outside consultant, so my portal access is strictly read-only.
Thanks in advance for any direction provided!
If the applications were distributed to the devices by an MDM, then you can push a new provisioning profile to them using the MDM.
If the applications were installed over the air from a web server or directly using iTunes or Apple Configurator, then you need to replace the entire application package on the device. This requires the app to be re-signed, since the changed .mobileprovision file will change the package signature.
If you don't have the original app ID with matching entitlements in the developer portal, then you will need to delete the existing application from the device before installing the new, re-signed application. You won't be able to do an in-place upgrade.

AIR iOS enterprise application fails to install from a remote location, but works fine locally

I'm building an iPad app (Adobe AIR 28.0) for a corporate client, and I'm struggling to get it working when signing it using their enterprise certificate.
What works:
The IPA builds correctly and is successfully signed with their enterprise certificate and provisioning profile. The app is set to Ad Hoc, doesn't use a wildcard bundle ID (although their certs do: my app is com.companyname.thing, and their provisioning profiles/certs are com.companyname.*).
If I use iTunes to install the application while connected via USB, it works correctly. Additionally if I select to install to a connected device during compilation in Adobe Animate it also works fine.
Once installed, on the first run of the app it complains about not trusting the certificate (this is expected), and if I then go to Settings on the device and manually trust the cert, the application runs as expected. All fine and in line with what I'd expect with an enterprise application.
What doesn't work:
However: when uploading the same IPA to a remote location, the application will download but fails to install completely, giving me the "[appname] could not be installed" message. This occurs on my test devices, but also on the corporate devices which have the required certificate installed. This happens when I upload the build to HockeyApp, and also the client's corporate distribution system (I'm unsure what system this is, but the end result is the same when users download the app)
Can anyone shed any light on why this might be occurring?
EDIT:
I tried to pull the app down from a remote location while observing the Xcode console, and found this error:
This is a start but isn't descriptive, what could be causing this? The profile is a valid Distribution one.
I thought I'd post the solution I found, in case any future folk encounter this. My issue was caused by a script that was modifying the IPA and not re-signing it.
The app went into a build system that strips out certain files for certain versions of the application, and then should re-sign it. The system was doing things in the wrong order - if you modify the internals of a compiled IPA and then fail to re-sign it, it'll fail to install. This also explained why it worked locally. Whew.
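A pre-upload check for the failure described in this answer (files stripped or changed after signing), as an added example that is not part of the original post. It assumes the seal file `_CodeSignature/CodeResources` lists resources under `files2` with SHA-256 digests in `hash2`; the IPA is a constructed sample, and the main executable and Info.plist are not covered because they are sealed elsewhere in the signature.

```python
import hashlib, io, plistlib, zipfile

SEAL = "_CodeSignature/CodeResources"

def check_resource_seal(ipa_bytes: bytes) -> dict:
    """Compare every resource sealed in CodeResources (files2/hash2) with the IPA contents.
    Returns {"missing": [...], "modified": [...]}, paths relative to the .app bundle."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = set(z.namelist())
        # Top-level bundle only: Payload/<name>.app/_CodeSignature/CodeResources
        seal_path = next((n for n in names if n.startswith("Payload/")
                          and n.count("/") == 3 and n.endswith(".app/" + SEAL)), None)
        if seal_path is None:
            raise ValueError("IPA has no top-level CodeResources: unsigned?")
        bundle = seal_path[:-len(SEAL)]
        sealed = plistlib.loads(z.read(seal_path)).get("files2", {})
        result = {"missing": [], "modified": []}
        for rel, entry in sorted(sealed.items()):
            if not isinstance(entry, dict) or "hash2" not in entry:
                continue  # nested code and symlinks are sealed differently; skipped here
            if bundle + rel not in names:
                if not entry.get("optional"):
                    result["missing"].append(rel)
            elif hashlib.sha256(z.read(bundle + rel)).digest() != entry["hash2"]:
                result["modified"].append(rel)
    return result

def build_sample_ipa(strip=(), tamper=()) -> bytes:
    """Constructed IPA: seal three resources, then apply optional post-signing changes."""
    files = {"config.json": b'{"env":"prod"}', "logo.png": b"\x89PNG-sample",
             "debug.html": b"<html/>"}
    seal = {"files2": {p: {"hash2": hashlib.sha256(d).digest()} for p, d in files.items()}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/" + SEAL, plistlib.dumps(seal))
        for p, d in files.items():
            if p not in strip:
                z.writestr("Payload/Sample.app/" + p, d + b"!" if p in tamper else d)
    return buf.getvalue()

if __name__ == "__main__":
    # A build step that strips a file after signing, as in the answer above.
    print(check_resource_seal(build_sample_ipa(strip=("debug.html",))))
```

A clean result here only means the listed resources still match the seal; `codesign --verify` on macOS remains the authoritative check of the whole signature.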

iOS MDM creation Trust Issue

I am creating an in house MDM solution and have managed to create everything I need in terms of the MDM server, SCEP server etc in order to gather information about our devices.
However, I am having an issue pushing the Enterprise Apps that we create. I can push the apps to the device (and they install without issue) but I am still presented with the 'Do you Trust this developer' prompt.
I was under the impression that Enterprise Apps should be trusted by default when deployed by MDM. I have tested this using Apple's Profile Manager and indeed the application is installing without issue and does not require the user to trust the developer.
I am obviously missing something obvious but have been chasing my tail trying to find out what it is!
Any help would be greatly appreciated.
Thanks in advance
David
OK. Turns out the issue was actually not much better than a typo!
Having uploaded the app to my server, I had a manual creation of the manifest for installation. The app identifier in the manifest did not match the actual app!
So... weirdly the app was pushed via MDM, the manifest was downloaded (and appeared under the control of MDM briefly) then iOS realised mad things were afoot so booted the app out to the normal enterprise installation process (untrusted developer dialogue etc).
Fixing the manifest bundle identifier to match the app fixes the issue.
That's many hours I'll never get back!
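A check for the mismatch described in this answer, as an added example that is not part of the original post: it compares the `bundle-identifier` in each item of a hand-written install manifest with the `CFBundleIdentifier` inside the IPA it points to. The bundle IDs, URL and IPA contents are constructed samples.

```python
import io, plistlib, zipfile

def ipa_bundle_id(ipa_bytes: bytes) -> str:
    """Read CFBundleIdentifier from Payload/<name>.app/Info.plist (XML or binary plist)."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            parts = name.split("/")
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app") and parts[2] == "Info.plist"):
                return plistlib.loads(z.read(name))["CFBundleIdentifier"]
    raise ValueError("no top-level Info.plist in IPA")

def manifest_mismatches(manifest_bytes: bytes, ipa_bytes: bytes) -> list:
    """(item index, manifest bundle-identifier, IPA bundle ID) for every item that differs."""
    actual = ipa_bundle_id(ipa_bytes)
    items = plistlib.loads(manifest_bytes).get("items", [])
    found = [(i, item.get("metadata", {}).get("bundle-identifier"))
             for i, item in enumerate(items)]
    return [(i, declared, actual) for i, declared in found if declared != actual]

def sample_ipa(bundle_id: str) -> bytes:
    """Constructed IPA holding only a binary Info.plist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": bundle_id},
                                  fmt=plistlib.FMT_BINARY))
    return buf.getvalue()

def sample_manifest(bundle_id: str) -> bytes:
    """Constructed install manifest with a single item."""
    return plistlib.dumps({"items": [{
        "assets": [{"kind": "software-package",
                    "url": "https://mdm.example.invalid/Sample.ipa"}],
        "metadata": {"bundle-identifier": bundle_id, "bundle-version": "1.0",
                     "kind": "software", "title": "Sample"},
    }]})

if __name__ == "__main__":
    # One transposed letter in the manifest is enough to produce a mismatch.
    print(manifest_mismatches(sample_manifest("com.example.thnig"),
                              sample_ipa("com.example.thing")))
```
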
I am guessing you are missing a CA certificate/root certificate that you used to sign your app. Due to this iOS might have been unable to trust the app since it was not able to confirm the validity of the signing cert.

Deploying iOS apps wirelessly. Enterprise apps

I have developed an app in the in-house, enterprise mode. While testing I was using the iPad provided to me by my company. I tested on it. I had certificates from developer member center. Tested just fine.
Now I have deployed the files on our secure server. I have a link where the ".ipa" files are present. So I used my same testing iPad and downloaded the app from that link via Safari on the iPad. It installed and ran successfully. Now I gave that link to another member of my team and he has his own iPad. When he clicks that link it starts installing but it doesn't finish. He gets an error. The error he gets is
"Unable to download Application.XYZ app could not be installed at this time. Done .Retry."
Same thing with another iPad. These iPads are NOT registered under testing on member center. So I have a thought. Since while testing I had certificates and all on my testing iPad, it might have recognized it and installed it. But the other completely new iPads are not identified. So how do I do it? How can I say my app that it is safe to install on so-so iPad that belongs to my co-worker. If I am not clear please ask. Thanks.
bobnoble is correct. You need to have an Enterprise Distribution certificate to use with this. Development certs are similar to ad-hoc certs in that you need to individually identify the device UDIDs that will be used.
We do a lot of work with enterprise customers and I never use the development certs, mainly just to cut down on the confusion. It might be a problem if one of our devs goes rogue :), but it is a chance we are willing to take.
In Xcode you can select the Project or the Targets when assigning the provided profiles.
Make sure you sign the target.
There is a nice tutorial on the testflight site:
http://help.testflightapp.com/customer/portal/articles/494413-how-to-create-an-ipa-xcode-4-3-
You are getting confused between a Distribution Certificate and an Enterprise Certificate. In your case you should use Enterprise or Adhoc Certificate. Enterprise certificate is not given to a person but organization and it is not created where other certs are created.
