Install iOS in house Distribution Provisioning Profile via Profile Manager - ios

We have a business that provides iPads (~1000 iPads) with our in-house iOS apps, which are managed by our MDM Apple Profile Manager.
We use Apple Developer Enterprise Program to build the in house apps with 3 year expiry certificate and 1 year expiry provisioning profile.
What we are struggling with is the renewal of the certificate (every 3 years) and provisioning profiles (every 1 year) WITHOUT:
Completely rebuilding the app with new provisioning profile and re-distributing it through MDM
Anyone having to touch the iPads to install the new provisioning profile. (Providing that the new provisioning profile is renewed from the Developer Portal before it expires).
According to this post, Renew iOS Provisioning Profile on in-house app
They said
Alternatively, you could generate the provisioning profile and then
distribute the profile to all the devices through MDM (if you're using
an MDM solution) or by email (not a great experience).
So my questions are:
Is it possible to install new provisioning profile via Apple Profile Manager? How do I go about doing it?
I tried emailing the .mobileprovision file and opening that file from an iPad but it didn't install the profile at all. What have I done wrong?
What is the best way to handle certificates (3 year expiry) and provisioning profiles (1 year expiry)?

Managing internal apps on iOS is unfortunately not a "set and forget" process. There is ongoing work, and planning needs to be done to make sure you keep your internal apps functioning when profiles and certificates are invalidated / expired.
I do not have experience with the Apple Profile Mgr, but it is most certainly possible to simply regenerate the provisioning profile(s) for your apps and remotely deploy them to the devices which have the apps on them. This will help with profile expirations, but will not help for certificate expiration (more on this below).
With newer versions of iOS, Apple no longer allows installation of provisioning profiles through the mail app, or a Safari link, etc. Basically at this point, provisioning profiles need to be installed with the app installation, through MDM, or through the Xcode "Devices" window.
For profile expirations, the best strategy is to simply distribute the new profile(s) via MDM (if you have one). For certificate expirations, the best idea is to plan ahead. Starting well before the cert expires (enough time that you can deploy the newly signed apps to all your devices before the expiration date), you need to rebuild (or simply re-sign the existing ipa) your apps with the new certificate / signing identity. Since you are using MDM, it should be easy to deploy the newly re-signed apps to all your enterprise devices before the cert expires and the apps no longer run. Make sure you provide enough time to make this happen, as some devices may be off network for a while and may not check in to the MDM server every day. The good news is that this is only needed every 2.5 years or so.
Note, to re-sign an ipa, see my answer here: https://stackoverflow.com/a/25656455/3708242

Related

What if the enterprise provisioning profile gets expired, will the apps build with it stops working?

Quick sanity check - I've read through several related questions and I'm still confused about this topic.
I have built the app with a provisioning profile (in-house) with an enterprise account.
That provisioning profile is expiring in the next few days and the distribution certificate used for that provisioning profile expires next year.
If the provisioning profile expires, will the apps which were distributed stop working, or will they keep working as the distribution cert is intact?
The answer is: MAYBE (but they will probably stop working)
So, the thing you need to realize is that, while your provisioning profile is installed with the app, at install time, it is simply added to the set of installed profiles on the device. When you go to run an app, iOS simply checks if there is a valid profile that works for the app. It doesn't have to be the one installed with the app.
So, let's say you have an enterprise provisioning profile that uses a wildcard app ID. You install your app (app A) with a provisioning profile that is set to expire on 4/12/2020. If that is the only enterprise app you have on the device, and you do not install a new provisioning profile through another means (like MDM - mobile device management), the app will not run on 4/13.
However, let's say your organization uses a wildcard id in their provisioning profile, and you (or another team) build a second app (app B) that is installed afterwards, but it is installed with a provisioning profile that is set to expire on 1/1/2021. If that app is installed on the same device as app A, when the user launches app A, it will check for a valid provisioning profile on the device, find the one installed with app B, and be allowed to run. This scenario is likely why #Shubham thinks that the app will continue to run - he has probably experienced this, but thought it was due to the certificate expiration. It definitely was NOT!
So, I would recommend you get a new provisioning profile installed on devices running those apps as soon as possible. The easiest way to do that is to create a new build of the app with the new provisioning profile and install the new version. If these are managed devices and your MDM software allows it, you could simply install a new provisioning profile directly.
But, whatever you do, don't believe that you don't need to worry about it because the certificate is still good. You need to get a newer profile on your devices or you will have a lot of apps that appear to crash on start up. Believe me, I've been there.
However, when you get close to the certificate expiring, you will definitely need to rebuild a new binary, so plan ahead for that. Pushing a new profile onto the device won't work then, because the binary on the device is signed with the cert, so the only way to fix an expired cert is to build a new binary signed by the new cert.
Your enterprise app needs to contain a valid provisioning profile. This means that it will need to be updated at least once every 12 months.
If your enterprise app is distributed by MDM then you can use your MDM to distribute a new provisioning profile without updating the entire app. A new app version will be required at least once every 2 years as the signing certificate will expire.
For more information refer to this 2014 WWDC session - Transcript
It was also covered briefly in this 2019 WWDC Session

How to guarantee a seamless transition from a nearly expired provisioning file and a new one?

Context: A provisioning profile (PP) is nearly expired. The distribution certificate linked to it will not expire for the next 2 years. The corresponding app is distributed over an MDM. All I read about renewing a PP also includes renewing the distribution certificate. But I just want to extend the PP with as little effort as possible.
Approaches: Either I would just press "Generate" (on the Apple developer site while editing the PP) without changing anything, or I would create a new one besides this one with the same settings.
Questions: Which approach do you recommend? Is there a way that I don't have to reinstall the app? What happens if I update this PP? Will the app run until the old PP is expired and then I have to install the new app with the new PP?
I'd appreciate your input.
Yes, if the certificate is still good for a while, the best approach is to simply generate a new provisioning profile. Your existing deployments of the app will not be affected (as long as you don't revoke the certificate) because the existing profile is technically still valid until it expires.
Then, before the old profile expires, you have two options.
You can re-build the app with the new provisioning profile and push to the devices with your MDM solution. This will install the app AND the new provisioning profile on the devices. The app doesn't need to have changed - you are just using it to carry the payload of the new provisioning profile. The app will then work until the new provisioning profile expires (and you'll repeat this process next year).
If your MDM solution offers the ability to push the provisioning profile to your devices directly, take your new provisioning profile and deploy it to all the devices with the app. Once you have done this, the app will continue to run after the original, embedded provisioning profile has expired, because all iOS cares about is if there is a valid provisioning profile for the app ID on the device. No need to re-build the app, so this is preferable if there is no other reason to update the app.
Note that when your certificate expires, however, you will need to rebuild (or at least re-sign) the apps and redeploy them to the devices, so there will be no easy fix of just pushing a new provisioning profile when that happens. Plan ahead and give yourself enough time before the cert expires to make sure all necessary apps are re-built and redeployed.

Renew iOS Provisioning Profile on in-house app

My iOS Provisioning Profile will expire soon and I need to know the smoothest way to renew that profile. My certificate doesn't expire for another couple of years, so the certificate itself should be fine. It is an in-house (non-App Store) app and is installed on a number of devices.
Which is why I'm wondering if the app will stop working if I do the following:
1. Let the provisioning profile expire.
2. Click generate inside the existing profile.
If so, is there any way to update/renew the profile without taking down the app or releasing a new version? If I have to release a new version, is the best option to create a new profile to reduce downtime?
So generating a new provisioning profile will not invalidate any of the apps out there on devices. Basically, you should choose option 2. Generate the new provisioning profile, build a new version of the app with the new provisioning profile, and just make sure all your users / testers update to the new version of the app.
Alternatively, you could generate the provisioning profile and then distribute the profile to all the devices through MDM (if you're using an MDM solution) or by email (not a great experience). Basically the app will continue to run as long as the new provisioning profile gets on the device before the old one expires, whether that's through MDM, manually, or by installing a new version of the app with the provisioning profile in the .app payload. Or if your users download any app with the new provisioning profile, assuming that provisioning profile is set up with a wildcard app ID, that will also correct it (see information about that here: https://stackoverflow.com/a/29121777/3708242).
But option 1 will certainly result in your app refusing to launch once the expiration date arrives.

How does your team ensure certificates and provisioning profiles for iOS don't expire?

The company I work for has a few iOS apps distributed through the Enterprise program. We don't update these apps very frequently. So making sure that the certificates and provisioning profiles don't expire until we've had the chance to renew and redistribute the apps can be easy to forget. How does your team ensure this doesn't happen?
There's really not much you can do to prevent this, other than trying to keep all your apps being created with the same certificate / profiles, as up to date as possible. I have yet to find a good automated solution.
To manage it, I think the best solution is to create a reminder each time you generate a new certificate that will remind you in 11.5 months to renew the certificate (using the original cert signing request file). Then generate your certificate and new provisioning profile to be distributed to the developers (either by hand or by having them all signed into their Apple developer accounts as team members).
Once you have your new certificate and profiles, you'll need to regenerate the IPAs through Xcode, or simply re-sign the ipa using the instructions found here: https://stackoverflow.com/a/25656455/3708242
For our internal apps using our enterprise distribution profile, we have put in self-update logic that allows us to push updates so that the users won't end up with an app that won't launch due to an expired provisioning profile or certificate.
Although I know many developers frown upon the use of wildcard ids in provisioning profiles, they do have one advantage here. If you have one app that is on all the devices, you could potentially get by with only updating that one app, as long as the new app has a provisioning profile and certificate that are not expired, and the provisioning profile has a wildcard id that matches all the internal apps you have. Once the valid profile is on the device, it will allow older apps to run. For more details about what I am talking about, see this answer: https://stackoverflow.com/a/29121777/3708242
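
The rule the answers on this page describe (an app keeps launching while any unexpired profile on the device matches its app ID, wildcards included), combined with the expiry tracking asked about in this question, as an added example that is not code from any of the posts. The team ID, bundle IDs, sample profiles and function names are constructed, the matching model follows the answers' description rather than Apple documentation, and the plist is read without verifying the CMS signature.

```python
import plistlib
from datetime import datetime, timedelta

def parse_profile(blob: bytes) -> dict:
    """Read the XML plist embedded in a .mobileprovision (CMS-signed) file."""
    # The CMS signature is NOT verified: use for inventory and alerting only.
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    plist = plistlib.loads(blob[start:end + len(b"</plist>")])
    return {"name": plist["Name"],
            "app_id": plist["Entitlements"]["application-identifier"],
            "expires": plist["ExpirationDate"]}  # naive datetime, UTC

def matches(pattern: str, app_identifier: str) -> bool:
    """Exact match, or prefix match when the profile's app ID ends in '*'."""
    if pattern.endswith("*"):
        return app_identifier.startswith(pattern[:-1])
    return pattern == app_identifier

def covered_until(profiles, app_identifier):
    """Latest expiry among profiles matching the app, or None if none match."""
    dates = [p["expires"] for p in profiles
             if matches(p["app_id"], app_identifier)]
    return max(dates, default=None)

def renewal_due(profiles, app_identifier, today, warn_days=60):
    """True when no matching profile outlives the warning window."""
    until = covered_until(profiles, app_identifier)
    return until is None or until - today <= timedelta(days=warn_days)

def make_sample(name, app_id, expires):
    # Constructed stand-in for a real file: plist wrapped in fake CMS bytes.
    body = plistlib.dumps({"Name": name, "ExpirationDate": expires,
                           "Entitlements": {"application-identifier": app_id}})
    return b"\x30\x82\x1f\x00" + body + b"\x00\x00"

# Constructed data mirroring the app A / app B scenario from the answer.
PROFILES = [
    parse_profile(make_sample("App A", "TEAMID1234.*", datetime(2020, 4, 12))),
    parse_profile(make_sample("App B", "TEAMID1234.*", datetime(2021, 1, 1))),
]
APP_A = "TEAMID1234.com.example.appa"  # hypothetical team ID and bundle ID

if __name__ == "__main__":
    print("covered until:", covered_until(PROFILES, APP_A))
    print("renewal due:", renewal_due(PROFILES, APP_A, datetime(2020, 11, 15)))
```

On macOS, `security cms -D -i embedded.mobileprovision` decodes the same plist from a real profile.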

Renewal of Apple Enterprise cert and impact to existing provisioning profiles

I manage the iOS Enterprise distribution for several clients. We have come to a situation where a distribution certificate is near expiration and are curious as to the ramifications of cert renewal. The goal is to maintain application integrity and not require app reinstallation. Is there a way to renew the certificate and regenerate the provisioning profiles, without impacting the end user?
If I renew the certificate and regenerate the provisioning profiles, will the end user be required to reinstall the application?
Thank you,
From the Apple enterprise FAQ:
Distribution provisioning profiles expire 12 months after they’re issued. Two months before expiration, the iOS device begins displaying notifications about the impending expiration. After the expiration date, the app won’t launch.
Before a provisioning profile expires, use the iOS Development Portal to create a new profile for the app. Create a new app archive (.ipa) with the new provisioning profile, for users who are installing the app for the first time.
For users who already have the app, you may want to time your next released version so that it includes the new provisioning profile. If not, you can distribute just the new .mobileprovision file so users won’t have to install the app again. The new provisioning profile will override the one that’s already in the app archive.
Source: http://help.apple.com/iosdeployment-apps/mac/1.1/#app43ad802c
