My iOS Provisioning Profile will expire soon and I need to know the smoothest way to renew that profile. My certificate doesn't expire for another couple of years, so the certificate itself should be fine.It is an in-house (non-App Store) app and is installed on a number of devices.
Which is why I'm wondering if the app will stop working if I do the following:
Let the provisioning profile expire.
Click generate inside the existing profile.
If so, is there any way to update/renew the profile without taking down the app or releasing a new version? If I have to release a new version, is the best option to create a new profile to reduce downtime?
So generating a new provisioning profile will not invalidate any of the apps out there on devices. Basically, you should choose option 2. Generate the new provisioning profile, build a new version of the app with the new provisioning profile, and just make sure all your users / testers update to the new version of the app.
Alternatively, you could generate the provisioning profile and then distribute the profile to all the devices through MDM (if you're using an MDM solution) or by email (not a great experience). Basically the app will continue to run as long as the new provisioning profile gets on the device before the old one expires, whether that's through MDM, manually, or by installing a new version of the app with the provisioning profile in the .app payload. Or if your users download any app with the new provisioning profile, assuming that provisioning profile is set up with a wildcard app ID, that will also correct it (see information about that here: https://stackoverflow.com/a/29121777/3708242).
But option 1 will certainly result in your app refusing to launch once the expiration date arrives.
Related
I have developed a couple of applications in iOS. Few days before my provisioning profile got expired. I renewed and downloaded it from apple developer portal. Now my question is how this new profile will get reflected in existing applications? Since there are many applications I won't be able to build it again with a new provisioning profile. So please let me know how to add this new profile with existing applications without a rebuild.
Thanks in advance.
The answer depends on what kind of builds you're concerned about:
App Store: expired provisioning profiles don't affect builds that have been downloaded from the App Store. You don't need to make a new build with the provisioning profile. You will, however, need to use the new provisioning profile if you update the app on the App Store.
Ad Hoc: builds will stop running if the provisioning profile used to create them has expired. You will need to make new builds and distribute them again.
Enterprise: you can update the profiles using the MDM protocol. See the "Provisioning Profiles Can Be Installed Using MDM
" section in the MDM Protocol Reference.
I have an app in enterprise appstore and the provisioning profile with which I created iPa is due to expire next month. If I go to developer account and renew the provisioning profile, what happens to the app in appstore which was created with old provisioning profile? Should I create a new iPa with new renewed provisioning profile and submit it? Is it enough to just renew the expiring provisioning profile or should we renew, create iPa with new one and upload it to appstore again?
Any help would be appreciated. Thanks!
You will need to provide a new provisioning profile, that has a new expiration date, to the devices with your app or existing installations of the app will stop working.
You can do this by packaging a new version of your app that includes the new provisioning profile and then having your users install the update.
Alternatively, if your devices are managed by an MDM (which is best practice) then you can have the MDM server push the updated provisioning profile to the devices. The advantage of this approach is that it doesn’t require any user action.
The process of certificate and provisioning profile expiration is explained quite well in this WWDC video
As an example, here are the instructions for Microsoft InTune
I maintain an internal iOS app for a client who has an Apple Developer Program account (not Enterprise). They routinely give new devices access to the app by adding the UDIDs to the Devices list in their Apple Developer account and updating their Distribution provisioning profile. Then they deploy the app to the new devices through Airwatch.
When they add new devices in this way, they don't want to have to rebuild the app in Xcode with the updated profile. Instead, they believe they should be able to export the updated profile from their developer account, upload the profile to Airwatch, and push the app to the new devices, without ever generating a new IPA.
Is it possible to do this without an Enterprise Apple Developer account?
As long as you can get the new provisioning profile on the devices through MDM, you don't need to publish a new build. You just need to make sure the profile is installed on the device before they try to install the app. iOS doesn't necessarily care if the valid provisioning profile is bundled with the app when it was packaged. It just cares if a valid provisioning profile is installed on the device when an app is installed / run on the device.
I have used a similar technique with some internal apps we have, since we use a wildcard bundle ID in our profile. If the profile bundled with app A expires, it doesn't matter as long as the user has installed app B, which has a newer, still valid profile.
In my opinion, the workflow should look like this:
new device(s) received
add devices to provisioning profile on developer site
download updated profile and distribute it to all devices, including new device(s) via MDM
have users of new device install app (which should work since they now have a valid profile on their device for the bundle ID in question)
This works for profiles, however, when the certificate expires, you will need to rebuild the app(s).
Context: A provisioning profile(PP) is nearly expired. The distribution certificate linked to it, will not expire for the next 2 years. The corresponding app is distributed over a MDM. All i read about renewing a PP is also including renewing the distribution certificate. But i just want to extend the PP with as little effort as possible.
Approaches: Either i would just press the "Generate" (on apple developer site while editing the PP) without changing anything or i would create a new one besides this one with same settings.
Questions: Which approach do you recommend? Is there a way, that i don't have to reinstall the app? What happens if i update this PP? Will the app run until the old PP is expired and then i have to install the new app with new PP?
I'd appreciate your input.
Yes, if the certificate is still good for a while, the best approach is to simply generate a new provisioning profile. Your existing deployments of the app will not be affected (as long as you don't revoke the certificate) because the existing profile is technically still valid until it expires.
Then, before the old profile expires, you have two options.
You can re-build the app with the new provisioning profile and push to the devices with your MDM solution. This will install the app AND the new provisioning profile on the devices. The app doesn't need to have changed - you are just using it to carry the payload of the new provisioning profile. The app will then work until the new provisioning profile expires (and you'll repeat this process next year).
If your MDM solution offers the ability to push the provisioning profile to your devices directly, take your new provisioning profile and deploy it to all the devices with the app. Once you have done this, the app will continue to run after the original, embedded provisioning profile has expired, because all iOS cares about is if there is a valid provisioning profile for the app ID on the device. No need to re-build the app, so this is preferable if there is no other reason to update the app.
Note that when your certificate expires, however, you will need to rebuild (or at least re-sign) the apps and redeploy them to the devices, so there will be no easy fix of just pushing a new provisioning profile when that happens. Plan ahead and give yourself enough time before the cert expires to make sure all necessary apps are re-built and redeployed.
I manage the iOS Enterprise distribution for several clients. We have come to a situation where a distribution certificate is near expiration and are curious as to the ramifications of cert renewal. The goal is maintain application integrity and not require app reinstallation. Is there a way to renew the certificate and regenerate the provisioning profiles, without impacting the end user?
If I renew the certificate and regenerate the provisioning profiles, will the end user be required to reinstall the application?
Thank you,
From the apple enterprise FAQ:
Distribution provisioning profiles expire 12 months after they’re issued. Two months before expiration, the iOS device begins displaying notifications about the impending expiration. After the expiration date, the app won’t launch.
Before to a provisioning profile expires, use the iOS Development Portal to create a new profile for the app. Create a new app archive (.ipa) with the new provisioning profile, for users who are installing the app for the first time.
For users who already have the app, you may want to time your next released version so that it includes the new provisioning profile. If not, you can distribute just the new .mobileprovision file so users won’t have to install the app again. The new provisioning profile will override the one that’s already in the app archive.
Source: http://help.apple.com/iosdeployment-apps/mac/1.1/#app43ad802c