How come I can install app store profile signed application on my device? - ios

As per my understanding, to create an IPA for distribution for testing or sharing with others, I need to sign my application with an AdHoc profile. For uploading the IPA to the App Store, I need to sign the application using an App Store Distribution profile.
But I have an application for which, even if I create an IPA with the App Store distribution profile, I can install it on my test device (no, it is not jailbroken, and yes, it has the AdHoc profile installed on the device). This particular profile was created during iOS 6.
Now, when I create a new App Store distribution profile and try to install on the test device with the AdHoc profile being present, I am unable to do so.
Any idea how this is possible? Technically, as per my understanding, an IPA signed with an App Store Distribution profile should never be installable on devices directly using iTunes. It has to be installed through the App Store (after Apple's approval).

It is not possible to do so. Somehow the old certificate allowed me to install the app on one of the devices; after renewing the certificate, it no longer allows me to install the app signed with the App Store certificate on the device.
So the final answer is that it is not possible. It can only be installed on jailbroken devices (which is a different question altogether).

Related

Getting "app integrity cannot be verified" error when in developer mode

I currently have my iPhone (iOS 16.3) in developer mode, but when trying to install an apple device application file that I developed, I am getting the "Unable To Install [app]: This app cannot be installed because its integrity could not be verified". The only other way I know of to rectify this is to get a distribution provisioning profile and submit it on a test flight on the app store, but this is not an app I intend to distribute - it's for my own personal testing purposes. Is there a way to hard-bypass this restriction? I own the phone, I take full responsibility if I break it, especially if I break it with an application that I wrote myself.
Did you generate the IPA with a development profile, an ad-hoc, or a distribution profile? For development, you need a development profile that has your device's UUID enabled on it. You do not need to create a distribution profile.

Airwatch ad-hoc distribution without generating new IPA

I maintain an internal iOS app for a client who has an Apple Developer Program account (not Enterprise). They routinely give new devices access to the app by adding the UDIDs to the Devices list in their Apple Developer account and updating their Distribution provisioning profile. Then they deploy the app to the new devices through Airwatch.
When they add new devices in this way, they don't want to have to rebuild the app in Xcode with the updated profile. Instead, they believe they should be able to export the updated profile from their developer account, upload the profile to Airwatch, and push the app to the new devices, without ever generating a new IPA.
Is it possible to do this without an Enterprise Apple Developer account?
As long as you can get the new provisioning profile on the devices through MDM, you don't need to publish a new build. You just need to make sure the profile is installed on the device before they try to install the app. iOS doesn't necessarily care if the valid provisioning profile is bundled with the app when it was packaged. It just cares if a valid provisioning profile is installed on the device when an app is installed / run on the device.
I have used a similar technique with some internal apps we have, since we use a wildcard bundle ID in our profile. If the profile bundled with app A expires, it doesn't matter as long as the user has installed app B, which has a newer, still valid profile.
In my opinion, the workflow should look like this:
1. New device(s) received.
2. Add devices to the provisioning profile on the developer site.
3. Download the updated profile and distribute it to all devices, including the new device(s), via MDM.
4. Have users of the new devices install the app (which should work since they now have a valid profile on their device for the bundle ID in question).
This works for profiles, however, when the certificate expires, you will need to rebuild the app(s).

How come I can install an app store distribution build directly on my device?

I was under the impression that it was impossible to install an app store distribution build directly on a test device (without going through the actual App Store). I found multiple references to the following note by Apple (though I could not find the note itself in the current version of the iOS App Distribution Guide):
"App Store provisioning profiles do not allow for a distribution built application to be installed on an Apple device. To install your distribution ready application on a device, you must create an Ad Hoc provisioning profile."
Now consider the following: I have an Ad Hoc Distribution provisioning profile and an App Store Distribution provisioning profile. The ad hoc profile contains a list of provisioned devices, the app store profile doesn't. My (non-jailbroken) device is included in the provisioned devices in the ad hoc profile. My build was signed with the app store profile. The resulting .ipa file was submitted to the App Store (and approved - but it is not publicly available yet). When I view the package contents of the .ipa file, I see that the embedded.mobileprovision is indeed the app store profile (without the provisioned devices list). When I drag this profile to my Xcode Organizer, I get an error that the profile cannot be installed because the device is not included in the profile (as expected). However, when I drag the .ipa file to my Xcode Organizer, the app installs on the device (and can be opened on the device afterwards). I tried this after making sure there were no other copies of the same app installed on the device. The same thing does not work when I use a different device that is not included in the provisioned devices of the ad hoc profile (even though the .ipa contains the app store profile without provisioned devices list).
Does anyone have a possible explanation for this? It seems that somehow a build signed with an app store profile can still be installed on a device included in the corresponding (same app identifier? same team identifier?) ad hoc profile. But if this would be the case, what is the point of making separate ad hoc builds?
I noticed this too and always meant to find out why it worked.
It used to be true that you couldn’t install an App Store build but that appears to have changed, I’m guessing either in iOS6 or 5.
I found that I could only install App Store provisioning profile builds when a compatible Ad Hoc profile was already installed. Developer profiles did not work. I did not try wildcard profiles. So it looks like the Ad Hoc rules changed.
I can’t find the rules for installing an Ad Hoc build, but on the topic of launching, the “Ad Hoc Provisioning Profiles in Depth” section of Apple’s App Distribution Guide says that
“The app successfully launches if the app’s bundle ID matches the App ID, the signature matches the distribution certificate, and the device is in the device list of the ad hoc provisioning profile.”
So I guess technically an App Store build meets these Ad Hoc requirements because it too is signed with the same distribution certificate. The use of “the” is misleading here because it makes it sound like iOS consults your embedded.mobileprovision, which is untrue. It should read “an” ad hoc profile.
NB: The install only worked when the Ad Hoc profile was already installed on the device, so that’s one reason to make separate ad hoc builds.
NB: This is all conjecture, another explanation could be that Xcode handles the installation of the embedded.mobileprovision and now continues when the AppStore profile installation fails.
This raises another question for me: why does iOS DWIM for App Store builds yet refuses to launch Ad Hoc builds with expired provisioning profiles when a perfectly valid replacement is installed?
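The launch conditions quoted in the answer above, and the MDM answer's point that the profile installed on the device is the one that matters, can be checked against real profiles; this is an added example, not code from any of the posts. It reads the plist inside a `.mobileprovision` without verifying the CMS signature or the code-signing certificate, and the sample profiles, UDIDs and bundle ID are constructed.

```python
import plistlib
from datetime import datetime

def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of the CMS wrapper (signature NOT verified)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def profile_type(p: dict) -> str:
    """Classify a profile from its device list and get-task-allow entitlement."""
    if p.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" not in p:
        return "app-store"
    debuggable = p.get("Entitlements", {}).get("get-task-allow")
    return "development" if debuggable else "ad-hoc"

def covers(p: dict, udid: str, bundle_id: str, now: datetime) -> bool:
    """True if the profile is unexpired and names this device and bundle ID."""
    app_id = p["Entitlements"]["application-identifier"]   # "TEAMID.bundle.id"
    pattern = app_id.split(".", 1)[1]                      # may end in "*"
    if pattern.endswith("*"):
        id_ok = bundle_id.startswith(pattern[:-1])
    else:
        id_ok = bundle_id == pattern
    device_ok = bool(p.get("ProvisionsAllDevices")) or udid in p.get("ProvisionedDevices", [])
    return id_ok and device_ok and now < p["ExpirationDate"]

def make_sample(devices=None, get_task_allow=False) -> bytes:
    """Constructed stand-in for a .mobileprovision: fake CMS bytes around a plist."""
    body = {"Name": "constructed sample", "TeamIdentifier": ["ABCDE12345"],
            "ExpirationDate": datetime(2030, 1, 1),
            "Entitlements": {"application-identifier": "ABCDE12345.com.example.app",
                             "get-task-allow": get_task_allow}}
    if devices is not None:
        body["ProvisionedDevices"] = devices
    return b"\x30\x82fake-cms" + plistlib.dumps(body) + b"fake-signature"

if __name__ == "__main__":
    now = datetime(2025, 1, 1)
    embedded = extract_plist(make_sample())                     # inside the .ipa
    installed = extract_plist(make_sample(devices=["UDID-A"]))  # already on device
    for label, prof in (("embedded", embedded), ("installed", installed)):
        print(label, profile_type(prof),
              covers(prof, "UDID-A", "com.example.app", now))
```

For a real file, pass the bytes of `embedded.mobileprovision` from the unzipped `.ipa` to `extract_plist`.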

app showing Installing for long time

For one company we have created an in-house iPhone app. This app is not on the App Store. We provide them an updated provisioning file every time.
When the client tries to install the app on one of the iPhones, it keeps on saying Installing... but the installation never occurs.
Any idea why this is happening?
I have iOS 7 on client iPhone.
This could be for many reasons but the most common are:
- Did not sign with the right provisioning profile.
- The user's device is not set up in an ad hoc distribution profile.
- Is it signed using a proper enterprise provisioning profile?
- The information in the plist, if downloading from a site, does not match the file being downloaded.
- Poor internet connection.
I would go down the list and doubly check everything. Make sure that if you're building an adhoc profile from an app store account that it is actually being refreshed and not duplicated in Xcode when building with the provisioning profile that contains the proper UDID for the device they want to install it on.

iOS: What are DISTRIBUTION provisioning profiles used for?

This might have been asked lots of times, but still I couldn't find info on why are they needed. I use DEVELOPER prov profiles to test apps on my device, that makes sense.
The Provisioning Portal explains prov profiles like this:
"A Provisioning Profile is a collection of digital assets that uniquely ties developers and devices to an authorized iOS Development Team and enables a device to be used for testing."
By this logic they are only needed for testing, e.g. not for distribution. Do we need one to deploy the app on the App Store?
Absolutely yes. The distribution profile is used for submission to the App Store. It does not have the 100 device limit that the development profiles have.
From the Tools Workflow Guide:
"When you’re ready to share your app for user testing or for general distribution through the App Store, you need to create an archive of the app using a distribution provisioning profile and send it to app testers or submit it to iTunes Connect. This chapter shows how to perform these tasks."
The distribution profile prevents attackers from submitting a modified version of your app to the store - only you, who hold the private key of the distribution certificate, can submit and update your app.
Once your app is submitted, your embedded.mobileprovision and your binary will be checked and compared to make sure that you are the legitimate author. The embedded.mobileprovision file is then discarded and the app is signed again by Apple using their own certificate (which is by default accepted by all iDevices), so that all iDevices can run it.
When an iDevice downloads the app, the executable binary is then encrypted with an encryption key associated with that device. At run time, only that device can decrypt the executable binary and run it.
There are two types of distribution profiles: the first one is to submit your app to the App Store, and the other one (Ad-Hoc) is necessary if you can't connect a device to your Mac (developer profile). Then you can share your app with the Ad-Hoc profile to someone else, e.g. via mail.
Distribution Provisioning Profile
A Distribution Provisioning Profile is used by Apple to publish an application to the App Store. When Apple approves the application, it is signed by Apple and becomes public.
A Distribution Provisioning Profile contains:
Application ID - the application which is going to run
Distribution certificate - who can debug the app