Apple Enterprise Distribution Certificate and Profile expiration logic - ios

Recently, I had the experience of my profile and certificate expiring, and all my distributed apps stopped running. So I want to go in depth into this logic. I have a few questions, listed below. Anyone, please answer, because most iOS developers still don't know the answers.
Why is Apple expiring certificates and profiles exactly after one year?
Can we extend the expiration limit from one year to anything longer?
How does iOS decide that a particular app's certificate has expired, so the app should not run on the device?
When is the installed app's lifetime decided by iOS, i.e. when the app is first installed OR when the certificates and profiles were created?
Most iOS developers are wondering about the logic behind this certificate expiration process, so whoever knows the truth behind it, please answer.
Thanks in advance.

Why is Apple expiring certificates and profiles exactly after one year?
So that you don't set up a parallel app store (IMO).
Can we extend the expiration limit from one year to anything longer?
For Enterprise licenses, 'in-house' distribution profiles have a validity of 3 years. Here is an old thread you may refer to.
How does iOS decide that a particular app's certificate has expired, so the app should not run on the device?
From Apple docs: The first time an application is opened on a device, the distribution certificate is validated by contacting Apple’s OCSP server. Unless the certificate has been revoked, the app is allowed to run.
When is the installed app's lifetime decided by iOS, i.e. when the app is first installed OR when the certificates and profiles were created?
Same as above: certificate and PP expiry dates are taken into account before running the app. Try installing an app which was signed with an old certificate and you'd see.

Related

Expired iOS Developer/Distribution Certificates

So, my first App is on the AppStore for almost a year now. I started receiving notices from Apple that my iOS Distribution Certificate will expire in 30 days time. That's fine — they expire.
But, the email says to go to Certificates, Provisioning and Identities to renew — only there is nothing there that specifically guides me through such a process that I can see — and it's a very clean, spartan portal so I imagine I would see something especially if I was directed to go there specifically for this reason.
As I've never renewed a certificate, I wonder if anyone might be able to guide me through the process? There seems to be no clear answer.
My concern is that the expired certificate would somehow break the App currently in the store? (I don't know that it will, or will not — but I'm not excited to find out in real time.)
Am I meant to create a new certificate in Xcode? Does it need to be somehow applied to the current version of the App, or the one in the App Store, meaning I may need to publish a new version of the App for hygiene?
Any pointers or help are greatly appreciated.
Julian
If your Apple Developer Program membership is valid, your existing apps on the App Store will not be affected. However, you will no longer be able to upload new apps or updates signed with the expired or revoked certificate to the App Store.
https://developer.apple.com/support/certificates/
For updating the app you need to generate a new certificate.

Expiring Certificate on Enterprise app (IOS)

I have an enterprise app out in the field, signed with a distribution certificate 3 years ago, that is due to expire next month. Ideally I would like to not have to redeploy my app to my users, and according to the Apple docs, Re-Creating Certificates and Updating Related Provisioning Profiles, it appears I can create a new dist cert, update my profile with the new cert, and my app out in the field will not be affected. I have read some conflicting posts on the matter, admittedly from a few years ago now, that say I will need to re-deploy my enterprise app, so I was wondering whether anyone would be able to confirm for me what the latest state of play is.
Any information would be greatly appreciated.
No, you don't need to redeploy an app if your bundle identifier is the same.
You can revoke the current certificate and create a new one. This action can result in the app no longer being usable on the mobile device (if or when it has a connection to the Apple server). The reason for this is that the user needs to accept/trust the developer of the new certificate from the device's settings.
Once the user accepts/trusts the new certificate, your app will continue working as it was.
You can ask me if you still have any confusion or problem in understanding this scenario.
Recently, I practically tested this scenario for one of my enterprise apps and it was successful.
Hope it would work for you also !!!

MDM iOS Enterprise app distribution

We have different enterprise applications distributed via Airwatch MDM. Earlier, when some distribution profile was expiring after 1 year, we could see a popup on the iOS devices. Now it's not showing for some reason. I'm not sure why. Also, I can't find the profiles section in the iOS 8 settings. It used to show the expiration dates for all the profiles there.
If the developer does not notice the expiration date, the apps crash after the expiration date.
I want to know the best optimum solution for this.
How do we get the notifications for this?
Is there any solution without redistributing a new binary?
Or do we have any reminder notification system for this?
You can update the provisioning profile without redistributing a new binary. If you go to the app and click on the "files" tab and select "edit" this will allow you to upload the new profile.
I'm going to tackle your questions with in-line answers:
If the developer does not notice the expiration date, the apps crash after the expiration date.
Speaking frankly, it's up to your Enterprise Agent to maintain and track when provisioning profiles are expiring. Likewise, they should be planning your required yearly release in conjunction with the expiring profile. It is not the developer's job to maintain that part of the app development process unless you're specifically paying them to do so.
How do we get the notifications for this?
See above. All profile expiration dates are in your Enterprise Portal.
Is there any solution without redistributing a new binary?
This won't always work, especially if your Enterprise Distribution cert is also expiring. If your Enterprise Cert expires you MUST deploy a newly signed binary.
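
The expiry tracking discussed in this thread can be automated by reading the dates out of each app's embedded.mobileprovision. The Python below is an added example, not code from any of the posters: it assumes the profile's XML plist sits contiguously inside the CMS wrapper (on macOS, `security cms -D -i` decodes it properly), does not verify the signature, and runs on a constructed skeletal certificate and profile. All function names are hypothetical.

```python
import plistlib
from datetime import datetime

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Return notAfter (naive UTC) from a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)               # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                     # optional explicit [0] version
        pos = _tlv(der, pos)[2]
    for _ in range(3):                       # skip serialNumber, signature, issuer
        pos = _tlv(der, pos)[2]
    _, pos, _ = _tlv(der, pos)               # validity SEQUENCE
    pos = _tlv(der, pos)[2]                  # skip notBefore
    tag, start, end = _tlv(der, pos)         # notAfter
    text = der[start:end].decode("ascii")
    if tag == 0x17:                          # UTCTime: two-digit year, pivot at 50
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ")

def read_profile(blob):
    """Pull the XML plist out of a CMS-signed .mobileprovision (no signature check)."""
    start = blob.index(b"<?xml")
    end = blob.index(b"</plist>", start) + len(b"</plist>")
    return plistlib.loads(blob[start:end])

def expiry_report(blob, now, warn_days=60):
    """Say what lapses first (profile or an embedded certificate) and how soon."""
    profile = read_profile(blob)             # plistlib yields naive UTC datetimes
    dates = [("profile", profile["ExpirationDate"])] + [
        ("certificate", cert_not_after(c)) for c in profile.get("DeveloperCertificates", [])]
    cause, first = min(dates, key=lambda d: d[1])
    days = (first - now).days
    status = "expired" if first <= now else "renew" if days <= warn_days else "ok"
    return {"status": status, "cause": cause, "expires": first, "days_left": days}

# Constructed sample: skeletal DER holding only the fields the walker visits.
SAMPLE_CERT = (b"\x30\x29\x30\x27\x02\x01\x01\x30\x00\x30\x00\x30\x1e"
               b"\x17\x0d230101000000Z" b"\x17\x0d260101000000Z")
SAMPLE_PROFILE = b"CMS-header" + plistlib.dumps({
    "ExpirationDate": datetime(2024, 1, 1),
    "DeveloperCertificates": [SAMPLE_CERT]}) + b"CMS-trailer"
```

A report whose cause is "certificate" corresponds to the case in the answer above where a newly signed binary must be deployed; a cause of "profile" is the case where uploading a renewed profile may be enough.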

Production and Development Certificate Option is disabled [duplicate]

My client's iOS In-House provisioning profiles are about to expire in 2 weeks.
So to renew them, I wanted to create a new In-House certificate. But when clicking "Add" the In-House and Ad Hoc option is disabled. What could be the cause of this?
I renewed the client's enterprise license yesterday. Could it be that it takes some time before I can create In-House certificates again? (On all my other clients' (non-enterprise) accounts it works.)
I'm an Agent for my company's Enterprise account and your issue is mainly as laid out above: the existence of two Enterprise certs. Where I'm slightly confused is why you have multiple folks working as your Agent. Apple has set up the Enterprise account & portal in such a way that there is to be one company-wide Agent that has complete control over that Enterprise Distribution certificate, and it is paired with his/her CSR/private key. If you really want to do this properly you need to get hold of the actual Agent in charge of the account and get him to export his private key used to sign the CSR & Distribution Cert so you can develop against it. If you're NOT the entity doing the final production builds for Enterprise deployment, I would suggest better coordinating your efforts with the Agent, as he may have a plan you're not aware of.
Regarding the multiple certificates Apple started doing that over a year ago so that you can smoothly cutover to a new Distribution Cert in your apps without scrambling to update all apps on the previously singular cert simultaneously.
Lastly one point to note is that while the certificate is good for 3 years your provisioning profile will still expire in 12 months time to make sure your client is scheduling their update & maintenance cadence appropriately.
Feel free to shoot me any questions on this. Good luck!
EDIT
Enterprise Overview
Developer Roles
The Agent role is meant for one person to act as a gatekeeper for that company. It does create a problem for a large company pumping out multiple in-house apps, but the control factor helps maintain a cohesive environment.
Where you're going to start getting into trouble is when your original cert is set to expire and you need to roll them over to the newer cert the other person who has Agent access created. He/she is going to have to either compile your code for you or export their private key out of keychain access so that you can use that newer Enterprise Dist Cert.
What should typically happen is an Agent creates the first cert and all in-house apps are signed to it. That cert may expire in 2016 as an example. The prov profiles will expire every year, though so each app needs to take an update at least every 12 months to refresh itself with a new prov profile. Fast fwd to the end of 2015 and you're staring down an expiring cert. You'd create the replacement cert, update the provisioning profiles for each active app with the new cert (expires in say 2019), then update each app with the new prov profile attached to the new cert before the 2016 cert goes stale.
Make sense?
