Renewal of Apple Enterprise cert and impact to existing provisioning profiles - ios

I manage the iOS Enterprise distribution for several clients. We have come to a situation where a distribution certificate is near expiration and are curious as to the ramifications of cert renewal. The goal is to maintain application integrity and not require app reinstallation. Is there a way to renew the certificate and regenerate the provisioning profiles, without impacting the end user?
If I renew the certificate and regenerate the provisioning profiles, will the end user be required to reinstall the application?
Thank you,

From the apple enterprise FAQ:
Distribution provisioning profiles expire 12 months after they’re issued. Two months before expiration, the iOS device begins displaying notifications about the impending expiration. After the expiration date, the app won’t launch.
Before a provisioning profile expires, use the iOS Development Portal to create a new profile for the app. Create a new app archive (.ipa) with the new provisioning profile, for users who are installing the app for the first time.
For users who already have the app, you may want to time your next released version so that it includes the new provisioning profile. If not, you can distribute just the new .mobileprovision file so users won’t have to install the app again. The new provisioning profile will override the one that’s already in the app archive.
Source: http://help.apple.com/iosdeployment-apps/mac/1.1/#app43ad802c

Related

Apple certificates and provisioning profiles - when do they expire?

I have an Apple Enterprise membership and develop apps for In-House distribution.
I don't understand in which cases I need to rebuild my apps because of expired certificates and/or provisioning profiles.
Do I need to rebuild the App when the distribution certificate expires?
Do I need to rebuild the App when the provisioning profile expires?
Does the provisioning profile expire/become invalid when the included certificate expires?
Whether you need to rebuild when the provisioning profile expires depends on how you are distributing your apps.
If you are following best practice and using an MDM to distribute your apps then you can distribute a new provisioning profile when the old one expires.
If you are using some other distribution method (such as a plain web server) then you will need to rebuild your apps when the provisioning profile expires.
Regardless of the distribution method you need to build a new version and update the installed apps when the distribution certificate expires.
If the distribution certificate expires then the app will stop working, even if the provisioning profile is still valid.
You need to update the app with a new version, signed with the new distribution certificate before the old one expires.
This WWDC session has a good explanation of the process.

Apps in the enterprise appstore after provisioning profile expires

I have an app in enterprise appstore and the provisioning profile with which I created iPa is due to expire next month. If I go to developer account and renew the provisioning profile, what happens to the app in appstore which was created with old provisioning profile? Should I create a new iPa with new renewed provisioning profile and submit it? Is it enough to just renew the expiring provisioning profile or should we renew, create iPa with new one and upload it to appstore again?
Any help would be appreciated. Thanks!
You will need to provide a new provisioning profile, that has a new expiration date, to the devices with your app or existing installations of the app will stop working.
You can do this by packaging a new version of your app that includes the new provisioning profile and then having your users install the update.
Alternatively, if your devices are managed by an MDM (which is best practice) then you can have the MDM server push the updated provisioning profile to the devices. The advantage of this approach is that it doesn’t require any user action.
The process of certificate and provisioning profile expiration is explained quite well in this WWDC video
As an example, here are the instructions for Microsoft Intune

Install iOS in house Distribution Provisioning Profile via Profile Manager

We have a business that provides iPads (~1000 iPads) with our in-house iOS apps, which are managed by our MDM Apple Profile Manager.
We use Apple Developer Enterprise Program to build the in-house apps with a 3-year expiry certificate and 1-year expiry provisioning profile.
What we are struggling with is the renewals of the certificate (every 3 years) and provisioning profiles (every 1 year) WITHOUT:
Completely rebuilding the app with new provisioning profile and re-distributing it through MDM
Anyone having to touch the iPads to install the new provisioning profile. (Provided that the new provisioning profile is renewed from the Developer Portal before it expires).
According to this post, Renew iOS Provisioning Profile on in-house app
They said
Alternatively, you could generate the provisioning profile and then
distribute the profile to all the devices through MDM (if you're using
an MDM solution) or by email (not a great experience).
So my questions are:
Is it possible to install new provisioning profile via Apple Profile Manager? How do I go about doing it?
I tried emailing the .mobileprovision file and opening that file from an iPad but it didn't install the profile at all. What have I done wrong?
What is the best way to handle certificates (3 year expiry) and provisioning profiles (1 year expiry)?
Managing internal apps on iOS is unfortunately not a "set and forget" process. There is ongoing work, and planning needs to be done to make sure you keep your internal apps functioning when profiles and certificates are invalidated / expired.
I do not have experience with the Apple Profile Mgr, but it is most certainly possible to simply regenerate the provisioning profile(s) for your apps and remotely deploy them to the devices which have the apps on them. This will help with profile expirations, but will not help for certificate expiration (more on this below).
With newer versions of iOS, Apple no longer allows installation of provisioning profiles through the Mail app, a Safari link, etc. Basically at this point, provisioning profiles need to be installed with the app installation, through MDM, or through the Xcode "Devices" window.
For profile expirations, the best strategy is to simply distribute the new profile(s) via MDM (if you have one). For certificate expirations, the best idea is to plan ahead. Starting well before the cert expires (enough time that you can deploy the newly signed apps to all your devices before the expiration date), you need to rebuild (or simply re-sign the existing ipa) your apps with the new certificate / signing identity. Since you are using MDM, it should be easy to deploy the newly re-signed apps to all your enterprise devices before the cert expires and the apps no longer run. Make sure you provide enough time to make this happen, as some devices may be off network for a while and may not check in to the MDM server every day. The good news is that this is only needed every 2.5 years or so.
Note, to re-sign an ipa, see my answer here: https://stackoverflow.com/a/25656455/3708242

Renew iOS Provisioning Profile on in-house app

My iOS Provisioning Profile will expire soon and I need to know the smoothest way to renew that profile. My certificate doesn't expire for another couple of years, so the certificate itself should be fine. It is an in-house (non-App Store) app and is installed on a number of devices.
Which is why I'm wondering if the app will stop working if I do the following:
Let the provisioning profile expire.
Click generate inside the existing profile.
If so, is there any way to update/renew the profile without taking down the app or releasing a new version? If I have to release a new version, is the best option to create a new profile to reduce downtime?
So generating a new provisioning profile will not invalidate any of the apps out there on devices. Basically, you should choose option 2. Generate the new provisioning profile, build a new version of the app with the new provisioning profile, and just make sure all your users / testers update to the new version of the app.
Alternatively, you could generate the provisioning profile and then distribute the profile to all the devices through MDM (if you're using an MDM solution) or by email (not a great experience). Basically the app will continue to run as long as the new provisioning profile gets on the device before the old one expires, whether that's through MDM, manually, or by installing a new version of the app with the provisioning profile in the .app payload. Or if your users download any app with the new provisioning profile, assuming that provisioning profile is set up with a wildcard app ID, that will also correct it (see information about that here: https://stackoverflow.com/a/29121777/3708242).
But option 1 will certainly result in your app refusing to launch once the expiration date arrives.

Enterprise Deployment certificate and profiles

I'm currently using the iOS Developer Enterprise Program for Enterprise Deployment. I want to know what happens when the Certificate and/or the Provisioning Profile expire. For now I created a bunch of provisioning profiles to be as far as I can from the expiration date. I want to know if I can securely delete old provisioning profiles that are possibly linked to an app or whether the apps will stop working. Is it possible in some way that a user who has already downloaded an app will not be able to open it, or a new user will not be able to download it?
Thanks
The only requirement for an app to run on an iOS device is that there is at least one valid (non expired) provisioning profile on the device that is signed with a valid certificate (non expired / deleted) that has a bundle ID that matches the bundle id of the app you are trying to run.
So let's say I have 2 provisioning profiles I've created over the year for one app. The app's bundle ID is "com.example.testapp". One of the provisioning profiles was created with the app ID "com.example.testapp" and it expires in 1 month. Another provisioning profile was created with a wildcard app ID "com.example.*" and it expires in 3 months. You can safely delete the provisioning profiles and create a new one at any time, without preventing currently deployed apps from running on devices. They will stop working once they hit the expiration date.
Continuing this example, let's say you have another app installed on the same device with a bundle id of "com.example.testapp2" and it was originally installed with a provisioning profile that specifically used the app id "com.example.testapp2" and the provisioning profile expires tomorrow. After tomorrow, the app will still work, because even though the "com.example.testapp2" provisioning profile is expired, there is another prov. profile on the device with a wildcard app id that matches, and that profile has not yet expired.
On another device that only has test app 2, and never had the wild card provisioning profile installed, the app will stop working. You can either manually install the new provisioning profile (email it to the device user), or install a new app (or the same app again) bundled with the new provisioning profile.
So long story short, deleting provisioning profiles is generally safe, but do not invalidate the certificate until you are ready to re-package all your internal apps.
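The rule stated in this answer (an app launches as long as some unexpired profile on the device, signed with a still-valid certificate, has an application-identifier that matches the bundle ID, wildcards included) and the earlier point that certificate expiry kills the app even when the profile is still valid can be modelled in a few lines. The script below is an added example, not code from any of the answers or from Apple; it pulls the XML plist out of a .mobileprovision by slicing on the XML markers (the plist sits verbatim inside the CMS envelope, and this does not verify Apple's signature), then replays the testapp / testapp2 / com.example.* scenario from the answer. The Team ID is made up, the sample profiles are constructed in-memory, and the certificate's NotAfter date is assumed to be supplied by the caller (on a Mac you would read it off the DeveloperCertificates entries of the same profile with openssl x509); the device's real check is done by iOS, so this is only a model of the stated rule.

```python
import plistlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

TEAM = "ABCDE12345"  # assumed, made-up Team ID; it is the first component of every application-identifier


@dataclass(frozen=True)
class Profile:
    name: str
    app_id: str               # Entitlements["application-identifier"], e.g. "ABCDE12345.com.example.*"
    expires: datetime         # ExpirationDate from the profile plist (UTC)
    cert_not_after: datetime  # NotAfter of the distribution cert; assumed to be supplied by the caller


def extract_plist(mobileprovision: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped .mobileprovision.
    The plist is embedded verbatim in the DER envelope, so slicing on the XML
    markers is enough for inspection. It does NOT verify Apple's signature."""
    start = mobileprovision.find(b"<?xml")
    end = mobileprovision.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(mobileprovision[start:end + len(b"</plist>")])


def profile_from_bytes(mobileprovision: bytes, cert_not_after: datetime) -> Profile:
    plist = extract_plist(mobileprovision)
    expires = plist["ExpirationDate"]
    if expires.tzinfo is None:            # plistlib hands back naive datetimes, which are UTC
        expires = expires.replace(tzinfo=timezone.utc)
    return Profile(plist["Name"], plist["Entitlements"]["application-identifier"],
                   expires, cert_not_after)


def app_id_matches(app_id: str, team_id: str, bundle_id: str) -> bool:
    """An application-identifier is TEAMID.<bundle id>, TEAMID.<prefix>.* or TEAMID.*"""
    team, _, pattern = app_id.partition(".")
    if team != team_id:
        return False
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        # keep the trailing "." so that com.example.* does not cover com.examples.foo
        return bundle_id.startswith(pattern[:-1])
    return bundle_id == pattern


def effective_expiry(p: Profile) -> datetime:
    """The app stops launching at whichever comes first: profile expiry or certificate expiry."""
    return min(p.expires, p.cert_not_after)


def covering_profile(bundle_id: str, profiles: Iterable[Profile], now: datetime) -> Optional[Profile]:
    """First installed profile that is unexpired, cert-valid and matches the bundle ID, else None."""
    for p in profiles:
        if now < effective_expiry(p) and app_id_matches(p.app_id, TEAM, bundle_id):
            return p
    return None


def fake_mobileprovision(name: str, app_id: str, expires: datetime) -> bytes:
    """Constructed sample: a minimal profile plist wrapped in junk bytes standing in for the CMS envelope."""
    plist = {"Name": name, "TeamIdentifier": [TEAM], "ExpirationDate": expires,
             "Entitlements": {"application-identifier": app_id, "get-task-allow": False}}
    return b"\x30\x82\x0b\xad" + plistlib.dumps(plist) + b"\x00" * 8


def scenario() -> dict:
    """Replays the answer's example: testapp, a com.example.* wildcard, and testapp2 expiring tomorrow."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    cert_ok = now + timedelta(days=600)
    day = lambda n: (now + timedelta(days=n)).replace(tzinfo=None)   # plistlib wants naive datetimes

    exact = profile_from_bytes(fake_mobileprovision("testapp", f"{TEAM}.com.example.testapp", day(30)), cert_ok)
    wild = profile_from_bytes(fake_mobileprovision("wildcard", f"{TEAM}.com.example.*", day(90)), cert_ok)
    app2 = profile_from_bytes(fake_mobileprovision("testapp2", f"{TEAM}.com.example.testapp2", day(1)), cert_ok)
    # a profile with months left, but the certificate it was signed with lapsed yesterday
    stale = profile_from_bytes(fake_mobileprovision("stale", f"{TEAM}.com.example.testapp", day(200)),
                               now - timedelta(days=1))

    device1 = [exact, wild, app2]   # once received the wildcard profile
    device2 = [app2]                # only ever received its own profile
    day_after = now + timedelta(days=2)
    name = lambda p: p.name if p else None
    return {
        "testapp_today": name(covering_profile("com.example.testapp", device1, now)),
        "testapp2_device1_after_expiry": name(covering_profile("com.example.testapp2", device1, day_after)),
        "testapp2_device2_after_expiry": name(covering_profile("com.example.testapp2", device2, day_after)),
        "testapp_stale_cert": name(covering_profile("com.example.testapp", [stale], now)),
        "stale_dies_on": effective_expiry(stale).isoformat(),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

To run it against real profiles, read each .mobileprovision from disk (on macOS the same plist is what `security cms -D -i app.mobileprovision` prints), pass the certificate's NotAfter, and sort the fleet's profiles by `effective_expiry` to see which apps need a re-signed build first; the profile-only expiries can be fixed by pushing a new profile, the certificate-driven ones cannot.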
If you let either your Enterprise Distribution Certificate or the associated Provisioning Profiles expire your apps will no longer load. The user will see the app start to load followed by an immediate crash. You have to renew your Enterprise Dist Cert every 3 years (you can have two concurrent / overlapping certs) and your Prov Profiles every year.
Seeing how the Provisioning Profile is the "weak link" in the chain at a yearly renewal, what we do is refresh/renew our Enterprise Dist Prov Profiles every 9 months (at a minimum) to keep those suckers fresh. Likewise we renew our overlapped Enterprise Dist Cert no later than 9 months prior to the other Enterprise Dist Cert's expiration AND update the Dist Prov Profiles at the same time.
Answering your question more directly I wouldn't risk killing the Provisioning Profile and tanking your deployed app. Since you're renewing that guy yearly, re-baseline everyone at the same time to restart the clock.
