We have an iPad app that we would like to distribute internally. We're looking into "Enterprise Distribution". The set of requirements I have been given include that the method for distribution is to be that a user goes to a secure website from an iPad, logs in, and downloads the app. The app then works for them.
Users who do not have access to the website should not have access to the application. We can easily prevent them from downloading the app by forcing them to log in. However, it is not obvious to me that after they download the app (via an .ipa file?), that they couldn't just give it to someone else, something that is not allowed.
It looks like a way around this is to have Distribution Provision Profiles, which determine whether a given app will run on the device. However, it's not obvious to me that those couldn't just be copied as well.
http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf
Once you create the enterprise distribution provisioning profile, download the
.mobileprovision file, and then securely distribute it and your application.
Sadly, I don't know enough to know exactly what I should be asking, but here goes:
Can ipa files just be copied from one Ipad to another, allowing anyone to use any given app? (assuming there is no other protection on the app)
If the answer to 1 is yes, is there any reason to believe that .mobileprovision files will help me?
Every device has a UDID, a unique identifier. This is how Apple enforces the 100 development devices rule for individual developers. You collect UDIDs as part of the download process, issuing the provisioning profiles to registered users.
To answer your questions:
Yes, theoretically, without DRM or provisioning, an ipa can be synced to iTunes (or manually copied with third party tools) and then moved to another dewvice.
Yes, .mobileprovision files include UDIDs in them which are pretty much unique to a given device. (The exception may be on jailbroken devices, which, if I recall correctly, can spoof a UDID.)
EDIT:
Just to clarify, in response to your requirements:
The set of requirements I have been given include that the method for distribution is to be that a user goes to a secure website from an iPad, logs in, and downloads the app. The app then works for them.
I would add a middle step.
User logs in.
User submits device info
You create a provision for the device
The user then downloads the app and the provision.
This does not stop the user from giving out the app to others, but it's the best you've got. You can also require the user to log in inside the app, with the same email as the one used to register the UDID, theoretically.
It's now July 2012. Apple's documentation on how to create and distribute an Ad-Hoc iOS application remains stuck at iOS 3, is over-complicated, overwhelming, and often wrong.
With an Developer Enterprise Program license (and a fair bit of patience), you can create an .ipa file, which you can stick on your website.
Your users can then navigate to this webpage on their iPad's Safari, click on a download link to download and install your app onto their device. No iTunes required.
Your app will need (amongst other things) to be signed with a distribution certificate, which you create on the Apple Developer website, but my point is that once you have jumped through all of these badly documented hoops, you can just stick an .ipa and .plist file on a webpage, and ANY user can install your app with it.
Even your Aunt Gladis, who lives 200 miles away and doesn't work for your company.
Mind you, if Apple finds out that you have distributed your app to anyone who doesn't work in your company, they will pull your license.
Getting the Enterprise Account takes a lot of work. Apple will want your DUNS and possibly other proof that you're who you say you are (and that you're an enterprise).
Going the other route (individual developer) will allow you to post your app (make it free so your users will not have to pay!) in the store. Your app can require an account on your local service that no one outside your company will be able to acquire, which will prevent people outside the company from using it. The risk here is that Apple will reject your app for this reason.
Related
EDIT: see conclusion at the end of this post.
First off, let me clarify I've found a few similar questions/answers on SO, but none that apply to my particular situation. The one that came closest is this one but it doesn't address the AirWatch aspect.
So I'll try to be very specific.
Background
I have an iOS application that's free. I also have the same app for Android and Windows 10 but those are not my concern.
The iOS app is available to anyone from the App store. But I have a few large corporate customers who use AirWatch to manage the installation/update cycle of their devices. They either have Enterprise or VPP Apple accounts. They want me to provide them with the IPA file so they can distribute it themselves through AirWatch.
In my mind, that's a perfectly legitimate request: they just want to have better control over what gets installed on their devices.
Problem
From what I understand, an Enterprise account requires that the application be signed with the customer's certificate. But if I have several such customers, that means I have to re-sign each application for each customer, every time I have a new update available. And those customers that have VPP accounts cannot use them because the VPP program only applies to paid apps, not to free ones.
Note: keep in mind that at that stage when I'm ready to provide the app to these customers, the app has already been reviewed and accepted by the App Store. So it's deemed legit.
After googling this matter for a while, I know it's possible for someone else to resign an app or to sign it for the first time if it is provided in unsigned form to start with. However, resigned apps are apparently not supported by AirWatch (and, I assume, other MDM's as well).
If that information is incorrect, then I guess all I would need to know is the recipe that I, as a coder, have to follow before providing the app to my customers and what kind of steps they have to take in order to deploy using AirWatch.
Question
So how do I get my free app to my customers so they can manage the distribution themselves, without me having to go through yet another set of hassles every time I change something.
Remember: if I only had a single corporate customer I wouldn't give it a second thought and I would just use their own certificates but I have several potential customers with the same requirements, so the point is to make it easy for all of them and for myself.
I hope my question was clear enough, thanks in advance for any help.
EDIT - Conclusion: I was able to validate that an unsigned IPA file can be signed with the customer's certificate and uploaded to their AirWatch distribution app. Which means I simply have to provide the unsigned version to any customer with the same issue and they will be able to distribute the app themselves with their MDM. Hope this information helps others.
If your customers really can't re-sign your IPA, I believe the best solution for you to do would be to sign up yourself for an enterprise account, then use your own enterprise provisioning profile to sign a single ipa for distribution to the companies that need the app. Their MDM platforms should be able to handle the "trusting" of your enterprise signing identity, so the experience for the end users would be no different than if they were installing and running one signed by their own enterprise account.
The downside of this is that you will then be on the hook for providing your customers new versions when your cert of profile is about to expire. If you have them re-sign your IPA, it would be their responsibility to keep track of that and resign / redistribute a new provisioning profile when they expire.
Also, I have never heard of any restrictions on MDM's distributing re-signed IPAs. I don't even understand how they could prevent it, as a properly re-signed IPA should look no different than an IPA that was build and signed using the new signing identity and profile. I would challenge that, as many MAM (Mobile App Management) vendors offer wrapping of apps that do re-sign the binaries and allow you to distribute those resigned IPAs through MDM systems. I would really expect any corporation with Airwatch to know how to resign an IPA using something like iReSign. That really is your easiest option. Build an IPA for each release, send it out to all your clients, and each can re-sign it with their own signing identity. That way if you stop doing development, they aren't reliant on your signing identity and profile to keep the application running.
because the VPP program only applies to paid apps, not to free ones.
You can manage free apps with VPP. It's maybe free but it's still a license. VPP manages licenses for an organization and allows admins to give and tack back these licenses.
I have right now free Apps in my AirWatch Console, in the tab "Purchased". This tab is only available if VPP is configured and displays only apps from the VPP. I can't go check in the VPP myself because I don't have any access but theses free apps wouldn't be in the tab "Purchased" if they weren't bought with the VPP.
They want me to provide them with the IPA file so they can distribute it themselves through AirWatch.
If you are ready to do that, your customers can upload the ipa file as an internal application and then deploy it to their iOS devices. As AirWatch customers, they should have access to the document VMware AirWatch Mobile Application Management (MAM) Guide with the Chatper 4 "Internal Applications". There is a particular process for iOS apps described.
Is there any way to distribute ios applications through my own website, not using app store?
I mean is there any way that enables end users to download the .ipa file from my website with their browser application and install it directly on their iOS devices?
I have looked around in the web and googled it, but it doesn't seem to be any option for it out there, I just want to make sure of it.
Thank You
There are several possibilities, which probably won't match your needs:
Since last month it's possible to test apps on a device without the need of a paid membership.
There's a possibility to deploy an app through a service like TestFlight, but this needs either a profile installed on the device (like HockeyApp) or always new build since the old ones expire after 30 days.
You could deploy an app with the Enterprise Program
The easy way you describe is not possible.
Apart from the options mentioned above there are 2 more methods.
Method 1:
You could ask the user to open a webpage in safari browser with the following link in it.
href="itms-services://?action=download-manifest&url=url of the manifest file"
The app is installed as soon as the user clicks the link.
Method 2:
You can also leverage iOS mdm solutions like Hexnode MDM though its bit of an overkill.
here is a link on how to distribute app without app store
UPDATE:
BuddyBuild service will stop on 1-3-2018, the other alternative I know is https://www.diawi.com
Old ANSWER:
Try BuddyBuild , after making a build you can take link to IPA file and distribute it as shown.
The options include:
App Store (free or paid)
Enterprise Distribution (must be within an organization)
Open source distribution
It does not sound like any of these will meet your requirements, so no.
Further explanation:
Just to be clear, the limitation is not in distributing your .ipa file, it is the ability for users to install it on their phone. iOS requires an app be signed by Apple (from the App Store), from an Enterprise certificate, or from a developer certificate when a valid provisioning profile includes the target device.
Basically there are three ways
App store
With this method anyone with an iPhone can have access to the application. You can distribute an unlimited number of applications like this. Apple gets a 30% cut. Of course, Apple must approve your application.
Ad hoc
You can distribute applications using ad hoc without going through the app store, but you are limited to a maximum of 100 devices. With this method you can distribute your application from a web site, email, etc.
Enterprise
The method is for internal distribution in companies with more than 500 employees. Apple does not provide any more public detail that I could find on this method.
It doesn't sound like any of these methods meet your criteria unless you have fewer than 100 customers and don't plan to exceed that number. It sounds like from the question your customers are not internal to your company.
I would advise contacting Apple. They might be able to arrange some kind of custom distribution deal.
You if don't want to upload your files to the already mentioned web services, you can host your IPA in your own computer and distribute over the internet using ngrok and the approach given by jithin.
I've created a server that does exactly that and also is protected by password. You can check it out here:
https://github.com/Edudjr/IPAServer
To send build to testers or client I am generally using installonair.com which allows to upload IPA file and generate short URL which we can provide to other users and they can download and install easily from that link.
There are other options as well like Apple Testflight, hockeyapp but I found installonair.com is the quick one.
If you have and Enterprise membership you can do this, but it really isn't what they want you to do on a large scale.
Take a look at this question: Deploying an iOS Application Using Apple Enterprise Developer Program
You can use enterprise distribution services like BuildCannon, but you still need an apple enterprise account. I use a custom solution, but it's a pain to maintain.
I am aware that this question has been rattled like an empty can in a trunk for a long time yet I still am not sure how to approach this problem.
Intention
Allowing my client to download my app by providing a code. So my client can go to a webpage through his iPad, enter in a code, and the downloading of the App starts.
Solution/Problem
I can do it through AdHoc Distribution, where I can make a webpage that can only show a link to download the App, only after a specific code is authenticated. The only problem here is that I need UDID of the device nonetheless. So here is the problem, how can I let the user download the app, when he just enters a correct code on some webpage, without having his/her UDID?
I'd really appreciate if you could help me in anyway.
Best.
You'll have to create a web based authentication mechanism yourself for allowing a user to download the ipa. Because you wish to be UDID independant, you'll have to enroll to the enterprise program - a simple iOS developer program will not suit your needs (limited to 100 specific devices).
This is what the iOS Enterprise Developer Program is for.
Get tools and resources for developing proprietary, in-house iOS apps that you can distribute to your employees.
No UDID needed. No 100 device limit.
This is possible now using redemption links with private app distribution. You still need to go through App Review, but users will be able to download your app without you needing to know their device UDID and without the app publicly being available on the App Store.
I'm currently developing an iOS app for a company as a consultant and they explicitly asked that the app should not be visible in the public app store but I need to distribute to the employees and contractors.
What are the necessary steps in order to achieve this goal? I've found info on the web about the Apple Enterprise program but the procedure for the distribution is somewhat unclear to me, as the documentation I found is messy.
Could someone please explain what do I need and what are the steps to follow in order to distribute the app in such fashion? I've made clear the steps to get to the .ipa file, I need to put the file on the devices.
Thank you.
You can build your own server and host the application there itself.
You need to uploaded the IPA file on the server and create an HTML page through which it can be installed directly in the device.
This method is called Over The Air distribution. TestFlight uses the same method to do so.
Please refer this link for complete process:
http://aaronparecki.com/articles/2011/01/21/1/how-to-distribute-your-ios-apps-over-the-air
Create a distributed provision file for you app(You need to add the device identifier who want to install the app).
Build you app and distributed with ad hoc
Then the employee can install the app from itunes.
You can also enable the employee to install from safari, please refer here for more detail information.
If you release only a file.ipa to install that you need the jailbreak on the device, that's if is a big company is impossible, but you have a 2 possible ways:
1) huge an slow but is effective, finish you app and pass the project on a laptop, create new buy a new developer program only for this company, setUp the laptop with new certificate and install the app on all company device manually one by one, ins very slow and huge process, but it work, no app on appStore, and no body know that your project exist.
2) publish on app store with AdHoc provisioning profile, have 100 device per App, but you can publish more same app with different name ex: App1, App2 ext.
The app is on appstore, but not visible, only the device with AdHoc Provisioning Profile can install the app.
3) make a jailbreak on a device company heheheh
Hope this help you
Firstly, the app store is the the primary route for App distribution for iOS.
That said, I have done beta app distribution in the past using test flight.
http://testflightapp.com/
This size has usually been small, but you are usually limited by Apple to 100 ad-hoc devices per year. If your install base is going to exceed that, then you may need to look into other methods. Such as enrolling in the Apple's enterprise Program, which depending on the size of the company you're working for, might be a better option.
https://developer.apple.com/programs/ios/enterprise/
I'm working on an iOS app and would like to make it easy for a selected group of non-technical users to quickly download and try it. I won't have their UDIDs ahead of time, nor is TestFlight a viable option because it takes too long to set up. My company isn't large enough to qualify for the Enterprise option, either.
What I'm wondering is: can I submit an app to Apple that requires the user to enter a code at launch? Then I can simply give that code to my demo users (and to Apple for review) and submit it to the store. Or will Apple reject something like that?
Thanks.
The entering of a PIN is not a problem (lots of apps use PIN numbers to protect a user's own data, such as a password vault), but it seems that if the intent is to limit the audience of the app, then that that might run afoul of section 2.22 of the app store guidelines.
If the purpose is testing for a limited number of users, can you just do ad hoc distribution?
For demonstrating our apps to clients, my company uses our iOS Enterprise account. With that account (which costs $299/year instead of $99/year), we can make builds that we can distribute through our own restricted channels, instead of the App Store. Those builds are signed with an Enterprise Distribution provisioning profile, which does not require specifying which devices will be used.
After that, we simply restrict who has access to download our app. We use Testflight for this. It enables us to upload our provisioned app, and allows us to invite specific users to download the app. The process of downloading the app is easy enough even for our non-technical clients.
But since you said you don't want to use Testflight, you can distribute your Enterprise apps however you find to be easiest.