
Unfortunately, yes. For enterprise distributed apps, the devices will regularly check with Apple's servers whether the certificate which has been used to sign them is still valid. So revoking the certificate will make those installations fail. Maybe not until the next reboot, maybe not when there is no internet connection available, but sooner or later, the app will refuse to launch.

If availability of the app must not be interrupted, you need to take precautions - for example by preparing the new version and notifying all users ahead of time that at a certain date, the old version will stop working and the new one must be installed.

Update: I kept investigating and it appears like you can have two distribution certificates at the same time now. This is meant to eliminate gaps in app availability by allowing you to phase from one cert to another, way before the first one expires.

If this is still true, you might be able to simply create another distribution certificate without revoking the existing one. You will need to create new provisioning profiles as well (or update the old ones to use the new cert), but that shouldn't invalidate those already deployed. You would then be able to distribute the new / updated app and the existing installations will remain unaffected.

It has been some time since I last worked with enterprise distribution and right now, I don't have access to an enterprise dev account, so I can't try. But I don't think there is any risk if you just go ahead and try it - I assume the portal will either let you create a second cert or it just won't...

Are you sure of this? I know that with apps in the App Store, revoking the signing certificate has no impact on applications either in the App Store or already installed. It's possible that it's different with an Enterprise application, but it seems unlikely that the certificate is checked except when installing.

Yes, I am. See this Apple support page under "What happens if my certificate expires or has been revoked": developer.apple.com/support/technical/certificates There was another Apple document somewhere, which explained how validity of certificates would be checked only occasionally and the server response cached on the device for several days, but I can't find it right now...

Found it - not the original document, but this SO answer is citing it...: stackoverflow.com/a/9386400/416600

ios - Will revoking In-House Distribution certificate affect applicati...

ios provisioning-profile

There is no problem doing this unless you are on an enterprise account. Distribution certificates expire anyway, so eventually it will happen that you need a new one. Go ahead and delete away.

You can also find this question asked, answered, and asked again many times over on the Apple Dev forums (e.g. here's one), so google around there if you're still hesitant.

*See the comments about Enterprise Developer accounts

Just a note for others coming here: this is only good advice for app store apps. Do not revoke a certificate if you are managing an enterprise account.

@MikeWeller can you explain why?

@Horak An App store app gets resigned with an Apple certificate when it goes on the store. Revoking the cert in the provisioning portal therefore won't affect it. Enterprise apps use the original certificate, which means revoking it will cause the app to stop functioning on all devices it is installed on. If you revoke an enterprise account's certificate, all apps installed on all employee devices will stop working.

@MikeWeller Ok so if we are managing enterprise apps and revoked the certificate to create a new one, how do we get those enterprise apps to use the new certificate so their app isn't broken so I don't lose my job?

@BrandonA, happened to me too. You have to resign all apps and redistribute. Learning process. What I'm wondering though is if I delete a development cert, will it affect production apps? So If I leave the production cert untouched

iphone - If I revoke an existing distribution certificate, will it mes...

iphone distribution submission

Short: Revoke the oldest distribution certificate at https://developer.apple.com/account/ios/certificate/certificateList.action and create a new one with a "CertificateSigningRequest" (you'll see) generated on your own computer. All provisioning profiles that used that certificate will be invalidated, this will probably affect ad-hoc builds (not Apple TestFlight or App Store) and enterprise distributed apps.

Long: If you want to keep the certificate (especially useful for teams with more than three people that want to be able to upload builds, and enterprise distributions where all the apps might stop working on a revoke), you'll have to find the computer it was generated on and export the private key for the certificate that probably only exists on that computer, and import it on your own. Now you should be able to download the distribution certificate from the developer portal and use it as usual. See more: No provisioning profiles with a valid signing identity (i.e. certificate and private key pair) were found

Will this affect the apps that are currently on the store?

According to this source from Apple, it only affects submission of new apps and updates. In my experience it also prevents TestFlight users from installing the app, though I don't have a source.

ios - Why is the App Store and Ad Hoc button greyed out when I try to ...

ios iphone app-store ad-hoc-distribution

Toastor is correct - I recently had a discussion with Apple about this and it intentionally differs from App Store apps. When the distribution certificate is revoked (or expired) for an Enterprise app, the app stops working after expiration is reached, or revocation information is retrieved from Apple.

However if you manage several Enterprise apps, instead of requiring users to install a recompiled version of every single app with the new certificate, you may:

  • Push the new Provisioning Profile(s) to users over MDM (like Airwatch) **
  • Use a wildcard App ID for your apps and then as long as the user installs one app with the updated cert, it will apply to all apps that share that App ID
  • Allow users to download the updated Provisioning Profile without requiring an app install **

** CAVEAT: I don't code apps but do manage our certs, App IDs, and Provisioning Profiles. I haven't yet tested these approaches - it's my best effort based on notes from my recent discussion with Apple.

ios - Will revoking In-House Distribution certificate affect applicati...

ios provisioning-profile

As documented in Distributing Enterprise Apps for iOS 4 Devices the App will refuse to work if the certificate expires. You'll need to rebuild your app with new certificate and re-distribute, e.g. "over the air".

How come I can delete the enterprise certificate on the device, and the app then continues working?

Caching. Restart device and the app shouldn't start. The caching of certs is documented by Apple.

Expiration certificate iPhone "in house" enterprise deployment - Stack...

iphone deployment enterprise certificate

The problem is that the Certificate Authority needs to be known by the iPad.

If you distribute Apps with HTTPS and the CA Server is your own, you need to install the certificate on the iPad. Otherwise iOS will try to download it.

You can install it sending it via email to your iPad or create a .pem File from the Keychain Access program and host it on your server for installation purposes. Then open it with Safari and iOS will ask you to accept it.

Then the installation works. But beware of using .htaccess as using HTTPS and HTTP together in the installation process seems to trigger the login/password for every request, which are 4 for images, .ipa and .plist, which is really annoying.

[EDIT] Please keep in mind that you need to refer to the .plist file only with HTTPS since Apple introduced iOS 7.1.

I don't understand what you mean by using .htaccess file. I am not using that file and I still get prompted for login/password 4 times. Can you please explain why that would happen?

I failed to mention that authentication is required for the server where these files are hosted.

You can use HTTP basic auth in .htaccess files on Apache. But the authentication can also be in the server config itself. Maybe the virtual host config is set to authenticate

I have a tomcat server with 4 end points serving up those files. These endpoints needs basic auth against a user database. It keeps asking the password again and again. I did not setup any sort of authentication in Apache site configuration.

It asks up to 3 or 4 times for every file in your .plist. This would be the application .ipa, the icons for every size, in my case 2 .png files. Makes 3 requests and 3 logins to enter. iOS sadly doesn't store login credentials. You could put an .htaccess file in the directory you serve your .plist from and put Satisfy Any in it :D

ipad - App Over-The-Air Installation with HTTPS not working - Stack Ov...

ipad enterprise over-the-air

You can't install a build that was signed with the app store distribution provisioning profile and certificate (I'm assuming your release scheme is set to use your app store cert and profile). It will fail to install on the device if you try. You need to use either a development profile, or an enterprise distribution profile to install on test devices. The iOS Distribution certificate can only be used to build an app that will be installed via the App Store.

OK, you specifically called out your release scheme. Can you plug in the device and run it with Xcode 8's automatic code signing? You can't do a build with automatic code signing and then load the build onto the device. In order for Xcode to add the device to the provisioning profile, you have to try to build to the device from Xcode. When you do that, Xcode will add the device identifier to the provisioning profile.

Can you look at your certificate in the Keychain Access app? You should find one under your name. Make sure when you click on it, it says it is valid and has a green check mark. Also, make sure you can expand it and see a private key under it. (example: stackoverflow.com/a/33651921/3708242)

Also, make sure you have the WWDRCA file in your keychain as found here: stackoverflow.com/a/35949577/3708242

ios - XCode 8 A valid provisioning profile for this executable was not...

ios xcode provisioning-profile

It occurred on my side when building an app in the command line via xcodebuild and xcrun PackageApplication, signing the app with an enterprise profile. On our CI build servers, the certificate was set to "Always Trust" in the keychain (select certificate -> Get Info -> Trust -> "Use System Default" can be changed to "Always Trust"). I had to set it back to "Use System Default" in order to make this work. Initially we set this to "Always Trust" to work-around the keychain dialogs that appear after software updates and certificate updates.

ios - Reason: no suitable image found. - Stack Overflow

ios iphone xcode

You do not need to submit the app. Or even validate it when using your own over the air distribution. Some of our worldwide clients have users in areas that aren't or weren't eligible for the VPP program (Mexico for instance, not that long ago). Trust me, Apple will know the app exists. You need to be in the Enterprise Developer program. You still need to sign and provision as an enterprise developer. You don't get the app store smart update service. You manage that. And most important, if you modify the provisioning profile or certificates associated with the bundle ID or they expire, the app stops working on all devices where it is installed. This is a big difference from submitted approved apps which are on iTunes Connect. And as of Xcode 6 you must also use an explicit App ID. No wildcards. See my answer here: 0 Entitlements when Exporting App for Enterprise Distribution

You can serve the .ipa file with a .plist file as mentioned in another answer.

<a href="itms-services://?action=download-manifest&url=https://www.yourserver.com/yourapp.plist">Download</a>

Notice the https, it has to be SSL though. You can use dropbox to handle this if you need, as described here: Enterprise app deployment doesn't work on iOS 7.1. Xcode 5 generates this .plist file but Xcode 6 will no longer create the .plist for you. You can use this template: https://gist.github.com/alexcristea/4d922de3d416910dc847. If I think of any other caveats from over the years I'll update (or if they change anything else without telling us).

Very straight forward. Link right to the .apk file on a server. Users can click the link from the device in email or a website etc. And or use a QR code that uses that link they can just scan. Tell your users how to enable security something like amazon describes it to their users here: http://www.amazon.com/gp/help/customer/display.html?nodeId=201482620 I do nothing more than that.

Download iOS and Android APPs from my website? - Stack Overflow

android ios html5 cordova
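The answer above notes that Xcode 6 no longer writes the manifest and that the link must use HTTPS. As an added example (not code from the answer or from Apple), the sketch below builds such a manifest and checks an install link and manifest before publishing; the `.ipa` URL and bundle identifier are constructed placeholders, and the function names are hypothetical.

```python
import plistlib
from urllib.parse import urlsplit, parse_qs

# Metadata keys expected in an over-the-air manifest item.
REQUIRED_METADATA = ("bundle-identifier", "bundle-version", "kind", "title")


def build_manifest(ipa_url, bundle_id, version, title) -> bytes:
    """Produce the manifest .plist that the itms-services link points at."""
    return plistlib.dumps({"items": [{
        "assets": [{"kind": "software-package", "url": ipa_url}],
        "metadata": {"bundle-identifier": bundle_id, "bundle-version": version,
                     "kind": "software", "title": title},
    }]})


def install_problems(install_link: str, manifest: bytes) -> list:
    """Return the reasons an OTA install link and its manifest would be rejected."""
    problems = []
    link = urlsplit(install_link)
    # A manifest URL containing '&' must be percent-encoded in the link,
    # otherwise it is split into separate query parameters here.
    query = parse_qs(link.query)
    if link.scheme != "itms-services":
        problems.append("link scheme is not itms-services")
    if query.get("action") != ["download-manifest"]:
        problems.append("action is not download-manifest")
    manifest_url = query.get("url", [""])[0]
    if urlsplit(manifest_url).scheme != "https":
        problems.append("manifest URL is not HTTPS: " + manifest_url)
    for n, item in enumerate(plistlib.loads(manifest).get("items", [])):
        assets = item.get("assets", [])
        if not any(a.get("kind") == "software-package" for a in assets):
            problems.append(f"item {n}: no software-package asset")
        for a in assets:
            # Mixing HTTP assets into an HTTPS install is what the page warns about.
            if urlsplit(a.get("url", "")).scheme != "https":
                problems.append(f"item {n}: {a.get('kind')} asset is not HTTPS")
        missing = [k for k in REQUIRED_METADATA if k not in item.get("metadata", {})]
        if missing:
            problems.append(f"item {n}: metadata missing {', '.join(missing)}")
    return problems


# --- constructed sample values ---
GOOD_LINK = ("itms-services://?action=download-manifest"
             "&url=https://www.yourserver.com/yourapp.plist")
BAD_LINK = GOOD_LINK.replace("url=https://", "url=http://")
GOOD_MANIFEST = build_manifest("https://www.yourserver.com/yourapp.ipa",
                               "com.example.yourapp", "1.0", "Your App")
BAD_MANIFEST = build_manifest("http://www.yourserver.com/yourapp.ipa",
                              "com.example.yourapp", "1.0", "Your App")

if __name__ == "__main__":
    print(install_problems(GOOD_LINK, GOOD_MANIFEST))
    for problem in install_problems(BAD_LINK, BAD_MANIFEST):
        print(problem)
```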

If you let either your Enterprise Distribution Certificate or the associated Provisioning Profiles expire your apps will no longer load. The user will see the app start to load followed by an immediate crash. You have to renew your Enterprise Dist Cert every 3 years (you can have two concurrent / overlapping certs) and your Prov Profiles every year.

Seeing how the Provisioning Profile is the "weak link" in the chain at a yearly renewal what we do is refresh/renew our Enterprise Dist Prov Profiles every 9 months (at a minimum) to keep those suckers fresh. Likewise we renew our overlapped Enterprise Dist Cert no later than 9 months prior to the other Enterprise Dist Cert's expiration AND update the Dist Prov Profiles at the same time.

Answering your question more directly I wouldn't risk killing the Provisioning Profile and tanking your deployed app. Since you're renewing that guy yearly, re-baseline everyone at the same time to restart the clock.

ios - Enterprise Deployment certificat and profiles - Stack Overflow

ios certificate provisioning-profile ios-provisioning ios-enterprise
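The renewal schedule in the answer above can be checked mechanically before anyone touches a certificate. This added example (not code from the answer) reads the plist embedded in a `.mobileprovision` file, applies the 9-month refresh rule, and reports whether the profile embeds the certificate you are considering revoking; the sample profiles and certificate bytes are constructed, and the function names are hypothetical.

```python
import hashlib
import plistlib
from datetime import datetime, timedelta

RENEW_AFTER = timedelta(days=270)  # the "every 9 months" policy described above


def extract_profile(blob: bytes) -> dict:
    """Return the plist embedded in a .mobileprovision file.

    The file is a CMS (PKCS#7) signed container. This only locates the XML
    payload for inventory purposes and does NOT verify the signature.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def audit_profile(blob: bytes, now: datetime, target_cert_sha1: str = "") -> dict:
    """Classify one profile and say whether it embeds the certificate in question."""
    p = extract_profile(blob)
    created, expires = p["CreationDate"], p["ExpirationDate"]  # naive UTC datetimes
    # SHA-1 over the DER bytes is the fingerprint Keychain Access displays.
    fingerprints = [hashlib.sha1(der).hexdigest()
                    for der in p.get("DeveloperCertificates", [])]
    if now >= expires:
        status = "expired"
    elif now - created >= RENEW_AFTER:
        status = "renew"
    else:
        status = "ok"
    return {
        "name": p.get("Name", "?"),
        "status": status,
        "days_left": (expires - now).days,
        "embeds_target_cert": target_cert_sha1.lower() in fingerprints,
    }


# --- constructed sample data (not real certificates or profiles) ---
OLD_CERT = b"constructed-old-distribution-cert"
NEW_CERT = b"constructed-new-distribution-cert"


def make_sample(name, created, certs):
    body = plistlib.dumps({
        "Name": name, "CreationDate": created,
        "ExpirationDate": created + timedelta(days=365),
        "ProvisionsAllDevices": True,
        "DeveloperCertificates": certs,
    })
    return b"\x30\x80constructed-cms-header" + body + b"constructed-cms-trailer"


def sample_report():
    now = datetime(2024, 6, 1)
    target = hashlib.sha1(OLD_CERT).hexdigest()
    profiles = [
        make_sample("Sales App", datetime(2023, 8, 1), [OLD_CERT]),
        make_sample("Field App", datetime(2024, 3, 1), [NEW_CERT]),
        make_sample("Legacy App", datetime(2023, 1, 1), [OLD_CERT]),
    ]
    return [audit_profile(b, now, target) for b in profiles]


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```

On real files, pass the bytes of each `embedded.mobileprovision` pulled from your deployed `.ipa` archives and the SHA-1 fingerprint of the certificate under review.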

When you publish your app for Enterprise distribution, the .plist file you are concerned about will be produced for you (along with the .ipa). If you actually want to distribute with an Ad Hoc certificate, just use the Ad Hoc certificate when signing the app for Enterprise distribution.

Hi, the problem I have here is that I don't have any Xcode dev IDE, nor do I use the Mac platform. How can I get this while using a pure Windows environment? The problem is when someone sends me an .ipa file and I want to prepare it for OTA without a Mac environment?

The person who sends you just an .ipa file should read the instructions I reference, then send you both the .ipa and .plist file that they created. It gets created for you already. Tell that person to send it your way.

javascript - IPA file + plist required for Overthe air installation? -...

javascript ios html5 ios5

Yes, an enterprise license will solve your problem. But since the app is being deployed for 10 different companies, each company should have the app built using their own certificates and profiles.

Is it legal if I share distribution provisioning profiles with companies?

Actually with your provisioning profile, you are supposed to distribute apps only to employees of your enterprise and not other companies. That would be a license violation.

@Kai this is in the enterprise license agreement.

iOS Developer Program - Stack Overflow

ios iphone-developer-program

Thanks so much! That was exactly what I was looking for!

certificate - If I revoke iOS Enterprise will the app still work? - St...

ios certificate

If the provisioning file is regenerated for the same certificates, i.e., the same bundle ID, then it will be considered a newly signed identity rather than an update. But if you revoke the certificates, then the previous apps built with the existing certificate will stop, irrespective of provisioning files regenerated. The above situation applies only for Enterprise builds and not for Ad-Hoc builds.

ios - Regenerating a Provisioning Profile - Stack Overflow

ios xcode provisioning-profile ipa

If the company has a developer Enterprise license, then you can take your source code and build and sign using certificates created from their account. This version of the app can then be distributed within the company. Note that if this company does not currently have an Enterprise developer account, they will have to sign up for one (requires a D-U-N-S number) and will need to incur the annual cost of $299.

There are a number of things that you need to deal with. You will need to deal with ownership of your code, ongoing support and recompiling the app for them annually when the certificate expires, etc. since you are not an employee of this company.

This question will probably get closed for being off-topic, but hopefully gives you something to think about.

You're awesome! That's right. What if I license the app to them for a period of one year, and periodically support the app for a period of one year? It's a hassle, but is it that big of a deal? One thing though: all this would work only if they give me their provisions and certificates; otherwise, me giving my code to them would be stupidity.

If anyone can tell me, After the distribution provision expires after 1 year (of enterprise dev account), can the enterprise renew its certificate and continue to use the app or should the app be built again with the renewed provision?

For an enterprise app, when the distribution certificate expires, the app will no longer run. The app needs to be rebuilt with a new valid certificate and an update deployed. Also, an existing certificate can be revoked at any point of time which will also stop the app from running.

I plan to license my app to an enterprise, but I want the license to last one year, from the date of build. But I heard some guys re-packaging the app with their distribution certificates whenever they want, that would be painful!

ios - Distributing to different enterprise accounts AppStore - Stack O...

ios enterprise in-house-distribution