How to manage Enterprise Distribution certificate expiration?

Our customer has just joined the iOS Developer Enterprise Program. They have signed the app (developed by us) with their Enterprise Distribution certificate and installed it successfully on some devices via MDM.

As far as I know, when my non-enterprise distribution certificate expires I have to renew it. This expiration disables all apps signed with the expired certificate as soon as the device checks the certificate's validity against Apple’s OCSP server.

Alternatively, I can revoke my non-enterprise distribution certificate before the expiration date and ask Apple for a new one. Applications signed with the revoked certificate, for example Ad Hoc beta apps, will be disabled by the same mechanism.

So with my developer program I can't have two valid distribution certificates at the same time. Ok, as developers we can live with that.

Can our customer have two valid Enterprise Distribution certificates at the same time with the iOS Developer Enterprise Program?

According to Apple:

Certificate Validation

The first time an application is opened on a device, the distribution certificate is validated by contacting Apple’s OCSP server. Unless the certificate has been revoked, the app is allowed to run. Inability to contact or get a response from the OCSP server is not interpreted as a revocation. To verify the status, the device must be able to reach ocsp.apple.com. See “Network Configuration Requirements” (page 9).

The OCSP response is cached on the device for the period of time specified by the OCSP server—currently between 3 and 7 days. The validity of the certificate will not be checked again until the device has restarted and the cached response has expired. If a revocation is received at that time, the app will be prevented from running. Revoking a distribution certificate will invalidate all of the applications you have distributed.

An app will not run if the distribution certificate has expired. Currently, distribution certificates are valid for one year. A few weeks before your certificate expires, request a new distribution certificate from the iOS DevCenter, use it to create new distribution provisioning profiles, and then recompile and distribute the updated apps to your users. See “Providing Updated Apps” (page 10).

Am I missing something, or is it possible that the employees, with potentially hundreds of iOS devices with several In House apps, can't open their applications while they wait for the re-signed apps?

zapador asked Feb 09 '12 18:02



2 Answers

This is an issue that we have been dealing with for the last 2 years. The in-house applications do stop working after 1 year. It is a massive exercise for an organization like ours to rebuild hundreds of apps and redeploy them on thousands of devices every year.

For us it is a month long exercise where we rebuild all our apps and inform all users to get new ones through the distribution channel. Still every year some users are left with non-functional apps.

I have filed an enhancement request with Apple (Bug ID #9848075) for this and am still waiting for a reply.

EDIT: The above mentioned bug is closed now. Here's the official response:

Distribution certs for enterprise are now 3 years in duration.

Vin answered Sep 25 '22 08:09


The "missing" link is now http://help.apple.com/iosdeployment-apps/?lang=en#app43ad74a3

A few weeks before your certificate expires, request a new distribution certificate from the iOS Dev Center, use it to create new distribution provisioning profiles, and then recompile and distribute the updated apps to your users.

The document also describes how to update apps. There are frameworks that easily integrate an update mechanism into your app, e.g. "Hockey": https://github.com/therealkerni/HockeyKit

Quoting the full article:

Certificate validation

The first time a user opens an app, the distribution certificate is validated by contacting Apple’s OCSP server. Unless the certificate has been revoked, the app is allowed to run. Inability to contact or get a response from the OCSP server isn’t interpreted as a revocation. To verify the status, the device must be able to reach ocsp.apple.com. See Network configuration requirements.

The OCSP response is cached on the device for the period of time specified by the OCSP server—currently, between 3 and 7 days. The validity of the certificate isn’t checked again until the device has restarted and the cached response has expired. If a revocation is received at that time, the app is prevented from running. Revoking a distribution certificate invalidates all of the apps you’ve distributed.

An app won’t run if the distribution certificate has expired. Currently, distribution certificates are valid for one year. A few weeks before your certificate expires, request a new distribution certificate from the iOS Dev Center, use it to create new distribution provisioning profiles, and then recompile and distribute the updated apps to your users. See Providing updated apps.

Anton answered Sep 25 '22 08:09
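The Apple text quoted in the question and again in this answer makes two operational points: an app stops running the moment the distribution certificate has expired (no OCSP grace period applies to expiry), and the only remedy is to request a new certificate, build new profiles and re-sign a few weeks ahead. What a fleet operator needs for that is an early warning. Below is an added example, my own code and not from the question, the answers or Apple's documentation, of a small Python checker that reads a .mobileprovision, extracts the profile's ExpirationDate and the notAfter of every certificate in DeveloperCertificates, and flags anything due within a configurable number of days. It uses only the standard library: the plist is found inside the CMS wrapper by locating its XML payload, and notAfter is read with a minimal DER walker. The sample profile at the bottom is constructed (filler bytes stand in for the CMS signature and the certificates are unsigned, X.509-shaped stand-ins), so the script runs offline.

```python
"""Expiry checker for an iOS in-house provisioning profile and the
distribution certificate(s) embedded in it.

Added example, not code from the question, the answers or Apple.
Standard library only: the plist is located inside the CMS wrapper by
searching for its XML payload, and each certificate's notAfter is read
with a minimal DER walker. The sample profile at the bottom is constructed.
"""
import plistlib
from datetime import datetime, timedelta, timezone

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18


def _tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split a constructed DER value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    """UTCTime (YYMMDD...) or GeneralizedTime (YYYYMMDD...) to an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == UTC_TIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_not_after(der):
    """Return notAfter of a DER X.509 certificate (tbsCertificate.validity[1])."""
    _, cert, _ = _tlv(der)                    # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert)                    # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = _children(fields[3][1])
    return _parse_time(*not_after)


def extract_plist(profile_bytes):
    """Pull the XML plist out of a CMS-wrapped .mobileprovision blob."""
    start = profile_bytes.index(b"<?xml")
    end = profile_bytes.index(b"</plist>") + len(b"</plist>")
    return plistlib.loads(profile_bytes[start:end])


def check_profile(profile_bytes, now, warn_days=30):
    """Return profile/cert expiry dates and the names of anything due within warn_days."""
    plist = extract_plist(profile_bytes)
    profile_exp = plist["ExpirationDate"].replace(tzinfo=timezone.utc)
    cert_exps = [cert_not_after(c) for c in plist["DeveloperCertificates"]]
    horizon = now + timedelta(days=warn_days)
    due = ["profile"] if profile_exp <= horizon else []
    due += [f"cert{i}" for i, exp in enumerate(cert_exps) if exp <= horizon]
    return {"profile": profile_exp, "certs": cert_exps, "warnings": due}


# ---- constructed sample input (no real certificate or CMS signature) ----

def _der(tag, value):
    """Encode one DER TLV (short and long length forms)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    if n < 0x100:
        return bytes([tag, 0x81, n]) + value
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + value


def make_fake_cert(not_after):
    """Stand-in certificate: X.509-shaped up to validity, placeholders elsewhere, unsigned."""
    utc = lambda d: _der(UTC_TIME, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                    # version v3
        _der(0x02, b"\x01"),                                                # serialNumber
        _der(0x30, b""),                                                    # signature (placeholder)
        _der(0x30, b""),                                                    # issuer (placeholder)
        _der(0x30, utc(not_after - timedelta(days=365)) + utc(not_after)),  # validity
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


SAMPLE_NOW = datetime(2013, 1, 15, tzinfo=timezone.utc)   # constructed "today"


def sample_profile():
    """Constructed .mobileprovision-like blob; filler bytes stand in for the CMS wrapper."""
    plist = plistlib.dumps({
        "Name": "Constructed In-House Profile",
        "ExpirationDate": datetime(2013, 12, 1),
        "DeveloperCertificates": [
            make_fake_cert(datetime(2013, 2, 9, tzinfo=timezone.utc)),   # 25 days left
            make_fake_cert(datetime(2015, 6, 1, tzinfo=timezone.utc)),   # a newer cert
        ],
    })
    return b"\x30\x82 CMS-SIGNEDDATA-FILLER " + plist + b" CMS-FILLER"


if __name__ == "__main__":
    print(check_profile(sample_profile(), SAMPLE_NOW))
```

Run against the constructed profile, the checker reports cert0 as due and leaves the profile and the newer certificate alone. On a real Mac the same data is reachable with `security cms -D -i embedded.mobileprovision` (decodes the CMS wrapper) and `openssl x509 -inform DER -noout -enddate` on each DeveloperCertificates entry; scheduling a check like this well ahead of the warn window is what turns the yearly (now three-yearly) re-signing exercise described in the answers into a planned rollout rather than an outage.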