What is the best way of deploying enterprise iOS app with AirWatch

Question

EDIT: see conclusion at the end of this post.

First off, let me clarify I've found a few similar questions/answers on SO, but none that apply to my particular situation. The one that came closest is this one but it doesn't address the AirWatch aspect.

So I'll try to be very specific.

Background

I have an iOS application that's free. I also have the same app for Android and Windows 10 but those are not my concern. The iOS app is available to anyone from the App store. But I have a few large corporate customers who use AirWatch to manage the installation/update cycle of their devices. They either have Enterprise or VPP Apple accounts. They want me to provide them with the IPA file so they can distribute it themselves through AirWatch. In my mind, that's a perfectly legitimate request: they just want to have better control over what gets installed on their devices.

Problem

From what I understand, an Enterprise account requires that the application be signed with the customer's certificate. But if I have several such customers, that means I have to re-sign each application for each customer, every time I have a new update available. And those customers that have VPP accounts cannot use them because the VPP program only applies to paid apps, not to free ones.

Note: keep in mind that at that stage when I'm ready to provide the app to these customers, the app has already been reviewed and accepted by the App Store. So it's deemed legit.

After googling this matter for a while, I know it's possible for someone else to resign an app or to sign it for the first time if it is provided in unsigned form to start with. However, resigned apps are apparently not supported by AirWatch (and, I assume, other MDM's as well).

If that information is incorrect, then I guess all I would need to know is the recipe that I, as a coder, have to follow before providing the app to my customers and what kind of steps they have to take in order to deploy using AirWatch.

Question

So how do I get my free app to my customers so they can manage the distribution themselves, without me having to go through yet another set of hassles every time I change something. Remember: if I only had a single corporate customer I wouldn't give it a second thought and I would just use their own certificates but I have several potential customers with the same requirements, so the point is to make it easy for all of them and for myself.

I hope my question was clear enough, thanks in advance for any help.

EDIT - Conclusion: I was able to validate that an unsigned IPA file can be signed with the customer's certificate and uploaded to their AirWatch distribution app. Which means I simply have to provide the unsigned version to any customer with the same issue and they will be able to distribute the app themselves with their MDM. Hope this information helps others.

Answer 1

If your customers really can't re-sign your IPA, I believe the best solution for you to do would be to sign up yourself for an enterprise account, then use your own enterprise provisioning profile to sign a single ipa for distribution to the companies that need the app. Their MDM platforms should be able to handle the "trusting" of your enterprise signing identity, so the experience for the end users would be no different than if they were installing and running one signed by their own enterprise account.

The downside of this is that you will then be on the hook for providing your customers new versions when your cert of profile is about to expire. If you have them re-sign your IPA, it would be their responsibility to keep track of that and resign / redistribute a new provisioning profile when they expire.

Also, I have never heard of any restrictions on MDM's distributing re-signed IPAs. I don't even understand how they could prevent it, as a properly re-signed IPA should look no different than an IPA that was build and signed using the new signing identity and profile. I would challenge that, as many MAM (Mobile App Management) vendors offer wrapping of apps that do re-sign the binaries and allow you to distribute those resigned IPAs through MDM systems. I would really expect any corporation with Airwatch to know how to resign an IPA using something like iReSign. That really is your easiest option. Build an IPA for each release, send it out to all your clients, and each can re-sign it with their own signing identity. That way if you stop doing development, they aren't reliant on your signing identity and profile to keep the application running.

Answer 2

because the VPP program only applies to paid apps, not to free ones.

You can manage free apps with VPP. It's maybe free but it's still a license. VPP manages licenses for an organization and allows admins to give and tack back these licenses.

I have right now free Apps in my AirWatch Console, in the tab "Purchased". This tab is only available if VPP is configured and displays only apps from the VPP. I can't go check in the VPP myself because I don't have any access but theses free apps wouldn't be in the tab "Purchased" if they weren't bought with the VPP.

They want me to provide them with the IPA file so they can distribute it themselves through AirWatch.

If you are ready to do that, your customers can upload the ipa file as an internal application and then deploy it to their iOS devices. As AirWatch customers, they should have access to the document VMware AirWatch Mobile Application Management (MAM) Guide with the Chatper 4 "Internal Applications". There is a particular process for iOS apps described.