The enterprise developer program for iOS has always been a bit of a second class citizen to Apple. Today they went a long way to righting that wrong.
Where’s the Beef?
So what’s the problem? Enterprise developers can just make and distribute apps right? Well, sorta. There are a lot of issues that go along with the Enterprise Developer program for iOS. I’ll break them down into two different categories.
App Store Services
When you make an enterprise iOS app it’s up to you to provision and distribute it via MDM. That means that enterprise devs simply stare at all the goodies that the App Store devs get to use on iOS. For a quick list of things that you don’t get with enterprise apps…
- App thinning
- On-Demand resource hosting
- Energy logs
- Crash logs
- Worldwide IPA hosting
Using enterprise iOS apps is a very manual process. Not having access to these services was just the icing on the cake for the real pain of enterprise iOS apps.
The Real Pain of Enterprise iOS Apps
The real pain is the provisioning. Not only do you need to manage the signing of the apps on your own but you also need to update the certificates and provisioning profiles.
With enterprise apps on iOS…
- Certificates expire every three years
- Certificates are only issued to the program agent (who often isn’t a dev)
- Provisioning Profiles expire every 12 months
- Apple revalidates the apps on device via the cursed PPQ service on a regular basis.
You have two enterprise signing certificates and it’s up to you to migrate apps from one to the other as the older one approaches expiration. It’s up to you to handle the CSRs, certificate issuance, and private keys. If the certificate for a deployed app expires, the app stops working.
You can update provisioning profiles via MDM, but not all MDMs support the feature, and then you have both the built apps and the separate profiles to manage. If the profile for a deployed app expires, the app stops working.
The PPQ service requires an internet connection, which means that enterprise apps can’t function behind air gapped networks for very long. Without an internet connection the apps will eventually stop working.
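The expiry failure mode described above is easy to catch ahead of time by reading the profile itself. The following Python script is an added example and is not from the original post: it pulls the XML plist out of a .mobileprovision (a CMS-signed blob whose payload is the plist), reports the profile's name, team, UUID and expiration date, and classifies it as ok, expiring soon, or expired relative to a reference time. The sample profile bytes, names, UUID and dates are constructed for this example; the extraction is a plain byte search and does not verify Apple's signature.

```python
import plistlib
import re
from datetime import datetime, timezone

# A .mobileprovision file is a CMS (PKCS#7) signed blob whose payload is an
# XML property list. The sample below is CONSTRUCTED for this example: a
# hand-written plist wrapped in placeholder bytes standing in for the CMS
# envelope. Every value (name, UUID, team, dates) is made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>Example In-House App (constructed)</string>
    <key>UUID</key>
    <string>00000000-0000-4000-8000-000000000000</string>
    <key>TeamName</key>
    <string>Example Org (constructed)</string>
    <key>ProvisionsAllDevices</key>
    <true/>
    <key>CreationDate</key>
    <date>2019-01-15T12:00:00Z</date>
    <key>ExpirationDate</key>
    <date>2020-01-15T12:00:00Z</date>
</dict>
</plist>
"""
SAMPLE_MOBILEPROVISION = (
    b"\x30\x82\x01\x00[fake CMS header]" + SAMPLE_PLIST + b"[fake CMS trailer]"
)

# The plist sits inside the CMS structure as a contiguous byte run, so a
# search for the XML document is enough to read it. This does NOT verify
# Apple's signature; it is an inventory aid, not a trust decision.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(blob: bytes) -> dict:
    """Return the embedded plist of a .mobileprovision as a dict."""
    match = _PLIST_RE.search(blob)
    if match is None:
        raise ValueError("no embedded XML plist found in profile")
    return plistlib.loads(match.group(0))


def profile_status(blob: bytes, now, warn_days: int = 30) -> dict:
    """Summarise a profile and classify it as ok / expiring-soon / expired.

    `now` is a timezone-aware datetime or an ISO-8601 string with an offset.
    plistlib returns naive UTC datetimes for <date> values, so UTC is
    attached before comparing.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    info = extract_plist(blob)
    expires = info["ExpirationDate"]
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    days_remaining = (expires - now).days
    if days_remaining < 0:
        state = "expired"
    elif days_remaining <= warn_days:
        state = "expiring-soon"
    else:
        state = "ok"
    return {
        "name": info.get("Name"),
        "uuid": info.get("UUID"),
        "team": info.get("TeamName"),
        # ProvisionsAllDevices is what distinguishes an enterprise (in-house)
        # profile from an ad hoc one that lists specific device UDIDs.
        "enterprise": bool(info.get("ProvisionsAllDevices", False)),
        "expires": expires.isoformat(),
        "days_remaining": days_remaining,
        "state": state,
    }


if __name__ == "__main__":
    report = profile_status(SAMPLE_MOBILEPROVISION, datetime.now(timezone.utc))
    print(f"{report['name']}: {report['state']} ({report['days_remaining']} days left)")
```

Run it over every profile your MDM has pushed and alert on anything in the expiring-soon state well inside the 12-month window. On macOS, `security cms -D -i app.mobileprovision` performs the same plist extraction (again without validating the chain), which is a handy cross-check; the `ProvisionsAllDevices` key is what marks a profile as an enterprise in-house profile rather than an ad hoc one.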
App Store apps don’t deal with any of this jazz. They just update and run because Apple signs them after they get uploaded to the store.
The B2B App Store allows developers to publish apps that are only available to certain VPP or DEP ID numbers. These apps go through app review, but it reviews apps on a different scale than the public store does. If your app just launches to a username/password entry screen you will get rejected from the public App Store. This same app can be approved for the B2B store.
The frustrating thing with B2B was that you couldn’t, with a few special exceptions, issue an app to yourself. You could only provide custom apps to a different DUNS number account. This is what Apple has changed: you can now assign B2B apps to yourself.
Since B2B apps are App Store apps that means that you get all of the awesome App Store services for your in-house apps. Almost more importantly, you never need to mess with signing certificates again!
How to Do Self-B2B
The first thing is that you need to publish your app on the B2B store. To do this you submit it for review like any other iOS app, but you specify that it is “Available privately as a custom app for business.” The other item here is that you will probably want to set the price at $0.00 for yourself.
Once you get the notification that the review is finished you can assign the app to your own org. You do this using your DEP ID from Apple Business Manager.
After that you will need an Administrator level account to enable Custom Apps in the Settings of ABM. Once that is done you will be able to purchase the licenses and they will show up on the MDM servers that your VPP token is installed on.
From there it’s just deploying apps like you would with MDM for any other App Store app, except that it’s your in-house app. Signed and distributed by Apple just for you.