How to export “in-house” developed iOS app as an enterprise application

Milan Harindu Perera
Published in WSO2 IoT
Oct 23, 2016

Organizations can use the Apple Developer Enterprise Program to create proprietary enterprise apps for iOS devices and distribute them to employees for internal use. Apple recommends distributing the apps through a mobile device management (MDM) solution, because it is secure and requires no user interaction. Users can also install these custom apps from a secure website operated by their organization.

The intention of this article is to walk through the steps needed to create iOS enterprise applications for internal use. It does not explain how to develop the application itself; rather, it focuses on the distribution aspects of an enterprise application once the app has been developed.

First of all, let's get to know the basic concepts of Apple application development.

Managing Developer Account Team

Once an organization enrolls and receives membership of the Apple Developer Enterprise Program, the organization is treated as a team and can invite people to the team and assign them roles. There are three roles, agent, admin and member, each granting a different level of access to team assets. Team members have roles and privileges that pertain to the development and distribution process. These roles define who is allowed to enable certain app services, who is allowed to create identifiers, who is allowed to create distribution assets, and so on. After team members are added, they are responsible for performing such tasks on the organization's behalf. For example, a developer (a team member) may need to enable capabilities for the App ID and create client SSL certificates for APNs, Pass Type IDs, and iCloud containers.

Signing Identities and Certificates

Code signing an app allows the operating system to identify who signed the app and to verify that the app hasn't been modified since it was signed. The app's executable code is protected by its signature because the signature becomes invalid if any of the executable code in the app bundle changes. Code signing is used in combination with the App ID, provisioning profile, and entitlements to ensure that:

  • The app is built and signed by a developer or a trusted team member.
  • Apps signed by a developer or your team run only on designated development devices.
  • Apps run only on the specific test devices.
  • The app does not use app services that have not been added to it.
  • If you choose to distribute outside of the store, the app cannot be modified and redistributed by someone else.

Xcode uses a signing identity to sign an app during the build process. This signing identity consists of a public-private key pair that Apple issues. The public-private key pair is stored in the keychain and used by cryptographic functions to generate the signature. The certificate stored in the developer account contains just the public key. An intermediate certificate is also required to be in the keychain to ensure that the certificate was issued by a certificate authority. When Xcode is installed, Apple's intermediate certificates are added to the keychain. Xcode can be used to create a signing identity and sign the app: the signing identity is added to the keychain, and the corresponding certificate is added to the developer account.
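To make the "signature becomes invalid if any of the executable code changes" point concrete, here is an added example (not code from the article or from Apple) that models how an iOS code signature detects tampering. Apple's signature hashes the executable in 4 KiB pages into a CodeDirectory, and it is the hash of that directory (the cdhash) that the signing identity actually signs. The example reproduces that structure with SHA-256; because the Python standard library has no asymmetric primitives, an HMAC under a constructed key stands in for the RSA/CMS signature of a real signing identity, which is an assumption of the example, not how Xcode signs. The sample "executable" and key are constructed.

```python
import hashlib
import hmac
from typing import List, Tuple

# Apple's CodeDirectory records a hash of every 4 KiB page of the executable.
PAGE_SIZE = 4096


def page_hashes(code: bytes, page_size: int = PAGE_SIZE) -> List[bytes]:
    """SHA-256 of each page of the executable (the final page may be short)."""
    return [hashlib.sha256(code[i:i + page_size]).digest()
            for i in range(0, len(code), page_size)]


def cdhash(hashes: List[bytes]) -> bytes:
    """Hash over the whole code directory; this single value is what gets signed."""
    return hashlib.sha256(b"".join(hashes)).digest()


def sign_code(code: bytes, signing_key: bytes) -> dict:
    """Produce a signature record: the page hashes, their cdhash and a MAC over it.
    HMAC stands in for the CMS/RSA signature of a real signing identity (assumption)."""
    hashes = page_hashes(code)
    directory_hash = cdhash(hashes)
    return {
        "page_hashes": hashes,
        "cdhash": directory_hash,
        "signature": hmac.new(signing_key, directory_hash, hashlib.sha256).digest(),
    }


def verify_code(code: bytes, record: dict, signing_key: bytes) -> Tuple[bool, List[int]]:
    """Return (valid, indices of pages whose contents no longer match the record)."""
    # 1. The signature must cover the recorded code directory hash.
    expected = hmac.new(signing_key, record["cdhash"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["signature"]):
        return False, []
    # 2. The recorded page hashes must reproduce the signed cdhash (directory not edited).
    if cdhash(record["page_hashes"]) != record["cdhash"]:
        return False, []
    # 3. Every page on disk must still match its recorded hash.
    current = page_hashes(code)
    if len(current) != len(record["page_hashes"]):
        return False, list(range(max(len(current), len(record["page_hashes"]))))
    bad = [i for i, (now, then) in enumerate(zip(current, record["page_hashes"])) if now != then]
    return not bad, bad


def tamper(code: bytes, offset: int) -> bytes:
    """Flip one byte at `offset`, as a patched executable would."""
    patched = bytearray(code)
    patched[offset] ^= 0xFF
    return bytes(patched)


# Constructed sample: a 10 KiB "executable" (three pages) and a constructed key.
SAMPLE_CODE = bytes(range(256)) * 40
SIGNING_KEY = b"constructed-signing-key-not-a-real-identity"
RECORD = sign_code(SAMPLE_CODE, SIGNING_KEY)

if __name__ == "__main__":
    print("untouched :", verify_code(SAMPLE_CODE, RECORD, SIGNING_KEY))               # (True, [])
    print("patched   :", verify_code(tamper(SAMPLE_CODE, 5000), RECORD, SIGNING_KEY))  # (False, [1])
    print("wrong key :", verify_code(SAMPLE_CODE, RECORD, b"someone-else"))            # (False, [])
```

Because each page is hashed separately, the verifier can report which page was altered; the real kernel check works the same way, rejecting a page at load time when its hash does not match the signed directory, and the whole signature fails if the directory itself or the signing identity does not check out.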

Team accounts (Ref [3])

Signing identities are used to sign the app or installer package. A development certificate identifies the developer, as a team member, in a development provisioning profile that allows apps signed by that developer to launch on devices. A distribution certificate identifies the team or organization in a distribution provisioning profile and allows the organization to submit its app to the store. Only a team agent or an admin can create a distribution certificate.

From Xcode 8 onwards, there is an "Automatically manage signing" option which creates a development provisioning profile, so that apps signed by the developer can be launched on devices without manually creating a provisioning profile.

Automatically manage signing: Xcode 8

However, keep in mind that when an app is signed with a development provisioning profile and pushed to a device, some services the app uses will only work in the sandbox environment. For example, suppose an app uses APNs and has a production SSL certificate. After it is signed with a development provisioning profile, the push token that is generated and used to send notifications to the device will only work against the sandbox APNs server (gateway.sandbox.push.apple.com), because the APNs token generated under a development profile differs from the one generated under a distribution profile.

Exporting an app as an Enterprise App

In order to export and distribute an app as an enterprise app, as mentioned before, an iOS distribution certificate is required beforehand. To obtain one, first log into the Apple Developer account and navigate to the Certificates, Identifiers & Profiles section. There, click the Certificates menu item in the left pane and press the (+) icon to create a new distribution certificate.

Create new certificate: Apple development portal

In the wizard, under the Production section, select the "In-House and Ad-hoc" radio button and click Continue.

In-house application development: Apple development portal

Then create a Certificate Signing Request (CSR) using the Keychain Access utility on the Mac and submit it. Once that is done, the newly generated certificate is presented. Click the Download button and double-click the downloaded certificate. It is installed on the computer automatically and can be seen in Keychain Access.

Distribution profile: Apple Keychain Access tool

Next, create a distribution provisioning profile. Under the Provisioning Profiles section, click Distribution and then (+). Select the "In House" radio button under the Distribution section and click Continue.

In house application provisioning: Apple development portal

The wizard then moves to a page where the App ID of the app to be exported as the enterprise app must be selected. After that, it shows the distribution certificate that was just created; select it and click Continue. Then set a profile name and continue. The last page of the wizard shows a button to download the distribution provisioning profile just created. Once it is downloaded, double-click the item and it is installed into Xcode automatically.
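Before an app ships with the downloaded profile, it is worth checking what the profile actually grants: whether it is really an in-house profile rather than a device-limited development or ad hoc one, when it expires, and which APNs environment its entitlements name, which is the sandbox-versus-production issue described above. The following is an added example, not code from the article or an Apple tool. It assumes the documented layout of a .mobileprovision file: a CMS (PKCS#7) signed message whose payload is an XML plist embedded verbatim, so the plist can be cut out between its delimiters. The two profiles are constructed for the example (placeholder team ID, UDID and filler bytes in place of the CMS envelope), and the classification rules follow the keys Apple places in each profile type. The parser does not verify Apple's signature over the file; on macOS, `security cms -D -i profile.mobileprovision` decodes the profile with the signature checked.

```python
import plistlib
from datetime import datetime, timezone


def extract_plist(profile_bytes: bytes) -> bytes:
    """Cut the XML plist payload out of the CMS envelope (signature is NOT verified here)."""
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return profile_bytes[start:end + len(b"</plist>")]


def profile_kind(profile: dict) -> str:
    """Classify the profile by the keys Apple puts in each distribution type."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):      # in-house profiles carry no device list
        return "enterprise (in-house)"
    if "ProvisionedDevices" in profile:          # device-limited: development or ad hoc
        return "development" if entitlements.get("get-task-allow") else "ad hoc"
    return "app store"


def check_profile(profile_bytes: bytes, now: datetime = None) -> dict:
    """Summarize the properties worth reviewing before an app ships with this profile."""
    profile = plistlib.loads(extract_plist(profile_bytes))
    now = now or datetime.now(timezone.utc)
    expires = profile["ExpirationDate"]
    if expires.tzinfo is None:                   # plistlib returns naive UTC datetimes
        expires = expires.replace(tzinfo=timezone.utc)
    entitlements = profile.get("Entitlements", {})
    aps = entitlements.get("aps-environment")
    return {
        "name": profile["Name"],
        "kind": profile_kind(profile),
        "expired": expires <= now,
        "app_id": entitlements.get("application-identifier"),
        "debuggable": bool(entitlements.get("get-task-allow")),
        "aps_environment": aps,
        # A push token is only valid against the APNs environment the profile names.
        "apns_gateway": {"development": "gateway.sandbox.push.apple.com",
                         "production": "gateway.push.apple.com"}.get(aps),
    }


# --- constructed sample profiles (not Apple-issued; filler bytes stand in for the CMS envelope) ---
def constructed_profile(name: str, entitlements: dict, **extra) -> bytes:
    body = {
        "Name": name,
        "TeamIdentifier": ["TEAMID0000"],        # placeholder team ID
        "CreationDate": datetime(2016, 10, 23),
        "ExpirationDate": datetime(2017, 10, 23),
        "Entitlements": entitlements,
    }
    body.update(extra)
    return b"\x30\x82\x00\x00" + plistlib.dumps(body) + b"\x00" * 16


APP_ID = "TEAMID0000.com.example.inhouse"      # placeholder application identifier
IN_HOUSE = constructed_profile(
    "Example In-House Profile",
    {"application-identifier": APP_ID, "get-task-allow": False, "aps-environment": "production"},
    ProvisionsAllDevices=True)
DEVELOPMENT = constructed_profile(
    "Example Development Profile",
    {"application-identifier": APP_ID, "get-task-allow": True, "aps-environment": "development"},
    ProvisionedDevices=["00000000-0000000000000000"])  # placeholder UDID

BEFORE_EXPIRY = datetime(2017, 1, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2018, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for blob in (IN_HOUSE, DEVELOPMENT):
        print(check_profile(blob, now=BEFORE_EXPIRY))
```

Run against a real profile, `check_profile(open("embedded.mobileprovision", "rb").read())` gives a quick answer to the questions that matter at export time: an in-house build should report `kind == "enterprise (in-house)"`, `debuggable == False` and `aps_environment == "production"`; a build that reports `"development"` will only ever reach the sandbox APNs gateway, which is exactly the symptom described earlier.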

Now, select the provisioning profile just created in both the Release and Debug signing selectors under the project's General settings.

Application’s general settings: Xcode

Xcode then automatically locates the certificates relevant to this profile and validates them.

Finally, the export process. Navigate to Product -> Archive in Xcode and, once the archive has been built, click Export.

Archive: Xcode

Select "Save for Enterprise Deployment" as the method of export in the menu shown and click Next.

Method of export: Xcode

Xcode then searches for teams and prompts with a window to select the development team whose provisioning should be used for the enterprise deployment. Choose the development team and, in the next window, select "Export one app for all compatible devices" and click Next. As a result it creates an enterprise application that can be distributed and installed on devices. Finally, set the location to export the app to. That's it!

Summary

The primary objective of this article has been to provide a basic idea of Apple application development and deployment concepts such as teams, distribution certificates and provisioning profiles, and finally the way to export an in-house-developed app as an enterprise app.

References

[1] https://developer.apple.com/programs/enterprise/

[2] https://support.apple.com/en-us/HT204460

[3] https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html

[4] https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/ManagingYourTeam/ManagingYourTeam.html
