How to export “in-house” developed iOS app as an enterprise application

Organizations can use the Apple Developer Enterprise Program to create proprietary enterprise apps for iOS devices and to distribute them to employees for internal use. Apple recommends using an (MDM) solution to distribute the apps because it is secure and requires no user interaction. Users can also install these custom apps from a secure website operated by their organization.

The intention of this article is to provide necessary steps to create iOS enterprise applications for internal use. However, this article is not going to explain about the ways of developing application; rather it focuses on distribution aspects of enterprise application once an app is developed.

First of all, lets get to know about the basic concepts of Apple application development.

Managing Developer Account Team

Signing Identities and Certificates

  • App is built and signed by a developer or a trusted team member.
  • Apps signed by a developer or your team run only on designated development devices.
  • Apps run only on the specific test devices.
  • App does not use app services which are not added to app.
  • If choose to distribute outside of the store, the app cannot be modified and distributed by someone else.

Xcode uses signing identity to sign an app during the build process. This signing identity consists of a public-private key pair that Apple issues. The public-private key pair is stored in the keychain, and used by cryptographic functions to generate the signature. The certificate stored in developer account contains just the public key. An intermediate certificate is also required to be in keychain to ensure that certificate is issued by a certificate authority. When installing Xcode, Apple’s intermediate certificates are added to keychain. Xcode can be used to create signing identity and sign app. The signing identity is added to keychain, and the corresponding certificate is added to developer account.

Team accounts (Ref [3])

Signing identities are used to sign app or installer package. A development certificate identifies developer, as a team member, in a development provisioning profile that allows apps signed by developer to launch on devices. A distribution certificate identifies team or organization in a distribution provisioning profile and allows organization to submit their app to the store. Only a team agent or an admin can create a distribution certificate.

From Xcode 8 onwards, there’s an option “Automatically manage signing” which creates a development provisioning profile so that it allows apps to be signed by the developer to launch on devices very easily without bothering about provision profile creation.

Automatically manage signing: Xcode 8

However it is necessary to keep in mind that when an app is signed by a development provisioning profile and pushed to a device, some services that app is going to use will only work in sandbox environment. For an example, if an app uses APNs and has a production SSL certificate. After it is signed by a development provisioning profile the push token that is generated and use to send notifications to a device will only work in sandbox APN server ( The reason is, because the generated APN token is different from development profile to distribution profile.

Exporting an app as an Enterprise App

Create new certificate: Apple development portal

In the given wizard, under Production section, select “In-House and Ad-hoc” radio button and hit continue.

In-house application development: Apple development portal

Then create a Certificate Signing Request (CSR) using Keychain Access utility tool in the Mac and submit. Once it is done, the newly generated certificate will be prompt. Hit download button and double click the downloaded certificate. It will automatically install into the computer and can be seen in the Keychain Access.

Distribution profile: Apple Keychain Access tool

Then it is the time to create a distribution provisioning profile. Under the Provisioning Profile section, click Distribution and (+). Then select “In House” radio button under distribution section and hit continue.

In house application provisioning: Apple development portal

Then the wizard will move to a page where it is required to select the App ID of the app that is going to be exported as the enterprise app. After, it will show the distribution certificate which is just created. Select it and hit continue. Then set a profile name and continue. On the last page of the wizard will show a button to download the distribution provisioning profile just created. Once it is downloaded, double click on the item and it will automatically get installed to the Xcode.

Now, select the provisioning profile which is just created from both release and debug signing selectors under project’s general settings.

Application’s general settings: Xcode

Then Xcode will automatically verify the relevant certificates with regard to this profile and validate.

Finally, the exporting process. Navigate to Product -> Archive from Xcode and hit export.

Archive: Xcode

Select “Save for Enterprise Deployment” as the method of export in the given menu and click next.

Method of export: Xcode

Now it will search and prompt a window to select a development team to use for provisioning that is to save for Enterprise Deployment. Choose the development team and in the next window select “Export one app for all compatible devices” and hit next. As the result it will create an enterprise application that can be distributed and installed into devices. Finally set the location to export the app. That’s it..!







Devices are part of the world we are living in. How these devices connect to the world and management is problem worth solving. WSO IoT aims to solve this —

Milan Harindu Perera

Written by

Senior Software Engineer @ WSO2



Devices are part of the world we are living in. How these devices connect to the world and management is problem worth solving. WSO IoT aims to solve this —