Enterprise deployment on iOS

From Resco's Wiki


Due to limitations imposed by Apple, it is impossible to distribute and install just any app onto the mobile device. Typically, the app is installed via App Store, where Apple approves it beforehand. If you want to distribute the app within your enterprise without App Store and Apple’s approval, the process gets a bit more complex.

Generally, the app needs to be signed with your Apple Developer / Enterprise team distribution certificate to allow it to run without having been installed through the App Store. Since Resco has built the application for distribution through the store, you will need to re-sign the app with your Enterprise certificate in order to distribute it yourself.

This is necessary if you want to:

  • Use an MDM solution to distribute the app
  • Wrap the app for an MDM solution (and then distribute it as above)
  • Side-load the app to your testing device
  • Distribute a custom-build branded application

This document doesn’t explain the distribution process itself, but rather the steps required before the actual distribution and deployment takes place.

Prerequisites

To deploy the Mobile CRM application within your enterprise environment, you will need:

During the testing stage, you can use a Developer Account without enterprise enrollment. Such an account can be used with up to 100 devices, which have to be specified (by UDID) before the application is re-signed.

Creating the distribution certificate

First of all, you must prepare for distribution by creating a distribution certificate. It can be done easily from Xcode (Preferences / Accounts / Manage Certificates...) or manually via the Apple Developer portal (Certificates / Add / Apple Distribution). In both cases, a macOS computer is required. Keep in mind that the distribution certificate consists of two parts – a certificate and a private key. The private key is stored solely on the computer which created it (either from Xcode or when creating the certificate signing request file). If you want to migrate it to another Mac, it must be exported from Keychain Access as a .p12 file and imported into Keychain Access on the other Mac. Please refer to Apple documentation for more details.

If you want to verify that your distribution certificate is valid and it contains the private key, open the Terminal app and enter the following command:

security find-identity -v -p codesigning

Creating the provisioning profile: App ID

Once you have the distribution certificate, you have to register a new App ID in your iOS Developer portal. The iOS Developer portal is used for generating all the profiles and certificates, registering your app and more. It can be found here: https://developer.apple.com/

As a first step, you will need to create a new App ID, which will identify your app. (For detailed help see https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingProfiles/MaintainingProfiles.html)

To do that:

  1. Go to Member Center, select Certificates, Identifiers & Profiles.
  2. Select Identifiers, then App IDs.
  3. Click on ‘+’ to add a new App ID.
  4. Choose „Explicit App ID“ and type the unique bundle ID (let’s say com.yourcompany.mobilecrm).

Apple enterprise deployment - register app ID

Since an App ID must be globally unique and ‘net.resco.mobilecrm’ is already taken, we strongly suggest using ‘com.yourcompany.mobilecrm’ as the App ID. This will be used later in the process to identify your app: the provisioning profile grants installation rights only to the app with this bundle ID.

In the case of a custom mobile app, the bundle ID must match the Package Name from Woodford Mobile Apps definition:

Apple enterprise deployment - Package name in mobile app configuration

Creating the provisioning profile: Provisioning Profile

After that you can create the provisioning profile. (iOS uses the provisioning profile to verify that the app being installed comes from the right developer and that its content is unchanged.)

  1. Stay on the same page (Certificates, Identifiers & Profiles).
  2. Select Distribution under Provisioning Profiles on the left.
  3. Click ‘+’ to add new.
  4. Choose „In-House“ distribution and specify the App ID you just created and your company certificate. The in-house distribution option will not be available if you haven’t enrolled in Apple Developer Enterprise program (see prerequisites).
  5. Finally, download the newly created provisioning profile (.mobileprovision file).

Apple enterprise deployment - provisioning profile

During the testing stage (or if you don’t have the enterprise enrollment), you can use an „Ad-Hoc“ provisioning profile. In this case, you will have to specify the list of devices on which the application will be entitled to run. Each time you update this list, you will need to re-download the provisioning profile and re-sign the application once more to apply the changes.

Resigning IPA

Since the standard Resco application – the one Resco provides to you – is signed for distribution via App Store, you will need to re-sign the app. This will remove the information which allows the app to install and run only from the store and will add the info that you have enrolled in the Enterprise program and the app can be distributed this way.

Here is what you have to do:

  1. Download the iReSign application from https://www.resco.net/downloads/iReSign.app.zip
  2. Unpack it and run iReSign.app included in the ZIP package
  3. Browse to the MobileCRM.ipa file as the app package
  4. Browse to the provisioning profile file that you have previously created and downloaded
  5. You can leave entitlements section blank
  6. Do one of the following:
    • Enable Change ID and enter the bundle ID you specified during the App ID creation.
    • Disable Change ID for custom mobile apps that already have the right bundle ID.
  7. Choose your company distribution certificate (if you don’t have it see Common Problems) and click ReSign!.

The resulting IPA should be suitable for your company deployment. The file can then be distributed using the tool of your choice.

Apple enterprise deployment - resigning
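As an added check that is not part of Resco's page or of the iReSign tool, the following Python script reads embedded.mobileprovision out of the re-signed IPA and confirms that the profile matches the bundle ID you registered, is a distribution (not development) profile, has not expired, and, for an Ad-Hoc profile, lists the device you intend to install on. The profile fields, team ID and UDID in sample_profile are constructed sample data; extracting the plist by byte markers does not verify Apple's CMS signature on the profile (on a Mac, `security cms -D -i embedded.mobileprovision` does).

```python
import datetime
import plistlib
import zipfile

def extract_profile_plist(blob):
    """Pull the XML plist out of a .mobileprovision blob (a CMS signature wrapping the plist).
    On a Mac, `security cms -D -i <file>` does the same and also verifies Apple's signature."""
    return plistlib.loads(blob[blob.index(b"<?xml"):blob.index(b"</plist>") + len(b"</plist>")])

def profile_from_ipa(ipa_path):
    """Read Payload/<App>.app/embedded.mobileprovision out of a (re)signed IPA, a ZIP archive."""
    with zipfile.ZipFile(ipa_path) as z:
        name = next(n for n in z.namelist() if n.endswith(".app/embedded.mobileprovision"))
        return z.read(name)

def check_profile(blob, bundle_id, udid=None, now=None):
    """Return (kind, problems): kind is 'in-house' or 'ad-hoc'; problems is empty on a fit."""
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    p = extract_profile_plist(blob)
    ent = p.get("Entitlements", {})
    problems = []
    # application-identifier is "<TeamID>.<bundle ID>"; "<TeamID>.*" is a wildcard App ID
    app_part = ent.get("application-identifier", "").partition(".")[2]
    if app_part not in (bundle_id, "*"):
        problems.append(f"profile is for bundle ID {app_part!r}, not {bundle_id!r}")
    if ent.get("get-task-allow"):
        problems.append("get-task-allow is set: a development profile, not a distribution one")
    exp = p.get("ExpirationDate")          # plistlib yields a naive UTC datetime
    if exp is None or exp <= now:
        problems.append(f"profile has expired or lacks ExpirationDate ({exp})")
    if p.get("ProvisionsAllDevices"):
        kind = "in-house"                  # enterprise profile: any device may install
    else:
        kind = "ad-hoc"                    # only the listed UDIDs may install
        if udid and udid not in p.get("ProvisionedDevices", []):
            problems.append(f"ad-hoc profile does not list device {udid}")
    return kind, problems

def sample_profile(bundle_id="com.yourcompany.mobilecrm", in_house=False,
                   devices=("00008030-000000000000000A",)):
    """Constructed stand-in for a .mobileprovision: the plist wrapped in dummy CMS bytes."""
    fields = {"Name": "Sample profile", "TeamIdentifier": ["ABCDE12345"],
              "ExpirationDate": datetime.datetime(2099, 1, 1),
              "Entitlements": {"application-identifier": "ABCDE12345." + bundle_id,
                               "get-task-allow": False}}
    if in_house:
        fields["ProvisionsAllDevices"] = True
    else:
        fields["ProvisionedDevices"] = list(devices)
    return b"0\x82 dummy CMS header " + plistlib.dumps(fields) + b" dummy signature"
```

Run `check_profile(profile_from_ipa("MobileCRM.ipa"), "com.yourcompany.mobilecrm", "<device UDID>")` on the file iReSign produced; any non-empty problem list means the bundle ID, the device list or the profile were not updated together, which is exactly the situation in which the app installs but refuses to launch.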

Common problems

I am missing the distribution certificate in iReSign app

To obtain it, follow these steps:

  • Open the „Keychain Access“ application
  • Choose „login“ keychain and „My Certificates“ category
  • The „iPhone Distribution: Your Company“ certificate item should be listed under this category
  • Make sure that it has the private key included (it should be possible to expand the certificate, and the private key item should be included as its child)

If you are missing the certificate, please open the Xcode/Preferences/Accounts and log in with your company admin/agent credentials. Make sure that you have the iOS Distribution channel created.

If you have the certificate in the Keychain but it lacks the private key, go to Xcode/Preferences/Accounts, open the Details of your account and press the „Reset“ button next to the iOS Distribution item. This action will create a new private key for your distribution channel, and any previous keys will be discarded. This might invalidate other apps signed with this certificate.

I am missing the private key for the distribution certificate, but I have it on another Mac

In this case, you have to export the whole Xcode account from Xcode/Preferences/Accounts and import it on the other Mac. Alternatively, you can export the distribution certificate from „Keychain Access“ (export it as a .p12 file, otherwise the private key is not included) and import it on the other Mac (just double-click the file and follow the Keychain Access import wizard).

If everything fails

The subject is too complex to cover every problem you may encounter here. However, the chances are good that somebody has the answer you seek and has published the solution on the web. Consider searching Google, asking on http://www.stackoverflow.com or at the Apple Developer Forum – just to mention the obvious choices.