AppManager allows you to re-sign an iOS app, so that you can change the app's provisioning profile and certificate without rebuilding it. This article explains what are certificates and provisioning profiles for iOS apps and how they are involved in publishing an iOS app in AppManager.
- Code Signing iOS Apps
- Code Signing and AppManager
To run an app on an iOS device, you need to code sign it. To be able to code sign your iOS apps, you need to obtain a certificate, an App ID, and a provisioning profile. You need to enroll in the Apple iOS Developer Program or the Apple iOS Developer Enterprise Program, if you are not already enrolled, to create certificates, App IDs, and provisioning profiles.
You need a certificate signed by Apple to code sign an app in order to deploy it on a device during development or to distribute it to user devices. You need a development or distribution certificate to be able to create a development or distribution provisioning profile.
With a development certificate, you can code sign an app during development in order to deploy it on a device.
With a production certificate, you can code sign an app for publishing to the App Store, for in-house distribution, or for distribution to limited number of devices.
You can create a certificate in the iOS Dev Center only.
You cannot use a development certificate in combination with a distribution provisioning profile and vice versa.
To run an app on an iOS device, you need to sign it with a provisioning profile. The provisioning profile is a
mobileprovision file that contains information about the app identity, the certificate provided by Apple for signing your apps, a list of the UDIDs of provisioned devices (where applicable), the name of the team that owns the current provisioning profile, etc. There are four kinds of provisioning profiles:
Development - Used only during app development.
When you build an app with a development provisioning profile, you can debug it on a device. The development provisioning profile is the only provisioning profile that enables debugging on a device. With this type of provisioning profile, you can run your apps only on the devices included in the provisioning profile and you cannot publish apps to end users.
App Store - Used to distribute apps in the Apple App Store only.
You can publish apps created with an App Store distribution provisioning profile only in the Apple App Store. App Store distribution provisioning profiles do not contain provisioned devices.
App Store distribution is available only in the Apple iOS Developer Program.
Ad Hoc - Used to distribute apps to a limited number of users.
You can use an ad hoc provisioning profile if you want to distribute your app for testing to selected users or to develop a private app which is available to a limited number of devices. This profile ensures that only the provisioned devices can run the app.
When distributing an app in AppManager, that uses an ad hoc provisioning profile, you must ensure that the UDIDs of all user devices, that should be able to run the app, are listed in the provisioning profile.
In-house - Used for private deployment of apps within an enterprise.
This profile is especially useful for distributing an app to a bigger number of users within the same enterprise. It does not require you to register user devices and there is no limit on their number. Instead, all devices owned by the enterprise can run the app created with this profile.
In-house distribution is only available if you are enrolled in the Apple iOS Developer Enterprise Program.
Using AppManager, you can distribute apps signed with an Ad Hoc or an In-house provisioning profile.
You can also add apps built with a Development provisioning profile in AppManager but you should do this only during the development stage, for testing and debugging purposes.
You can create a provisioning profile in the iOS Dev Center only.
Apple Watch bundles consist of three components—a host app running on your iOS device, a WatchKit extension which takes care of the communication between the iOS device and the Apple Watch and a watch app running on the Apple Watch. Each component must have a unique, explicit App ID and a separate provisioning profile needs to be generated for each App ID. This means that you need to generate three App ID's and a set of three provisioning profiles if your iOS app is an Apple Watch bundle.
There are again four types of provisioning profiles—Development, App Store, Ad Hoc, In-house—the same as the ones listed in the previous section. All three provisioning profiles for the Apple Watch bundle must be of the same type. For example, you cannot combine an Ad Hoc provisioning profile for the host app with Development provisioning profiles for the WatchKit extension and the watch app.
When you are ready to add your iOS app to AppManager, it is already code signed and in most cases good for distribution. However, there are a couple of scenarios when you may need to re-sign your app:
- The provisioning profile that your app uses does not include all the devices to which you want to distribute the app. This can happen if the app has been developed outside of your organization or if you used an ad hoc provisioning profile to a point but then upgraded to an in-house (enterprise) one.
- The app's current provisioning profile is about to expire or has already expired.
You can find information in AppManager regarding the app's provisioning profile in the last section of the App Details page named Provisioning method. There are three types of iOS provisioning profiles that work with AppManager - Developement, Ad-Hoc and In-house. When your app is signed with an Ad Hoc or a Developerment provisioning profile, AppManager will provide a grid with information regarding the provisioned devices in the profile. The devices are separated into three groups:
- Registered devices in the provisioning profile - This is a list of devices along with their users that are provisioned in the app's provisioning profile. These users will be able to see and install the app on the listed devices.
Registered devices not in the provisioning profile - This is a list of devices, which users are in the app's distribution group and will be able to see the app, but their device is not provisioned in the app's provisioning profile and will not be able to install the app. You can get these device UDIDs by clicking the Export UDIDs button below the grid and add them in the provisioning profile. You can add users to a provisioning profile in the iOS Dev Center only.
After you add new devices to a provisioning profile, you should re-sign the app with the provisioning profile anew.
Unknown devices in the provisioning profile - This is a list of device UDIDs that have been added into the app's provisioning profile, but are not added in any of the groups that see the app. You may need to invite these users to your AppManager store, so that they can get the published app.
In-house provisioning profiles provision an app for all devices and provide the ideal solution if you want to distribute apps internally in your company. If your app is signed with an In-house provisioning profile, you won't see the provisioned devices grid.
Re-signing apps in AppManager happens on the App Details page. Click Re-sign and AppManager lets you choose whether you want to use already stored certificate and provisioning profile or upload new ones. Once you choose the provisioning profile and certificate and input the certificate password, click Re-sign. The Provisioning method section is automatically updated to display information about the new provisioning profile.
If AppManager recognizes your app as an Apple Watch bundle, it will require you to provide two additional provisioning profile files—for the WatchKit extension and the watch app. You need to upload all required provisioning profiles to re-sign the app successfully.
When using the secure storage in AppManager, if your app is recognized as an Apple Watch bundle, you will still see all available provisioning profiles, but you will not be able to select one that does not include the two additional provisioning profiles for the WatchKit extension and the watch app. AppManager notifies you about this with a message saying "Watch provisioning profiles not found". In this case, you need to use the Browse for files option to upload all required provisioning profiles.