15

There is a lot of information about iOS distribution. I think I understand the different distribution models, but I am looking for best practice for distributing an app to a client.

I have a client who has an Enterprise developer account and uses AirWatch for MDM. Here is how I am going to recommend to them that we distribute the app to their organization since they have no one technical on staff that has any experience with Xcode or iOS development and they will not be given access to the source code:

  1. Add me as a member of their developer account
  2. I build the app using their certificate
  3. I give them the .ipa and plist file to distribute either through MDM or website.

Is this the correct way to do this? What if I am going to sell this same app to three clients - would I do it a different way? Is there anything else that needs to be done to distribute through AirWatch?

Again, looking for best practice and how others are handling this situation. Please clarify if I have anything wrong.

UPDATE: Thank you all for the answers. From what I have learned, how this is done depends directly on how the client wants to handle the situation. In the end the client added me as an admin on their account (we have worked together quite a bit). I was able to create the distribution profile, build, and deploy the app to them. Not all clients will do this for security reasons. In that case, they will need to provide you with a cert as stated below, or you will need to build the app on one of their machines as Buckeye said below...or go through Apple to distribute the app to them.

Feel free to correct any of this info if it is incorrect. I really think this is helpful information for a lot of devs.

I am accepting Patrick's answer because it is the closest to what I actually did.

digthewells
  • Sounds about right - although you don't need to be a member of their account. They could just provide you with a certificate and private key. – Robert Jul 15 '13 at 15:27
  • Thanks Robert. Would that be the better way to go? Just ask them for the certificate and private key? – digthewells Jul 15 '13 at 15:40
  • It really depends on the client. Giving you access to the development portal is quite permissive. It's much quicker to do it yourself rather than talking them through creating provisioning profiles and certificates. My best advice is to get them to talk to their IT security department (if they have one?) If they are ok with giving you access (as a team agent) then it's the best way to go. – Robert Jul 15 '13 at 16:23

4 Answers

5

There are two ways you can do this, but for both you must be added as a member of your client's developer team. Once you have done this, you (or more likely your client) will choose whether to use their in-house certificate or your own distribution certificate that you will manage.

It can be done either way, it is only a matter of who will have authority in the future to submit apps with the same certificate under the same account. That authority resides in the possession of the associated key pair of the certificate. If you are added to the client's dev team and download their distribution certificate, you will NOT have this key and cannot sign distribution builds with associated provisioning profiles.

Therefore, you must either get a .p12 export of the certificate (which contains the key) from the client to install on your machine so that you may sign with it. This will allow you to submit from your machine, but you are then in possession of your client's private key, which they would like to protect. Your other option is to use your own Certificate Signing Request to create a Distribution Certificate on the client's developer account. In this situation, only you have control over the certificate and the client must create new ones if they wish to work with other developers in the future.

Once you have done that, here is an informative guide for enterprise distribution.

Patrick Goley
2

As an Enterprise Agent I will tell you that unless your client lives under a rock (technically speaking regarding the Apple dev portal) I doubt they're going to give up the private key and cert. If they have zero legal/contractual access to the source code you've created the only course of action, speaking from experience, would be for you to visit their facility with the source code, compile it on their box that houses the private key & enterprise distribution cert, build & deliver the IPA and finally take the source back with you. That is how I have compiled every build with a 3rd party vendor where we don't own the source and need to deploy internally.

On the flip side of this argument if the client is, for some wild reason, willing to give up the keys to their enterprise castle and export the private key & enterprise distribution cert for you to use... for YOUR sake I would get in writing what the scope of your usage is with that cert and somehow document the fact you have deleted the key & cert after the process is over. Don't open yourself up to liability because if they share it with you there's a chance they may also share it with someone else and as we all know, not all development entities play by the rules. You wouldn't want to get accused of creating some rogue app under their name.

Regarding re-signing the IPA file... AirWatch won't let you do it. AW interrogates the IPA when you upload it and it will note that the embedded provisioning profile doesn't match the re-signed IPA and tank. It becomes a chicken & egg situation where you need the provisioning profile on the device before you install the app however AirWatch won't let you deploy the app unless the aforementioned embedded profile is correct.

Also, @Caleb is correct regarding B2B but the pricing model goes from the project to per-seat (iOS device). In other words if your contract is "you can install this app on an unlimited number of devices" the B2B approach is going to blow up in everyone's faces.

EDIT: Below are your options when editing a Development Provisioning Profile in an Enterprise iOS Account: [image: Development Profile]

Obviously here you can pick & choose developers and their devices from within the portal that can compile to that profile.

Now here are your "options" for editing the Enterprise Provisioning Profile: [image: Enterprise Profile]

As you can see you don't get an option to edit which portal users or devices can use this profile because it's tied to the Agent's CSR/private key and is deployed globally.

Dan
  • Why not just be invited to the client's developer team and create your own distribution certificate on their account to which only you have access to the key pair or CSR file? This would prevent rogue applications from being published because it would be signed by your own certificate. – Patrick Goley Jul 16 '13 at 00:27
  • @D80Buckeye - you make valid points as to the problem of getting a certificate from client. What would the best solution be? Patrick is thinking exactly what I was thinking. Why not ask them to add me to the development team. Is there a reason this is not a good idea? – digthewells Jul 16 '13 at 01:09
  • The Enterprise Distribution Cert (and subsequent distribution provisioning profile) doesn't work like that as it's tied to the Agent's CSR. Even if they invite you onto the development team as an admin it still doesn't give you the ability to compile the app with the Enterprise Cert. The farthest you can get is compiling the app to a provisioning profile tied to the 100 test devices in their portal. What you're stuck with here is the only way to utilize the Enterprise Cert is to have the Agent's private key exported to your box. (1/2) – Dan Jul 16 '13 at 03:21
  • (2/2) As an example, we had a 3rd party developer on-site (who were admins in our portal) that would work late into the night and bother me at all hours on Sunday nights to compile our weekly builds for distribution. I eventually got sick of it and got permission from our Information Security team to allow me to export my Enterprise Cert to another box within the building. Moral of the story, for better or worse: that Enterprise Cert is tied to the agent's box where the CSR originated from until you start exporting it for others to use which is frowned upon. – Dan Jul 16 '13 at 03:28
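
A pre-upload check related to the embedded-profile mismatch described in the answer above, as an added example (not from the original posts and not AirWatch's own logic). It reads `embedded.mobileprovision` from an .ipa and reports whether the profile covers the bundle ID, whether it has expired, and which certificates it allows; it does not verify the code signature itself. The function names, the team ID `ABCDE12345` and the sample .ipa are constructed for illustration.

```python
import fnmatch, hashlib, io, plistlib, re, zipfile

def _member(z, leaf):
    rx = re.compile(r"^Payload/[^/]+\.app/" + re.escape(leaf) + "$")  # top-level bundle only
    hits = [n for n in z.namelist() if rx.match(n)]
    if not hits:
        raise ValueError("missing " + leaf)
    return z.read(hits[0])

def read_ipa(ipa_bytes):
    """Return (Info.plist dict, embedded provisioning profile dict)."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        info = plistlib.loads(_member(z, "Info.plist"))
        raw = _member(z, "embedded.mobileprovision")
    # The profile is a CMS-signed blob; its plist payload is plain XML inside.
    start = raw.index(b"<?xml")
    end = raw.index(b"</plist>") + len(b"</plist>")
    return info, plistlib.loads(raw[start:end])

def check_ipa(ipa_bytes, now):
    info, prof = read_ipa(ipa_bytes)
    app_id = prof.get("Entitlements", {}).get("application-identifier", "")
    bundle_id = info.get("CFBundleIdentifier", "")
    # application-identifier is "<prefix>.<bundle id, possibly with a * wildcard>"
    pattern = app_id.partition(".")[2]
    problems = []
    if not fnmatch.fnmatchcase(bundle_id, pattern):
        problems.append("bundle id %s not covered by %s" % (bundle_id, app_id))
    if prof["ExpirationDate"] <= now:
        problems.append("profile expired %s" % prof["ExpirationDate"].date())
    return {"profile": prof.get("Name"),
            "team": (prof.get("TeamIdentifier") or [""])[0],
            "in_house": bool(prof.get("ProvisionsAllDevices")),
            # Compare these with the SHA-1 of the certificate that signed the build.
            "cert_sha1": [hashlib.sha1(c).hexdigest() for c in prof.get("DeveloperCertificates", [])],
            "problems": problems}

def build_sample_ipa(bundle_id, profile_app_id, expires):
    """Constructed input: minimal .ipa with a fake CMS wrapper around the profile."""
    profile = {"Name": "Constructed In-House Profile", "TeamIdentifier": ["ABCDE12345"],
               "ProvisionsAllDevices": True, "ExpirationDate": expires,
               "DeveloperCertificates": [b"constructed-der-bytes"],
               "Entitlements": {"application-identifier": profile_app_id}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        z.writestr("Payload/Demo.app/embedded.mobileprovision",
                   b"fake-cms-header" + plistlib.dumps(profile) + b"fake-cms-trailer")
    return buf.getvalue()
```

Pass `now` as a naive UTC datetime, since `plistlib` returns the profile's dates that way by default.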
1

You would need:

  1. Their certificate.
  2. Their provisioning profile.

It's a quite common practise to do this.

Community
Rui Peres
1

My question is, is this the correct way to do this?

Yes.

What if I am going to sell this same app to 3 clients, would I do it a different way?

No, you'll do the same thing. You'll need to build the app separately for each client using each client's distribution certificate.

Another option is to build the app and sell it to your clients using the B2B distribution mechanism.

Caleb