6

I am having a 'member' role in an 'Apple Developer Enterprise Program' team. When I try to export for deployment, it comes with message - You are not allowed to perform this operation, Please check with one of your Team Admins. Based on limited knowledge, I understand that in order to export for deployment I need to have 'admin' role. Am I correct? Is there something like my team admin sending me some certificate / key and then I could use it? If yes, how?

UPDATE (Based on responses)

Simplifying the question:

Can a Team 'member' make a request for distribution signing certificate? Yes or No. If yes, how?

If answer of the above is yes, once a member get a certificate from admin - how is he supposed to use it? The way I export for deployment as admin - Product > Archive > Export and I get the IPA. The reason I asked this question because I am not able to do the same in a team for which I am just a member. Is it even possible that I can do it, or only an admin can do it?

P.S. A one or two line answer will help a lot instead of another website link.

Paul R
  • 208,748
  • 37
  • 389
  • 560
Prasoon
  • 435
  • 1
  • 9
  • 23

3 Answers3

8

A team member cannot request distribution signing certificates, only development signing certificates. You need to ask an admin (or another person who has got access to the distribution cert from an admin) to hand you a distributions signing certificate. They can export their certificate from their keychain or Xcode (Settings->Accounts->Signing Identities) in .p12 format and send it to you.

A team member is probably meant for persons not trusted to sign code in the name of the company. This is how Apple intended the roles to work:

https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/ManagingYourTeam/ManagingYourTeam.html#//apple_ref/doc/uid/TP40012582-CH16-SW10

Team agent A team agent is legally responsible for the team and acts as the primary contact with Apple. The team agent can invite team members and change the access level of any other team member. There’s only one team agent.

Team admin A team admin can set the privilege levels of other team members, except the team agent. Team admins manage all assets used to sign your apps, either during development or when your team is ready to distribute an app. Team admins are the only people on a team who can sign apps for distribution on nondevelopment devices. Team admins also approve signing certificate requests made by team members.

Team member A team member can sign apps during development, but only after he or she makes a request for a development signing certificate and has that request approved by a team admin.

Stefan
  • 1,496
  • 1
  • 13
  • 26
  • So a team member can make a request for development signing certificate, but can he/she do the same for distribution signing certificate? Or is it something only admin can do? If a member can do it, then what is he supposed to do after getting a certificate? How to use that while exporting for deployment in organizer? – Prasoon Jul 28 '15 at 18:07
  • 1
    A member cannot request distribution signing certificates or download existing ones from the portal. I think the point with members are that they shouldn't be allowed to publish apps as the company. But I guess there's no stopping admins from exporting their certificates from Xcode or their keychain and hand it over to you so you can sign for distribution anyway. – Stefan Jul 29 '15 at 11:50
  • Thanks for clarification. Let's say admin go to keychain access to export distribution certificate. Which format to choose - .cer or .p12. Is there any other file needed? Once admin sends (may be by email?) that file to member, I assume member will need to install that in his keychain access? What after that? I, as admin, go to Organize > Archive > Export - then choose my Team - It then checks my team for all rights and generates IPA. I don't think just putting that in keychain access will work in this way. Or do I need to change the way to export for deployment? – Prasoon Jul 29 '15 at 13:26
  • 2
    .p12 will certainly work, but I guess that .cer works too. .p12 is what Xcode uses if you export from inside Xcode (Settings->Accounts->Signing Identities) The admin can send you the file in any way (mail etc), it's protected by a passphrase on export. Just double click the .p12, enter the passphrase and import into your keychain. You also need the provisioning profile, but that you have access to as a member. Xcode even downloads it automatically for you if you're lucky. – Stefan Jul 29 '15 at 14:13
  • 1
    Hi @Prasoon, I am facing the same situation. So basically just import the .p12 file into keychain, and then archive and upload the binary in Xcode as usual? Do I need to check off the "Automatically manage signing" in my project first? Thanks – Jack Guo Jun 12 '18 at 15:10
3

Yes, it is possible to sign apps for distribution as a team member. You do not need to be a team admin in order to sign apps for distribution. However, it is necessary for you to have the appropriate distribution certificate (and private key) in your keychain in order to do this. (Also - your bundleid, distribution certificate and provisioning profile must be consistent.)

You will not be able to create your own distribution certificate, only admins or above can do that. So you will need to obtain the distribution cert. from someone who already has it. Have them export it from their keychain as a p12 file. When you receive that file, double click it, enter the password, and the distribution cert. and private key will be installed on your keychain.

Bradley Thomas
  • 4,060
  • 6
  • 33
  • 55
1

I believe only Team Admin (and of course Team Agent) can create distribution certificates, however they are allowed to request multiple distribution certificates so you need to get one generated for you.

What it says in the App Distribution Guide is

A team admin can set the privilege levels of other team members, except the team agent. Team admins manage all assets used to sign your apps, either during development or when your team is ready to distribute an app. Team admins can edit the App ID to enable app services and create technology specific identifiers used throughout the system. Team admins can sign apps for distribution on nondevelopment devices.

Bradley Thomas
  • 4,060
  • 6
  • 33
  • 55
Bamsworld
  • 5,670
  • 2
  • 32
  • 37
  • So, team admin will generate a distribution certificate for me? Csr file? Any other file needed? How should I use that certificate while exporting from organizer? – Prasoon Jul 28 '15 at 18:09
  • 1
    Have a look in the App Distribution Guide under -> Distributing Apple Developer Enterprise Program Applications. Im fairly sure it will answer all those questions fairly well. But basically you need app id, provisioning profile and distribution certificate. It mentions 'If necessary, Xcode creates a distribution certificate, provisioning profile, and explicit App ID for you.' But this is why you need team admin to generate these for you to install on your own key chain etc. Once again though I recommend reading through that App Dist Guide to assist in a better understanding. – Bamsworld Jul 29 '15 at 13:31
  • That quote, especially the part in bold, is no longer accurate – Bradley Thomas Nov 18 '16 at 16:41
  • I've made an edit so that the quotation now matches the text at the referenced link. What should be noted is that team members can also sign apps for distribution, provided a distribution certificate is shared with them and installed on their keychain. – Bradley Thomas Nov 19 '16 at 00:51