Enterprise app deployment doesn't install on iOS 8.1.3
E

8

34

After updating to iOS 8.1.3, I tried to download the app, but I get the error "Unable to download app", and "could not be installed at this time" messages appear.

What are the changes between 8.1.2 and 8.1.3 that I have to take into consideration?

Download mode:
<a href="itms-services://?action=download-manifest&url=https://****.plist">

Thanks!

Expediency answered 28/1, 2015 at 15:6 Comment(4)
Have you tried uninstalling the app from your phone first? Are you sure it was signed with the right profile? – Emersonemery
Hi, thanks for your answer. Yes, for a few hours I have tried with my iPad (8.1.2), uninstalling and then installing, and the same steps after updating (8.1.3) end with this issue. – Expediency
I'm running into the exact same problem on 8.1.3. Even app updates fail to install. So far we suspect we'll have to change the signing process or something along those lines. The issue is that apps that were installed while in < 8.1.3 continue to work in 8.1.3, which is unexpected. – Twinberry
I'm also having enterprise-signed apps that installed in iOS 8.1.2 not install in iOS 8.1.3. I get this error message in Xcode's log: "Application is missing the application-identifier entitlement." – Colitis
I
35

After a few hours wracking braincells, here's how I did it:

NOTE: I haven't currently tested this against iOS 8.1.2 or lower (proceed with caution!)

For apps that have ALREADY been signed with your OWN enterprise certificate, all you have to do (as mentioned by RAStudios in his edit) is to edit the manifest.plist:

Before:

<key>bundle-identifier</key>
<string>uk.co.acme.AcmeApp</string>

After:

<key>bundle-identifier</key>
<string>S836XXACME.uk.co.acme.AcmeApp</string>

For apps that have been signed by a third party that you're resigning with your enterprise certificate (this walkthrough is assuming the ipa file is AcmeApp.ipa, your entitlements file is entitlements.plist and your provisioning profile is provProfile.mobileprovision; all files are in the Desktop folder (Mac OS X), and S836XXACME is your team identifier):

Create a new entitlements.plist file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>S836XXACME.uk.co.acme.AcmeApp</string>
<key>get-task-allow</key>
<false/>
</dict>
</plist>

Unzip the ipa:

cd ~/Desktop

unzip AcmeApp.ipa 

Remove the Code Signature:

rm -r Payload/AcmeApp.app/_CodeSignature/ 

Copy in the mobileprovision file:

cp provProfile.mobileprovision Payload/AcmeApp.app/embedded.mobileprovision 

Codesign:

codesign -f -s "iPhone Distribution: ACME Corporation Limited" --entitlements entitlements.plist Payload/AcmeApp.app

Zip it up as the resigned ipa:

zip -qr AcmeApp_resigned.ipa Payload/

You also need to amend the manifest.plist file as per the 'ALREADY' signed part earlier:

<key>bundle-identifier</key>
<string>S836XXACME.uk.co.acme.AcmeApp</string>
Issuant answered 30/1, 2015 at 11:57 Comment(5)
Hi, I've tried changing manifest.plist and tried both with and without entitlements.plist, but nothing changed. I still cannot download the app. Could you please send a full example? Or is there anything else to do? – Beverleybeverlie
This fix got me on the right track. I had to include application-identifier inside my Entitlements.plist file using the prefixed application id, and use the prefixed application id as my bundle identifier inside Info.plist. – Colitis
@JefferyGrajkowski can you share your entitlements.plist file? (or a modified/example of it)? I'm having trouble getting these solutions to work. My app uses a wildcard App ID com.mycompany.* and it was signed with our own Enterprise profile ... but I'm not sure what my entitlements.plist file should look like. – Anthracene
@ChrisEmerson mine looks exactly like the one attached to this solution but with my own app id. I don't have a wildcard in my app id and do include the prefix (eg: S836XXACME.uk.co.acme.AcmeApp). Check that Info.plist has the same app id. If you're still stuck post a new question with the errors in the console log. – Colitis
Just in case anyone has two provisioning profiles with the same name (like when one is about to expire and you grab a new one) there will be a conflict. In that case, instead of the -s "iPhone Distribution: ACME Corporation Limited" one can write -s 00112233445566778899 (the SHA1 of the correct provisioning profile, can be seen in keychain with Get Info). – Velamen
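A pre-deployment check of the identifier relationships this answer and its comments rely on, added here as a Python example (it is not code from the answer or from Apple's tooling). The function names and the sample plists are constructed for illustration; it assumes the usual layout in which application-identifier is the team prefix, a dot, then the Info.plist CFBundleIdentifier, and it accepts either the bare or the prefixed form in manifest.plist because the answers on this page disagree on which one is needed.

```python
import plistlib

# Constructed sample inputs built from the identifiers used in the answer above.
ENTITLEMENTS = plistlib.loads(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>application-identifier</key><string>S836XXACME.uk.co.acme.AcmeApp</string>
<key>get-task-allow</key><false/>
</dict></plist>""")
INFO = {"CFBundleIdentifier": "uk.co.acme.AcmeApp"}            # from Info.plist
PROFILE = {"ApplicationIdentifierPrefix": ["S836XXACME"],      # decoded profile
           "Entitlements": {"application-identifier": "S836XXACME.*"}}
MANIFEST = {"items": [{"metadata": {
    "bundle-identifier": "S836XXACME.uk.co.acme.AcmeApp"}}]}   # OTA manifest


def profile_allows(pattern, app_id):
    """True if the profile's identifier (possibly a wildcard) covers app_id."""
    if pattern.endswith("*"):
        return app_id.startswith(pattern[:-1])
    return pattern == app_id


def check_identifiers(entitlements, info, profile, manifest):
    """Return a list of identifier problems; an empty list means consistent."""
    app_id = entitlements.get("application-identifier")
    if not app_id:
        # The condition behind the Xcode log line quoted in the comments.
        return ["application-identifier entitlement is missing"]
    problems = []
    prefix, _, suffix = app_id.partition(".")
    bundle_id = info["CFBundleIdentifier"]
    if suffix != bundle_id:
        problems.append("entitlement does not end in the Info.plist bundle ID")
    if prefix not in profile["ApplicationIdentifierPrefix"]:
        problems.append("team prefix is not the profile's prefix")
    if not profile_allows(profile["Entitlements"]["application-identifier"], app_id):
        problems.append("profile does not cover this application-identifier")
    declared = manifest["items"][0]["metadata"]["bundle-identifier"]
    if declared not in (bundle_id, app_id):
        problems.append("manifest bundle-identifier matches neither form")
    return problems


if __name__ == "__main__":
    print(check_identifiers(ENTITLEMENTS, INFO, PROFILE, MANIFEST) or "consistent")
```
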
U
8

After investigating..

Edit: After further testing, I found that simply matching the bundle ID in the Info.plist and the bundle ID in the manifest.plist worked for installing apps over-the-air on iOS 8.1.3. If this solution does not work, try the solution below.


Original Solution

Fix to the problem:

Your application must have a valid entitlements.plist, which includes the correct, valid bundle identifier of an application.

If you are distributing an application signed with an iOS development certificate, here is an example of an entitlements.plist you should include with your app.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>com.yourbundleidhere.mycoolapp</string>
    <key>com.apple.developer.team-identifier</key>
    <string>com.yourbundleidhere.mycoolapp</string>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>com.yourbundleidhere.mycoolapp</string>
    </array>
</dict>
</plist>

If you are using a wildcard profile, replace com.yourbundleidhere.mycoolapp with yourwildcardappid.*. In both instances, you can use iResign to properly resign applications and include the now-required entitlements.plist.

Explanation of the problem

Due to security patches (see here under CVE-2014-4493), without the entitlements.plist, the application will not install. The security patch keeps applications from overriding existing apps and installing over the top of them/replacing them.

Urinate answered 29/1, 2015 at 7:21 Comment(9)
Thanks for the info.. I've been trying so many combinations of entitlements with no luck (I have a wildcard enterprise cert). What generates the manifest.plist file you're referring to? – Twinberry
also, is your setup working with com.mybundleid.myappname as opposed to ABC123ABC.com.mybundleid.myappname? (where ABC123ABC is the team id) – Twinberry
@thatjuan I realised I made some typos, the code above should be in a file named entitlements.plist in the Payload folder. My setup is using an iOS developer certificate and a Wildcard provisioning profile, using mywildcardid.* – Urinate
@thatjuan As an extra step, I matched the bundle ID in my Info.plist and manifest.plist (the manifest.plist is the file in your itms-services:// link) – Urinate
@RAStudion: After much testing, it ended up just working by adding the application-identifier to the entitlements. Nothing else was needed. ;) – Twinberry
By reading around on the web, it says that in almost all cases, you should not need an entitlements file, and the link you are referring to does not say anything about having an entitlements file. It says that they prevented Enterprise applications from overriding already installed applications in specific scenarios. – Principle
@Principle Yes, this is what I thought. That is why I posted the new updated information after more investigation of the strange behaviour. – Urinate
@RAStudios Good write-up. I found the same thing. Adding these basic entitlements via a codesign --entitlements command worked for me. I believe that some version of Xcode (>= 5.1 maybe) started adding entitlements with every IPA export (regardless if they were needed.) It may have been early Xcode 5.x and below based on my affected apps. Enterprise-signed apps originally exported from those versions of Xcode and that didn't have any special capabilities/did not use keychain could potentially have this issue. – Perforation
@Perforation and RAStudios I can't understand: shall I add Entitlements into my XCodeproj or just resign after IPA is ready? – Ski
D
6

I've done quite a few experiments with this. In my experience the bundle identifier in the manifest.plist file isn't actually that critical. The most important thing to do is to get the entitlements.plist correct.

Rather than creating this manually I would recommend generating it from the provisioning profile using the following script (credit):

# Create an entitlements file
# parse provision profile
security cms -D -i "provProfile.mobileprovision" > ProvisionProfile.plist 2>&1

# generate Entitlements.plist
/usr/libexec/PlistBuddy -x -c "Print Entitlements" ProvisionProfile.plist > Entitlements.plist 2>&1

You can then use this entitlements file with the --entitlements option on the codesign utility.

Downbow answered 23/2, 2015 at 12:19 Comment(1)
Dug through tons of advice and in the end this one worked. Many thanks for the script on Symantec's site. Reading it step by step did it for me. – Velamen
M
0

I have the same issue and this happens for the applications that don't have any entitlements.

Re-signing the app with entitlement solved the issue for me, but this is going to be a pain as all the applications that are already deployed need to be re-signed and deployed.

This is a weird issue because these apps which failed for me don't use anything like keychain sharing or push notifications and hence don't need an entitlement at all (as per my understanding). Now when I just add an entitlement with keychain-sharing it starts working.

Mispickel answered 29/1, 2015 at 1:52 Comment(0)
V
0

I have answered this here, this worked for me without having to do anything else

Veroniqueverras answered 9/2, 2015 at 9:32 Comment(0)
M
0

In addition to @Mark's and @RaStudio's answers, I have seen two more causes for the 'Unable to download application' message; one of which is new to iOS 8.1.3.

New failure cause on iOS 8.1.3

This error occurs when trying to install an application that has an expired provisioning profile. When signing an application, both the certificate and the provisioning profile must be valid and not expired. It seems as though an application with an expired provisioning profile and non-expired certificate can be installed on iOS 8.1.2 in some circumstances. Ensure that the provisioning profile is not expired by going to Apple's developer center.

Old failure cause

This error occurs when trying to download an application signed with a development certificate and provisioning profile if the device has not been added to the development provisioning profile on Apple's developer center.

Ensure device is added to provisioning profile

Manaker answered 18/2, 2015 at 17:54 Comment(0)
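Both failure causes in the answer above can be checked offline from the embedded.mobileprovision file; the following Python sketch is an added example, not the answerer's code. `load_profile` and `install_blockers` are hypothetical names, the sample profile bytes are constructed, and the byte-slicing only pulls the XML out of the CMS wrapper without verifying its signature (the `security cms -D` command shown in another answer is the proper decoder).

```python
import plistlib
from datetime import datetime, timezone


def load_profile(blob):
    """Slice the XML plist out of a .mobileprovision blob (signature NOT verified)."""
    start = blob.index(b"<?xml")
    end = blob.index(b"</plist>", start) + len(b"</plist>")
    return plistlib.loads(blob[start:end])


def install_blockers(profile, udid, now=None):
    """Return the reasons this profile would stop an install on device `udid`."""
    # plistlib yields naive UTC datetimes, so compare against naive UTC "now".
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    blockers = []
    if profile["ExpirationDate"] <= now:
        blockers.append("provisioning profile expired")
    # Enterprise profiles set ProvisionsAllDevices; development profiles
    # carry an explicit ProvisionedDevices list of UDIDs instead.
    if not profile.get("ProvisionsAllDevices", False):
        if udid not in profile.get("ProvisionedDevices", []):
            blockers.append("device not in provisioning profile")
    return blockers


def make_sample(expires, **extra):
    """Constructed stand-in for a profile: a plist wrapped in opaque bytes."""
    body = plistlib.dumps({"Name": "Constructed profile",
                           "ExpirationDate": expires, **extra})
    return b"\x30\x82\x0c\x00" + body + b"\x00trailing-signature-bytes"


if __name__ == "__main__":
    dev = load_profile(make_sample(datetime(2016, 1, 1),
                                   ProvisionedDevices=["UDID-A"]))
    print(install_blockers(dev, "UDID-B", now=datetime(2015, 2, 18)))
```
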
C
0

I have solved this problem.

  1. Since Apple has changed provisioning profiles, please RENEW the provisioning profile (File 1) and copy it into the "Payload/".
  2. Make sure there's an Entitlements.plist (File 2) in the "Payload/", and this plist file MUST be PLAIN TEXT which is created by a text editor.
  3. Make sure there's an Info.plist (File 3) in "Payload/", and this is created by Xcode.
  4. Copy the Entitlements.plist (File 4) anywhere else except the "Payload/".
  5. Be sure the "Bundle identifier" in Files 1-4 is the same.
  6. Use this Entitlements.plist (File 4) to Re-Sign the IPA file.

You can resign it like this

codesign -fs "iPhone Distribution: Your Company Name" --entitlements=/Users/SenTR/Downloads/codesign/Entitlements.plist /Users/SenTR/Downloads/codesign/Payload/Your_Project_name.app

Entitlements.plist sample

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>application-identifier</key>
        <string>PREFIX.yourappBundleID</string>
        <key>aps-environment</key>
        <string>production</string>
        <key>get-task-allow</key>
        <false/>
        <key>keychain-access-groups</key>
        <array>
            <string>PREFIX.yourappBundleID</string>
        </array>
    </dict>
</plist>

If you know Chinese, this will be helpful.

http://hennry.com/2015/03/fail-to-resign-ipa-since-ios8/

Counseloratlaw answered 31/3, 2015 at 15:58 Comment(0)
A
-1

iOS 8.1.3: in-house apps need to be distributed with MDM.

MobileInstallation

Impact: A malicious enterprise-signed application may be able to take control of the local container for applications already on a device

Description: A vulnerability existed in the application installation process. This was addressed by preventing enterprise applications from overriding existing applications in specific scenarios.

From Apple's release notes.

Admetus answered 29/1, 2015 at 1:15 Comment(1)
Hi, thanks for your first answer on stackoverflow. Just a note to help with some guidance on answering questions. Read the question carefully. What, specifically, is the question asking for? Make sure your answer provides that – or a viable alternative. The answer can be “don’t do that”, but it should also include “try this instead”. Any answer that gets the asker going in the right direction is helpful, but do try to mention any limitations, assumptions or simplifications in your answer. Brevity is acceptable, but fuller explanations are better. – Soloman