Enterprise Deployment certificate and profiles
I'm currently using iOS Developer Enterprise Program for Enterprise Deployment. I want to know what happens when the Certificate and/or the Provisioning profile expire. For now I created a bunch of provisioning profiles to be as far as I can from the expiration date. I want to know if I can securely delete old provisioning profiles that are possibly linked to an app, or whether the apps will stop working. Is it possible in some way that a user who has already downloaded an app will not be able to open it, or a new user will not be able to download it?

Thanks

Daina answered 17/3, 2015 at 11:50 Comment(0)
The only requirement for an app to run on an iOS device is that there is at least one valid (non-expired) provisioning profile on the device that is signed with a valid certificate (non-expired / not deleted) that has a bundle ID that matches the bundle ID of the app you are trying to run.

So let's say I have 2 provisioning profiles I've created over the year for one app. The app's bundle ID is "com.example.testapp". One of the provisioning profiles was created with the app id "com.example.testapp" and it expires in 1 month. Another provisioning profile was created with a wildcard app id "com.example.*" and it expires in 3 months. You can safely delete the provisioning profiles and create a new one at any time, without affecting currently deployed apps from being able to run on devices. They will stop working once they hit the expiration date.

Continuing this example, let's say you have another app installed on the same device with a bundle id of "com.example.testapp2" and it was originally installed with a provisioning profile that specifically used the app id "com.example.testapp2" and the provisioning profile expires tomorrow. After tomorrow, the app will still work, because even though the "com.example.testapp2" provisioning profile is expired, there is another prov. profile on the device with a wildcard app id that matches, and that profile has not yet expired.

On another device that only has test app 2, and never had the wild card provisioning profile installed, the app will stop working. You can either manually install the new provisioning profile (email it to the device user), or install a new app (or the same app again) bundled with the new provisioning profile.

So long story short, deleting provisioning profiles is generally safe, but do not invalidate the certificate until you are ready to re-package all your internal apps.

Mikvah answered 18/3, 2015 at 12:14 Comment(6)
So what happens when the certificate expires after 3 years? Is there basically an inherent outage for all pre-existing builds until new versions can be published? Or is there some way to renew without revoking the certificate before the expiration? – Alvy
You can have a new certificate that overlaps the new one, but you will need to re-build the application with the new certificate as the existing binaries will stop working when the cert expires. – Mikvah
Yes, that seems to be the prevailing wisdom. Unfortunately, for those of us with 2 dev teams signing and deploying enterprise apps with the same account (but different certs), that strategy is near impossible. – Alvy
That being said, sharing the private keys of the certs between the teams is one workaround (via export/import from keychain or xcode). The other thing we're trying right now is applying a new provisioning profile (based on the new cert) to the old-cert versions in Airwatch/MDM. It works well pre-expiration - I'll try and update if it continues to work post-expiration. My experience in the past is that if you can keep valid profiles there, you can keep the app alive. But if you ever end up with a revoked or expired profile or cert, the app dies and it can't be resolved without the update. – Alvy
Ultimately, the cert needs to be valid (like you said, not expired/revoked) and there needs to be a valid provisioning profile for the app on the device. It doesn't matter if the provisioning profile bundled with the app when it was originally built has expired, as during install, the profile is installed on the device and then that is used at launch. If you deploy a new profile to the device later (as you have with MDM), it will extend the usable life of the app. Unfortunately, that binary was signed with the cert, so if that cert is expired / revoked, the binary itself is no longer launchable. – Mikvah
Yep. So I think it's settled then that 2 certs must be used for each full lifecycle of an enterprise app, and if 2 teams of devs need to deploy independently, private key sharing is the only way to keep everyone's apps alive with no downtime. – Alvy
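The launch rule from the accepted answer (binary signed with a still-valid cert, plus at least one unexpired, cert-valid profile on the device whose App ID matches the bundle ID exactly or via wildcard), modelled as an added example that is not from the original thread. The certificate, the two devices and all dates are constructed to mirror the answer's testapp / testapp2 story; the wildcard match uses a glob, which is an assumption about how Apple's wildcard App IDs behave.

```python
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Certificate:
    expires: date
    revoked: bool = False

    def valid_on(self, day: date) -> bool:
        return not self.revoked and day < self.expires

@dataclass(frozen=True)
class Profile:
    app_id: str        # exact bundle ID or a wildcard App ID such as "com.example.*"
    expires: date
    cert: Certificate  # certificate the profile was issued for

    def covers(self, bundle_id: str, day: date) -> bool:
        # A profile only counts while it and its certificate are valid
        # and its App ID matches the app's bundle ID (exact or wildcard).
        return (day < self.expires and self.cert.valid_on(day)
                and fnmatchcase(bundle_id, self.app_id))

def can_launch(bundle_id: str, signing_cert: Certificate,
               installed: list, day: date) -> bool:
    """Rule from the answer: the binary's signing cert must still be valid
    AND at least one profile installed on the device must cover the app."""
    if not signing_cert.valid_on(day):
        return False  # an expired or revoked cert kills the binary itself
    return any(p.covers(bundle_id, day) for p in installed)

# Constructed dates mirroring the answer's example (not real profiles).
CERT = Certificate(expires=date(2017, 3, 18))
TESTAPP = Profile("com.example.testapp", date(2015, 4, 18), CERT)    # ~1 month
WILDCARD = Profile("com.example.*", date(2015, 6, 18), CERT)         # ~3 months
TESTAPP2 = Profile("com.example.testapp2", date(2015, 3, 19), CERT)  # "tomorrow"

def scenario() -> dict:
    device_a = [TESTAPP, WILDCARD, TESTAPP2]  # also holds the wildcard profile
    device_b = [TESTAPP2]                     # never had the wildcard profile
    day_after = date(2015, 3, 20)             # exact testapp2 profile now expired
    revoked = Certificate(CERT.expires, revoked=True)
    return {
        "testapp2 on A": can_launch("com.example.testapp2", CERT, device_a, day_after),
        "testapp2 on B": can_launch("com.example.testapp2", CERT, device_b, day_after),
        "testapp on A, July": can_launch("com.example.testapp", CERT, device_a, date(2015, 7, 1)),
        "testapp2 on A, cert revoked": can_launch("com.example.testapp2", revoked, device_a, day_after),
    }
```

Deleting a profile from the developer portal changes nothing in this model; only the profiles actually installed on the device and the validity of the signing certificate matter, which is why the answer says deletion is safe but certificate invalidation is not.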
If you let either your Enterprise Distribution Certificate or the associated Provisioning Profiles expire your apps will no longer load. The user will see the app start to load followed by an immediate crash. You have to renew your Enterprise Dist Cert every 3 years (you can have two concurrent / overlapping certs) and your Prov Profiles every year.

Seeing how the Provisioning Profile is the "weak link" in the chain at a yearly renewal, what we do is refresh/renew our Enterprise Dist Prov Profiles every 9 months (at a minimum) to keep those suckers fresh. Likewise we renew our overlapped Enterprise Dist Cert no later than 9 months prior to the other Enterprise Dist Cert's expiration AND update the Dist Prov Profiles at the same time.

Answering your question more directly I wouldn't risk killing the Provisioning Profile and tanking your deployed app. Since you're renewing that guy yearly, re-baseline everyone at the same time to restart the clock.

Anatola answered 17/3, 2015 at 17:37 Comment(1)
This sounds like what I've seen, but basically what you're saying is that you need to use 2 certs to accomplish what a normal developer would expect from 1 cert. For us, we are trying to use 2 certs to be able to give independence to different teams of devs in the same account - we don't want to have to sign each other's apps to fill the gaps in the cert expirations, though. Seems like it's currently not intended for that type of use. – Alvy