Will revoking In-House Distribution certificate affect applications which are currently distributed?

StackOverflow https://stackoverflow.com/questions/23504010

  •  16-07-2023
  •  | 
  •  

Question

I am updating in-house app for a client which they have a previous version currently on over 100+ iPads. I want to push an update, but when i try to sign the app with the distribution provisioning profile it asks me for the private key. After searching, people suggested to revoke the old certificate and generate a new one on the machine i'm using so i can have the private key. I don't know if this is the best approach or not, but my client is concerned if I will be revoking the current In-House Distribution certificate, it will affect the applications which are currently distributed on those 100+ iPads? Thanks!

Was it helpful?

Solution

Unfortunately, yes. For enterprise distributed apps, the devices will regularly check with apples servers whether the certificate which has been used to sign them is still valid. So revoking the certificate will make those installations fail. Maybe not until the next reboot, maybe not when there is no internet connection available, but sooner or later, the app will refuse to launch.

If availability of the app must not be interrupted, you need to take precautions - for example by preparing the new version and notifying all users ahead of time that at a certain date, the old version will stop working and the new one must be installed.

Update:
I kept investigating and it appears like you can have two distribution certificates at the same time now. This is meant to eliminate gaps in app availability by allowing you to phase from one cert to another, way before the first one expires.

If this is still true, you might be able to simply create another distribution certificate without revoking the existing one. You will need to create new provisioning profiles as well (or update the old ones to use the new cert), but that shouldn't invalidate those already deployed. You would then be able to distribute the new / updated app and the existing installations will remain unaffected.

It has been some time since I last worked with enterprise distribution and right now, I don't have access to an enterprise dev account, so I can't try. But I don't think there is any risk if you just go ahead and try it - I assume the portal will either let you create a second cert or it just won't...

OTHER TIPS

Toastor is correct - I recently had a discussion with Apple about this and it intentionally differs from App Store apps. When the distribution certificate is revoked (or expired) for an Enterprise app, the app stops working after expiration is reached, or revocation information is retrieved from Apple.

However if you manage several Enterprise apps, instead of requiring users to install a recompiled version of every single app with the new certificate, you may:

  1. Push the new Provisioning Profile(s) to users over MDM (like Airwatch) **
  2. Use a wildcard App ID for your apps and then as long as the user installs one app with the updated cert, it will apply to all apps that share that App ID
  3. Allow users to download the updated Provisioning Profile without requiring an app install **

** CAVEAT: I don't code apps but do manage our certs, App IDs, and Provisioning Profiles. I haven't yet tested these approaches - it's my best effort based on notes from my recent discussion with Apple.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top