Provision iOS IPA App for In-House Enterprise Distribution

EDIT: Before following any of the steps below, please make sure that you are using an enterprise account and not a normal account!

Provisioning an iOS app for in-house distribution is damn complicated. As my efforts to do so were eventually successful, I decided to prepare this comprehensive tutorial documenting my best practice approach for future reference.

You found the right tutorial if you want to be able to install an app on an arbitrary iOS device from Safari, without putting it on the App Store, without installing it via iTunes and without using the MDM approach (although for the MDM approach you should be able to use the IPA and the manifest that are created in this tutorial). After performing the steps of this tutorial, you will just enter a URL in Safari on the iOS device, click a link on the site and the app automagically installs on your device.

Before you get started with enterprise provisioning, you need the following:

  1. You have to be a team member (with at least the admin role) of the iOS Developer Enterprise Program, which costs 299$ a year. The normal iOS Developer Program is NOT enough for this. Oh, and you have to apply for the enterprise program because Apple wants to be extra sure that customers can trust you and your company. And – AFAIK – the CEO has to sign the contract with Apple.
  2. You need a valid SSL certificate for the domain where you want to put the app. Otherwise your iOS device will not install the app from the site. Such an SSL certificate can also be fairly pricey.

The following presents the approach that worked with my setup. I used Xcode 5.1 and devices with iOS 7.1. I was also an admin member in an iOS Developer Program team. I found a lot of the settings by the good old trial-and-error approach. If you find something in the post that is wrong or you come up with a better solution, please post it in the comments!

To apply this post’s information, you need to have the following as a starting point:

  1. Your project in Xcode that you want to provision for enterprise distribution.
  2. An App ID for this project that you created in the iOS Developer Enterprise Program team. You will use that ID in the provisioning later on. If you have not already done so, create an appropriate App ID here. I will not go into detail on how to create the App ID.

In this post, we will create the following:

  1. A distribution certificate.
  2. A provisioning profile.
  3. An IPA file and a manifest plist file that we can deploy directly from the web on an iOS device.

Create the distribution certificate

For the enterprise provisioning, you need a distribution certificate (the distribution certificate is different from the development certificate!) with which you can sign your code. This certificate is only useful for creating an app for distribution. You cannot use it for development purposes in Xcode. With this certificate active, I started the app from Xcode on my iPad, the app started but the debugger could connect to the app.

How to get the distribution certificate: Navigate to the Certificates section of the iOS Dev Center. You need to be logged in to the Enterprise Dev Center! And you need to have at least an admin role. (More on roles in the dev center.) After clicking on ‘Production‘, you will see this (sensitive parts blackened):
[Screenshot]

In the image above all existing certificates are listed. If you have already created a distribution certificate here, you can reuse that. However, it is important that you have created the certificate with YOUR certificate signing request file. Otherwise you will not have the private key for this certificate in your Keychain and cannot use the certificate to sign your code. If you do not know whether you created the certificate, you can download the certificate in question, double-click it and inspect it in the Keychain Access application. If it has got a little arrow on the left side, then you have stored the private key on your Mac and can use the certificate for the provisioning. You expand the certificate by clicking on the arrow. It should look like this:

[Screenshot]

If the arrow is missing, the private key is not in the Keychain of this Mac. Either you have stored the key on another Mac, in which case you should be able to transfer it to the current Mac, or you do not have the private key at all. In that case you cannot use this certificate for the provisioning. Instead, you can either try it with another certificate from the developer site or create a new one with a certificate signing request file from your Mac.


Therefore, if you have not already done so, create your distribution certificate by clicking the plus button in the upper right. You will see (something hopefully slightly different from) this:
[Screenshot]

Push the radio button for ‘In-House and Ad Hoc’. I do not know why, but when creating the screenshots for this post, I could not click this button. Maybe the button was disabled because I had already created such a distribution certificate. Anyway, you should be able to click this button.


In the next screen you see this:
[Screenshot]
This screen basically tells you how to create a CSR file that you need for the creation of the certificate. If you do not know whether you already have created such a file, I recommend entering ‘certSigningRequest’ in the Spotlight search on your Mac. If such a file turns up, you can most probably use it for the creation of the distribution certificate. If not, create one according to the manual.


After you have created the CSR file, head to the next site:
[Screenshot]
Choose your CSR file and click ‘Generate’.


Now your certificate has been created:
[Screenshot]
Download it and double-click it to install it in the Keychain.


Create the provisioning profile

To create the distribution provisioning profile, head over to the ‘Distribution’ section of the ‘Provisioning Profiles’. Tap the big plus button on the upper right. Now you see this:
[Screenshot]


Choose ‘In House’ and click ‘Continue’. Choose the App ID that you have created for your app:
[Screenshot]
Click ‘Continue’. Now select the correct distribution certificate:
[Screenshot]
Click ‘Continue’. Finally, name your provisioning profile and click ‘Generate’.


Download the generated profile and double-click it to install it:
[Screenshot]


Create the IPA file and the manifest

Switch to Xcode to create the IPA file. Click the project name in the upper left. Select the project name in the targets in the center area. Select ‘General’ on the top. In ‘Team’, choose the name of the team of the iOS Developer Enterprise Program. (For this article’s purposes I have selected the team from my private account. Use the enterprise team instead!):
[Screenshot]


Click on the project name under ‘Project’ in the center area. Click ‘Build Settings’ on the top. In ‘Code Signing’ select your distribution certificate in all fields:
[Screenshot]


Back to the targets in the center area. Click on the project name under ‘Targets’. Click ‘Build Settings’ on the top. Choose the distribution certificate in Debug, Any iOS SDK, Release and Any iOS SDK. Under provisioning, choose the provisioning file that you have created:
[Screenshot]


Keep in mind that with these settings you cannot run the app from Xcode on your device anymore. These settings are for distribution only. (You can still click on ▶ and Xcode builds the project and tries to start the app on the device or the simulator. However, you will see an error message shortly afterwards.) Now, click on ‘Product’ -> ‘Archive’ in the menu bar. If ‘Archive’ is disabled, you have to choose a real iOS device in your run scheme in order to enable the ‘Archive’ menu entry. Run scheme means this:

[Screenshot]

Choosing ‘Archive’ will create an archive of the app. In order to be able to create an archive, you need to have the appropriate provisioning profile installed as explained above. After the archiving has been performed, Xcode shows the archive in the Organizer:
[Screenshot]


Click on ‘Distribute…’, and choose ‘Save for Enterprise or Ad Hoc Deployment’:
[Screenshot]


Choose the provisioning file that you have created in the drop-down menu in the next step:
[Screenshot]


In the next screen, tick ‘Save for Enterprise Distribution’. Some text fields will appear that allow you to enter information that will be included in an app manifest that is created alongside the actual IPA file. This manifest is a plist file that you can edit with a text editor. So do not worry, you can change the information that you enter into the text fields later on. I filled the fields with the following information:
[Screenshot]
URL is the address of the IPA file where it will be accessible on the Internet. Beware: Although everything else in the process takes place under HTTPS, somehow the IPA URL had to use plain HTTP.


Now you have got two files, the IPA file and the plist manifest. Upload them to your server (most probably using FTP) to the folder that you specified in the manifest (in this example to ‘mydomain.com/apps’). Now create an html file into which you include the following html tag:

<a href="itms-services://?action=download-manifest&url=https://mydomain.com/apps/MyInHouseApp.plist" id="text">Install the In-House App</a>

The link to the manifest HAS TO USE HTTPS! Put the html file next to the IPA and manifest file on your server.

Back to HTTPS/SSL: In order to be able to install the IPA file over the Internet, navigate to the html file using HTTPS. This is mandatory since iOS 7.1. As mentioned above, the manifest file has to be loaded via HTTPS also. Contrary to that and as mentioned above as well, in my experience, the IPA file has to be loaded using plain HTTP. Strange thing…

In order to allow the IPA installation, the HTTPS connection needs to be secured by an SSL certificate that is issued for your domain and signed by a trust center (a certificate authority that the device trusts). As introduced, such certificates can be pricey. But if you coughed up the 299$ for the iOS Enterprise Developer Program, this will possibly not be an issue for you.

To install the IPA, enter the URL (starting with HTTPS) of the html file in Safari on your iOS device, tap the link and answer the installation dialogs appropriately.
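
The manifest and the install link described above can also be written and checked by script. The following Python code is an added example, not part of the original post: it builds the manifest plist, audits a hand-edited manifest for leftover template placeholders, wildcard bundle identifiers and non-HTTPS URLs, and emits the install link. The bundle identifier, version and file names are constructed, and the `allow_http_ipa` switch exists only to reproduce the plain-HTTP IPA URL reported above.

```python
import html
import plistlib
from urllib.parse import quote, urlsplit

REQUIRED_METADATA = ("bundle-identifier", "bundle-version", "kind", "title")


def build_manifest(ipa_url, bundle_id, version, title):
    """Return the over-the-air manifest as XML plist bytes."""
    manifest = {
        "items": [{
            "assets": [{"kind": "software-package", "url": ipa_url}],
            "metadata": {
                "bundle-identifier": bundle_id,
                "bundle-version": version,
                "kind": "software",
                "title": title,
            },
        }]
    }
    return plistlib.dumps(manifest, fmt=plistlib.FMT_XML)


def _scheme(url):
    """Lower-cased scheme of an absolute URL, or None if it does not parse."""
    try:
        parts = urlsplit(url)
        return parts.scheme.lower() if parts.hostname else None
    except ValueError:  # e.g. a bracketed placeholder where the host should be
        return None


def audit_manifest(data, allow_http_ipa=False):
    """Return a list of problems in a manifest; an empty list means it passed."""
    try:
        doc = plistlib.loads(data)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"not a readable plist: {exc}"]
    items = doc.get("items") if isinstance(doc, dict) else None
    if not isinstance(items, list) or not items:
        return ["top-level 'items' array is missing or empty"]

    ok_schemes = {"https", "http"} if allow_http_ipa else {"https"}
    problems = []
    for n, item in enumerate(items):
        item = item if isinstance(item, dict) else {}
        meta = item.get("metadata")
        meta = meta if isinstance(meta, dict) else {}
        assets = item.get("assets")
        assets = assets if isinstance(assets, list) else []

        for key in REQUIRED_METADATA:
            value = str(meta.get(key, ""))
            if not value:
                problems.append(f"item {n}: metadata '{key}' is missing")
            elif "[" in value or "]" in value:
                problems.append(f"item {n}: metadata '{key}' still holds a placeholder")
        if "*" in str(meta.get("bundle-identifier", "")):
            problems.append(f"item {n}: wildcard bundle identifier, use an explicit App ID")

        packages = [a for a in assets
                    if isinstance(a, dict) and a.get("kind") == "software-package"]
        if not packages:
            problems.append(f"item {n}: no 'software-package' asset")
        for asset in packages:
            url = str(asset.get("url", ""))
            if "[" in url or "]" in url:
                problems.append(f"item {n}: IPA URL still holds a placeholder")
            elif _scheme(url) not in ok_schemes:
                problems.append(f"item {n}: IPA URL is not an absolute "
                                f"{' or '.join(sorted(ok_schemes))} URL")
    return problems


def install_anchor(manifest_url, text="Install the In-House App"):
    """Build the HTML link for the download page; the manifest URL must be HTTPS."""
    if _scheme(manifest_url) != "https":
        raise ValueError("the link to the manifest has to use HTTPS")
    # Keep ':' and '/' readable as in the post, escape anything that would
    # otherwise be parsed as part of the itms-services query string.
    link = ("itms-services://?action=download-manifest&url="
            + quote(manifest_url, safe=":/"))
    return f'<a href="{html.escape(link, quote=True)}">{html.escape(text)}</a>'


if __name__ == "__main__":
    # Constructed values for illustration.
    plist = build_manifest("https://mydomain.com/apps/MyInHouseApp.ipa",
                           "com.example.MyInHouseApp", "1.0", "My In-House App")
    print(audit_manifest(plist) or "manifest OK")
    print(install_anchor("https://mydomain.com/apps/MyInHouseApp.plist"))
```

Run the audit over the manifest before every upload; a non-empty result names the field to fix.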

If an error message comes up, the message will most certainly tell you next to nothing. To figure out what is wrong, hook up your iOS device to Xcode and go to the device in the Organizer and analyze the log messages:
[Screenshot]
In the example above, I tried to install an app from my domain johannesluderschmidt.de via HTTPS using a self-signed certificate. But after tapping the link, all I saw was an error message stating »Cannot connect to johannesluderschmidt.de«. After connecting my iPad to my Mac, I saw this message in the iPad’s console in Xcode: »NSErrorFailingURLStringKey=https://johannesluderschmidt.de/app/appName.plist, NSUnderlyingError=0x165c7f30 “The certificate for this server is invalid. You might be connecting to a server that is pretending to be “johannesluderschmidt.de” which could put your confidential information at risk.”« You see, while the message in Safari was quite meaningless, the information in the console was quite useful.
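
The two failure signatures that appear on this page (the untrusted certificate above and an HTTP 404 for the manifest reported in the comments) can be picked out of a saved device console log with a small filter. This is an added Python example, not code from the original post; the log excerpt is constructed after the quoted messages, and the cause labels are names chosen here.

```python
import re

URL_RE = re.compile(r"NSErrorFailingURLStringKey=([^,\s}]+)")
STATUS_RE = re.compile(r"SSErrorHTTPStatusCodeKey=(\d{3})")
CERT_RE = re.compile(r"certificate for this server is invalid", re.IGNORECASE)
MANIFEST_RE = re.compile(r"Could not load download manifest", re.IGNORECASE)

# Constructed console excerpt, modelled on the messages quoted on this page.
SAMPLE_LOG = """\
Feb 9 17:34:49 Test-iPad CommCenter[69] : com.apple.CommCenter.Prox - Declared system activity to prevent sleep
Feb 9 17:34:50 Test-iPad itunesstored[86] : Could not load download manifest with underlying error: Error Domain=SSErrorDomain Code=109 "Cannot connect to mydomain.com" UserInfo=0x144689750 {NSLocalizedDescription=Cannot connect to mydomain.com, SSErrorHTTPStatusCodeKey=404}
Feb 9 17:36:02 Test-iPad itunesstored[86] : NSErrorFailingURLStringKey=https://mydomain.com/apps/MyInHouseApp.plist, NSUnderlyingError=0x165c7f30 "The certificate for this server is invalid."
"""


def triage(line):
    """Classify one console line; returns None for lines that are not install errors."""
    url = URL_RE.search(line)
    status = STATUS_RE.search(line)
    code = int(status.group(1)) if status else None
    if CERT_RE.search(line):
        cause = "tls-untrusted"
        hint = "device does not trust the server certificate (self-signed in the post)"
    elif code == 404:
        cause = "manifest-not-found"
        hint = "URL of the manifest plist in the HTML link is wrong"
    elif code is not None and code >= 400:
        cause = "http-error"
        hint = f"server answered HTTP {code} for the manifest"
    elif MANIFEST_RE.search(line):
        cause = "manifest-unreachable"
        hint = "manifest could not be loaded; check its URL and the TLS setup"
    else:
        return None
    return {"cause": cause, "hint": hint,
            "url": url.group(1) if url else None, "http_status": code}


def triage_log(text):
    """Return one finding per install-related error line, in log order."""
    return [f for f in (triage(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding["cause"], "-", finding["hint"])
```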

So that’s it. Fairly easy, isn’t it? It took me only one day and approx. a million stackoverflow articles to figure all this out 😉

So, I wish you good luck! Questions and remarks are welcome in the comments section below.

Posted in apple, In-House Provisioning, iOs, iPad, iPhone
  • The last part of your article (about self-signed cert errors) probably just saved me days and days of fruitless hunting, so thank you! 🙂

  • Jagprit

    Your Blog has given me some hopes 🙂 since I plan to publish my App to my users outside Appstore

    Just a few points which I need to clarify

    I checked out a couple of blogs such as

    http://aaronparecki.com/articles/2011/01/21/1/how-to-distribute-your-ios-apps-over-the-air

    I followed this tutorial and was able to distribute my app using Distribution Provisioning Profile and Standard developer account, but it didn't work well, the ipa never used to get installed outside my network.
    In your blog it says that I should have an Enterprise account for the same, so please tell me whether getting the same would fulfill my requirement or not considering that I won't register any UDID in the Profile and App should install on any random device.

    Your early reply will be really appreciated
    Thanks….

  • hi jagprit,
    as far as i know, with a standard developer account, you always have to register the udids of the devices on which you want to install an app ‘over-the-air’ (i.e. manually) in the provisioning profile if you do not want to distribute the app via the app store.

    regarding the linked blog post, what aaron does there looks pretty similar to what i described in my post above. however, aaron has written his post 2 years ago and for iOS 4. i don’t know how much apple changed the enterprise provisioning process, but as to my knowledge, nowadays you can’t do the enterprise provisioning that aaron performs in his post without having the suitable enterprise developer account.

    so, if you want to install an app without providing a list of UDIDs and without putting it on the app store, the only way that i know about is using the enterprise provisioning. (another approach would be using jailbroken iPhones but i think this is out of the option).

    cheers,
    johannes

  • Alex Affonso

    Hi Johannes,

    I have the same problem as yours. I had to update a project that was built using Xcode 4 to Xcode 5.1. After generating the IPA for Enterprise In-House distribution, I can’t make it to install anymore. The app installs if I run the project from Xcode to my connected iPad, but when I try to install it from the HTTPS server, it downloads and stops with the error message saying it cannot transfer the app. And the console wasn’t that useful in my case. I couldn’t find a error like yours and it seems it’s nothing to do with the domain/ server.

    Do you have any clue on what I’m missing? I spent the whole day creating and recreating certificates and provisioning profiles, code signing the app and nothing seems to work anymore.

    Best Regards,
    Alex

  • hi alex,
    sorry for the late answer.

    i do not have an instant solution to your problem. what does the console say that is not useful? is the ssl certificate valid and not self certified? is the IPA url starting with http? these are just a few things that could prevent the app from installing remotely…

    cheers,
    johannes

  • Alex Affonso

    Thank you for your feedback, Johannes. I did a lot of tests and found that everything was configured correctly indeed. The problem was happening with iOS 5.1.1 (and still is), even though I deployed the target to such iOS. Since my client won’t use iOS 5.1.1 I guess it’s not something I really need to worry about that much. But it drives me nuts because I can’t stand with issues.

    Kind regards,
    Alex

  • haha, i know that feeling 😉

    could it be that iOS 5.1.1 does not support https? have you tried the old, ‘plain’ http approach with it?

  • Alex Affonso

    Yeah, I tried the old http method with no success too. The app downloads and gets stuck during installation. Odd behavior. I’ll do more tests and let you know if I find the gap.

  • pravi jay

    have you found any solution regarding this alex

  • Ahmad

    Hi there,

    I have a question about creating distributed application with in-house provisioning profile.

    I purchased apple iOS developer account for 99$ for first time and then try to buy enterprise account (in-house), but I see that the link which lead to purchase in-house account for about 299$ just return to the same panel for buying developer account.
    at all I purchase it with new apple ID and have new developer panel but no “in-house and ad-hoc” choice which you mention in above. I just want to know, what should I do to access this part. I have agent role in developer panel. I see ad-hoc option but no in-house.

    thanks in advance

  • hi ahmad,
    i did not buy the enterprise account, so i don’t know how to buy it. so i can’t help you there.

    i shortly went here https://developer.apple.com/programs/start/enterprise/create.php and read this: »You can enroll in the iOS Developer Enterprise Program with the same Apple ID you use for other services like iCloud and the Apple Online Store. However, if you are already enrolled in an Apple Developer Program or have an iTunes Connect account for distributing another media type (music, TV, movies, or books), you need to use a different Apple ID for your enrollment.«

    it seems like you need another apple account for the enterprise account.

    cheers

  • Sylvain

    Hi everybody,

    I encounter exactly the same problem as Alex since iOs 7.1.

    Alex, did you solve this problem ? I’m losing my patience, my brain and my customers!!

    Thanks in advance

    Sylvain

  • Hi Johannes,
    Great article! As an iOS noob, this saved me days of fooling around. However, one question – in XCode 6, there’s no option to edit the plist manifest file when I export the IPA file. In fact I can’t find the manifest file anywhere…any idea where this would be?
    Thanks!

  • hi namso,
    unfortunately i have not tested Xcode 6, yet.

  • Michael

    Very helpful, thank you very much. It begs the question why Apple don’t have this kind of documentation available…

  • Chris

    Thank you for this very helpful article. Is there any chance to get rid of the message Are you sure you want to open the application “Application Name” from Developer “iPhone distribution certificate name” when starting the app the first time?

  • unfortunately, i cannot remember that i have seen such a message. but if such is there, i do not know about a possibility to get rid of the message…

  • John

    Does the universal distribution support ‘push notification’?

  • i have not worked with push notifications and apps created for enterprise distribution. so, i cannot answer this question. but after a quick googling, if i had to guess, i would say, yes, you can do that. for instance, https://www.apple.com/iphone/business/it/deployment.html search for ‘push notifications’. or http://stackoverflow.com/questions/8243049/apple-push-notification-with-an-enterprise-application

  • Rakshit Doshi

    Is the last part of Web Site necessary. How to deploy the ipa file using a MDM solution.
    Can you please guide through on this.

  • no sorry, i cannot help you with MDM problems. i have never worked with this technology.

  • Kang Chian Gim

    Thanks. Much clearer than Apple documentation.

  • MDM Systems have their own tools delivered with the system. These tools will wrap the .ipa-file into a container so it fits into the MDM Platform.

  • thanks, jonas!

  • Have you done this process using iOS 8 and Xcode 6? If so, were you successful?

  • well, yes. one thing i recognized is that in xcode 6 the checkbox ‘Save for Enterprise Distribution’ is missing. when ‘Save for Enterprise Distribution’ is checked, an additional plist is generated that is necessary for the deployment using, for instance, a webserver. i haven’t found a way in xcode 6 that generates this plist file. maybe, apple has simply forgotten this feature.

    you can use this plist file instead and fill in the necessary information: dummy.plist. be sure to replace the content in the squared brackets with your information. additionally, rename the plist file accordingly (for instance, use the app name).

  • Peter

    I have a problem when doing the archive in XCode 6 for IOS 8 that the distribute button isn’t there, I get the submit and export buttons instead. I’m an Enterprise developer and have created the In-house provisioning profile and a Production In-house distribution cert.

  • Peter

    Update – I installed X Code 5.1 and my problem solved after a day. 🙂

  • well, yes, as annoying as it is, re-installing the old xcode has also proven useful for me in terms of provisioning. for this purpose i have created a virtual machine with 10.9 and xcode 5.1. however, i have not set up the VM for the enterprise provisioning but instead for another project. besides the issue with the missing ‘Save for Enterprise Distribution’ checkbox, enterprise provisioning did work fine for me using xcode 6.

  • Olivier

    very useful after my certificate had expired, thank you

  • Hi Johannes,
    I think there is still some issues around Enterprise AdHoc distribution using Xcode, I have exact same setup as you described in this article (BTW: Great Work thanks), The only missing part is I don’t have Admin privileges for Enterprise account, so when i create Archive file and hit Export and select ‘Save for AdHoc Distribution’, I get error “Failed to locate or generate matching signing assets:”
    NOTE: I can’t select (3)option i.e. export to Enterprise Deployment as the profiles are different for AdHoc vs Internal distribution.

    Thanks,
    Vid

  • Great article!

  • Johannes,

    Thanks for this excellent article. Also, thanks for the dummy.plist in your comments. We were using Xcode 6.1 and this solution of manually creating a dummy.plist saved the day.

  • Sylvain

    Hello,

    What type of SSL certificate needs to be implemented on the server ?

    Thanks !

    Best

    Sylvain

  • as far as i know, you need a valid ssl certificate that is signed by an approved trust center. so you cannot use one that you issue yourself. usually, your hosting provider can issue a certificate that is signed by a trust center for you. but such a certificate is usually not cheap.

    furthermore, take care that you get a certificate that is issued for the correct subdomain (if you store the ipa under an url using a subdomain). alternatively, you can buy a wildcard certificate for your domain that is valid for subdomains as well. however, such a certificate usually is really pricey.

  • Hi Johannes,
    Can you look this question on stackoverflow.

    http://stackoverflow.com/questions/25913834/ios-8-openurl-itms-services-does-not-exit-current-app

    Thanks.

  • mmmh, i gave it a look but i do not know of a better answer as those that are written there. so far, i have not tried updating my enterprise provisioned app using an itms direct link. therefore, i have neither experienced the problem outlined in the stackoverflow question under iOS 7 nor on iOS 8. sorry.

  • Anders Hyldahl

    There is a great explanation on http://cases.azoft.com/how-to-fix-certificate-is-not-valid-error-on-ios-7/ – Especially with reference to http://www.StartSSL.com

  • Rodrigo

    Hi Johannes.

    Great article. I’m facing a problem with my enterprise account. I have a distribution certificate, actually I have 2. But, I’m not able to create a In house provision profile for distribution. It only show me App Store and Ad hoc options.

    Any ideas of whats wrong?

    Regards,

  • did you choose the enterprise provisioning profile in targets -> code signing -> provisioning profile before archiving the app?

  • Rodrigo

    Thanks for the quick reply.

    I think I didn’t explain it well.

    When I’m logged in the iOS member center, in the provision profiles section, when I hit plus to create a new provision profile, there’s no option to create a In House provision profile, only App Store or Ad Hoc.

    Something changed in the member center since you published this article?

    Regards,

  • i’ve just visited developer.apple.com and took a screenshot when creating a new provisioning profile on the enterprise account. this is what it looked like:

    are you sure that you are using the enterprise account?

  • Rodrigo

    Yes, my account type is: Company/organization.

    I logged as admin and agent but I see the same screen.

    Don’t know whats happening.

  • Rodrigo

    As I told you, I have two distribution certificates. Could that be the problem?

  • when choosing your account, do you choose the account with the type “iOS Developer Enterprise Program”? for me the choice looks like this:

  • the choice of the provisioning types doesn’t have to do anything with the certificates you are using, as the choice of the profile type comes before choosing the app and the certificate that should be used in the provisioning profile.

  • Rodrigo

    When I choose the account there is no such details. Just a select box with the name of the teams.

    Anyway, when I saw my account details there was only iOS Developer Program in Memberships.

    That is strange because my account type is company/organization.

  • selecting the account comes one step before the step shown in the last image. my account is assigned to different teams. so after selecting my account, i have to choose the team where i want to perform the changes in the developer center.

    anyway, you have to resolve where your enterprise account is at first. as soon as you find it, i am sure that you can create your in-house profiles.

    could it be that your developer user has to be assigned to the enterprise account initially in order that you can do any changes in the developer center for this account?

  • Rodrigo

    There are developers assigned to the enterprise account. Anyway, I’m talking to Apple to figure out what is wrong.

    Thanks a lot for your help

    Regards,

  • eirikkos

    This is really priceless. Thanks so much.

    FYI, I skipped ahead a few of the certificate generation steps, since you can do that from XCode.

    Things generally just seem to… work… Fantastic!

    Thanks again!

  • Thanatos

    Can I use dropbox links for .ipa and .plist files?

  • Thanks. It is really very helpful to us. I am using XCode 6, i want to send iPA file in email for testing purpose. So in XCode 6 i am not getting URL details while saving for enterprise edition.

  • as far as i know, you cannot use the dropbox to store the ipad and plist files. the files have to be on the same server as the html page containing the link to the plist file.

  • hariprasad, i do not understand what you exactly want to know from me. if you want to use email to distribute the ipa file you do not need any ‘URL details’. simply send the file and the receiver can install it on their device using iTunes.

  • Rick Sanders

    Johannes, YOU ROCK!! I’m a iOS Noob and the original developer of an internal app left the company. Well, last week the certificate expired and we needed to figure out why the app couldn’t download, etc., etc., Well, everything you noted in your article will be put to the test tomorrow and I hope we can get this app up and running again. Many thanks for the many details!!

  • John Haro

    Johannes – excellent write up. Very helpful thank you. The issue that Rodrigo mentioned earlier, where he did not have an in-house option for provisioning is because he has a corporate account not an enterprise account.
    Essentially – you can set up a corporate or team account so that a team of people or a company can produce apps for sale in the app store. An enterprise account for in-house distribution is ANOTHER type of account… that type of account can provision for enterprise distribution but can NOT actually publish apps to the app store.

  • Thank you, John, for clearing up matters.

  • Hugo

    Great! Great! Really very good article! It helped a lot! Thank you!

  • Thanks! Very good.

  • Doug

    Hello,
    I am also getting a “cannot connect to [website]”. Was it a provisioning profile issue that was causing this? I’m not sure why it’s still happening when I am able to push out the app fine via a MDM, but not with the web link. What did you do to fix?

    Thanks!

  • do you have a valid ssl certificate?

  • Doug

    Yes – I even purchased and registered a domain on network solutions to host the site.

  • no, it was not a provisioning problem. if it was a provisioning problem for you, you would most certainly not be able to install the app via MDM. for me, it was as described above the problem that i used a self-signed SSL certificate.

    i’m curious: what does xcode say in the console what is causing the cannot connect problem?

  • Doug

    It says:
    Feb 9 17:34:49 Brand-Test-iPad CommCenter[69] : com.apple.CommCenter.Prox – Declared system activity to prevent sleep
    Feb 9 17:34:50 Brand-Test-iPad itunesstored[86] : Could not load download manifest with underlying error: Error Domain=SSErrorDomain Code=109 “Cannot connect to ###.####.com” UserInfo=0x144689750 {NSLocalizedDescription=Cannot connect to ###.####.com, SSErrorHTTPStatusCodeKey=404}

  • sounds like the url to your manifest plist file in your html file is wrong.

  • Dragon

    Great article, save me so much time and effort 🙂
    From your comments, it looks like self-signed SSL certificate should NOT work, and I have to apply one business SSL certificate for company using. Is it true?
    If true, could you help to give me more details about how to apply valid SSL certificate?
    Special thanks in advance!

  • hi, yes, this is true. as to getting a valid ssl certificate, you have to look for instructions in the internet. you can also look in the comments further above. someone posted a link to an instruction on how to retrieve a free valid ssl certificate…

  • DIego Escobar

    Thanks for this good tutorial, with new xcode seems that things have changed a little.. i was able to archive and export.. but theres no option to get manifest nor i can find it anywhere.. what can i do?

  • that is a flaw in xcode 6. take this plist and adapt it to suit your needs: http://johannesluderschmidt.de/wp-content/uploads/2014/10/dummy.plist_.zip

  • Rfx

    Great Article, Do you know if this could work offline? Within the company local network with no connection to outside. I see valid SSL cert required but could this be managed locally as long as it was real cert?

  • DIego Escobar

    thanks” Worked Great

  • i don’t know. i guess if you’ve got a dns nameserver running in the closed network allowing you to open the ssl connection using the appropriate url with the domain name (& not with an IP), then it could work.

  • Ben

    Hey! great post.
    Do you know how to make a manifest now on Xcode 6+?
    Thanks

  • hi ben, i don’t think so. maybe the coming xcode update (with all the apple watch stuff) fixes this problem. but i think apple is just not interested in enterprise provisioning problems at the current time. you can still use my template to manually create the manifest: http://johannesluderschmidt.de/wp-content/uploads/2014/10/dummy.plist_.zip

  • i checked xcode 6.2 beta and 6.3 beta for the creation of the manifest file while enterprise provisioning. neither does generate a manifest file 😡

  • David

    Thank you very much
    I followed your tutorial, but i can’t download ipa file.
    At first time, i could download ipa file, but it failed in middle process, it said that “… can’t download at this time”,
    i tried to make new provision profile (In-House), and built new ipa file, and uploaded to secure server,
    But now I can see installing message dialog , but when i click download button, nothing happens, It doesn’t start to download at all.

    Can you help me how to get rid of this?

    Thanks

  • hi david,
    i don’t know what fails in your process. there are so many things that can go wrong that it is hard to judge what it might be without more details. sorry.

  • We developed our first enterprise app, and we would like to distribute it, but we cant, xcode 6.1.1 says after I click to submit (In-House distribution):
    “Wildcard app ids cannot be used to create in house provisioning profile. Please use an Explicit App ID.”

    Anybody can help? Thanks!

  • you need to use the appropriate provisioning profile!

  • I wrote to DTS Team, and says set with these setting: https://developer.apple.com/library/ios/qa/qa1814/_index.html#//apple_ref/doc/uid/DTS40014030
    But still didn’t work…

  • i don’t understand what this article has to do with enterprise provisioning. all that the article says is how to configure your xcode for the automatic management of provisioning.

    for enterprise provisioning you will want to select a provisioning profile that has been created for the in-house/enterprise provisioning in the apple developer center. furthermore, for the code signing identities you will want to select the distribution identity from the certificate that has been used to sign the provisioning profile while creating it.

  • I don’t understand too… Now I selected everything from above your are write, but same error…
    “Wildcard app ids cannot be used to create in house provisioning profile. Please use an Explicit App ID.”

  • Uhm, what App Id did you use? must be something like com.example.myNeatAppName. You have to use this id to create the provisioning certificate.

  • Yes, I selected in member center, Explicit APP ID for provisioning certificate.

  • Dragon

    So sorry to bother you again, but could you kindly help to take a look at my issue?

    I created one very simple project to test the validation of this wireless APP publish way, something like hello world in MS. I exactly followed your steps one by one, and also applied one SSL certificate verified site from StartSSL. You can see it on below link 🙂

    https://www.frsasiabpit.com/apps/Hello.htm

    Unfortunately, When I clicked the “Hello” to install this simple App, it began to install and keep loading until failed. I think the error came here:

    Mar 9 15:02:04 iPad installd[909] : 0x603000 -[MIInstaller performInstallationWithError:]: Installing

    By the way, I updated my iPad and Xcode to the latest, so the target of this App is iOS 8.1. Although I changed it to 7.1, the same as you, to build, it still failed. Many people have met this same issue, but without a solution, and I tried many of the ways they suggested.

    Could you help to take a look?
    Special thanks in advance.

    Dragon

    Error log:

    Mar 9 15:02:04 iPad itunesstored[84] : LaunchServices: installing placeholder for com.voith.Hello
    Mar 9 15:02:04 iPad installd[909] : 0x603000 -[MIClientConnection _doBackgroundInstallationForPath:withOptions:completion:]: Install of “/var/mobile/Library/Caches/com.apple.itunesstored/AppPlaceholders/3264694190031634873.app” type Placeholder requested by itunesstored (pid 84)
    Mar 9 15:02:04 iPad installd[909] : 0x603000 -[MIInstaller performInstallationWithError:]: Installing
    Mar 9 15:02:04 iPad MobileStorageMounter[2034] : 0x324609dc Device-O-Matic: iterate_ancestors IORegistryEntryGetParentIterator failed: No such process
    Mar 9 15:02:04 iPad MobileStorageMounter[2034] : 0x324609dc Device-O-Matic: iterate_ancestors IORegistryEntryGetParentIterator failed: No such file or directory
    Mar 9 15:02:04 iPad MobileStorageMounter[2034] : 0x324609dc Device-O-Matic: iterate_ancestors IORegistryEntryGetParentIterator failed: No such file or directory
    Mar 9 15:02:04 iPad MobileStorageMounter[2034] : 0x324609dc Device-O-Matic: iterate_ancestors IORegistryEntryGetParentIterator failed: No such file or directory
    Mar 9 15:02:04 iPad installd[909] : 0x603000 -[MIContainer makeContainerLiveReplacingContainer:withError:]: Made container live for com.voith.Hello at /private/var/mobile/Containers/Data/Application/9C588F49-2EC1-4364-8EC7-C894710931AF
    Mar 9 15:02:04 iPad installd[909] : 0x603000 -[MIContainer makeContainerLiveReplacingContainer:withError:]: Made container live for com.voith.Hello at /private/var/mobile/Containers/Bundle/Application/722FCBB9-A979-457F-B0A1-D06C04758F20
    Mar 9 15:02:04 iPad installd[909] : 0x603000 -[MIInstaller performInstallationWithError:]: Staging: 0.01s; Waiting: 0.00s; Installation: 0.16s; Overall: 0.17s
    Mar 9 15:02:04 iPad itunesstored[84] : LaunchServices: Creating installProgressForApplication: com.voith.Hello (Placeholder) withPhase:3

  • Dragon

    anybody met this same error? appreciate any feedbacks. thanks!

  • Venkatesh

    Hi Dragon,

    did you able to resolve your error?
    If so, can you please share the solution to us. Thanks!

  • Johan

    Hi Johannes

    Great article!

    I will try to use this method for distributing an ipa created by Xamarin and not directly from Xcode. Xamarin uses Xcode for compilation and ipa-file creation, so it should work, but in Xamarin there is no way to enter the Application URL, so I want to enter it manually in the Info.plist file.
    But when I look at your example, it differs a bit from mine. Below is my Info.plist file. Where do you think I can place the keys and values for Application URL and title?

    CFBundleDisplayName
    Falck E-bärgning
    CFBundleIdentifier
    se.mjukvarukraft.Falck.Fluid.iOSClient
    CFBundleShortVersionString
    1.0.31
    CFBundleVersion
    11UIBackgroundModes

    location

    LSRequiresIPhoneOS

    MinimumOSVersion
    8.0
    UIDeviceFamily

    1

    UIMainStoryboardFile
    MainStoryboard
    UIRequiredDeviceCapabilities
    armv7
    UISupportedInterfaceOrientations
    UIInterfaceOrientationPortrait
    NSLocationWhenInUseUsageDescription
    Programmet vill avnäda din GPS
    NSLocationAlwaysUsageDescription
    Programmet vill använda din GPS
    CFBundleIconFiles

    [email protected]
    [email protected]
    UIPrerenderedIcon

  • hi johan, i cannot read the info.plist because wordpress’ comment engine strips out the tags. however, judging from what i see, this is not the plist file that is necessary for downloading an ipa file directly from the server to your device. your data looks like it comes from the info.plist from xcode. as far as i know, in that info.plist you do not need to enter an application url.

  • Johan

    Hmm

    Looks a bit strange

    Here is a link:

    http://downloads.mjukvarukraft.se/MVK/info.plist.zip

  • yes, this is the info.plist of your application. for enterprise provisioning you’ll need an additional plist file that you need to upload to your webserver (look in the post for additional information). for this plist file you can use the template i linked to in my last comment/answer.

  • Dragon

    Good luck to me, the root cause of my issue is iOS can support HTTPS for IPA URL. Only this IPA URL is available.
    Thanks!

    URL is the address of the IPA file where it will be accessible on the Internet. Beware: Although in the following of the process everything takes place under HTTPS, somehow the IPA URL had to use plain HTTP.

  • Johan

    Ok thanks, I misunderstood. I thought it was the same plist.info. Ok, I create a new one and place together with the IPA-file.

    A few questions about the values

    Shall the bundle-version always be 1.0?

    The [app-name] under title, is it the same as the CFBundleDisplayName in the Xcode plist?

  • as far as i know, the bundle-identifier is the bundle display name (this means the short name of your app). i can only guess what the bundle-version is supposed to contain. judging from the info.plist of another app that was created by xcode 5, this needs to be the version of the app (the version that you find under projectname -> targets/projectname -> general -> version).

  • arthy

    Very useful information.

  • Johan

    Ok, works perfect. And I don’t think the bundle-version really mean anything for this. Works with 1.0, works with 1 and the app-version is something totally different.
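
The manifest this part of the thread is about, as an added example (not code from the post, from the linked template or from Xcode): a Python sketch that writes the over-the-air manifest by hand, using the keys named in the comments (`bundle-identifier`, `bundle-version`, `title`) in the standard `items`/`assets`/`metadata` layout, and lints it for problems reported here (Info.plist uploaded instead of the manifest, non-HTTPS URL, wildcard app ID). The domain, bundle ID and function names are constructed for illustration; requiring HTTPS for the IPA URL follows Dragon's finding above and is an assumption for other iOS versions.

```python
import plistlib
from urllib.parse import urlsplit

REQUIRED_METADATA = ("bundle-identifier", "bundle-version", "kind", "title")


def build_manifest(ipa_url, bundle_id, bundle_version, title):
    """Return the over-the-air manifest as XML plist bytes."""
    manifest = {
        "items": [{
            "assets": [{"kind": "software-package", "url": ipa_url}],
            "metadata": {
                "bundle-identifier": bundle_id,
                "bundle-version": bundle_version,
                "kind": "software",
                "title": title,
            },
        }]
    }
    return plistlib.dumps(manifest, fmt=plistlib.FMT_XML)


def lint_manifest(data):
    """Return a list of problems found in manifest bytes (empty list = clean)."""
    try:
        manifest = plistlib.loads(data)
    except Exception as exc:  # wrong file, or tags stripped by a CMS
        return [f"not a valid plist: {exc}"]
    items = manifest.get("items") if isinstance(manifest, dict) else None
    if not isinstance(items, list) or not items:
        return ["missing 'items' array (is this the app's Info.plist?)"]
    problems = []
    for n, item in enumerate(items):
        if not isinstance(item, dict):
            problems.append(f"item {n}: not a dict")
            continue
        assets = [a for a in item.get("assets") or [] if isinstance(a, dict)]
        if not any(a.get("kind") == "software-package" for a in assets):
            problems.append(f"item {n}: no software-package asset")
        for a in assets:
            url = str(a.get("url", ""))
            if urlsplit(url).scheme != "https":
                problems.append(f"item {n}: asset URL is not HTTPS: {url!r}")
        meta = item.get("metadata")
        meta = meta if isinstance(meta, dict) else {}
        for key in REQUIRED_METADATA:
            if not meta.get(key):
                problems.append(f"item {n}: metadata '{key}' missing or empty")
        # Mirrors the Xcode error quoted earlier: in-house needs an explicit ID.
        if "*" in str(meta.get("bundle-identifier", "")):
            problems.append(f"item {n}: wildcard bundle-identifier")
    return problems


def install_link(manifest_url):
    """Build the itms-services link that goes on the download page."""
    if urlsplit(manifest_url).scheme != "https":
        raise ValueError("manifest must be served over HTTPS")
    return "itms-services://?action=download-manifest&url=" + manifest_url


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    good = build_manifest("https://apps.example.com/Hello.ipa",
                          "com.example.Hello", "1.0", "Hello")
    print(good.decode())
    print(install_link("https://apps.example.com/manifest.plist"))
    bad = build_manifest("http://apps.example.com/Hello.ipa",
                         "com.example.*", "", "Hello")
    for problem in lint_manifest(bad):
        print("PROBLEM:", problem)
```

Running the linter against the file actually served by the web server, rather than the local copy, also catches a manifest that a CMS or upload step has altered.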

  • Sylvain

    Hi There,

    I’m having a problem to distribute my apps on iPad since I updated to Xcode 6.3 and iOS 8.3.

    Everything worked well before… provisioning profiles, plist file and bundles are OK.

    I first got stuck with a “waiting” on the app; now each time I click on the link to update, nothing happens…

    Is there a log that I can check ? Already checked the crash log but nothing regarding my app.

    Thanks !

    Best

    Sylvain

  • Have you tried to install the app on different devices? I know of an issue where some devices will only install/update the enterprise provisioned app after a complete hard reset of the device.

    You can check the log of your device by connecting it to Xcode and selecting it under window -> devices. You see the device log in the lower right.

  • Sylvain

    Hi,

    Thanks for answering that quickly.

    Yes I did try on different devices and we still have the problem.

    By (finally) accessing the log, I found that the following error is a known issue. I tried the different workarounds found on the internet but it still doesn’t work…

    LoadExternalDownloadManifestOperation: Ignore manifest download, already have bundleID

    Thanks !

    Sylvain

  • Sylvain

    Hi There,

    Did some of you already encounter the same problem (if not they will…) ?

    Please let me know if you found a workaround (that works… I saw a few that don’t work like renaming the bundle in the plist, adding image description in the plist…)

    Thanks !

    Sylvain

  • akshay

    Hi,

    I followed the steps that you mentioned but i did not get the distribute option instead there are three options validate,submit,export.

    From export i selected save for enterprise option it created the ipa but no plist and not option for url is there.

    Please help. thanks in advance

  • akshay

    unable to access the links
    wordpress error

  • akshay

    i am not getting the distribute option as you have shown in the tutorial.
    I am getting three options submit,validate,export.
    Did I make some mistake?

  • when i press export in xcode 6’s organizer it shows me the attached drop down menu. can you post a screenshot of yours?

  • Sudheer

    I followed your blog and implemented the Enterprise Distribution. We are able to install the App on iOS 7 devices, but it is not working on iOS 8 devices. Getting the error: Unable to Download App. “App Name” could not be installed at this time. Please help me out.

  • i have not been confronted with that problem, yet.

    i googled (well, duckduckgoed) it quickly and came across the following potential problems (http://stackoverflow.com/questions/14375387/iphone-app-could-not-be-installed-at-this-time):
    “Most common issues that cause this are (…):

    – Device storage is full
    – The provisioning profile is a developer provisioning profile
    – The device was restored from a backup and is causing a conflict for over-the-air distribution
    – There was a network timeout
    – Architecture settings of the build and the device are incompatible (can sometimes happen when “Build Active Architecture Only” is on when building).
    – Not Using Mobile Safari.”

  • akshay

    Hi,

    I am getting the following error:

    “cannot connect to this server”

    The server is an IIS server.

    Please help.

    thanks in advance

  • do you have a valid ssl certificate and use https?

  • akshay

    Yes, I am using valid self signed certificate which is created on same windows server machine where ii is hosted. and also using https.

  • self signed is not allowed. read above: »In order to allow the IPA installation, the HTTPS connection needs to be certified by an SSL certificate that is registered for your domain and signed by a trust center.«

  • akshay

    So what should I do now, Can you help into this. How should I create the certificate?

  • akshay

    How can I create valid ssl certificate…?

  • as written above, you can buy one or you can try something like this: http://cases.azoft.com/how-to-fix-certificate-is-not-valid-error-on-ios-7/

  • Paul Freeman

    Thanks for the plist format, and the info about the https: requirement it was very helpful and my first BYOD distro installed without incident.

  • TobyKaos

    add your Team ID before the bundle identifier.

  • Sylvain

    Hi
    Thanks for answering.

    I added the TeamId before the bundle identifier in the plist file (looked like XYABC1234.com.company.myApp)
    But it still doesn’t work.

    Do I also need to make this change in Xcode bundle identifier and Build / Archive / Export again the app ?

    Thx

    PS: I saw that you speak French?

    Sylvain

  • toniax

    i have the same problem too

  • toniax

    i’ve bug tracked apple about this

  • Sylvain

    Hi Toniax,

    Can you please give me your email address so we can discuss this problem (in French 🙂), as I still cannot distribute my apps…

    Thanks

  • toniax

    i don’t really want to put my email on a public forum 🙂
    as explained previously, i posted the bug with apple. we work with an external contractor who confirmed to me that they have the same issue with xcode 8.3

  • Sylvain

    Hi Toniax,

    Actually I posted the bug 1 month ago using the “apple bug reporter”. I did not get any answer / update from them since that time. Please let me know if you have any news…

    Thx

    Sylvain

  • toniax
  • Sylvain

    I already saw this forum. It did not help.

  • Sylvain

    Hi Toniax,

    Any news regarding this problem ?

    Thx

    Sylvain

  • toniax

    i’ve had apple. they told me to test my certifs with adhoc distrib : it works. so they say that the problem is regarding the .plist file. not tested yet

  • Sylvain

    Hi Toniax,

    Don’t ask me why, it works today !!!!

  • Garrett

    I am not able to open this link

  • fixed the link

  • Sneha Singh

    hello, i have the $99 subscription. when i add a new device, i have to create a new ipa file for distribution. is it the same for enterprise distribution? do we need to create an ipa file every time we add a new device?

  • no, you don’t add devices to the enterprise provisioning profile. you can install an enterprise provisioned IPA on arbitrary iOS devices (without adding them to your developer account whatsoever). so, you only need to provision once.

  • Sneha Singh

    can you give me a more useful link on how to distribute applications using enterprise distribution? the issue i am facing is that i create the ipa file and upload it to our enterprise server. whenever we add new devices, we have to upload the new ipa file to the server. i want to skip uploading the ipa file to the server whenever a new device is added; basically the old ipa should work. will this enterprise distribution work?

  • no sorry, i cannot give you another link. but you don’t need to upload a new ipa every time you add a new device. as written above, arbitrary devices are supported by enterprise provisioned apps.

    if you create a new IPA, however, because you changed your code, you still need to upload it to your servers. for this purpose you can, for instance, employ a continuous integration approach: you can use xcode server or write a custom apache jenkins task that automatically handles the IPA creation by pulling the code from your SCM system and uploads the IPA to your server. but this issue is not covered in this post.

  • Sneha Singh

    can you please elaborate on arbitrary devices and how it detects whether a device is an enterprise device or an outside device?

  • there is no distinguishing between enterprise devices and non-enterprise devices. the enterprise provisioned app runs on all devices. therefore, the enterprise behind the enterprise provisioning profile is fully responsible for the contents of the app.

    what you are maybe thinking of is mobile device management (MDM). with MDM you can remote control enterprise devices (e.g., install profiles and apps). however, MDM has nothing to do with enterprise provisioning.

  • Sneha Singh

    so you mean to say with enterprise distribution, the download will be similar to app store distribution but only within enterprise.

  • Sneha Singh

    so you mean to say with enterprise distribution, the download will be similar to app store distribution but only within enterprise. only devices are not used.

  • yes. you just press on a download link on the website and the installation starts after clicking ‘OK’ on an alert.

  • Sneha Singh

    link is generated on apple website or we need to have dedicated server for that.

  • dedicated server

  • Greg

    Hi Johannes, This is fantastic and we have used this to deploy our internally built app for a couple of months now. However some users are reporting issues installing it recently as it seems that they have upgraded to iOS 8.3 and they are getting a “Cannot connect to xx.xx.net” issue. Do you know of any changes in 8.3 that would have caused this? Are there any changes to plist file that are needed?

  • hi greg, to be honest, i don’t know this issue. i have not done any enterprise provisioning lately.

  • Greg

    Hi Johannes, that’s no worries. I think I may have found the issue. 1 thing to note was the mime type setup for plist which was originally text/xml but I have now changed to text/plain. Also I think it has to do with the key of the SSL cert that is hosting the plist and ipa as ours is only 1024 (due to expire this month) whereas if I upload the same files for DropBox and the SSL cert there is 2048 it works with no issue.

  • Yongsik Kim

    Awesome!! This tutorial exactly solved my problem and actually works!!
    Thank you!!!!!

  • Rafay Hasan

    Thanks for the tutorial. However i followed what you said. But if i click the link from the browser it downloads the ipa file. But if i go to the same link from my iPad, it doesn’t work anymore. The link is http://appsynapsis.com/unisource/apps/unisource.ipa

    Can you please tell me what i did wrong. It will be great help for me. Thanks again.

  • bumaociyuan

    https://github.com/bumaociyuan/zxIpaServer

    Create a HTTPS Server with local ip address to install ipa locally

  • Mohammed Ward

    i am very thankful 🙂

  • Yashin

    Thanks for the post Johannes. Need to clarify a thing. I want send push notification for an In-house app that I have developed. So, when I create certificate for production should I select “In-House and Ad Hoc” or “Apple Push Notification service SSL (Production)”?

  • i have not had such an issue, yet. but i would guess that you have to choose the push certification certificate.

  • Ece

    Hi,
    I created plist successfully and upload ipa, plist to the server I connect to server with ssl certificate but when i clicked download link it says cannot connect to …..(url address). When I look to ios console for more detail, i saw during the error, it says cannot connect to itunes store.

    Can you help me? Because i can download things from app and itunes store also.

  • Ece

    I solved it. IIS didn’t support plist and ipa, so I added those MIME types.

  • Andrew Lewis

    I am using Xcode 6.4. On the “Choose a Distribution Method” screen, you now have the option to choose enterprise separate from ad hoc. In choosing “Enterprise”, I do not get the “Distribution” button as an option, only “Validate” and “Export”. When exporting, I can save the IPA to my HD but not sure about the Plist. And there is no option to add the “Application URL”. Anyone have any ideas how the process works in Xcode 6.4 and beyond? I am searching Apple’s documentation and so far have come up empty. Thanks for any help you can give!

  • Hi Johannes, thanks for this article. I have a quick question that I can’t seem to find an answer to. We have an existing app in the AppStore and would like to do enterprise distribution as well. Do you know if you can do both with the same App Identifier?

  • that’s a good question. no, i don’t know this.

    if i had to guess however, i would say: no you can’t. for the enterprise provisioning profile you have to use an app identifier from the enterprise development center. so, when creating the app identifier in the enterprise development center with the same id as for an app (that is already in the app store) from your regular development center, then the enterprise center should refuse to create the app identifier.

    or do you use the same account for the enterprise center as for the regular development through which you submit apps to the app store?

  • I got the same feeling as well.

    We do not currently have an enterprise certificate, I am trying to see if this is an option.

    The core of the problem I want to solve is getting builds to customers quickly when they have an issue that we can patch quickly or a small feature request. We have been using Fabric for this until now but it is a pain with getting their UDIDs and adding them to the provisioning profile. The new TestFlight doesn’t solve this problem very well either.

    We could build as two different target, one for app store and one for enterprise but we need the enterprise distributed one to have access to the localstorage generated from the app store version.

    Any ideas?

  • have you tried App Groups (look under App Identifier in the Development Center)?

  • In WatchKit 1, I had to use an App Group to allow access from the Watch Kit Extension on the App Container of the ‘mother’ app.

  • Oh, I like that. I had never looked into what that feature did. It may just work!

  • Hello. Does this solution still works ?

  • although there are newer versions of xcode and details of the developer center may have changed in the meantime, the basic principles remain the same. so the answer to your question is: it should still work but i have not tried.

  • Bernadi Beltran Canovas

    Hi i read all post and thanks you for writing

    I’m not exactly sure I need to sign an IPA for a customer to distribute our in-house my ipa

    the customer has given us a certificate distribution p12 with the password we have added the keystore and exported .cer, should be sufficient?

    in Xcode my client certificate> buildSettings> codesigning appears, can select distribute certificate client, but when trying to export the ipa appears this message:

    “This product type must be built using a provisioning profile, however no provisioning profile matching the identity” iPhone Distribution: –CLIENT NAME–“was found.

    Xcode can Attempt to fix this issue. This will reset your code signing and provisioning settings to recommended values and resolve issues with signing identities and provisioning profiles. ”

    I think it’s because we have not added the user account of the client or we need some xcode certificate?

    Would greatly appreciate your help this issue takes us a long time

  • 张惠

    can you help me ,why my app can’t download complete?
    my app URL : https://app.rhtxsoft.com/
    thank you.

  • 张惠

    thanks for anyone who can help me.

  • please connect your iOS device to Xcode before installing the app over the air. then, in Xcode, under Window -> Devices select your iOS device and take a look in the lower right corner. if there are problems throughout the over the air installation, they will be logged there. if you cannot resolve the errors yourself, please post your log here and i will see if i can help you.

  • Savita Agrawal

    Hi Johannes, I’ve followed the whole tutorial step by step and created a manifest file, ipa file and html file. But when I try to open the link, I’m getting the error “cannot connect to abc.co.uk”. I’ve gone through the posts but nothing helped. I have a valid SSL certificate on the server where I’ve uploaded the .ipa file. And I don’t see anything in the device log.
    Please help.

  • Thomas Kicher

    Actually, the app identifier will be different, as the team ID will be different (XXXXXXXXX.com.enterprise.appname).

  • richarddas

    Just wanted to say THANK YOU for writing this up. You just saved my bacon! 🍻

  • cheers 🍻

About Johannes

I am a freelance iOS developer based in Wiesbaden, Germany. Additionally to iPhone, iPad, Apple Watch and tvOS apps, I love developing user interfaces for tabletop systems and interactive walls.

Furthermore, I develop all kinds of user interfaces for mobile, tablet or tabletop devices as well as web frontends and backend applications. You can check out my skills in XING or Linked In.

If you are interested in my UI research activities, check out my publications or my github account.
