Home/ Questions/Q 7446095
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-29T12:12:57+00:00

Our customer has just joined the iOS Developer Enterprise Program. They have signed the

  • 0

Our customer has just joined the iOS Developer Enterprise Program. They have signed the app (developed by us) with their Enterprise Distribution and installed it succesfully in some devices via MDM.

As far as I know when my non-enterprise distribution certificate expires I have to renew it. This expiration disables all apps signed with the expired certificate as soon as the devices checks the certificate’s validity against Apple’s OCSP server.

Alternatively, I can revoke my non-enterprise distribution before the expiration date and ask for a new one to Apple. Applications signed with the revoked certificate, for example Ad Hoc beta apps, will be disabled according to the same mechanism.

So with my developer program I can’t have two valid distribution certificates at the same time. Ok, as developers we can live with that.

Can our customer have two valid Enterprise Distribution certificates at the same time with the iOS Developer Enterprise Program?

According to Apple:

Certificate Validation

The first time an application is opened on a device, the distribution
certificate is validated by contacting Apple’s OCSP server. Unless the
certificate has been revoked, the app is allowed to run. Inability to
contact or get a response from the OCSP server is not interpreted as a
revocation. To verify the status, the device must be able to reach
ocsp.apple.com. See“Network Configuration Requirements”(page 9).

The OCSP response is cached on the device for the period of time specified
by the OCSP server—currently between 3 and 7 days. The validity of the
certificate will not be checked again until the device has
restarted and the cached response has expired. If a revocation is
received at that time, the app will be prevented from running. Revoking
a distribution certificate will invalidate all of the applications you
have distributed.

An app will not run if the distribution certificate
has expired. Currently, distribution certificates are valid for one
year. A few weeks before your certificate expires, request a new
distribution certificate from the iOS DevCenter, use it to create new
distribution provisioning profiles, and then recompile and distribute the
updated apps to your users. See “Providing Updated Apps” (page 10)

Am I missing something or is is possible that the employees, with potentially hundreds of iOS devices with several In House apps, can’t open their applications while they wait for the resigned apps?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is an issue that we have been dealing since the last 2 years. The in-house applications do stop working after 1 year. It is a massive exercise for an organization like ours to rebuild hundreds of apps and redeploy it on thousands of devices every year.

    For us it is a month long exercise where we rebuild all our apps and inform all users to get new ones through the distribution channel. Still every year some users are left with non-functional apps.

    I have filed an enhancement request with Apple(Bug ID#9848075) for this and am still waiting for a reply.

    EDIT:
    The above mentioned bug is closed now. Here’s the official response:

    Distribution certs for enterprise are now 3 years in duration.

    • 0