ios, provisioning-profile, enterprise-distribution

Expired Provisioning-profiles update


We have multiple applications custom built for specific clients. Each application has its own "Enterprise" Distribution Certificate "iOS UniversalDistribution". Today we received word that all our clients' applications have stopped working; they won't even open. At first we thought it was a bug after an update, but we noticed that our Provisioning profiles have expired. We did not receive any warnings, notifications, emails, ... they all just stopped working.

The applications are able to update themselves with a custom service we've built. Now that they won't open on the devices, we fear we have to manually install the new versions on the devices?

But this means that in the future this WILL happen again. After researching the Apple documentation, something is still not clear. If we build a new version of the application (.IPA file) and we push the updates in the app, will the application also update all the certificates accordingly? So if we do an update several weeks before with renewed provisioning profiles, will it prevent this from happening again?

Thanks in advance for the feedback.


Solution

  • So, unfortunately, none of the existing deployed apps will run now, so you will not be able to use the self-updating logic in the app to correct this. This is up to the developers to keep track of expiring profiles and certificates and ensure they get updated as needed.

    All of the information below assumes you are using an Enterprise Distribution Profile to build these iOS apps.

    You should note that there are two things that can expire: the provisioning profile and the certificate.

    Expiring Provisioning Profile:

    Typically the provisioning profile expiring is easier to deal with, as you only need to get a new profile on the device. Technically, doing a new build with a new provisioning profile will do this, but there are other ways. For example, if these are managed, company devices, you can typically use the MDM software to push a new profile to the devices, without requiring a new .ipa (app binary) to be installed on the device. Also, if you use wildcard app ids in your provisioning profile, installing another device with a newer provisioning profile will also work (although this is a bit unorthodox). Long story short: you need to get the new profile on the device. At this point, that is likely through you informing users they need to go re-download a new version of the app.

    Expiring Certificate

    If the certificate used to code sign the application is expiring, you will need to generate a new binary with the new certificate. There are ways to resign an existing ipa, but if you have the source code, it is easier to just re-build with the new certificate. The good news is that the certificate only expires every 3 years for an enterprise distribution certificate (vs. every 1 year for the provisioning profile). So this is not needed as often. But this will certainly require you to re-create a new binary signed with the new certificate.

    Preventing This From Recurring

    If you rely on the app to check for updates and self update, you need to make sure a new version gets published well enough in advance that users will launch the app in the time between the new version being released, and the profile or cert expiration. This length of time depends on your app. If it's a corporate app that people use daily, you can probably get by with 2 or 3 weeks (for people who are out of the office). If it's seldom used, I would consider deploying a new version, with a new provisioning profile at least 3-6 months in advance of the old one expiring. This takes planning and reminders to ensure you don't miss the timing window.

    Also of note, if you are using automatic code signing, you lose some control over when a new profile is generated and used, as well as the certificates. That's why I recommend for enterprise apps to use manual code signing settings to allow you to be very explicit with which provisioning profiles are used, as well as the cert. Also, delete all older profiles from the Mac when doing a build to ensure you are using the right profile (you can have many profiles on the Mac for the same application at any given time. You can find them here: https://stackoverflow.com/a/45642752/3708242). It's risky to assume Xcode will pick the most recent one.
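The answer's "Preventing This From Recurring" section comes down to knowing the expiry dates early enough to ship a new build while users are still launching the old one. The following checker is an added example (not code from the question, the answer, or Apple): it reads the `ExpirationDate` out of a `.mobileprovision` file and flags any profile that is expired or inside a lead window. It assumes the plist embedded in the CMS-signed profile can be located by a byte search for `<?xml ... </plist>` (it does not verify the signature), and the 90-day `LEAD_DAYS` window is an assumption taken from the answer's 3-6 month advice for seldom-used apps. The sample profile it builds for itself is constructed and carries no real signature.

```python
import plistlib
import re
import sys
from datetime import datetime, timezone

# Assumed lead window, based on the answer's "3-6 months in advance" guidance
# for seldom-used apps: ship a renewed build once fewer than 90 days remain.
LEAD_DAYS = 90

# A .mobileprovision is a CMS (PKCS#7) DER blob; the XML plist inside it is
# stored verbatim, so a raw byte search finds it without any ASN.1 parsing.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(profile_bytes: bytes) -> dict:
    """Return the plist dictionary embedded in a provisioning profile."""
    match = PLIST_RE.search(profile_bytes)
    if not match:
        raise ValueError("no embedded plist found; not a provisioning profile?")
    return plistlib.loads(match.group(0))


def profile_status(profile_bytes: bytes, now: datetime, lead_days: int = LEAD_DAYS) -> dict:
    """Classify a profile as OK, RENEW_NOW (inside the lead window) or EXPIRED."""
    info = extract_plist(profile_bytes)
    expires = info["ExpirationDate"]
    # plistlib returns naive datetimes for <date> values; they are UTC.
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        state = "EXPIRED"
    elif days_left <= lead_days:
        state = "RENEW_NOW"
    else:
        state = "OK"
    return {
        "name": info.get("Name"),
        "uuid": info.get("UUID"),
        # ProvisionsAllDevices is the marker of an enterprise (in-house) profile.
        "enterprise": bool(info.get("ProvisionsAllDevices", False)),
        "expires": expires.isoformat(),
        "days_left": days_left,
        "state": state,
    }


def make_fake_profile(name: str, expires: datetime) -> bytes:
    """Constructed stand-in for a real .mobileprovision: a plist wrapped in
    filler bytes instead of a genuine CMS signature (placeholder UUID)."""
    payload = plistlib.dumps({
        "Name": name,
        "UUID": "00000000-0000-0000-0000-000000000000",  # placeholder, not real
        "ProvisionsAllDevices": True,
        "ExpirationDate": expires,
        "TeamName": "Example Team",
    })
    return b"\x30\x82\x00\x00" + payload + b"\x00\x00"


def check_files(paths, now: datetime) -> list:
    """Run profile_status over real profile files, e.g. from
    ~/Library/MobileDevice/Provisioning Profiles/ on the build Mac."""
    results = []
    for path in paths:
        with open(path, "rb") as fh:
            results.append((path, profile_status(fh.read(), now)))
    return results


if __name__ == "__main__":
    for path, status in check_files(sys.argv[1:], datetime.now(timezone.utc)):
        print(f"{status['state']:9} {status['days_left']:5d}d  {status['name']}  {path}")
```

Run it against the profiles on the build Mac (or in CI) on a schedule and alert on any `RENEW_NOW` result; that turns the answer's "planning and reminders" into a check that fires well before the device-side expiry does. The same idea extends to the signing certificate, which expires on a separate (three-year) clock and should be tracked alongside.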