2

We are trying to supply one of our clients with an IPA to deploy on their AirWatch. There is a lot of conflicting information on what is the best way to do that, but they all seem to agree on the fact that it needs to be signed with the certificate and private keys of some account. However, the client seems to be managing their Apple Enterprise account through AirWatch. Does this mean that we could supply them with an unsigned IPA file and let AirWatch do its thing?

I have been scouring the internet for a while for this information and the closest ones are similar to "Renew iOS Development and APNs Production for Corporate Apps [AirWatch]", which is not what I was looking for.

govi

3 Answers

2

No - AirWatch does not re-sign anything IPA-wise. It can interrogate your IPA to make sure you're not trying to accidentally update App A's IPA with the IPA for App B but that's about it.

The link you provided has nothing to do with re-signing applications within AirWatch as much as it is the general practice for renewing your Enterprise Apple Developer Cert and Provisioning Profiles.

If you try to deploy an unsigned IPA to a device not in your Developer Portal you will likely run into an issue where the app will begin installation then throw an error that it cannot be installed.

Regarding what your client is doing there may be some confusion as AirWatch does not directly tie back to the Apple Developer Portal except for the MDM APNs cert which is unrelated to IPAs.

Dan
1

It depends on how sophisticated AirWatch's re-signing is. A good re-signer should be able to take anything, re-sign it AND add the correct entitlements.

That said, in Xcode unsigned feels like an unsupported path - so my conservative approach is to sign a production build of the app (Ad Hoc, Enterprise or even AppStore if that makes sense) with its entitlements being as similar as possible to those of the final app's. If the app entitlements are simple (e.g. push notifications only), then this is the way to go.

But there's a problem: matching client entitlements has recently become harder, in part due to the proliferation of App Groups (which require an explicit, globally unique App ID - thanks, Apple Watch!), so your unsigned suggestion is starting to look more attractive.

Rhythmic Fistman
  • Hmm. The app is built using a custom script and xctool. So I can somehow create an unsigned one. But my doubt is, is AirWatch capable of resigning apps? – govi Apr 17 '15 at 05:12
  • If they're going to manage your account then they'll have to accept that responsibility. Handing control of your account over to a third party sounds pretty questionable. – Rhythmic Fistman Apr 17 '15 at 05:31
  • Cool. I'll go with the unsigned IPA and see where that leads me. – govi Apr 17 '15 at 06:16
0

AirWatch only re-signs IPAs if you wrap them with their App Wrapper, because it will alter the original IPA and invalidate the signature.

You have to provide both the Certificate and the Provisioning Profile to allow that.

If the IPA has to be signed with the Enterprise Certificate of your customer, you either require access to their Member Center or let them do it.

Apps like AppSign or iReSign can do that for you or your customer, if you provide them with the IPA.
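
Added example, not part of any answer above: a Python check that a recipient can run on an IPA before uploading it to an MDM console. It reports whether the bundle carries a code-signature seal and an embedded provisioning profile, what kind of distribution the profile allows, and which entitlements it grants. The function names and the sample IPA are constructed for this example, and the profile is read without verifying its CMS signature.

```python
import io
import plistlib
import zipfile

PROFILE = "embedded.mobileprovision"
SEAL = "_CodeSignature/CodeResources"

def inspect_ipa(data: bytes) -> dict:
    """Summarise the signing state of an IPA supplied as raw bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as ipa:
        names = set(ipa.namelist())
        # An IPA holds exactly one bundle at Payload/<Name>.app/
        bundles = {"/".join(n.split("/")[:2]) + "/" for n in names
                   if n.startswith("Payload/") and n.split("/")[1].endswith(".app")}
        if len(bundles) != 1:
            raise ValueError("expected exactly one Payload/*.app bundle")
        app = bundles.pop()
        report = {"has_signature": app + SEAL in names,
                  "has_profile": app + PROFILE in names,
                  "distribution": None, "entitlements": {}}
        if not report["has_profile"]:
            return report
        blob = ipa.read(app + PROFILE)
    # The profile is a CMS envelope around an XML plist. Slicing the plist
    # out reads its fields but does NOT verify the CMS signature.
    start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no plist found in provisioning profile")
    profile = plistlib.loads(blob[start:end + len(b"</plist>")])
    if profile.get("ProvisionsAllDevices"):
        report["distribution"] = "enterprise"   # installs on any device
    elif "ProvisionedDevices" in profile:
        report["distribution"] = "device-list"  # ad hoc or development
    else:
        report["distribution"] = "app-store"
    report["entitlements"] = profile.get("Entitlements", {})
    return report

def build_sample_ipa(signed: bool) -> bytes:
    """Constructed sample input: a minimal fake IPA, optionally 'signed'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": "com.example.demo"}))
        if signed:
            body = plistlib.dumps({"ProvisionsAllDevices": True,
                                   "Entitlements": {"aps-environment": "production"}})
            z.writestr("Payload/Demo.app/" + PROFILE, b"\x30\x82" + body + b"\x00\x00")
            z.writestr("Payload/Demo.app/" + SEAL, plistlib.dumps({"files": {}}))
    return buf.getvalue()
```

For a real file, pass `open(path, "rb").read()` to `inspect_ipa`; a result with `has_profile` false matches the unsigned case discussed in the answers.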