This content is part of the Essential Guide: Enterprise mobile security smackdown: iOS vs. Android vs. Windows

Essential Guide

Browse Sections

A technical deep dive on iOS app distribution

The rules around iOS app distribution vary depending on the type of app. Deployment options abound, but none are a piece of cake.

Apple's rules for app distribution are sometimes tricky and can present a challenge to the way the IT department normally goes about deploying applications.

There are two kinds of iOS apps that IT can deploy: iOS apps that are developed "in-house" by staff or contract programmers and distributed privately, and apps that are publicly available through Apple's App Store.

In-house iOS app distribution

If you want to deploy in-house apps to iOS users, Apple requires that your company register for the iOS Developer Enterprise Program. During the development and testing stage, Apple provides the registered developer with a provisioning profile to generate a certificate. The developer then uses the certificate to sign applications, which lets them run on a specified set of iOS devices. The development certificate is good for three months.

In the production phase, the person permitted to administrate the company's enterprise iOS app distribution program can create a certificate signing request (CSR) to Apple's iOS Provisioning Portal. In exchange for a valid CSR, the admin receives a distribution certificate that allows the application to be signed for an unlimited number of devices. To install the certificate, the administrator needs a provisioning profile that contains one or more signed in-house iOS apps. The distribution certificate expires every three years. Upon expiration, the certificate will need a new CSR. Additionally, the provisioning profile must be renewed every year. If either time frame lapses, the application will not launch.

With this method, companies don't use the App Store for iOS app distribution, so the process becomes more complex. The IT department is responsible for providing timely updates and version control for its own in-house apps. Even if the app never changes one line of code, IT still needs to renew certificates and profiles requiring the application to be signed, packaged and redeployed to iOS devices.

There are several options for deploying in-house applications without using the App Store:

Over-the-air deployment from a Web server requires an archived version of the application and a wireless manifest file that gives devices instructions about where to get the application. Users click on a URL that links to the wireless manifest file to trigger the app's installation. It's up to the IT department to encrypt (using https, for example) the traffic and compel authentication for users to be able to download the files.

iTunes can distribute your application, but users have to connect their iOS devices to a PC or Mac running the software. Because of the one-to-one nature of iTunes, this distribution method would be practical only when employees use the version of iTunes that is associated with their own devices.

Apple's configuration tools, such as the iPhone Configuration Utility or Apple Configurator, handle iOS app distribution for iOS devices that are connected to PCs or Macs. Unlike iTunes, this is user-neutral and more practical in settings where an admin might be setting up as many as 30 devices from one Mac or PC.

Mobile device management (MDM) and mobile application management (MAM) can also deliver applications from the developer to the iOS devices. MDM hooks into devices, and MAM becomes a sort of in-house application store.

Microsoft recently added support for iOS app distribution to System Center Configuration Manager (SCCM) 2012 and the Windows Intune cloud-based management service. IT could use the familiar SCCM they manage PCs with for iOS app distribution. This process involves publishing the application (either in-house or App Store-based) with SCCM and having iOS users log into the Intune site. This site shows the applications that are available for the user to install.

MAM goes further and provides methods of app wrapping, which is a way of packaging the application. The app runs under the MAM vendor's certificate with Apple, so IT doesn't have to manage provisioning profiles and distribution certificates. The tradeoff is that the application has to be built using the MAM vendor's software developer's kit (SDK). Currently, there is no standard for MAM, so SDKs are different from vendor to vendor. Moving to a new MAM tool down the line may cause development issues.

App Store applications

Using the App Store, IT can bypass most of the complexity of privately deploying in-house applications. But getting App Store apps deployed in an organizational setting is a bit more involved than one user downloading -- and paying for -- an app.

MDM tools can help nudge users to download applications from the App Store. But in a company with hundreds or thousands of iOS devices that need an app, the amount of work required to deliver that app to users via MDM and the App Store would quickly overwhelm any IT department. The App Store requires a one-to-one relationship between devices and the store (through users' Apple IDs), and it would be up to the IT department to associate users' Apple IDs with a corporate credit card. Making things even trickier is that a company may not own all -- or any -- of the devices.

More on iOS app distribution

Apple iOS security features, policies and controls

Code signing for Android and iOS apps

Using iOS MDM for better device management

Fortunately, Apple has a Volume Purchase Program (VPP). Organizations can enroll in the VPP and get an Apple ID to buy App Store applications. The VPP admin buys the desired quantity of applications and gives a URL to users, which allows the application(s) to be installed on their iOS devices. This install is redeemed out of the VPP up to the quantity of apps purchased.

Prior to iOS 7, the VPP had some big drawbacks. For example, if a person redeemed an app from the VPP on his personal device, Apple transferred ownership of the license to that user's Apple ID. But in iOS 7, Apple gives VPP admins the ability to revoke and reassign licenses to other users and devices.

Some MDM tools, such as MobileIron for iOS, have integration with the VPP to provide tighter control over who gets access to install the prepaid apps. Apple Configurator can also import data from the VPP, allowing IT to preconfigure an iOS device with VPP applications installed. This approach is limited to using a Mac to deploy the VPP apps, and the same Mac must be used to update the applications.

Dig Deeper on EMM tools | Enterprise mobility management technology