ipad distribution provisioning

iPad enterprise distribution options


We have an iPad app that we would like to distribute internally. We're looking into "Enterprise Distribution". The set of requirements I have been given include that the method for distribution is to be that a user goes to a secure website from an iPad, logs in, and downloads the app. The app then works for them.

Users who do not have access to the website should not have access to the application. We can easily prevent them from downloading the app by forcing them to log in. However, it is not obvious to me that after they download the app (via an .ipa file?), that they couldn't just give it to someone else, something that is not allowed.

It looks like a way around this is to have Distribution Provision Profiles, which determine whether a given app will run on the device. However, it's not obvious to me that those couldn't just be copied as well.

http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf

"Once you create the enterprise distribution provisioning profile, download the .mobileprovision file, and then securely distribute it and your application."

Sadly, I don't know enough to know exactly what I should be asking, but here goes:

  1. Can ipa files just be copied from one iPad to another, allowing anyone to use any given app? (assuming there is no other protection on the app)
  2. If the answer to 1 is yes, is there any reason to believe that .mobileprovision files will help me?

Solution

  • Every device has a UDID, a unique identifier. This is how Apple enforces the 100 development devices rule for individual developers. You collect UDIDs as part of the download process, issuing the provisioning profiles to registered users.

    To answer your questions:

    1. Yes, theoretically, without DRM or provisioning, an ipa can be synced to iTunes (or manually copied with third-party tools) and then moved to another device.

    2. Yes, .mobileprovision files include UDIDs in them which are pretty much unique to a given device. (The exception may be on jailbroken devices, which, if I recall correctly, can spoof a UDID.)

    EDIT:

    Just to clarify, in response to your requirements:

    "The set of requirements I have been given include that the method for distribution is to be that a user goes to a secure website from an iPad, logs in, and downloads the app. The app then works for them."

    I would add a middle step.

    1. User logs in.
    2. User submits device info.
    3. You create a provision for the device
    4. The user then downloads the app and the provision.

    This does not stop the user from giving out the app to others, but it's the best you've got. You can also require the user to log in inside the app, with the same email as the one used to register the UDID, theoretically.
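
An added example, not part of the original question or answer: a Python check that reads the device scope out of a .mobileprovision payload and compares any listed UDIDs with the ones collected at registration. `ProvisionedDevices`, `ProvisionsAllDevices`, `Name` and `ExpirationDate` are real profile keys; the sample profiles, UDIDs and the `audit` helper are constructed for illustration, and the CMS signature is not verified.

```python
import plistlib
from datetime import datetime

def extract_plist(blob: bytes) -> dict:
    """Return the XML plist embedded in a .mobileprovision (a CMS-signed wrapper).
    Reads the payload only; the CMS signature is NOT verified here."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start == -1 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def audit(blob: bytes, registered_udids: set) -> dict:
    """Report which devices a profile covers and flag UDIDs nobody registered."""
    profile = extract_plist(blob)
    listed = set(profile.get("ProvisionedDevices", []))
    if profile.get("ProvisionsAllDevices") is True:
        scope = "all-devices"      # in-house profile: no per-device list
    elif listed:
        scope = "listed-devices"   # ad hoc / development profile
    else:
        scope = "unknown"
    return {"name": profile.get("Name"), "scope": scope,
            "unregistered": sorted(listed - registered_udids),
            "expires": profile.get("ExpirationDate")}

def _wrap(payload: dict) -> bytes:
    # Constructed stand-in for the CMS envelope around the plist.
    return b"\x30\x82constructed-header" + plistlib.dumps(payload) + b"constructed-trailer"

# Constructed sample profiles; UDIDs and names are placeholders.
AD_HOC = _wrap({"Name": "Example Ad Hoc", "ExpirationDate": datetime(2030, 1, 1),
                "ProvisionedDevices": ["CONSTRUCTED-UDID-A", "CONSTRUCTED-UDID-B"]})
IN_HOUSE = _wrap({"Name": "Example In-House", "ExpirationDate": datetime(2030, 1, 1),
                  "ProvisionsAllDevices": True})
REGISTERED = {"CONSTRUCTED-UDID-A"}  # UDIDs collected when users logged in

if __name__ == "__main__":
    for blob in (AD_HOC, IN_HOUSE):
        print(audit(blob, REGISTERED))
```

A result of `all-devices` means the profile itself places no per-device restriction, so access control has to come from somewhere else, such as the in-app login mentioned above.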