Understanding provisioning for iOS apps

This time I'll explain everything about the mysterious iOS provisioning process and the structure of a provisioning profile.


What is provisioning?

iOS is a really secure operating system. You can only install apps on your device that have been authorized by Apple, so your application has to be digitally signed before it gets published to the App Store. The signed binary helps Apple ensure the content is coming from the actual developer (team), so it is not compromised or altered by a third-party hacker. Unsigned apps can't be published on the App Store, so this process allows Apple to be the gatekeeper for their operating system. Basically, they can simply disable developer accounts or revoke certificates if developers don't follow the rules. If that happens, you won't be able to install apps from that developer anymore.

However, if you develop an application you might want to test it on a real device before the submission process. That is what the provisioning process is for: you can sign your application with a special file called a provisioning profile. This file is a collection of digital entities that connects physical devices to authorized developer teams. You can generate a provisioning profile for your application by using the Apple developer portal. 👍

Now that you know what provisioning is and why it is so important, let's take a deeper look at provisioning profiles and certificates.

What kind of provisioning profiles are there?

There are 4 types of provisioning profiles:

  • development
  • distribution
  • ad-hoc
  • in-house

The development profile gives you the ability to test your apps on your physical devices. It contains the unique device identifier of every single test device. You can only run your app on the devices that are included in the development profile.

The distribution profile has no such limitation, because it is used to distribute your app through the App Store. If you want to submit your app for approval, you have to sign it with a distribution profile. If Apple approves it, your app can be published to the store, which means it can be installed by anyone. 😊

You can also create an ad-hoc profile, which is basically a distribution profile with device identifiers. Apps signed with the ad-hoc distribution provisioning profile can be installed on a limited number of designated devices through websites, mails or OTA. It's good for public beta testers, QA teams or client demos.

The in-house profile is only available for enterprise developers; it can be used for internal distribution to non-registered devices too. This means that you are not restricted to device identifiers, but it should not be used for the public (only for your company or the employees of a specific company). Every profile type has to be registered with a certificate, and both are required during the code signing process. You can only install your application after the binary is signed properly. If the certificate is expired or you don't have the corresponding private key, you won't be able to sign the app. Also, if the provisioning profile is invalid, or if it doesn't contain your device identifier (see below), you won't be able to launch your app. 📱

The anatomy of a provisioning profile

Every single provisioning profile contains the following things:

  • app identifier
  • team
  • capabilities
  • entitlements
  • certificates
  • unique device identifiers (optional)

An app identifier can be registered through the developer portal by providing a bundle identifier search string. It can be an explicit one or a wildcard app id. Apple is going to create it from your team id and the bundle id. It is used to uniquely identify your app during the provisioning process.

A bundle id is just a unique identifier under your developer account, but the app identifier is a widely used unique id for the entire App Store ecosystem. Usually, you should use reverse domain notation when you create a bundle id.

The team section is just basic information about your developer team. If you are part of multiple developer teams, the build system has to find the right one for your provisioning profile during the code signing process.

Capabilities are (cloud-based) services and features. You can enable them from Xcode. Some of them have to be configured inside the developer portal under the App IDs section. For example, the Push notifications capability requires additional certificates, and entitlements have to be added to your application.

Entitlements are simple configurations for accessing various services, such as iCloud storage, Push Notifications, Apple Pay and so on. It's a plist file inside your application bundle. You don't really have to worry about it too much; Xcode can usually handle managing entitlements.

Certificates are used during the build process to sign the app. Every certificate has an associated private key component. In order to code sign the binary, you'll need the private key in your local keychain. Certificates can expire too, so you have to renew them every year or you won't be able to sign apps anymore. 🙅‍♂️

Unique device identifiers can be embedded into a provisioning profile. If you are trying to run a test version of your app on a real device, you'll have to register your test devices' UUID. You can do it manually inside the developer portal, or if you prefer, Xcode can also do the job for you. It doesn't matter which method you choose, but if you add a new device to the developer portal, you also have to re-generate the provisioning profile.

Expiration and invalidation

Both provisioning profiles and certificates do expire. If a profile expires, the app will fail to launch. You have to renew the profile, rebuild, re-sign and reinstall the application on the given device if you'd like to continue to use it.

Except for an in-house distribution profile, all of the profiles expire one year from the date the profile was created. This means the profiles have to be re-generated every year to keep distributing apps to devices or the App Store. ⌛️

Ad-hoc profiles have longer expiry dates. Also, if your application is submitted to the App Store, don't worry too much, you can install it any time. Distribution profiles do expire, but that only affects your code signing workflow.

However, there is one thing that can happen with your app in the App Store. If you break a rule, Apple can revoke your signing certificate so you won't be able to submit apps anymore. They can also remove your application from the store.

If a certificate expires or gets revoked, the associated profiles will be invalid too. You can always check the status of your provisioning profile inside the developer portal.

What could go wrong?

These days, you do not have to create provisioning profiles by your self: you simply want to attach your developer account beneath Xcode’s preferences. In case you are prepared, you possibly can safely allow the computerized code signing function beneath the goal, so Xcode can deal with the remaining, however it’s best to word that generally issues can get tousled. 🤪

You can always use the developer portal to double check everything. Here is a quick list of the most common issues that can occur.

Check if

  • you have a valid certificate (keychain + developer portal)
  • the certificate has an associated private key (keychain)
  • an App ID for your bundle id exists (developer portal)
  • all the capabilities are set up and ready to use (Xcode + developer portal)
  • the entitlements are ready to use (Xcode)
  • the physical test device id is registered (developer portal)
  • the provisioning profile is valid (developer portal)
  • the provisioning profile contains the certificate and the device ids

How do you check the last one? Well, let me explain this briefly.

Checking what’s inside a provisioning profile

The provisioning profiles are automatically downloaded by Xcode and stored under the ~/Library/MobileDevice/Provisioning Profiles directory. If you navigate to this folder you'll see a bunch of randomly named files. That ain't gonna help too much. 😅

There are two excellent QuickLook plugins, which will let you inspect the entire content of a provisioning profile directly from Finder. I really love this approach, because these plugins give me far more details than Xcode itself.
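
The same inspection can be scripted. The Python sketch below is an added example, not code from the original article: it pulls the property list out of a profile's signed wrapper and checks expiry, the signing certificate and the device id, covering the last items of the checklist above. The function names and all sample values are constructed for illustration, the profile-type mapping is a common heuristic rather than an Apple-documented rule, and the script reads the plist without verifying the profile's signature.

```python
import plistlib
from datetime import datetime, timedelta

def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a signed .mobileprovision blob (no signature check)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def profile_type(p: dict) -> str:
    """Heuristic mapping of plist keys to the four profile kinds."""
    if p.get("ProvisionsAllDevices"):
        return "in-house"
    if "ProvisionedDevices" not in p:
        return "distribution"
    debuggable = p.get("Entitlements", {}).get("get-task-allow", False)
    return "development" if debuggable else "ad-hoc"

def check_profile(p: dict, device_id: str, cert_der: bytes, now: datetime) -> list:
    """Return the problems found; an empty list means every check passed."""
    problems = []
    if p["ExpirationDate"] <= now:  # plistlib yields naive UTC datetimes
        problems.append("profile expired")
    if cert_der not in p.get("DeveloperCertificates", []):
        problems.append("signing certificate not in profile")
    needs_device = profile_type(p) in ("development", "ad-hoc")
    if needs_device and device_id not in p.get("ProvisionedDevices", []):
        problems.append("device not registered in profile")
    return problems

# Constructed sample: fake wrapper bytes around a plist with made-up values.
NOW = datetime(2024, 1, 15, 12, 0, 0)
DEVICE, CERT = "CONSTRUCTED-DEVICE-ID-0001", b"constructed-der-bytes"

def build_sample() -> bytes:
    body = plistlib.dumps({
        "TeamIdentifier": ["ABCDE12345"],
        "ExpirationDate": NOW + timedelta(days=335),
        "ProvisionedDevices": [DEVICE],
        "DeveloperCertificates": [CERT],
        "Entitlements": {"get-task-allow": True},
    })
    return b"\x30\x82\x00\x00" + body + b"\x00sig"

if __name__ == "__main__":
    profile = extract_plist(build_sample())
    print(profile_type(profile), check_profile(profile, DEVICE, CERT, NOW))
```

On a real file, pass the bytes of one of the profiles from the directory above to `extract_plist`, and the DER bytes of your signing certificate to `check_profile`.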


Let me sum up everything one more time real quick. ⚡️

If you want to run an application on a physical device you have to configure a valid provisioning profile. You can obtain a profile from the developer portal. That profile, later on during the build process, will be embedded directly into the app bundle, plus the app is going to be code signed by using your developer credentials.

If you try to launch the app on the device, first the provisioning profile is going to be checked, and if it doesn't match the required criteria your app won't run at all. If you are lucky enough and everything was okay, your app will launch just fine.

This whole process above is called provisioning. I hope you enjoyed this article. Next time I'll write about code signing and how to solve code signing issues. 😉