http://help.apple.com/deployment/ios/#/apda0e3426d7
Explanation of “include manifest for over-the-air installation”
Install in-house apps wirelessly
iOS supports wireless installation of custom in-house apps without using iTunes or the App Store. Apps must be in .ipa format and be built with an in-house provisioning profile. Wireless installation requires the following:
- An XML manifest file (described in this section)
- A network configuration that lets devices access an iTunes server at Apple
- Use of HTTPS for iOS 7.1 or later
To install the app, users download the manifest file from your website using a special URL prefix. You can distribute the URL for downloading the manifest file by SMS or email, or by embedding it in another enterprise app you create.
It’s up to you to design and host the website used to distribute apps. Make sure that users are authenticated, perhaps using basic authentication or directory-based authentication, and that the website is accessible from your intranet or the Internet. You can place the app and manifest file in a hidden directory or in any location that’s readable using HTTPS.
Note: If you create a self-service portal, consider adding a web clip to the user’s Home screen so it’s easy to direct them back to the portal for future information, such as new configuration profiles, recommended App Store apps, and allowing them to enroll in an MDM solution.
Prepare an in-house app for wireless distribution
To prepare your in-house app for wireless distribution, you build an archived version (an .ipa file), and a manifest file that enables wireless distribution and installation of the app.
Use Xcode to create an app archive. Sign the app using your distribution certificate, and include your in-house provisioning profile in the archive. For more information about building and archiving apps, go to the iOS Dev Center website or refer to the Xcode User Guide, available from the Help menu in Xcode.
About the wireless manifest file
The manifest file is an XML plist used by Apple devices to find, download, and install apps from your web server. The manifest file is created by Xcode, using information you provide when you share an archived app for enterprise distribution.
The following fields are required:
- URL: The fully qualified HTTPS URL of the app (.ipa) file
- display-image: A 57-by-57-pixel PNG image that’s displayed during download and installation. Specify the image’s fully qualified URL
- full-size-image: A 512-by-512-pixel PNG image that represents the app in iTunes
- bundle-identifier: Your app’s bundle identifier, exactly as specified in your Xcode project
- bundle-version: Your app’s bundle version, as specified in your Xcode project
- title: The name of the app, which is displayed during download and installation
For iOS 8 Newsstand apps only, the following fields are required:
- newsstand-image: A full-size PNG image for display on the Newsstand shelf
- UINewsstandBindingEdge and UINewsstandBindingType: Keys that must match those in your Newsstand app’s info.plist
- UINewsstandApp: Indicates that the app is a Newsstand app
The sample manifest file also contains optional keys. For example, you can use the MD5 keys if your app file is large and you want to ensure download integrity beyond the error checking normally done for TCP communications.
You can install more than one app with a single manifest file, by specifying additional members of the items array.
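An added example (not from Apple's page or from Xcode): a Python check that each member of the items array carries the required fields listed above and that every asset URL is HTTPS, plus a helper that builds the itms-services link in the form of the sample link under "Construct your website". The items/assets/metadata nesting is the layout Xcode-generated manifests use; the example.com URLs and bundle values are constructed.

```python
import plistlib
from urllib.parse import quote, urlsplit

REQUIRED_ASSETS = {"software-package", "display-image", "full-size-image"}
REQUIRED_METADATA = {"bundle-identifier", "bundle-version", "title"}

# Constructed sample with three deliberate defects (placeholder URLs and bundle values).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>items</key><array><dict>
 <key>assets</key><array>
  <dict><key>kind</key><string>software-package</string><key>url</key><string>https://example.com/apps/demo.ipa</string></dict>
  <dict><key>kind</key><string>display-image</string><key>url</key><string>http://example.com/apps/icon57.png</string></dict>
 </array>
 <key>metadata</key><dict>
  <key>bundle-identifier</key><string>com.example.demo</string>
  <key>bundle-version</key><string>1.0</string>
 </dict>
</dict></array></dict></plist>"""

def is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)

def check_manifest(data):
    """Return a list of problems found in a manifest; an empty list means it passed."""
    root = plistlib.loads(data)
    items = root.get("items") if isinstance(root, dict) else None
    if not isinstance(items, list) or not items:
        return ["missing or empty 'items' array"]
    problems = []
    for n, item in enumerate(items):  # one entry per app in the manifest
        assets = {a.get("kind"): a.get("url", "") for a in item.get("assets", [])}
        for kind in sorted(REQUIRED_ASSETS - set(assets)):
            problems.append(f"item {n}: missing asset '{kind}'")
        for kind, url in assets.items():
            if not is_https(url):
                problems.append(f"item {n}: {kind} URL is not HTTPS: {url!r}")
        for key in sorted(REQUIRED_METADATA - set(item.get("metadata", {}))):
            problems.append(f"item {n}: missing metadata '{key}'")
    return problems

def install_link(manifest_url):
    """Build the itms-services link; '&' or '?' in the manifest URL is percent-encoded."""
    if not is_https(manifest_url):
        raise ValueError("manifest must be served over HTTPS")
    return "itms-services://?action=download-manifest&url=" + quote(manifest_url, safe=":/")

if __name__ == "__main__":
    print("\n".join(check_manifest(SAMPLE)) or "manifest OK")
```

Running the check before publishing catches the causes of the “unable to download” failure that the manifest itself can introduce, such as a plain-HTTP asset URL.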
Construct your website
Upload these items to an area of your website that your authenticated users can access:
- The app (.ipa) file
- The manifest (.plist) file
Your website can be a single page that links to the manifest file. When a user taps a web link, the manifest file is downloaded, which triggers the downloading and installation.
Here’s a sample link:
<a href="itms-services://?action=download-manifest&url=https://example.com/manifest.plist">Install App</a>
Don’t add a web link to the archived app (.ipa). The .ipa file is downloaded by the device when the manifest file is loaded. Although the protocol portion of the URL is “itms-services,” the iTunes Store isn’t involved in this process.
Also make sure your .ipa file is accessible over HTTPS and that your site is signed with a certificate that’s trusted by iOS. Installation fails if a self-signed certificate doesn’t have a trusted anchor and can’t be validated by the iOS device.
Set server MIME types
You may need to configure your web server so the manifest file and app file are transmitted correctly.
For OS X Server, add the MIME types to the web service’s MIME types settings:
- application/octet-stream ipa
- text/xml plist
For Microsoft’s Internet Information Server (IIS), use IIS Manager to add the MIME type in the Properties page of the server:
- .ipa application/octet-stream
- .plist text/xml
Troubleshoot wireless iOS app distribution
If wireless app distribution fails with an “unable to download” message:
- Make sure the app is signed correctly. Test it by installing it on a device using Apple Configurator 2, and see if any errors occur.
- Make sure the link to the manifest file is correct and the manifest file is accessible to web users.
- Make sure the URL to the .ipa file (in the manifest file) is correct and that the .ipa file is accessible to web users over HTTPS.
Network configuration requirements
If a device is connected to a closed internal network, you must let it access the following:
- ax.init.itunes.apple.com: The device obtains the current file-size limit for downloading apps over the cellular network. If this website isn’t reachable, installation may fail.
- ocsp.apple.com: The device contacts this website to check the status of the distribution certificate used to sign the provisioning profile.
Provide updated apps
Apps you distribute yourself aren’t automatically updated. When there’s a new version, notify users of the update and instruct them to install the app. Consider having the app check for updates and notify the user when the app opens. Make sure the notification provides the itms-services link. You can also use openURL from within the app to install the update.
If you want users to keep the app’s data stored on their device, make sure the new version uses the same bundle identifier as the one it’s replacing, and tell users not to delete their old version before installing the new one.
Before a provisioning profile expires, go to the iOS for Developers website to create a new profile for the app. Create a new app archive (.ipa) with the new provisioning profile for users installing the app for the first time.
If users already have the app, you may want to time your next released version so that it includes the new provisioning profile, so users aren’t interrupted while working with your app. If not, you can distribute just the new .mobileprovision file, so users won’t have to install the app again. The new provisioning profile overrides the one already in the app archive.
Distribution provisioning profiles expire 12 months after they’re issued. After the expiration date, the profile is removed and the app won’t launch.
Provisioning profiles can be installed and managed using MDM and then downloaded and installed by users through an app update or using MDM.
If your distribution certificate expires, the app won’t launch and you’ll need to rebuild the app with a new distribution certificate. Your distribution certificate is valid for three years from when it was issued, or until your Apple Developer Enterprise Program membership expires, whichever comes first. To keep your certificate from expiring, be sure to renew your membership before it expires.
You can have two independent distribution certificates active at the same time, with each independent from the other. The second certificate provides an overlapping period in which you can update your apps before the first certificate expires. When you request your second distribution certificate from the iOS Dev Center, be sure not to revoke your first certificate.
Certificate validation
The first time a user opens an app, the distribution certificate is validated by contacting Apple’s OCSP server. If the certificate has been revoked, the app won’t launch. To verify the status, the device must be able to reach ocsp.apple.com.
The OCSP response is cached on the device for the period of time specified by the OCSP server—currently, between three and seven days. The validity of the certificate isn’t checked again until the device has restarted and the cached response has expired. If a revocation is received at that time, the app won’t launch.
WARNING: Revoking a distribution certificate invalidates all of the apps you’ve signed with it. You should revoke a certificate only as a last resort—if you’re sure the private key is lost or you think the certificate has been compromised.
Sample iOS app manifest file