Enterprise app deployment doesn't install on iOS 8.1.3

QUESTION:

After updating iOS 8.1.3, I try to download, but the "Unable to download app" and "could not be installed at this time" messages appear.

What changes between 8.1.2 and 8.1.3 do I have to take into consideration?

Download mode: < a href="itms-services://?action=download-manifest&url=https://****.plist">

Thanks!

I'm running into the exact same problem on 8.1.3. Even app updates fail to install. So far we suspect we'll have to change the signing process or something along those lines. The issue is that apps that were installed while in < 8.1.3 continue to work in 8.1.3, which is unexpected.

I'm also having enterprise-signed apps that installed in iOS 8.1.2 not install in iOS 8.1.3. I get this error message in XCode's log: "Application is missing the application-identifier entitlement."

ANSWERS:

Fix to the problem:

Your application must have a valid `entitlements.plist', which includes correct the valid bundle identifier of an application.

If you are distributing an application signed with a iOS development certificate, here is an example of a entitlements.plist you should include with your app.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>com.yourbundleidhere.mycoolapp</string>
    <key>com.apple.developer.team-identifier</key>
    <string>com.yourbundleidhere.mycoolapp</string>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>com.yourbundleidhere.mycoolapp</string>
    </array>
</dict>
</plist>

If you are using a wildcard profile, replace com.yourbundleidhere.mycoolapp with yourwildcardappid.*. In both instances, you can use iResign to properly resign applications and include the now required, entitlements.plist.

Explanation of the problem

Due to security patches (see here under CVE-2014-4493), without the entitlements.plist, the application will not install. The security patch keeps applications from overriding existing apps and installing over the top of them/replacing them.

NOTE: I haven't currently tested this against iOS 8.1.2 or lower (proceed with caution!)

For apps that have ALREADY been signed with your OWN enterprise certificate, all you have to do (as mentioned by RAStudios in his edit) is to edit the manifest.plist:

Before:

<key>bundle-identifier</key>
<string>uk.co.acme.AcmeApp</string>

After:

<key>bundle-identifier</key>
<string>S836XXACME.uk.co.acme.AcmeApp</string>

For apps that have been signed by a third party that you're resigning with your enterprise certificate (this walkthrough is assuming the ipa file is AcmeApp.ipa, your entitlements file is entitlements.plist and your provisioning profile is provProvile.mobileprovision; all files are in the Desktop folder (Mac OSX), and S836XXACME is your team identifier):

Create a new entitlements.plist file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>S836XXACME.uk.co.acme.AcmeApp</string>
<key>get-task-allow</key>
<false/>
</dict>
</plist>

Unzip the ipa:

cd ~/Desktop

unzip AcmeApp.ipa 

Remove the Code Signature:

rm -r Payload/AcmeApp.app/_CodeSignature/ 

Copy in the mobileprovision file:

cp provProfile.mobileprovision Payload/AcmeApp.app/embedded.mobileprovision 

Codesign:

codesign -f -s "iPhone Distribution: ACME Corporation Limited" --entitlements entitlements.plist Payload/AcmeApp.app

Zip it up as the resigned ipa: 

zip -qr AcmeApp_resigned.ipa Payload/

You also need to amend the manifest.plist file as per the 'ALREADY' signed part earlier:

<key>bundle-identifier</key>
<string>S836XXACME.uk.co.acme.AcmeApp</string>