Preparing and distributing Apps@Work Container

The following provides the steps for preparing and distributing Apps@Work Container:

• Procedure overview
• Creating a distribution certificate
• Adding the distribution certificate to your Login Keychain
• Creating a unique app ID
• Creating a push certificate
• Adding the push certificate to your Login Keychain
• Creating a distribution provisioning profile
• Signing and rebranding your custom Apps@Work app
• Distributing the app

Procedure overview

The following figure outlines the process of preparing and distributing Apps@Work Container. Perform these procedures using the Safari browser on a Mac OS X computer.

Figure 1. Overview of preparing and distribution Apps@Work Container

Creating a distribution certificate

The distribution certificate authenticates that the app comes from a source that is trusted by Apple.

Procedure 

1. Log in to Apple’s iOS Dev Center.

2. Under Developer Program, select Certificates, Identifiers, and Profiles.

3. Click Certificates.

4. Under Certificates, select Production.

5. Click + to add a certificate.

6. In the Production section, select In House and Ad Hoc.

7. Click Continue.

   If you already have a distribution certificate, contact the person who created the certificate to export the certificate along with its private key to a .CER or .P12 file. Save this file to your Downloads folder and proceed to Adding the distribution certificate to your Login Keychain.

8. Complete the process for generating a Certificate Signing Request (CSR).

9. Save the CSR file to your desktop.

10. Click Browse.

11. Select the CSR file.

12. Click Submit.

    This step sends the CSR to Apple for approval. When the certificate request is approved, a Download button displays in the Actions column. If the Download button does not display, try refreshing the page.

13. Click Download.

14. Click Save File.

    This step saves the file in your Downloads folder.

Next steps 

See Adding the distribution certificate to your Login Keychain.

Adding the distribution certificate to your Login Keychain

The following describes how to add the distribution certificate to your Login Keychain.

Procedure 

1. Double-click the certificate in your Downloads folder.

   This step opens Keychain Access and adds the certificate to your Keychain.

   No confirmation message is displayed.

2. In Keychain Access, confirm that the distribution certificate is listed in the Login Keychain.

   The certificate should have the following name: “iPhone Distribution: <Company Name>”.

3. If the certificate is not in the Login Keychain, check the other keychains.

4. If the certificate is in another keychain, move it to the Login Keychain.

Creating a unique app ID

The app ID grants your app access to the distribution certificate you added to your Login Keychain. Do the following steps on a Mac OS X computer using Safari

Procedure 

1. Log in to Apple’s iOS Dev Center.

2. Under Developer Program Resources, select Certificates, Identifiers & Profiles.

3. Click Identifiers.

4. Click App IDs.

5. Click + to add an ID.

6. In the Description field, enter a brief description of the app.

   Device users do not see this text.

7. Select Explicit App ID.

8. In the Bundle Identifier field, enter a unique identifier for the app bundle.

   Ivanti recommends using the following format:

   com.yourcompany.storefrontcontainer

9. Under the App Services section, select Push Notifications under the app services section (see Creating a push certificate.

10. Click Continue.

    The new app ID displays in the App IDs page.

11. Click Submit.

Creating a push certificate

Push notification enables badging for the app. Configuring push notifications requires a push certificate, also known as an APNS certificate. Do the following steps on a Mac OS X computer using Safari.

Procedure 

1. Log in to Apple’s iOS Dev Center.

2. Under Developer Program Resources, select “Certificates, Identifiers & Profiles”.

3. Click Certificates.

4. Click Production.

5. Click +.

6. Select Apple Push Notification Service SSL (Production).

7. Click Continue.

8. Select the app ID you created for this app.

9. Click Continue.

10. Follow the displayed instructions to create a CSR and save it to your desktop.

Next steps 

See Adding the push certificate to your Login Keychain.

Adding the push certificate to your Login Keychain

The following describes how to add the push certificate to your Login Keychain.

Procedure 

1. Open the push certificate you saved in your Downloads folder.

   The certificate will be labeled “Apple Production IOS Push Services: <bundle ID>”.

   This step adds the certificate to your Login Keychain and opens the Keychain Access app.

2. In the Keychain Access app, click the arrow to the left of the push certificate.

   This step displays the private key for the certificate.

3. Select the certificate and the private key.

4. Select File > Export Items.

   This step saves the information to a file in p12 format.

5. Enter the password for exporting when prompted.

6. Click OK.

7. Enter your Login Keychain password when prompted.

   This is typically your login password.

8. Click Allow.

9. In the SSL Certificate Assistant window, click Done.

Next steps 

See Creating a distribution provisioning profile.

Creating a distribution provisioning profile

The distribution provisioning profile associates the distribution certificate with your app and authorizes devices to use the app.

Procedure 

1. Log in to Apple’s iOS Dev Center.

2. Under Developer Program Resources, select Certificates, Identifiers & Profiles.

3. Click Provisioning Profiles.

4. Select Distribution.

5. Click +.

6. Under Distribution, select In House.

7. Click Continue.

8. Select App ID.

9. Click Continue.

10. Select the distribution certificate you created.

11. Click Continue.

12. The following prompt is displayed:

    Do you need additional entitlements?

13. Click Continue.

14. Enter a name for the profile.

    Enter a name that distinguishes the profile from others, such as “Storefront Container In House Profile.”

15. Click Generate.

    The file will have a .mobileprovision extension.

Next steps 

See Signing and rebranding your custom Apps@Work app.

Signing and rebranding your custom Apps@Work app

The script included in the package you downloaded from the Ivanti support site completes the following tasks:

• rebrands the app (optional)
• signs the app

Rebranding requirements

You can rebrand the following elements in your custom app:

• app title (This is the app name displayed on the home screen; the default is Apps@Work.)
• icons (The default icons are the same as those used for the Apps@Work web clip.)

If you are rebranding the app, prepare the icons as specified by Apple on Icon and Image Sizes.

You will use these icons in Running the script. You will also use the [email protected] icon in Distributing the app when you upload the Apps@Work app to MobileIron Core.

Accessing the default app icon

If you are not re-branding the app icon, then you need to acquire the default app icon included in the Apps@Work Container package.

Procedure 

1. In the folder in which you extracted the Apps@Work Container package, open the Payload folder.

2. Right-click the WebContainer file to display the context menu.

3. Click Show Package Contents.

   The default set of app icons are in the displayed folder.

4. Copy (but do not move) [email protected] to your Downloads folder.

You will use the default app icon in Distributing the app when you upload the Apps@Work app to MobileIron Core.

Signing requirements

Assemble the following items before running the signing/rebranding script:

• provisioning profile (created in Creating a distribution provisioning profile.)
• name of the distribution certificate (created in Creating a distribution certificate.)
• app version (You can choose your preferred version number for the app. Ivanti recommends using the version of the Apps@Work app package itself. However, you must increment this version if you are distributing multiple updates to the Apps@Work app, such as revised app icons.)

Running the script

When you have assembled the required items, complete the following steps to run the signing/rebranding script.

Procedure 

1. Make sure you have installed Xcode command line tools.

   See Installing Xcode command line tools.

2. Extract the Apps@Work Container package you downloaded from the Ivanti support site.

3. Place your provisioning profile in the folder containing the extracted contents.

4. If you are rebranding the app icons, create a new directory in the same folder which you extracted the package and place your rebranded icons in this folder.

   Be sure the dimensions and file names of all of your icons exactly match the dimensions and filenames of the icons specified by Apple on Icon and Image Sizes.

5. Open Terminal.

6. In the folder containing the extracted contents, run the script with the following command:

   ./brandAndSign.py --provisioningProfile <path_to_ProvisioningProfile.mobileprovision> --signingIdentity "<distribution certificate common name>" --appTitle "<app title>" --appIconsDirectory <directory> --appBundleVersion <build version> --appDisplayVersion <release version>

   Example  

   ./brandAndSign.py --provisioningProfile ./ProvisioningProfile.mobileprovision --signingIdentity "iPhone Distribution: <Company Name>" --appTitle "My App" --appIconsDirectory ./AppIcons/ --appBundleVersion 2.1.3.57 --appDisplayVersion 2.1.3

The version options should be used only if you to manage the versions to track things like updated branding for an app that has already been deployed. The appBundleVersion parameter assigns a custom bundle version, which is for internal version tracking. The appDisplayVersion parameter assigns a custom version to the app for display to app users.

Distributing the app

The steps for distributing the signed app resemble those of distributing an in-house app. However, you must also upload the APNS certificate you created in Creating a push certificate. The MobileIron Core process for adding an in-house app presents a field for uploading the APNS certificate when you upload the Apps@Work app.

The following procedure uses MobileIron Core 9.4.0.0.

Procedure 

1. Make sure you have access to the [email protected] icon.

   • If you are rebranding, this icon is in the icon directory you created when you signed the app.

   • If you are not rebranding, this is the default app icon you acquired as described in Accessing the default app icon.

2. Select Apps > App Catalog.

3. Click Add+.

4. Select In-House.

5. Next to Upload In-House App, click Browse to navigate to and select the signed Apps@Work app IPA.

6. Click Next.

7. Optionally add a description.

8. Click Next.

9. In the Apps@Work Catalog section, uncheck Feature this App in the Apps@Work catalog.

10. In the Icon and Screenshots section, click Replace Icon to navigate to and select the icon for the app.

11. Click Next.

12. In the Managed App Settings section, select Send installation request or send convert unmanaged to managed app request (iOS 9 and later) on device registration or sign-in.

    This step ensures that newly-registered devices receive a prompt to install this app. This is an important step for the Apps@Work app because the app does not display as a separate entry in Apps@Work.

13. In the APNS Messaging Configuration section, next to the APNS Certificate field, click Browse to navigate to and select the APNS certificate that you created in Creating a push certificate.

14. For Password, enter the password for the APNS certificate.

15. Click Finish.

    MobileIron Core automatically creates an AppConnect app configuration and AppConnect container policy for the Apps@Work app. Core uses these settings to automatically distribute the required configuration to the Apps@Work app on installed devices without requiring end-user interaction.

16. In Apps > App Catalog, select the Apps@Work app.

17. Select Actions > Apply To Labels.

18. Select the appropriate labels.

19. Click Apply.

After these steps, Apps@Work app will be installed on devices when they register with MobileIron Core.

Distributing the app to registered users

To distribute the app to devices that are already registered, use one of the following procedures:

• Send a message from the Core Admin Portal
• Ask device users to check for updates

Send a message from the Core Admin Portal

From the Core Admin Portal send a message to device users.

Procedure 

1. In the Core Admin Portal, go to Apps > App Catalog.
2. Select the Apps@Work app.
3. Select Actions > Send Message.
4. In the Send App Installation Request dialog, click Apply.

Ask device users to check for updates

Ask devices to do the following to check for updates.

Procedure 

1. Go to Settings > Check for Updates.
2. Tap Continue.