
 

EASE provides a signing server that you can use to sign iOS and Android applications added to EASE. You can store signing credentials in EASE and use those credentials when you sign, or you can provide new credentials "on the fly" that will be used that time and optionally saved for future use. For a list of typical cases where you may wish to sign an application, see Signing Applications.

The signing server is supported with iOS and Android applications only. To sign a Windows Phone app, you can download a signing package that includes the app's binary file and a script for signing the app outside of EASE. You can also download a signing package for signing an iOS or Android app if you prefer to sign the app outside of EASE rather than use the signing server. For more information, see Use the Signing Package.

iOS apps with watchOS components must be signed with the signing package.

Before You Begin

When you sign an iOS application, you may want to sign with new credentials to take advantage of a couple of features that are not available when signing with stored credentials:

  • Correct mismatched bundle IDs and App IDs: If you are signing an app that includes extensions, and not all of the bundle IDs and App IDs match, sign with new credentials so that you can upload the correct provisioning profile for the app and each of its extensions. If you attempt to use stored credentials to sign an app that has extensions, EASE will not know which provisioning profile to use with each extension unless the bundle IDs and App IDs match. When it signs the app, EASE will automatically modify the bundle ID in the app/extension to match the App ID in the provisioning profile.

  • Compare entitlements in the app/extension with the provisioning profile:  It is important that you sign with a distribution provisioning profile that has entitlements that match the entitlements built into the app. If the app includes app extensions, each of those extensions must be signed with a different provisioning profile that has the correct entitlements. When you upload new credentials, EASE compares the app (and its extensions, if there are any) with each provisioning profile that you upload and warns you if the entitlements don't match.

If You Are Re-Signing an App that Was Previously Distributed

To mark an application update as mandatory:
  1. On the EASE Portal navigation bar, click Applications.
  2. Click the Edit link next to the application.
  3. Expand the Application field.
  4. Under Application Update Settings, click Set to today to force users to update the application the next time they attempt to log in to the App Catalog.

If an app is wrapped with the Self-Updating App policy, EASE makes it even easier for users to stay current with the latest and greatest version of an app. Rather than relying on the user to initiate installation of an application update through the App Catalog, EASE instead prompts the user to update while the user is launching the app. If a user launches an app wrapped with the Self-Updating App policy when there is a mandatory update of the app available, the user must either install the update or exit the app. When an update is optional, or when the date for a mandatory update has not yet been reached, the user can choose whether to install the update. If the user does not install the update, the user can continue to use the currently installed version. For more information on this policy, see Self Updating App.

For more information on application update settings, see Managing Application Updates.

Sign with Stored Credentials

To sign an application with stored credentials:

  1. On the EASE Portal navigation bar, click Applications. Use the Search box to search for a specific application. EASE searches the Application name, Short Description, and Long Description columns.
      
    In this example, the EASE administrator selects the Training app—an app which has signing credentials that are due to expire in 11 days.



  2. Click the Sign link next to the application you wish to sign to open the Signing page.

    For iOS apps only, a Current App Signature area displays information about the provisioning profile(s) with which the app is currently signed, including the name and type of provisioning profile, the type of certificate (Enterprise or Ad Hoc), and the creation and expiration date of the profile. In this example, the app is signed with only one provisioning profile. If an app has extensions that are signed with different provisioning profiles, each of the profiles will be listed. See Sign with New Credentials for an example of the Current App Signature for an app with extensions.



  3. Under Sign with Stored Credentials, select the credentials you want to use to sign the app. If there are no credentials listed, it means there are no signing credentials stored for the type of app you are attempting to sign. Continue with step 5 in the Sign with New Credentials procedure to enter new credentials that you can save for future use or use one time only.

    When you re-sign an app that was already installed on any of your users' devices, it is important that you sign it with the same credentials used to previously sign it. iOS and Android will not allow a user to install an update of an app if the update is signed with different credentials than the currently installed version.

    If the certificate file is password-protected and the password is not stored with the credentials, a Password field displays. Enter the password.

  4. (Optional) By default, the After signing: Enable app check box next to the Sign button is cleared. This means that the app will be disabled after it is signed; a disabled app does not display in the App Catalog. To automatically enable the app after it is successfully signed, select the check box.  

    If you select Enable app, then you can also select Notify users about this update to send a push notification to the user's device. A push notification performs two tasks:

    • Flags the App Catalog icon on the user's Home screen with a notification badge that identifies the number of updates available.
    • Lists the updated app on the Updates tab in the user's App Catalog.

     

  5. Click Sign. The signing status at the top of the page changes to "In Progress." 
     

The time required to sign an app will vary based on conditions such as network traffic, file size, and server utilization. While signing is in progress, you can click elsewhere in the EASE Portal to perform a different task. If at any point you wish to cancel the signing process, click the Cancel button at the top of the page. When signing is complete, the signing status changes from "Pending Signing" to "Signed."

Sign with New Credentials

When you re-sign an app that was already installed on any of your users' devices, it is important that you sign it with the same signing credentials used to previously sign it. iOS and Android will not allow a user to install an update of an app if the update is signed with different credentials than the currently installed version.

To sign an application with new credentials:

  1. On the EASE Portal navigation bar, click Applications. Use the Search box to search for a specific application. EASE searches the Application name, Short Description, and Long Description columns.
      
  2. Click the Sign link next to the application you wish to sign to open the Signing page. For iOS apps only, a Current App Signature area displays information about the provisioning profile with which the app is currently signed, including the name and type of provisioning profile, the type of certificate (Enterprise or Ad Hoc), and the creation and expiration date of the profile.

  3. Scroll down to the bottom of the page until you see the Sign with New Credentials section. What you need to upload in this section depends on whether you are signing an Android or iOS application: 

    • If you are signing an Android app, you need to upload one certificate only. 

    • If you are signing an iOS app, you need to upload one certificate and one or more distribution provisioning profiles. The number of provisioning profiles depends on whether the app includes any extensions. The app and each extension is listed on a separate row. If the app does not include any extensions, there is only one row. You need to upload a separate provisioning profile for each row, as described in step 6. 

  4. Upload your organization's signing certificate and enter a password, if required:

    1. In the Key/Certificate P12 File field, browse to select the certificate. It must be in PKCS #12 (Personal Information Exchange) format and have a .p12 extension. For instructions on importing a Java Keystore to a .p12 file for Android signing, see Import a Java Keystore to a PKCS #12. For instructions on creating a distribution certificate for iOS signing, see Distribution Certificates.

      When you upload the certificate, the expiration date displays. If the certificate has already expired, obtain your organization's current certificate and upload it. 

    2. If a checkmark displays by the blank Password field, it means the certificate does not require a password. Continue with step 6 for iOS apps; continue with step 7 for Android apps.

       

    3. If a checkmark does not display by the Password field after you upload the certificate, it means the certificate file does require a password. Enter the password for the certificate file.

      • For iOS certificates, this is a password that was defined for the distribution certificate when it was exported from the Login Keychain to a .p12 file.
      • For Android certificates, this is a password that was created when the Java Keystore was imported to a .p12 file.

      If you enter the correct password, a checkmark displays.


  5. (For iOS only) The app and each extension is listed on a separate row. If the app does not include any extensions, then there is only one row. In each row, browse to select the distribution provisioning profile that you want to use to sign that app/extension. The profile must have a .mobileprovision extension. 

    If you are using a wildcard provisioning profile to sign multiple components of the app, some of the provisioning profile fields can be left blank. EASE will use the wildcard provisioning profile to sign all the components that do not have a corresponding provisioning profile. Apperian, however, recommends that you sign all apps and app extensions with explicit provisioning profiles if possible. Apple is deprecating support for wildcard app IDs and provisioning profiles, and may stop supporting certain functionality with apps that are signed with wildcard profiles.

    When you click on a row, it expands to display the following details about each app/extension and the provisioning profile, once it has been uploaded: 

    • App ID: For the app/extension, this is the bundle ID. For the provisioning profile, this is the App ID associated with the profile. When you upload an explicit provisioning profile that has an App ID that does not match the bundle ID for the app/extension you are signing, EASE will automatically modify the bundle ID in the app to match the App ID in the provisioning profile.

    • Entitlements: Entitlements are permissions, such as Push Notifications or Data Protection, granted to an app to give it capabilities beyond what it would ordinarily have. It is important that you sign an app/extension with a provisioning profile that has entitlements that match the entitlements built into the app/extension. EASE will allow you to sign with a provisioning profile that has entitlements that do not match the entitlements in the app/extension, but users will not be able to install the app. Once you upload a provisioning profile, EASE compares the entitlements in the profile with the entitlements in the app/extension and highlights any mismatches. For more information on entitlements, see App Extensions and Entitlements.

     

  6. If you want to store the credentials for future use, select the Save these credentials check box and then enter a description of the credentials in the Description field. The credentials will be saved under Signing Credentials on the Settings Page. On that page, you can modify the description or delete the credentials. For more information, see Manage Signing Credentials.

    If you enter a password, it will be stored with the credentials. If you do not want to store the password, you should instead save the credentials using the Settings page. On that page, you have an option to store credentials without the associated password.

     

  7. (Optional) By default, the After signing: Enable app check box next to the Sign button is cleared. This means that the app will be disabled after it is signed; a disabled app does not display in the App Catalog. To automatically enable the app after it is successfully signed, select the check box.  

    If you select Enable app, then you can also select Notify users about this update to send a push notification to the user's device. A push notification performs two tasks:

    • Flags the App Catalog icon on the user's Home screen with a notification badge that identifies the number of updates available.
    • Lists the updated app on the Updates tab in the user's App Catalog.

     

  8. Click Sign. The signing status at the top of the page changes to "In Progress." 
     

The time required to sign an app will vary based on conditions such as network traffic, file size, and server utilization. While signing is in progress, you can click elsewhere in the EASE Portal to perform a different task. If at any point you wish to cancel the signing process, click the Cancel button at the top of the page. When signing is complete, the signing status changes from "Pending Signing" to "Signed."
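
The App ID and entitlement checks described under Before You Begin and in step 5, as an added Python example for running the same comparison before you upload; it is not EASE's code. It assumes the entitlements of the app and of the provisioning profile are already available as XML property lists; the sample values, the function names and the trailing-`*` wildcard rule are assumptions of this example.

```python
import plistlib

# Constructed sample data (not from a real app): entitlements built into the
# app, and the Entitlements dictionary of a distribution provisioning profile.
APP = b"""<plist version="1.0"><dict>
<key>application-identifier</key><string>ABCDE12345.com.example.training</string>
<key>aps-environment</key><string>development</string>
<key>com.apple.security.application-groups</key>
<array><string>group.com.example.training</string></array>
<key>keychain-access-groups</key>
<array><string>ABCDE12345.com.example.training</string></array>
</dict></plist>"""
PROFILE = b"""<plist version="1.0"><dict>
<key>application-identifier</key><string>ABCDE12345.com.example.training</string>
<key>aps-environment</key><string>production</string>
<key>keychain-access-groups</key><array><string>ABCDE12345.*</string></array>
</dict></plist>"""

def value_allowed(app_val, prof_val):
    """True if the profile value covers the app value; a trailing '*' is a wildcard."""
    if isinstance(prof_val, list):
        wanted = app_val if isinstance(app_val, list) else [app_val]
        return all(any(value_allowed(a, p) for p in prof_val) for a in wanted)
    if isinstance(prof_val, str) and prof_val.endswith("*"):
        return isinstance(app_val, str) and app_val.startswith(prof_val[:-1])
    return app_val == prof_val

def compare_entitlements(app_plist, profile_plist):
    """List app entitlements the profile lacks or grants with a different value."""
    app, prof = plistlib.loads(app_plist), plistlib.loads(profile_plist)
    report = {"missing_in_profile": [], "value_mismatch": []}
    for key, val in sorted(app.items()):
        if key not in prof:
            report["missing_in_profile"].append(key)
        elif not value_allowed(val, prof[key]):
            report["value_mismatch"].append(key)
    return report

def app_id_status(bundle_id, profile_app_identifier):
    """Classify a bundle ID against a profile's '<team prefix>.<App ID>' value."""
    app_id = profile_app_identifier.split(".", 1)[1]   # drop the team prefix
    if app_id.endswith("*"):
        return "wildcard" if bundle_id.startswith(app_id[:-1]) else "not-covered"
    # Per the page, an explicit mismatch is where EASE rewrites the bundle ID.
    return "match" if app_id == bundle_id else "explicit-mismatch"

if __name__ == "__main__":
    print(compare_entitlements(APP, PROFILE))
    print(app_id_status("com.example.training.share", "ABCDE12345.com.example.*"))
```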
