NOTE: Distributing iOS apps in-house requires an Apple Enterprise Developer license.
Enterprise apps are those apps which are developed by an organization and are used by the employees of the same organization. Such apps are not intended to be distributed privately through app stores. There are several ways by which mobile enterprise app distribution is possible in various operating systems. The various options for enterprise mobile app distribution and deployment are focused here.
Enterprise App Distribution iOS
An app such as an in-house app (an app that is built and used within an organization) or a private app is not indented to be distributed through an App Store. So, they can be distributed outside an App Store. There are four methods by which an iOS app can be distributed outside an App Store. These four methods are explained below:
Method 1: iOS App Ad Hoc Distribution
In iOS app ad hoc distribution, a distribution provisioning profile is to be created and the test devices are needed to be registered with Apple developer account (US $99 per year) prior to enterprise app distribution. To register the test devices, it is necessary to obtain UDID of each device.
In case you don’t know how to get UDID, read this section, otherwise, skip to the next paragraph.
How to obtain UDID?
Open iTunes on your computer and connect the iPhone or iPad. A button ‘iPad’ or ‘iPhone’ is displayed on the screen, click it. The device description is displayed on the screen. Click on the device’s serial number displayed on the screen. Now, go to Edit > Copy Identifier (UDID).
Once UDID is obtained, add the devices to the Apple developer account. Develop your app and archive it to have a .ipa file. Now, open Archives Organizer and select the archive, click on the Export button and select “Save for Ad-Hoc Deployment”. At this stage, the app will be signed with the distribution certificate. The next step is to select a team. In this step, Xcode automatically creates a provisioning profile. There are three ways in which an app can be installed on test devices.
Using Xcode
- Connect the device to a computer running Mac OS X.
- In Xcode, select Devices from Window, then select the connected device.
- An “Installed Apps” table will appear. Click on the + button and choose the iOS app that is to be installed.
Using Apple Configurator 2
- Connect the device to a computer running Mac OS X and open Apple Configurator 2. Connect an iPhone paired with an Apple Watch, for installing WatchOS apps.
- Select the device.
- Select Apps from the menu that pops up when + button is clicked.
- Click on “Choose from my Mac” and select the .ipa file.
- Click Add.
Using iTunes
- Connect the device to a computer running Mac OS X and open iTunes. Connect an iPhone paired with an Apple Watch, for installing WatchOS apps.
- Select the .ipa file that was created earlier.
- In iTunes, click on the device name that appears in the upper-left corner of the window.
- Click on Apps button. Find the app that needs to be installed and click on the Install button, and then the Apply (or Sync) button to sync the device.
Advantages of Ad-Hoc Deployment
- The app can be deployed directly from a computer.
- Do not require additional apps, such as in TestFlight, which is explained below.
Disadvantage
There is a need to obtain UDID of the test device and sign provisioning profile for deployment.
Method 2: TestFlight Beta Testing
TestFlight is a service provided by Apple, where mobile apps can be installed over-the-air (OTA) and can be tested. The TestFlight takes off with those developers having an Apple Developer Program account ($99 per year). To start with, create an account at TestFlight, create a new team, name it and add team members.
When done upload the .ipa file to TestFight. Invite testers via Email to test the app. The testers will receive an Email to test the app. In order to test the app, the testers should accept the mail. If they do not have TestFlight app on their device, then they will be prompted to download the app. If they have one, then the app is downloaded via TestFlight. The testers can reject the request or unsubscribe mail at any time. There are two types of testers – internal testers and external testers. If an app needs to be distributed for testing, then it is required that Apple reviews the app before testing. Internal testers are those who can test the app before Apple reviews it. External testers can test the apps only after Apple reviews them.
The major advantage in using TestFlight include:
- Groups can be added to include external testers for different apps.
- Apps are automatically available to internal testers when an app is added to TestFlight.
- Testers can easily install apps by tapping the link in the Email received.
- 25 internal testers are allowed to be added per app, and each tester can test an app on 10 different devices. 2000 external testers can also be added.
- 100 apps can be tested at a time, either by internal or external testers.
- No need to keep track of UDID or provisioning profile.
TestFlight will be better if Apple solves the following disadvantages:
- TestFlight does not support operating systems older than iOS 8.
- When an app is added to TestFlight, it will be deleted after 60 days. So, in every 60 days, new builds should be uploaded.
Method 3: Enterprise Deployment
As a member of Apple’s Developer Enterprise Program (need a Developer Enterprise license, US $299 per year), it is possible to create a team and distribute apps to the team members. The team agent is the one who builds the team. Team members assign admins and team members. Admins are those who manage the team and have the right to distribute the app outside App Store. Team members are those who develop apps, but cannot distribute apps to testers or other team members.
As an admin, the next step to be performed is to:
- Create a provisioning profile, and
- Register test devices. This step is optional. Apps can also be sent to and deployed on team members’ devices.
Team members should add their Apple ID to Account Preferences and then create a development certificate. Before sending an app to the test devices for testing, an ad-hoc provisioning profile is to be created for enterprise app distribution, by the admin or the team agent. After creating a provisioning profile, the admins and team agents can distribute the apps to testers and other team members.
The advantage of the Enterprise Deployment Program is that the review of apps is not done by Apple. The app can be immediately distributed after development and testing. The disadvantage is that the Enterprise account does not have support for App Store Distribution, Safari Extensions, TestFlight, and App analytics. It is not permitted to use outside an organization.
Method 4: iOS App Without Developer Account
There is a workaround to install iOS apps without a developer account or the need for a certificate. Xcode 7 allows you to use your personal Apple ID instead of a developer ID to build and deploy in house apps on devices. This method advantages users who do not want to create a developer ID for US $99 per year. Also, there is no need to jailbreak the device to sign provisioning certificates.
Download and install Xcode 7 on Mac OS X, and open it. Click Accounts, and add a personal Apple ID. There is no need to create a new Apple ID as the same Apple ID that is used in the App Store can be used here. When exporting an app to the device, the personal Apple ID can be used to sign the provisioning certificate.
Although this method is a major advantage, Game Center and in-app purchases are not available for apps developed using a personal Apple ID.
Enterprise App Distribution Android
There are three ways which allow you to distribute the Android app without Google Play. The first two methods are kind of easier than the third method, or than any methods for iOS enterprise app distribution.
Method 1: Allow Installation of Apps from Unknown Sources
The simplest method to install an Android app is to enable the “Unknown sources” option in Security (Android 4.0 or above) or Application (Android 3.0 or below) in Settings. After this option is checked in Settings, any apps can be installed from within the Android device.
Method 2: Install Android App from PC
There are some software that allows installing applications from a computer to an Android device. Such software requires an ADB (Android Debug Bridge) plug-in installed on the computer for the software to install apps on a device. After installing the software and plug-in, connect the Android device to a computer, open the app installation software and choose an app package that is already present on the computer. The app will be installed automatically.
Ghost Push
The above-mentioned methods are simpler to get into Android device, for both the users and for malware. A recent Trojan, known as Ghost Push caused millions of Android devices to malfunction in less than a year. This virus was first found in September 2015 and stands as one of the top viruses in Android. Ghost Push virus spreads through apps installing from unknown sources. Even if we install an app from a trusted developer, there is a chance that the app is a Ghost Push virus, since a Ghost Push virus is an application from a trusted developer modified to infect the devices. When Ghost Push first installs on a device, it roots the device and installs adware on the root. So, they cannot be deleted, even with a factory reset.
Method 3: Google Play for Work
The third method can be considered as a safe method, as the apps are transferred through a Play Store, known as Google Play for Work. Google Play for Work is available for free on all devices running Android for Work. Android for Work is an app that was built to introduce Mobile Device Management and helps secure corporate data while leaving the users’ personal data untouched.
With Google Play for Work, it is possible to purchase bulk apps from the store and distribute it to employees or upload corporate-specific app. To upload a corporate-specific app to Google Play for Work, a developer account is needed. After creating a developer account, users are to be added and roles are needed to be specified. Only an administrator can send an app to Google Play for Work. There can be more than one admins. Now, access the Google Play Developer Console, add an app, check the “Restrict Distribution” box, so that the app is available only for the specified users. Upload the app if the app is a Google-hosted private app.
Google claims that Google-hosted private apps have high security and have reduced data consumption. By reduced data consumption, it means that the entire package is not needed to be downloaded every time an update is available. If the app is a self-hosted private app, upload the app and metadata after checking the “I am uploading a configuration for an APK hosted outside of Google Play” box. In the store, give the name, description and other details on the app and then publish the app.
Android for Work
With Android for work, the employees would be more suitable having a second user profile known as Work Profile or Managed Profile in an Android device. The apps that are installed with the Work profile is marked with the Android for Work logo so they are easy to identify. The Work profile cannot access the files in the User profile and vice versa. The employees can have the same app installed on both profiles, with different accounts, for example. The IT team is able to restrict an app in the Work profile, but the app can be accessed with the User profile. The files that are saved on the device, or for example, the photos taken with Work profile are not stored in the cloud, without the organization’s consent.
Enterprise App Distribution Windows
There are five different methods to transfer Windows apps to the employees in an organization, and the last four methods depend on the Windows Store for Business.
- Sideload Windows 10 apps,
- Distribute through private store,
- Assign apps to each employee,
- Through MDM tool, and
- Offline method.
The second and third methods are online methods, where apps are transferred directly using a private Windows Store, while the fourth method mentioned above can be used to install both online and offline apps. The online methods require an online license from Microsoft to install and run these apps on a Universal Windows Platform (UWP). There is a fifth (offline) method where employees who do not have access to Windows Store can install apps offline. To install apps offline, the apps must have an offline license from Microsoft.
It is required to sign in to Windows Store for Business using an organizational account such as Office 365 account or Azure Active Directory account. The person who signs up with the Store for Business is the global administrator. Only one global administrator is permitted in Windows Store for Business. There are three types of administrators permitted – global, user and billing administrators. Global administrators are permitted to assign roles to other members, modify company profile, manage the Store for Business settings, download and distribute apps, and sign policies. User administrators can only assign roles to users. Billing administrators can download and distribute apps. To add users, it is required to add them to the Azure Active Directory account first. The employees will have a private store tab in the Windows Store, usually having the name of the organization they are working for. From there, they can download the apps in the private store.
Method 1: Sideload Windows 10 Apps
A new feature allows you to sideload Windows 10 apps similar to that of installing an app from unknown sources in Android. All you have to do is to go to Settings on your PC or mobile device running Windows 10, select Update & Security and select Sideload Apps option from “For developers”. You will be prompted to turn on app sideloading. Select Yes, and you are good to go. Selecting the Developer mode also allows you to install apps from unknown sources.
To install an app in Windows PC, open PowerShell and type Add-AppxPackage <location>. If the location is not provided, Powershell asks you to provide the path of the application. The app will automatically install after the app path is provided (for example, C:\Users\Username\Downloads\Hexnode.appx). In Windows Phone, tap on an APPX file and select Install to install the app.
Method 2: Distribute Through Private Store
First, the organization needs an account on Windows Store for Business. After logging in to the Store for Business, a new private store can be created. Add apps to the private store, or click on “Get the App”, so that the organization can purchase apps for their employees. Browse through the inventory and add an app to the private store. When the employees log in to Windows Store with Azure Active Directory (AD), they can access the private store and download apps added by the Admin.
Method 3: Assign Apps to Each Employee
To send an app, log in to Windows Store for Business. From the Inventory, find an app and select the option to assign it to people. Then type the Email addresses of those employees to which apps are to be sent. The selected employees will receive an email with a download link. Clicking the link from Windows devices will open the app page on Windows Store. The employees can download the app from there.
Method 4: Through MDM Tool
To send apps through the MDM tool, the MDM tool must be configured with Azure AD. MDM vendors can distribute online or offline-licensed apps.
Distributing Online-Licensed Apps
Initially, the admin purchases an app from the store or adds an enterprise app to the private store. The MDM server synchronizes data from the Business Store and policy is sent to the Windows device. After the policy is received by the device, it requests the app from the store. The Business Store sends the app and license to the device. The device will install the app.
Distributing Offline-Licensed Apps
Initially, the admin purchases an app from the store or adds an enterprise app to the private store. The MDM server synchronizes data from the Business Store and obtains the license and app. The client device downloads the app and license from the MDM server, and the app is installed on the device.
Method 5: Install Apps Offline
Microsoft has introduced an offline app installation method for those users who don’t have a Windows Store account, those who do not have Active Directory account and the employees of those organizations which use imaging for managing devices. Such apps do need an offline license and can be obtained by checking the box named “Allow disconnected (offline) licensing for organizations” at the time of obtaining the license for an application.
Offline apps are used to distribute over a network such as the network of an organization. Apps can also be deployed on devices which are not connected to the internet. For deploying an offline app to a device, the following files are required:
App Framework
The framework can be downloaded from the store. The framework is used to support the app package, and only one copy of the framework is required for an app.
App License
App licenses are of two types – encoded and unencoded. Encoded licenses are purchased when an app is distributed over MDM server or when imaging is used. The unencoded license is used when transferring apps using DISM (Deployment Image Servicing and Management). While downloading an app, select the type of license and select the option “Generate Licenses” and download the license.
App Metadata
Metadata includes app ID, details of the app, and similar items. When the organization downloads the app from the store, choose a language to download the metadata.
App Package
App packages are those which contain all the files related to an app. Different app packages are available in the store for different combinations of devices and platforms.
There are three options available for distributing an offline app. They are given below:
Deployment Image Servicing and Management (DISM)
DISM (DISM.exe) is a command-line tool in Windows that is used to run Windows services before they are deployed. DISM can be used to install, uninstall, update or configure Windows features.
To show usage of DISM, an example script is shown below (not related to app deployment). In newer operating systems such as Windows 8.1 and Windows 10, older versions of .NET (for example, dotNet 3) is not installed automatically and needs to be downloaded manually from the internet. To install this feature offline, the following script is used:
Dism.exe /online /enable-feature /featurename:NetFX3 /All /Source:driveletter:\sources\sxs /LimitAccess
where ‘driveletter’ represents the drive letter of the Windows installation disc.
Imaging and Configuration Designer (ICD)
ICD is a GUI tool that is used to make customize and provision Windows images easy. ICD can create a provisioning answer file. An answer file is a file that contains settings that are used when setting up Windows. The answer file is an XML file.
Mobile Device Management (MDM) Tool
Enterprise app distribution with MDM was explained before.
Share your thoughts