In the cases above, businesses misused their Apple Enterprise Developer certificates to distribute apps directly to consumers without going through the App Store, breaking the Apple Developer Program terms. Apple revoked the Enterprise certificates issued to these businesses, which blocked every app signed with those certificates from running on any iOS device.
How does Apple verify these enterprise apps?
Apple uses code signing to ensure that only authorized applications run on iOS devices. Every app must be signed with a certificate issued by Apple through one of its developer programs, and an app distributed outside the App Store must also carry a provisioning profile that ties that certificate to the app. iOS checks the signature when the app is launched; if the app (or any framework it bundles) is unsigned or its signature does not verify, the app will not run. For enterprise-distributed apps the device also contacts Apple periodically to confirm that the signing certificate has not been revoked, so an app stops launching once its certificate is revoked, and it may also stop launching on a device that has been offline for an extended period, because the device cannot confirm that the certificate is still valid. Details can be found here.
There are two developer programs:
- Apple Enterprise Developer (https://developer.apple.com/programs/enterprise/)
- Apple Developer (https://developer.apple.com)
The main difference between the two programs is that the Enterprise program lets a business distribute applications without going through the App Store (and therefore without App Store review). An application signed for "Enterprise" (in-house) distribution can be installed on any iOS device, not only on devices registered with the developer; the only gate on the device is that the user must explicitly trust the developer's certificate in Settings before the app will launch.
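The distribution channel described above is recorded in the provisioning profile that ships inside the app, and that profile is what iOS checks alongside the signature. As an added example (not code from the original article or from Apple), the following Python script tells the channels apart by reading that profile out of an .ipa: it assumes Apple's documented profile keys (ProvisionsAllDevices for universal/enterprise profiles, ProvisionedDevices for device-bound ad hoc and development profiles, get-task-allow inside Entitlements, TeamIdentifier and ExpirationDate). The sample profiles and the in-memory .ipa are constructed for the example, and the CMS signature around the plist is skipped rather than verified, so this is a triage tool, not a trust decision.

```python
"""Identify how an iOS app was distributed from its embedded provisioning profile.

Added example for this page; not code from the original article or from Apple.
The .mobileprovision format (a CMS-signed XML plist with keys such as
ProvisionsAllDevices, ProvisionedDevices, TeamIdentifier, ExpirationDate and
Entitlements) is Apple's; the sample profiles and the in-memory .ipa below are
constructed for this example and are not real Apple-issued artifacts.
"""
import datetime
import io
import plistlib
import re
import zipfile
from typing import Optional

# The signed profile is DER/CMS; instead of verifying the signature (which needs
# Apple's root certificate) we pull out the XML plist that the CMS wrapper carries.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(blob: bytes) -> dict:
    """Return the plist dictionary carried inside a .mobileprovision blob."""
    match = _PLIST_RE.search(blob)
    if match is None:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile: dict, now: Optional[datetime.datetime] = None) -> dict:
    """Decide the distribution channel and whether the profile has expired."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"      # universal profile: installs on any device
    elif "ProvisionedDevices" in profile:
        # device-bound profile: debuggable => development, otherwise ad hoc
        kind = "development" if entitlements.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"       # neither a device list nor the universal flag
    # plistlib returns <date> values as naive UTC datetimes, so compare naively.
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    expires = profile.get("ExpirationDate")
    return {
        "kind": kind,
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "team_name": profile.get("TeamName"),
        "expired": expires is not None and expires < now,
    }


def scan_ipa(ipa_bytes: bytes) -> Optional[dict]:
    """Find Payload/<App>.app/embedded.mobileprovision in an .ipa and classify it."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for name in ipa.namelist():
            if re.fullmatch(r"Payload/[^/]+\.app/embedded\.mobileprovision", name):
                return classify_profile(extract_plist(ipa.read(name)))
    return None   # App Store builds ship without an embedded profile


def _fake_signed_profile(fields: dict) -> bytes:
    """Constructed stand-in for a CMS-signed profile: junk DER around the plist."""
    return b"\x30\x82\x10\x00\x06\x09" + plistlib.dumps(fields) + b"\x00" * 16


# Constructed sample profiles (team name and identifier are placeholders).
SAMPLE_ENTERPRISE = _fake_signed_profile({
    "Name": "Example In-House",
    "TeamName": "Example Corp",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime.datetime(2030, 1, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.app",
                     "get-task-allow": False},
})
SAMPLE_ADHOC = _fake_signed_profile({
    "Name": "Example Ad Hoc",
    "TeamName": "Example Corp",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionedDevices": ["00008030-000000000000000E"],
    "ExpirationDate": datetime.datetime(2019, 1, 1),   # already expired
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.app",
                     "get-task-allow": False},
})


def build_ipa(profile_blob: bytes) -> bytes:
    """Constructed minimal .ipa layout holding just the embedded profile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ipa:
        ipa.writestr("Payload/Example.app/Info.plist",
                     plistlib.dumps({"CFBundleIdentifier": "com.example.app"}))
        ipa.writestr("Payload/Example.app/embedded.mobileprovision", profile_blob)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("enterprise", SAMPLE_ENTERPRISE), ("ad hoc", SAMPLE_ADHOC)):
        print(label, scan_ipa(build_ipa(blob)))
```

Run against a real .ipa (`scan_ipa(open("app.ipa", "rb").read())`), a result of `"enterprise"` from a team you do not recognize is exactly the sideloaded case the article describes; `None` means an App Store build, which carries no embedded profile at all.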
Why does this matter?
An Enterprise Developer certificate is an effective way of getting malware onto iOS devices, because applications distributed this way never go through the App Store review process. Such apps may contain malicious code, or pose a number of other threats to personal and business data, like the example below:
How does Apple control the way Enterprise certificates are issued?
To obtain an Enterprise Developer certificate and sign an application for "Enterprise" distribution, the developer must be a member of the Enterprise Developer Program. Apple takes a number of steps to validate the real-world identity of each business that signs up, to ensure that it is a genuine organization. What are these requirements?
- Business must be a legal entity with 100 or more employees
- Business must have a DUNS number
- Business must have a website
All requirements are outlined here. Both programs also charge an annual fee: $99 for Apple Developer and $299 for Enterprise Developer.
What can I do as an organization to protect my apps and data?
To ensure that your own Enterprise Developer certificate is not revoked, follow the Apple Developer Program terms and do not distribute Enterprise-signed applications outside your organization. To ensure that your users cannot install third-party "Enterprise" apps on their managed devices, enable the following restrictions via your MDM (both live in the Restrictions payload):
- Disallow trusting new enterprise app authors (allowEnterpriseAppTrust)
- Disallow installing configuration profiles (allowUIConfigurationProfileInstallation; applies to supervised devices only)
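What those two MDM settings look like on the wire, as an added example that is not code from the original article or from Apple: the script below emits a Restrictions payload carrying both keys and audits an existing profile for them. It assumes Apple's documented payload type com.apple.applicationaccess and the keys allowEnterpriseAppTrust (iOS 9 and later) and allowUIConfigurationProfileInstallation (supervised devices only), both of which default to allowed when absent; the organization identifiers, UUIDs and the "weak" sample profile are placeholders constructed for this example.

```python
"""Emit, and audit, the iOS Restrictions payload that blocks third-party
enterprise apps.

Added example for this page; not code from the original article or from Apple.
The payload type com.apple.applicationaccess and the keys allowEnterpriseAppTrust
(iOS 9 and later) and allowUIConfigurationProfileInstallation (supervised devices
only) are Apple's documented Restrictions keys; the identifiers, UUIDs and the
sample "weak" profile are placeholders constructed here.
"""
import plistlib
import uuid
from typing import List

RESTRICTIONS_TYPE = "com.apple.applicationaccess"

# Key -> value the page recommends. Both keys default to True (allowed) when absent.
REQUIRED_RESTRICTIONS = {
    "allowEnterpriseAppTrust": False,                   # no "Trust" for new enterprise developers
    "allowUIConfigurationProfileInstallation": False,   # no interactive profile installs
}


def build_restrictions_profile(org_id: str = "com.example.mdm") -> bytes:
    """Return a .mobileconfig (XML plist) carrying the two restrictions."""
    payload = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.restrictions",   # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Block third-party enterprise apps",
        **REQUIRED_RESTRICTIONS,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Enterprise app restrictions",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes: bytes) -> List[str]:
    """Report each required restriction that the profile leaves permissive.

    iOS applies the most restrictive value across the Restrictions payloads it
    has installed, so a key counts as enforced if any payload sets it to False;
    a key that is absent everywhere takes its default of True (allowed).
    """
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS_TYPE]
    findings = []
    for key, wanted in REQUIRED_RESTRICTIONS.items():
        enforced = any(p.get(key, True) is wanted for p in payloads)
        if not enforced:
            findings.append(f"{key} is not set to {wanted} (defaults to allowed)")
    return findings


# Constructed "weak" profile: one key left permissive, the other missing entirely.
WEAK_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.mdm.weak",
    "PayloadUUID": "11111111-2222-3333-4444-555555555555",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.weak.restrictions",
        "PayloadUUID": "66666666-7777-8888-9999-000000000000",
        "allowEnterpriseAppTrust": True,   # Trust button still offered to the user
        "allowCamera": False,              # unrelated restriction, ignored by the audit
    }],
})

if __name__ == "__main__":
    print(audit_profile(WEAK_PROFILE))                  # two findings
    print(audit_profile(build_restrictions_profile()))  # []
```

The audit is written against the merge rule iOS uses (most restrictive value wins across payloads), so it will not flag a fleet where the restriction arrives in a different payload than the one you are inspecting; run it over every Restrictions profile the MDM pushes to a device class rather than one in isolation.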