I wasn't sure I should answer, since we don't use automatic signing, but since you haven't gotten any other responses, I'll take a stab at it.
In general, distribution certificates are good for 3 years, and distribution profiles are good for 1 year. A profile must refer to a certificate. So if a certificate expires less than one year after the profile is created/updated, the profile should be assigned a certificate with a later expiration date. Traditionally, Enterprise Developer accounts could have 2 certificates, so you could let them "overlap" a little. In other words, manually create a new certificate when there is a little over a year left on the other one. I don't know if the limit now is 2 manual certificates plus whatever certificates Xcode automatic signing creates (indicated by "Managed" at the end of the certificate type) or 2 certificates total.
From Googling various things like "Xcode automatic signing" and "apple rotate distribution certificates", it sounds like the system will update and/or create new profiles and certificates when the existing ones are getting close to expiring, but it only happens when you actually request that Xcode sign something. So if you recompile and archive your app, the automatic signing would do what is necessary with the profile and certificate.
Based on my experience with manually managing enterprise profiles and certificates, if the profile is renewed and it is able to use the same distribution certificate (with the same expiration date) as last year, existing installs do not stop working until the expiration date of the "old" profile. I try to get users to install the new ipa (archived with the new profile) before then, but inevitably there are a few that call or email after that date wondering why the app doesn't work :).
However, I couldn't find a definitive answer to the question "For an enterprise account, if the automatic signing system creates a new certificate, does it revoke the old one, which would cause all installations of the app that used the old profile (with the old certificate) to stop working?".
As I said, this doesn't give you a definitive answer, but since no one else responded yet, maybe it will help?
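Added example, not part of the original post: a Python sketch of the date checks described above, reading `ExpirationDate` from the plist embedded in a provisioning profile and comparing it with a certificate expiry supplied by the caller (for instance, read from Keychain). The sample profile bytes are constructed, and the 400-day reading of "a little over a year" is an assumption.

```python
import plistlib
from datetime import datetime, timedelta

# Assumption: "a little over a year left" from the post is taken as 400 days.
OVERLAP_WINDOW = timedelta(days=400)

# Constructed sample: bytes standing in for a .mobileprovision file
# (CMS wrapper bytes around an XML plist). Not a real profile.
SAMPLE_PROFILE = (
    b"\x30\x82\x00\x00constructed-cms-header"
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<plist version="1.0"><dict>'
    b"<key>Name</key><string>Example In-House Profile</string>"
    b"<key>ExpirationDate</key><date>2025-03-01T00:00:00Z</date>"
    b"</dict></plist>"
    b"constructed-cms-trailer"
)


def profile_expiry(blob):
    """Return ExpirationDate from the plist embedded in a provisioning profile.

    Only locates and parses the plist; the CMS signature is not verified.
    """
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])["ExpirationDate"]


def check_signing_dates(profile_exp, cert_exp, now):
    """List the date problems for one profile/certificate pair."""
    findings = []
    if profile_exp <= now:
        findings.append("profile expired")
    if cert_exp <= now:
        findings.append("certificate expired")
    elif cert_exp < profile_exp:
        # The profile would outlive the certificate it refers to.
        findings.append("certificate expires before profile")
    if now < cert_exp <= now + OVERLAP_WINDOW:
        # Time to create the second, overlapping certificate.
        findings.append("create overlapping certificate")
    return findings
```
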
First guesses would be:
Device doesn't have WiFi access to internet, or a firewall is blocking access to Apple's server(s).
Expired distribution profile (only good for 1 year).
Expired distribution certificate (only good for 3 years).
An iOS Distribution Certificate can be used with many different Distribution Profiles. Just edit the profile and select the other (newer) certificate. Then I think you have to go to the Xcode preferences, choose the Accounts page, select your team, and click Download Manual Profiles. You can download the other (newer) certificate from the developer site and install it in your keychain, and I think you also have to get the corresponding private key from a machine that already has it installed and install it in your keychain. When you distribute your app in Xcode, you can choose manual signing and make sure you choose the newer certificate.
EDIT: after re-reading your post, I realized that you may be saying that the other certificate is also about to expire. If that is the case, I don't think there's anything you can do, because I think the 2-cert limit applies whether you are manually managing your certs or letting Xcode/cloud manage them.
There is a similar question here, with a possible solution, but it is not specific to OIDC. I have no experience with OIDC.
Our Enterprise account renewal has never required us to regenerate anything.
Did you make sure your distribution profile is not expired? Also that the Distribution Certificate is not expired?
Each user will have to go to the device's Settings app > General > VPN & Device Management (Device Management on older iOS versions). There should be an ENTERPRISE APP heading with a company name to tap. I don't remember the exact sequence, but you have to tap there and tell the device to trust the developer.
Make sure your distribution profile (valid for one year) and the certificate it is based on (valid for 3 years) are still valid.
If you don't do anything, they will stop working.
I don't know if I'd call it renewing the profile or updating the profile, but you can click on the profile (on the Apple Developer website), click edit, choose the new certificate, click save, and download the updated profile.
3 - 5. Sorry, I don't have any experience with commercial MDM products in general or Intune specifically. You may be able to just put the new profiles on the server and it will push them.
Last I heard, bundle IDs must be universally unique and cannot be deleted for re-use:
Old Thread 1 - https://developer.apple.com/forums/thread/46407
Old Thread 2 - https://developer.apple.com/forums/thread/81233
Also, you can have as many distribution profiles and apps as you want. They can use either of your active certificates.
You can have two active distribution certificates. They are good for 3 years, so you normally "stagger" them by creating the second one when there is about one year left on the first one. You can revoke one before it expires, but then none of the apps signed with it, or apps using a distribution profile signed with it will run.
OTA still works, that might be what they are referring to with "using the iOS App (IPA) file".
No need to regenerate/redistribute app. As long as your account is renewed, the apps will work until May 2021.
The plus symbol is in a blue circle after the word Certificates at the top of the list on the main Certificates page now. If it isn't there, you might not be assigned to the Admin role.