Developer Account Setup for Multiple Clients

I'm the lead iOS developer at a company that develops iOS apps for multiple clients. We have 5 other iOS developers that work on different client projects. Due to issues we've run into using our current Apple Developer Account setup I'm looking for guidance on the "best practice" for organizing a developer account with this goal in mind. Let me begin by describing what we've been doing:


  1. An Individual Apple Developer account was originally set up by our founder. We use this account primarily for TestFlighting demo apps and do not publish any apps of our own.
  2. Each developer we employ has logged into this account in Xcode in order to be able to download profiles, generate certs, etc.
  3. Whenever we begin development with a new client we have them invite our main (individual) account to their developer account. This then gives all of our developers access to our client's profiles, certs, etc. It also allows us to upload TestFlight builds for the client.


This has been working, though a bit clunky. I always suspected an organization account might be a better fit, but the process of converting doesn't seem straightforward so we just stuck it out. Now, with the introduction of 2FA for all developer accounts and the unification of roles it again raises the question as to whether this could be done better. The problem is, the only difference I can determine between an Individual and Organization account is, according to Apple: "If you’re enrolled as an organization, you have the option of adding additional members to your team."


But it's unclear what the ability to add additional members would actually *do* for us. Here is how I imagine it ideally working:

  1. We switch to an Organization developer account and invite each of our developers individually via their own Apple accounts.
    1. SUPPOSED BENEFIT?: Our developers would not need to perform 2FA on an account that is not technically theirs.
    2. QUESTION: Do individually invited developers need to *also* have a paid developer account? The apps end up being submitted using our client's certs so I don't believe this should be required but it's not clear to me.
  2. Our organization account is then invited to our client's organization account. This then allows our developers to log in using their Apple account and have access to our client's organization (due to their account being linked to our organization, which is linked to our client's organization).


Step #2 is the real key. I know we could have our clients invite our individual developers' accounts (though I'm still unsure whether our developers would need a paid account). But we need the ability to have any of our developers access a client's certs, etc. in the case that the main developer for a client goes on leave suddenly or something similar. And we'd prefer to not have them invite 5 different accounts from the get-go. It also allows us to remove developers we no longer employ rather than having to ask each client to do so.


I have no idea whether an organization account can work this way. Any guidance on this would be appreciated. If it doesn't work the way I think (hope) it does, then how is this typically done for software shops? I'm sure it's not an uncommon scenario but cannot find any real guidance.

Answered by KMT in 351773022

>The goal being our developers only manage logging into one account (their own account) and that allows access to our account and therefore our client's accounts.


You can't get there from here. Accounts are top down based on the client first, not the team member.


Client/Account

Team

Team member


At a team level, members/devs do not have/use 'their own account', just their own Apple ID, which can be used when assigning them a given team role on one or more teams/accounts as required. They would use their Apple ID to log in/out based on which team they intend to work with at a given time.


And while a single instance of Xcode is capable of handling multiple teams, in some cases, the dev that is tasked with working on more than one team may opt to create separate macOS user accounts (client specific) on their Mac, where they log in to each one and move between those instances, instead. At that point, it's all about workflow and personal style, I think.

Yes, 3. They need their own accounts to distribute their own apps in the store.


A single 'company/LLC' Developer Account would not obviate that need.


2FA-for-devs is still being sorted, I think, so, no comment.
