In my certificate list, I see a certificate type called “iOS Distribution Managed”. What is the difference between this and “iOS Distribution”? It's kind of automatic. I don't remember creating it
ios distribution managed
Where are you seeing this? If I go to Developer > Account > Certificates, Identifiers & Profiles > Create a New Certificate, I don’t see anything that mentions managed.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
I was searching the internet for an answer to the same question.
In my Enterprise account, I go to certificates. I now see "iOS Distribution" cert and "iOS Distribution Managed" cert. Two different creators, two different expiration dates.
I got the same issue too, do you have any updates?
Hello, the same here (the "Distribution Managed" one isn't downloadable as you can see) !
As my regular "Distribution" will expire in a few days, do I have to renew it anyway or will I be able to use the "Distribution Managed" one as it expires later ?
Thanks in advance !
Same question . . . anyone learn anything yet?
I think this piece of documentation should answer your question: https://help.apple.com/developer-account/#/dev8e84490b9
You can also filter the certificates list by changing the "All Types" dropdown to "Cloud managed".
My "Distribution Managed" certificate is due to expire next week. I selected "Manually Rotate Certificate" and it seemed to create a new one that expires next year. So perhaps I am good to go now? This process seems shrouded in mystery.
I'm coming here for the same reason - curious what the "managed" cert is and how to actually use it to sign, given that my normal cert is expiring this week. Being an enterprise account, and having 2 separate development teams, I need to find a way to get an update out on MDM before the expiration, but have no way to renew anything. I'm wondering if somehow I can actually use the managed cert.
@pyrtsa-sanoma FYI your link seems to be broken now - please repost if possible.
I always get nervous about "renewing certs" because it's a once in a year affair and I don't fully understand the process. I just "follow my notes" and hope I don't mess something up. This year is a little bit different because I started to use "Managed Signing" in XCode by checking the "Automatically manage signing" box in XCode.
Normally, I have a "Development" cert and a "iOS Distribution" cert. They were to expire at the end of April. So, after getting a successful update posted to the App Store, I started the update process. I was able to get the two certs I'm used to replaced (and revoked the older certs) and was able to get XCode and my keychain updated. Everything appears to be working fine. "Good to go" for another year!
However, there is a "Distribution Managed" cert on my account that is set to expire 2024/04/28. The cert is also designated with an "Automatic Certificate Rotation Date" of 2024/01/29.
I have two questions:
-
Am I supposed to do something with this cert since it apparently didn't get "automatically rotated" on 1/29/2024? Should I be concerned about being able to push updates when this cert expires?
-
Given that signing is being automatically managed, do I still need to maintain the 'iOS Distribution" cert? Is it redundant to the cert being used by managed signing?
Thanks in advance.
Yeah, it's opaque as usual. I believe it's marked as managed if it's generated via Xcode; what I don't know is if an enterprise app has been signed by it and is distributed, does the app in-the-field still function after automatic/manual rotation?
I’m glad you ‘resurrected’ this thread because I’ve learnt more about this stuff since then.
As others have noted, if a certificate has the Managed suffix then it’s cloud-managed, as discussed in Developer Account Help > Create certificates > Cloud-managed certificates. That page has a bunch of helpful titbits, like:
A new cloud-managed certificate is automatically created … when new signing requests are received.
and:
Xcode 13 or later will cloud sign any apps or software for distribution if … a local signing certificate is not found.
If you’re shipping a product on the App Store, this is all good. Your distribution certificate only need to be valid at the time that you submit your app. See TN3161 Inside Code Signing: Certificates for more on that.
If you’re doing the whole In-House (Enterprise) thing, I’m not sure what the best approach is. Enterprise deployment isn’t really my forte.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Not sure how I missed this reply. Thank you, Eskimo. But, I still don't know if I'm supposed to do anything about the cert that did not rotate in January as it was schedule to do. It expires in 5 days. Am I supposed to use the link to manually rotate it?
I’m not 100% sure. My general approach to cloud-managed certificates is to ignore them and let Apple’s infrastructure do it’s thing. But I typically work in Individual and Organization teams, where certificate expiration is a non-event [1].
IIRC you’re working in an In-House (Enterprise) team, and I’m not sure what the best practice is there.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Except for Developer ID, but I manage those manually. See The Care and Feeding of Developer ID.
I'm not sure that I count as an In-House (Enterprise) team. At the end of the day, "I'm just a guy, standing in front of an App Store, praying that this cert won't expire and create issues when I try to push another release of my app" ;)
If you only care about App Store distribution, certificate expiration is not a big deal. In the worst case scenario, it’ll prevent you building your app for development or submitting your app for the store until you renew. It won’t affect your app on the store.
I specifically call this out in TN3161 Inside Code Signing: Certificates.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"