How is it that B2B apps never expire and don't require periodic provisioning profile validation and refresh?

I understand that it is now possible for an organization to provide B2B apps to themselves. The advantage of B2B apps is that they never expire and don't require periodic provisioning profile validation and refresh.


I am unclear on how this is possible though? Apps are build (using Xcode) such that they require a provisioning profile to be built. If this profiles expires, the app can no longer be launched. So how does B2B make apps never expire.

My understanding is the flow is as follows:

1. Build the app using code. Requires both a distribution profile, and a provisioning profile for the archive build to complete.

2. Publish the app to Apple Connect and mark it as a B2B custom app (using the a DEP id).

3. Once the app passes (we assume success) the review process, it shows up as a custom app in Apple Business Manager land.

4. I can deploy the app via VPP Codes that I issue to users, or as a managed license.


This is where I am confused. Let say I do nothing for the next 2 years. The provisioning profile that the app was originally built with has now expired. So how is the above statement correct? "The advantage of B2B apps is that they never expire and don't require periodic provisioning profile validation and refresh"?


*** Update:*** I did some further research, and I'd like some extra clarification. My understanding is that when it comes to BOTH Enterprise and with Custom apps, in both cases, I need a valid distribution profile, and a valid provisioning profile for the archive build to complete, this is where the similarity ends.


In the Enterprise program (which I am most familiar with), I would have to police the app, and make sure that the provisioning profile used to build the app, doesn't expire. This extra precaution is necessary because by going the Enterprise route we are bypassing the Apple Connect review process ... essentially taking responsibility into our own hands. Hence the need for us to be cognizant of the provisions profile expiry dates.


However, we have MUCH more flexibility under the Apple Connect route. Since the app is being formally reviewed and distributed as a B2B custom app, the app is re-signed in Apple Connect/Apple Business Manager (ABM) when then provisioning profile is near expiry; so the provisioning profile then never expires.


So returning to my example. Let say I do nothing for the next 2 years. The provisioning profile that the app was originally built with has now expired in developer.apple.com. It is of no concern of mine, as the app it was built with has been re-signed by apple (and hence can continue to be purchased via ABM.)


But.. if I plan to build a new version of the app using that same (now expired provisioning profile in developer.apple.com), I will have to first **** away and recreate the provisioining profile (in developer.apple.com)


Is my understanding correct?

Replies

Hello? Any responses?

When you are using a Custom/B2B app it is very much just a App Store app that is not published in the store search index.


You are correct that in this case Apple takes over the signing and provisioning of the apps. If you download a B2B app and inspect the signing you will see that it has no provisioning profile in it. It's simply signed with the Apple iPhone distribution certificates.


For example...


B2B signed app certificates:

Authority=Apple iPhone OS Application Signing
Authority=Apple iPhone Certification Authority
Authority=Apple Root CA


Enterprise signed app certificates:

Authority=iPhone Distribution: JAMF Software, LLC
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA


My B2B app was uploaded on March 1st, two years ago but it still gets signed fresh by Apple with their certificates and no provisioning profiles in it.