I'm the lead iOS developer at a company that develops iOS apps for multiple clients. We have 5 other iOS developers that work on different client projects. Due to issues we've run into using our current Apple Developer Account setup, I'm looking for guidance on the "best practice" for organizing a developer account with this goal in mind. Let me begin by describing what we've been doing:
- An Individual Apple Developer account was originally set up by our founder. We use this account primarily for TestFlighting demo apps and do not publish any apps of our own.
- Each developer we employ has logged into this account in Xcode in order to be able to download profiles, generate certs, etc.
- Whenever we begin development with a new client we have them invite our main (individual) account to their developer account. This then gives all of our developers access to our client's profiles, certs, etc. It also allows us to upload TestFlight builds for the client.
This has been working, though a bit clunky. I always suspected an organization account might be a better fit, but the process of converting doesn't seem straightforward so we just stuck it out. Now, with the introduction of 2FA for all developer accounts and the unification of roles, it again raises the question as to whether this could be done better. The problem is, the only difference I can determine between an Individual and Organization account is, according to Apple: "If you’re enrolled as an organization, you have the option of adding additional members to your team."
But it's unclear what the ability to add additional members would actually *do* for us. Here is how I imagine it ideally working:
1. We switch to an Organization developer account and invite each of our developers individually via their own Apple accounts.
   - SUPPOSED BENEFIT?: Our developers would not need to perform 2FA on an account that is not technically theirs.
   - QUESTION: Do individually invited developers need to *also* have a paid developer account? The apps end up being submitted using our client's certs so I don't believe this should be required but it's not clear to me.
2. Our organization account is then invited to our client's organization account. This then allows our developers to log in using their Apple account and have access to our client's organization (due to their account being linked to our organization, which is linked to our client's organization).
Step #2 is the real key. I know we could have our clients invite our individual developers' accounts (though I'm still unsure whether our developers would need a paid account). But we need the ability to have any of our developers access a client's certs, etc. in the case that the main developer for a client goes on leave suddenly or something similar. And we'd prefer to not have them invite 5 different accounts from the get-go. It also allows us to remove developers we no longer employ rather than having to ask each client to do so.
I have no idea whether an organization account can work this way. Any guidance on this would be appreciated. If it doesn't work the way I think (hope) it does, then how is this typically done for software shops? I'm sure it's not an uncommon scenario but cannot find any real guidance.