App signing workflow
Michał Kwiatek, IT/OIS
CAPPS, 9/11/2013


Agenda
- Summary of iOS Dev Programs: program types, roles, certificates and provisioning profiles
- CERN context
- The gap
- Current workflow: recent examples of CERNland and Open Days
- Open questions
- Conclusions

iOS dev programs

iOS dev programs roles

iOS dev programs roles (cont'd)
- An iOS Developer Program Admin can also manage program members and assign roles
- The Admin role is global to the entire contract; there is no concept of "admin for the given app"
- The iOS Developer Program Agent is the "root" of the program; there is only one Agent for a given program

iOS certificates
Development
- Certifies the identity of an individual developer
- Can be requested by a program Member
- Can be downloaded by the Member who requested it after the request has been validated by a program Admin
Production
- Certifies the identity of the entire team (CERN)
- Can be requested by a program Admin
- Can be downloaded only by an Admin

iOS provisioning profiles
An adequate provisioning profile is required to run a given application on a given device.
Development profile
- To install development apps on test devices
- Contains the development certificate (individual) and the list of devices
Production App Store
- To submit the app to the App Store
- Contains the production certificate (CERN)
Production Ad Hoc
- To install your app on a limited number of registered devices
- Contains the production certificate (CERN) and the list of devices
Production In House (iOS Developer Enterprise)
- To install your app on any device
- Contains the production certificate (CERN)
- Legally limited to apps distributed internally only
- Technically not limited

CERN context
- 1 instance of iOS Developer Program
- 1 instance of iOS Developer Enterprise Program
- IT represents CERN within these programs
- App developers are:
  - CERN engineers
  - third-party companies contracted to create the app

The gap
- We need to enable both CERN and third-party developers to develop apps for CERN
- We need to keep control of the CERN Production certificates, because they are a cryptographic identification of CERN
- The concept of the production certificate is that it is shared by the entire development team
- But at CERN, we don't have a single development team
- There is no concept of sub-teams or per-app certificates
- Moreover, once the app has been admin-approved for publication in the App Store, we need the CERN owner of the app to be able to publish it on their own

Revoking a certificate
What happens if my certificate expires or has been revoked?
iOS Distribution Certificate (App Store)
- If your iOS Developer Program membership is valid, your existing apps on the App Store will not be affected. However, you will no longer be able to submit new apps or updates to the App Store.
iOS Distribution Certificate (In-house, Internal Use Apps)
- Users will no longer be able to run apps that have been signed with this certificate. You must distribute a new version of your app that is signed with a new certificate.

Experience of the current workflow
Color code:
- worth automating as a self-service
- worth delegating to the app owner
- security issue

Use Case 1: CERN Open Days
Per developer:
1. Request IT to be registered as a Member of the iOS Developer Program
2. Request IT to have your iOS devices registered for the iOS Developer Program
Per app:
1. Request IT to have an application id created within the iOS Developer Program
2. Request IT to have a Development provisioning profile created for the given app, developers and devices
3. Develop your app and test it on the registered devices
4. Request IT to repackage your app (.ipa) using the Production In House profile (requires re-signing with the iOS Developer Enterprise Production Certificate), so that tests can be extended to unregistered devices
5. Request IT to have a Production App Store provisioning profile created for the app
6. Request IT to share with you the CERN Production Certificate so that you can prepare the app for publication in the App Store
7. Request IT to have your app created within iTunes Connect
8. Request IT to have access to iTunes Connect so that you can publish, and later manage, your app within the App Store
9. Publish your app to the App Store using iTunes Connect
Can we replace these steps by:
6. Request IT to repackage your app using the Production App Store provisioning profile
9. Publish the repackaged app to the App Store using Application Loader

Use Case 2: CERNland
1. The external developer develops the app using their own iOS Developer contract
2. The CERN owner of the app requests IT to create the App id and the Production App Store provisioning profile, and to get access to iTunes Connect
3. The CERN owner of the app requests IT to upload the app to iTunes Connect in cooperation with the developer
Can we replace this step by:
3a. Request IT to repackage the app using the Production App Store provisioning profile
4a. Publish the repackaged app to the App Store using Application Loader
or:
3b. The external developer publishes the app to the App Store under their own iOS Developer Program and then transfers the app's ownership to CERN

Open questions
1) What is the real-life risk of sharing the private key of the CERN iOS Developer Program Production Certificate within CERN?
- Clearly not optimal in such a large organisation
- The risk is mitigated by the fact that this certificate needs to be included in a provisioning profile, which can be specific to a given app id
2) Can we avoid sharing this private key through
a) providing a self-service that would on demand repackage the app using the Production App Store provisioning profile
b) documenting the use of Application Loader so that the app owner can publish the repackaged app within the App Store
3) What happens when we hit the limit of 100 registered devices per contract?
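The provisioning-profile slide and open questions 1) and 3) both turn on what a profile actually pins down: which app id it is tied to, which distribution certificate it embeds, how many devices it lists and until when it is valid. The script below is an added example, not part of the presentation or of CERN IT's tooling. It audits the decoded plist of a .mobileprovision (on a Mac the CMS wrapper is stripped with `security cms -D -i profile.mobileprovision`; the script takes the resulting plist bytes) and reports whether the profile is specific to the expected bundle id or a wildcard, whether its embedded certificate is one the team expects, whether it stays under the 100-device figure quoted above and whether it has expired. The team id, bundle id, device identifiers and certificate bytes are constructed placeholders so the example runs offline.

```python
"""Audit a decoded iOS provisioning profile (added example, constructed data).

A .mobileprovision is a CMS-signed property list. Once decoded, the plist
carries the keys used below: TeamIdentifier, ExpirationDate,
DeveloperCertificates (DER certificates), Entitlements (with
application-identifier and get-task-allow), ProvisionedDevices (ad hoc and
development profiles) and ProvisionsAllDevices (in-house profiles).
"""
import hashlib
import plistlib
from datetime import datetime, timezone

DEVICE_LIMIT = 100  # registered-device ceiling per contract quoted on the slides

# Constructed stand-in for the DER bytes of the team's distribution certificate.
# A real profile embeds the actual X.509 certificate here.
FAKE_CERT_DER = b"constructed stand-in, not a real DER certificate"
ALLOWED_FINGERPRINTS = {hashlib.sha1(FAKE_CERT_DER).hexdigest()}

TEAM_ID = "TEAMID0000"            # placeholder team identifier
BUNDLE_ID = "ch.example.openapp"  # placeholder bundle identifier


def build_sample_profile(app_suffix, *, devices=None, all_devices=False,
                         get_task_allow=False, expires=datetime(2030, 1, 1)):
    """Build the plist a profile would decode to. Constructed test data only."""
    profile = {
        "Name": "Constructed sample profile",
        "TeamName": "Example Team",
        "TeamIdentifier": [TEAM_ID],
        "AppIDName": "Example App",
        "ApplicationIdentifierPrefix": [TEAM_ID],
        "CreationDate": datetime(2013, 9, 11),
        "ExpirationDate": expires,
        "DeveloperCertificates": [FAKE_CERT_DER],
        "Entitlements": {
            "application-identifier": f"{TEAM_ID}.{app_suffix}",
            "com.apple.developer.team-identifier": TEAM_ID,
            "get-task-allow": get_task_allow,
        },
    }
    if devices is not None:
        profile["ProvisionedDevices"] = list(devices)
    if all_devices:
        profile["ProvisionsAllDevices"] = True
    return plistlib.dumps(profile)


def classify(profile):
    """Map profile contents to the four kinds on the provisioning-profile slide."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "in-house"
    if "ProvisionedDevices" in profile:
        # Development profiles let a debugger attach (get-task-allow); ad hoc ones do not.
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "app-store"


def audit_profile(plist_bytes, expected_bundle_id, allowed_fingerprints, now=None):
    """Return (kind, findings). An empty findings list means the profile is tied
    to the expected app, signed by an expected certificate, within the device
    limit and still valid."""
    profile = plistlib.loads(plist_bytes)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    findings = []

    # application-identifier is "<team id>.<bundle id>"; a wildcard profile ends in ".*"
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    prefix, _, bundle = app_id.partition(".")
    if prefix not in profile.get("TeamIdentifier", []):
        findings.append(f"app id prefix {prefix!r} is not one of the profile's team ids")
    if bundle == "*":
        findings.append("wildcard app id: profile is not specific to one app")
    elif bundle != expected_bundle_id:
        findings.append(f"app id {bundle!r} does not match expected {expected_bundle_id!r}")

    # SHA-1 over the DER certificate is the fingerprint Keychain Access displays.
    for cert in profile.get("DeveloperCertificates", []):
        fingerprint = hashlib.sha1(cert).hexdigest()
        if fingerprint not in allowed_fingerprints:
            findings.append(f"unexpected signing certificate {fingerprint[:16]}...")

    devices = profile.get("ProvisionedDevices", [])
    if len(devices) > DEVICE_LIMIT:
        findings.append(f"{len(devices)} devices exceeds the {DEVICE_LIMIT}-device limit")

    expires = profile.get("ExpirationDate")
    if expires is None or expires <= now:
        findings.append(f"profile expired on {expires}")

    return classify(profile), findings


# Constructed samples: a well-formed App Store profile, and an ad hoc profile
# with a wildcard app id and an expiry date in the past.
SAMPLE_APPSTORE = build_sample_profile(BUNDLE_ID)
SAMPLE_ADHOC_WILDCARD = build_sample_profile(
    "*", devices=["CONSTRUCTED-UDID-1", "CONSTRUCTED-UDID-2"],
    expires=datetime(2015, 1, 1))

if __name__ == "__main__":
    for label, blob in [("app-store", SAMPLE_APPSTORE), ("ad hoc", SAMPLE_ADHOC_WILDCARD)]:
        kind, findings = audit_profile(blob, BUNDLE_ID, ALLOWED_FINGERPRINTS)
        print(f"{label}: classified as {kind}; findings: {findings or 'none'}")
```

The audit reasons about what a profile permits, not about who holds the key. Whoever has the Production certificate's private key can sign any binary with any profile that embeds that certificate, and for the In House certificate (which the slide above calls technically unlimited) no App Store review stands between a signature and a running app; the revocation slide shows the cost of that certificate being compromised. The app-id restriction that question 1) relies on therefore only has teeth if the key stays with IT and signing happens on demand, which is what option 2a) proposes; a check like this one belongs in that repackaging service, confirming the requested profile is for the right app id before anything is signed.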

Conclusions
- We see a gap between CERN needs and how Apple organised the iOS Developer programs
- We have successful workarounds to assist owners of CERN iOS apps
- We are hoping to gradually move on from workarounds to solutions
- This activity is user-community driven: please talk to us if you need to distribute an in-house developed iOS app.