Securing an app (injecting security policies) and signing an app (certifying the app was created by you) are two separate tasks. However, to secure an app with security policies, you need to specify signing options.
To code-sign apps with the console, specify the method for code signing and use a signing profile to specify app-signing parameters.
Unlike a policy profile, which is a collection of settings that can be applied with a policy to inject an app with security, a signing profile is a collection of code signing parameters. Because code signing is platform-specific, each signing profile is unique to Android or iOS.
Using signing profiles
When securing an app, specify the signing type and a signing profile. Unless you plan to sign the app yourself (choosing to skip code signing), securing an app requires a signing profile.
In the policy console, click Apps.
Click iOS or Android, then select your app.
Enterprise on-premises only: Under App Signing > Signing, select the signing type. (See Signing apps with the policy console for details about the options.)
Under App Signing > Signing, select a signing profile from the menu. Click the settings gear to create or modify a signing profile as necessary.
Click Apply Policies to use these settings.
Available signing profiles
The policy console provides this signing profile available by default:
- Android Grouped Apps Profile: This signing profile includes keystore information you can use to sign your apps. All apps in an app group must use the same signing profile; the shared user ID used in grouped apps is keyed to the certificate used to sign the app. See Data Sharing for more information about grouped apps.
Note that you can use this grouped app signing profile for all Android apps, whether they're grouped or not.
Migrated signing profiles
If your policy console was upgraded from a policy console without profile-based signing, the migration process produced signing profiles available for each app that had been secured and signed in the earlier console.
For each app in the old console, the migration process creates a signing profile in the new console:
- The signing profile is named after the app. The profile description specifies that it's a "Generated profile" for the app package name.
- Android apps: The signing profile includes the keystore file, plus the alias and password for the key last applied to the app.
- iOS apps: The signing profile includes the provisioning profile (a .mobileprovision file) and the signing certificate ID last applied to the app.
The migration process also creates this signing profile which is not associated with a specific app.
- iOS Global Signing Profile: If the previous console version had global signing parameters set (provisioning profile and certificate ID), then the migration process creates this profile.
Configuring signing profiles
Use a signing profile to set these options for code signing. (See Policy profiles for general information about managing profiles.)
Click Apps, then Android or iOS, then the app you want to secure. The App details screen appears.
Click the settings gear on the App Signing panel. The Policy details page appears, where you can create a new profile or edit an existing profile.
On the Policy details page, click + Signing Profile to create a new profile, or click the pencil icon next to an existing profile to edit it.
On the Signing Profile page, enter the Profile name and description.
Select Android or iOS, then set the appropriate options:
|Keystore file||The keystore file for your signing identity.|
|Keystore alias||The name of the specific key/certificate for app signing.|
|Keystore password||The password for the desired key.|
A provisioning profile, that is, a .mobileprovision file downloaded from the Apple Developer portal. If a provisioning profile has already been uploaded for this signing profile, its name and the associated AppIDName appear here, for example:
distribution.mobileprovision(DistributionSigning) already uploaded
|Signing certificate identifier||
The name of the iOS Distribution signing identity for your organization. This name is typically "iPhone Distribution".
When you are done configuring the profile, click Save changes. This profile is now available to use with any app.