Last Updated: February 25, 2016
· deckarep

iOS7.1 OTA installs got you down? This fixes it.

With the release of iOS7.1, Apple now requires OTA installs to be done over HTTPS. This applies to both Enterprise app deployments and Ad-Hoc deployments. Unfortunately, Apple did not document this change, so if your OTA installs stopped working, this is why.

The good news is, if your deployment server already has SSL set up, all you need to do is make sure you deploy over an HTTPS connection going forward. You may have to modify the paths to your manifest.plist file, which points to the app binary.

The bad news is, if you don't already have SSL set up, this means you need to set it up EVEN if your deployment solution is completely internal to your company. This is unfortunate because I don't believe we should be forced to do this while deploying safely inside our organization.

Nevertheless, we must succumb to Apple's requirements.

Some solutions have been proposed such as:

  • Use Dropbox over HTTPS going forward
  • Fork out the cash and buy a certificate from a well-known certificate authority
  • Host your app binaries on your public-facing server if it already has HTTPS support (bad idea!)

While you could do all of that, I give you a solution that requires no cash, works perfectly, and doesn't require you to ditch your current deployment environment by switching to something like Dropbox, which is really just a hackish solution.

Here are the steps:

  • On any OSX computer, download the following command line binary from: https://github.com/deckarep/EasyCert/releases
  • Run the following command: ./EasyCert -cn Acme -h http://www.acme.com
      • Obviously, replace the cn flag with some name that represents your company
      • Also, replace the h flag with the hostname of your web server that you deploy from
  • This will generate a handful of files but you only need the following three:
      • myCA.cer - install this on the device(s) that you want to deploy to
      • myCert1.cer - install this on your web server along with the key below to enable https
      • myCer1.key - install this also on your web server along with the certificate above to enable https
  • Done!

If you go this route, it makes sense to provide a link on your web server that devices can navigate to and tap to install the certificate (myCA.cer). This certificate will match the web server's TLS credentials and allow you to install over OTA like before. The certificate only needs to be installed once, and your device will save it going forward.

Here is the stackoverflow.com article with more details: http://stackoverflow.com/a/22367111/71079

For anyone wanting the source to the EasyCert library here is the source code which is written in the Go programming language: https://github.com/deckarep/EasyCert/

Please keep in mind that this solution is intended to be used inside your organization's firewall. Since we act as our own Certificate Authority, this is not the same as securing a web server with a certificate from an official certificate authority, but we do this anyway because it works inside our walled garden.

Good luck and please send me Pull-Requests if you have an issue with the EasyCert tool.

Please comment below if this helps you out or you have problems.