iOS resign and rewrap issue
livetoautomate opened this issue · 11 comments
Our Apple Developer Distribution certificate is expiring soon. We resigned the app with a DIFFERENT Apple Developer account distribution certificate. The app requires wrapping to function properly.
We rewrapped the app with the wrap tool v14.1.3 which completed, however when the app is launched for the first time the app takes you to the Microsoft Login and then crashes. The app crash log shows Thread Crashing: com.intune.mam.enrollment.operations (QOS: UNSPECIFIED). Subsequent launches also crash. Uninstall/reinstall results in the same behavior. Tested on two devices, iOS 12.3.1 and 14.3.
We also tried taking the signed app (unwrapped) and wrapping it with the original version of the wrapping tool used (8.0.14). When using the 8.0.14 version we get a different issue than above "Account Not Set Up: Your organization has not set up your account to access work or school data" and then "App Not Set Up: This app has not been set up for you to use..." I have seen these errors in https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-mam, however the App Protection Policy is delivered to the device and the user has an EMS E3 license.
The app is being delivered from MS Intune. The provisioning profile is delivered to the device. The App Protection policy is targetting the wrapped app and the user licensed for EMS E3 is in the Assignment group.
Could signing the app with a different developer distribution certificate be causing these issues?
Hi @bsmith05, are you able to share the crash log? The issue with 8.0.14 is likely caused by cert updates mentioned here so updating to the latest version of the wrapper will be required. Do you know which version of Xcode the app was compiled with and what the target iOS version was?
I have attached the sanitized crash log. I believe the app was compiled in xcode 9 for iOS 9 (based on minimum os version). The details here are fuzzy as the app was developed by someone else that is no longer with the company.
Hi @bsmith05, are you able to compile the app with the latest version of Xcode (12.4)? Could you also update target OS to iOS 12.2 as that is the minimum supported iOS version for the current release of Intune. The wrapper updates the minimum OS in the app's Info.plist, and usually this works fine. But if the app is using some old system API that is no longer available for apps targeting higher OS versions it may cause an issue. Xcode should produce a build error if that's the case.
if we can successfully create an ipa within xcode, when we try to wrap again...do we use the latest version of the intune wrapper tool?
we tried resigning the existing ipa. can we just edit the plist file from there as well (show package contents, etc etc)
@Nathan187 - Yes, you should re-wrap with the latest version of Intune. I don't think just updating target OS in the existing IPA will fix anything (the wrapper already does this), as the actual executable of the app was still compiled against an older iOS SDK. Updating Info.plist just makes it so the app can't be installed on older iOS versions.
Just to help confirm the version of Xcode that the original app bundle was compiled with though, could you share the value that is set for DTXcode from Info.plist?
9F2000
since then, we rebuilt the project using xcode 12.4, set the minimum os to 12.3 and wrapped with version 14.0. one of the admins is trying now to see how this goes.
Yep, looks like the original bundle was built with Xcode 9. Just want to confirm, was the target OS configured within Xcode build settings, or did you make that change in the Info.plist of the ipa after building with Xcode 12.4?
i think i changed it in the xcode build settings
does it make any difference if we are using the wrapping tool for mac versus windows? i have been wrapping the ipas with the intune wrapping tool on the mac. also, i'm curios about this being mentioned
If you've wrapped your app, you'll want to re-wrap your app with the latest wrapper (13.0.0 or higher)
wrap it twice?
Hi @Nathan187 - The app wrapping tool only works on Mac. "re-wrap" in the statement you referred to means to wrap the original (unwrapped) app again with the newest version of Intune and deploy it as an update.
thanks for your help Kyle. We found a temporary solution. Incident should be closed for now