How to publish an iOS App from Microsoft AppCenter to Apple App Store Connect

In this blog I will detail how to use Microsoft’s AppCenter to build an iOS app and publish it directly to iTunes Connect. This allows you to decouple the building, testing and distribution process from the developers. The developer only has to push the app to the repository (I am using Azure DevOps) and AppCenter takes care of the rest.

The steps to do so are:

  1. Create app project
  2. Configure build
  3. Add signing certificates
  4. Configure distribution to iTunes Connect

Create App Project

Open AppCenter and create a new project.

You can add AppCenter features to your app, but it’s optional. I already have a running app that I just want to build and distribute. The next step is to configure the build.

Build

Select the repository where the source code is hosted. I use Azure DevOps (free tier). Unfortunately, GitLab is not listed and in the free tier I am using it is not possible to add self-hosted git repositories.

AppCenter will connect to Azure DevOps via SSO and list the available projects.

This adds the repository to the build configuration. You’ll see the branches and last commit message.

To configure the build, click on the configuration option for the branch. The option will only appear when you hover with your mouse over the branch.

AppCenter will scan the project and find the available Xcode settings.

You can configure the Xcode version to be used for the build. This is very useful when you are using external libraries that do not work with newer Xcode versions. For instance, the Fiori libraries included in my project were not released for 10.2.1 and the newer Swift version that comes with it. Therefore, the build exited with an error. Until SAP released an updated version of Fiori for iOS, I had to use Xcode 10.2.

AppCenter offers options to automatically increase the build number or to run your XCTests.

Sign build

To be able to send the app to iTunes, you must sign the build using your certificate and provisioning profile. I wrote two blogs on how to get these:

When you have these available, you can start configuring the app signing. You upload the files and provide needed credentials for your private key.

Distribute

The next step is to define where you want to distribute the app to. You can send it to the official App Store, to App Store Connect Users for your TestFlight beta testers, or to an internal Company Portal.

I am going to distribute the app to App Store Connect for TestFlight. Select App Store Connect. If you have not yet linked an Apple account, you can do this here.

AppCenter connects to App Store Connect and retrieves a list of apps. I only have one app available, which makes the selection easier. It also means that you have to create the app first in App Store Connect. AppCenter is not able to create the app definition for you.

Select the app and click on Assign.

In case 2FA is enabled for your Apple ID, you will have to provide an app-specific password. I wrote a blog on how to create an app-specific password.

After entering the app-specific password, you get back to the previous screen. Click again on Assign.

Now AppCenter is configured to connect to Apple Connect. Back at the Distribute builds section, you can select App Store Connect Users.

Result

You can now click on save or already start your first build.

Run build and distribute to App Store Connect

After the project is created and the build configured, you can start a build. AppCenter will find an available build agent, clone the repository, build, test, sign and distribute the app.

AppCenter

Waiting for a free build agent

Build starting

Distribute

After the build is done, the app is sent to Apple Connect and processed there. Apple will check if the build is OK. This will take some time. The status of the build is Processing.

App Store Connect

When processing is done, you get an email from Apple.

The status of the app in AppCenter and App Store Connect changes and you can distribute the app to your beta testers via TestFlight.


Online Certificate Status Protocol

Online Certificate Status Protocol, or OCSP for short, lets you obtain the revocation status of a certificate. It has some benefits over certificate revocation lists, mainly that you can let the OCSP responder do the heavy work of validating a certificate, and the client gets some additional security when accepting the answer. To use OCSP in your landscape, you will have to install and configure an OCSP responder. I did this for my sandbox SMP3 system. Here are the links that contain the information on how to set up your own OCSP responder on your Microsoft CA server.

My walkthrough

Hope you find the links useful.

Additional OCSP information

Here are some more links that I consulted when setting up my OCSP responder. All are from Microsoft and cover OCSP on Windows Server and a Microsoft CA.

About

Implementing OCSP responder part 1 – introducing OCSP

OCSP installation and configuration

Designing and implementing a PKI part 2

Designing and implementing a PKI part 3

Designing and implementing a PKI part 4

Designing and implementing a PKI part 5

Windows Server

Online Responder Installation, Configuration, and Troubleshooting Guide

AD CS: Online Certificate Status Protocol Support

Configure a CA to Support OCSP Responders


OCSP part 6 – Test OCSP service

To test if OCSP is working, you need a certificate with OCSP information included. This is only available for certificates issued AFTER the service was installed, configured and activated on the CA. Therefore, you'll first need to create a new certificate for your tests. Depending on your CA configuration, you can use OpenSSL to create a request, or you will have to use the Windows integrated tools. I will show here how to use a CSR created by OpenSSL with a Windows Enterprise CA.

Create CSR with OpenSSL

openssl req -new -newkey rsa:2048 -nodes -keyout dummy.key -out dummy.csr

This creates the private key file (unencrypted, because of -nodes) and the CSR in Base64 (PEM) encoding.

Submit CSR to CA

Certificate snap-in

A Microsoft Enterprise CA needs the CSR to be created for a specific certificate template, something OpenSSL does not offer. If you submit such a request to the CA via the MMC snap-in, you get an error message.

More information

CA Web Interface

Open the web enrollment server in your browser. Click on Request a certificate.

Go to the advanced options.

Paste the Base64-encoded CSR into the input field. Select User as the certificate template.

Submit the request and download the generated certificate.

Take a closer look at the certificate. In the AIA section, the OCSP URL must be shown.

Test OCSP service

In the above step, a new user certificate was created that contains OCSP information. To test if OCSP is working, Microsoft offers the certutil tool.

certutil -URL dummy.cer

In the Retrieve box, you can select how the certificate information should be retrieved.

Select OCSP.

Check the status

Result: Failed

Result: Unsuccessful

Result: Verified


OCSP part 5 – Further configuration steps

After OCSP is installed and configured and the CA includes OCSP information in newly issued certificates, the basic configuration is done and you are ready to use OCSP in your environment. To make better use of OCSP, some additional configuration steps should be done, like enabling NONCE. Microsoft's test client does not use a NONCE, so its test will pass, while OpenSSL uses a NONCE and that test will fail. Generally, enabling it ensures you'll have fewer problems with a wide range of clients.

Enable NONCE

Edit OCSP configuration properties.

Go to tab Signing and enable NONCE.

Check status

In case you get the error that the signing certificate is not available for the array controller, do a refresh of the node.

The status should be empty.

In the CA, an OCSP signing certificate must appear in the list of issued certificates.
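The following is an added example (not code from either post) that scripts the test from part 6 and the NONCE point from part 5: it reads the OCSP URL out of the certificate's AIA extension, runs the Windows revocation check from the command line instead of the certutil -URL dialog, and queries the responder with OpenSSL once with and once without a nonce. It assumes dummy.cer (from the post) and issuer.cer (assumed name: the exported CA certificate) are Base64/PEM encoded and that openssl.exe is on the PATH.

```powershell
# Added example, not from the posts. Assumes dummy.cer (post) and issuer.cer (assumed name,
# the exported CA certificate) are Base64/PEM encoded and openssl.exe is on PATH.
# A DER-encoded download can be converted with: openssl x509 -inform DER -in x.cer -out x.pem

function Get-OcspUrl {
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    # Authority Information Access extension (OID 1.3.6.1.5.5.7.1.1); only present in
    # certificates issued after the CA was configured for OCSP (part 4)
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if (-not $aia) { throw "No AIA extension in $CertPath (issued before OCSP was configured?)" }
    # Format() renders each access description; the OCSP access method is OID 1.3.6.1.5.5.7.48.1
    $text = $aia.Format($true)
    $m = [regex]::Match($text, '1\.3\.6\.1\.5\.5\.7\.48\.1[\s\S]*?URL=(\S+)')
    if (-not $m.Success) { throw "AIA present but carries no OCSP access method" }
    return $m.Groups[1].Value
}

$url = Get-OcspUrl -CertPath .\dummy.cer
"OCSP responder taken from the certificate AIA: $url"

# Windows-side check, the scriptable counterpart of the certutil -URL dialog: fetches
# AIA, CDP and OCSP and reports whether the revocation check passed
certutil -verify -urlfetch .\dummy.cer | Select-String -Pattern 'OCSP', 'Revocation'

# OpenSSL sends a nonce by default. If NONCE is disabled on the responder (part 5), the
# output contains "WARNING: no nonce in response"; with -no_nonce the same query shows
# that the responder is otherwise healthy. A valid certificate reports "<cert>: good".
openssl ocsp -issuer .\issuer.cer -cert .\dummy.cer -url $url -resp_text
openssl ocsp -issuer .\issuer.cer -cert .\dummy.cer -url $url -no_nonce
```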


OCSP part 4 – Configure CA to support OCSP Responders

After the OCSP service is installed and configured, the CA must be made aware of the service. Only after this will certificates newly issued by the CA include the OCSP information. This also means that you can run an OCSP service without having it included in the client certificates. In that case, clients can be configured to use a static OCSP address to validate the status of the certificate, while other clients won't be able to do this.

To configure a CA to support an Online Responder or OCSP responder services

  • Open the Certification Authority snap-in.

  • Open the properties of the CA.

  • Open the Extensions tab. By default, the CRL Distribution Point (CDP) list is shown.

  • Change from CDP to Authority Information Access (AIA).

  • Click on Add to add a new location.

  • Specify the location from which clients can obtain certificate revocation data. This is the URL under which the OCSP service is installed. Make sure that the clients can resolve the DNS name and communicate with the service.

    Example: http://<ServerDNSName>/ocsp

  • Select “Include in the online certificate status protocol (OCSP) extension”. This makes the OCSP URL available in the certificate.

    You will have to restart the CA service to make the new configuration effective.

  • Next, you will have to include the OCSP certificate template in the list of templates the CA can issue.

  • Open the CA snap-in, select Certificate Templates, right-click and choose “New Certificate Template to Issue”.

  • Select the OCSP Response Signing certificate template.

  • To check that it worked, select the certificate template and open its properties.
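The same AIA and template change can be made from an elevated PowerShell on the CA with certutil. This is an added example, not from the post; <ServerDNSName> is the placeholder used above.

```powershell
# Added example, not from the post: the AIA and template change made with certutil
# from an elevated PowerShell on the CA. <ServerDNSName> is the placeholder from the post.
$ocspUrl = 'http://<ServerDNSName>/ocsp'

# Current AIA publication list; every entry has the form "<flags>:<url>"
certutil -getreg 'CA\CACertPublicationURLs'

# Flag 32 (CSURL_ADDTOCERTOCSP) is the "Include in the online certificate status
# protocol (OCSP) extension" checkbox. The leading "+" appends the entry to the
# REG_MULTI_SZ value instead of replacing the existing list.
certutil -setreg 'CA\CACertPublicationURLs' "+32:$ocspUrl"

# The CA reads the publication list at start-up, so restart the service
Restart-Service certsvc

# Allow this CA to issue the OCSP Response Signing template (template name, not display name)
certutil -SetCATemplates '+OCSPResponseSigning'

# Checks: the OCSP entry is in the list and the template is now issuable by this CA
certutil -getreg 'CA\CACertPublicationURLs' | Select-String '32:'
certutil -CATemplates | Select-String 'OCSPResponseSigning'
```

Certificates issued before the restart still lack the OCSP URL, so request a new test certificate (as in part 6) before checking the AIA.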


OCSP part 3 – Add read permission to Network Service

For the CA to be able to use OCSP, read permission on the private key must be given to the Network Service account.

Add Read permissions to Network Service on the private key

Open the Certificate Templates snap-in.

Select the OCSP Response Signing template.

Right-click it and click on properties.

Go to tab security. Click on add.

In the dialog, select Computers from the list of object types.

Search for the CA/OCSP computer. Click OK.

Select the newly created entry with the computer name of the OCSP responder and select ALLOW for Read and Enroll permissions.

Finish the task by clicking on OK.


Microsoft NDES – use custom certificate template

To change the default certificate template NDES uses, it is necessary to change some Windows registry values. There appears to be no Microsoft GUI tool available for this. The procedure for changing these values is given by Microsoft [1],[2]. To do so, open the registry editor and navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP

Under this node, the registry values can be found. By default, the certificate template used by NDES is IPSECIntermediateOffline.

I'll now use my AfariaUser certificate template that I created in an earlier blog (you can find it on my site). To change this and to make use of the new AfariaUser template, edit all three entries.

Afterwards, the registry key looks like this:

To make the new templates effective for new requests, restart IIS (or the CA too, or the whole computer).
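As an added example (not from the post), the same change scripted in PowerShell: the three values under the MSCEP key that NDES reads (EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate) are shown, set to the AfariaUser template from the post, and shown again before IIS is restarted.

```powershell
# Added example, not from the post. Run elevated on the NDES server.
# The value is the template's name (not its display name) as shown in the
# Certificate Templates snap-in; AfariaUser is the template from the post.
$key      = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$template = 'AfariaUser'

# The three REG_SZ values NDES reads; all default to IPSECIntermediateOffline
$values = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'

'Before:'
Get-ItemProperty -Path $key | Select-Object $values

foreach ($name in $values) {
    Set-ItemProperty -Path $key -Name $name -Value $template -Type String
}

'After:'
Get-ItemProperty -Path $key | Select-Object $values

# NDES only reads the values at start-up; restart IIS so new SCEP requests use the template
iisreset
```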

References

[1] http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Appendix_2_Set_Registry_Keys_to_Default_Values

[2] https://technet.microsoft.com/de-de/library/ff955642(v=ws.10).aspx


Afaria Setup 9: Configuration – SQL Server

Afaria needs a database server to save its data into a database. SQL Server Express was installed in the previous step. Now it needs to be prepared for the SAP Afaria installation.

Preparation

Afaria will need a user to log on to SQL Server Express. As Windows is already hosting an Active Directory, an SAP Afaria user can be created to be used to log on to SQL Server. The same user will be used later by Afaria as the Afaria service user. The user is created in the AD using the Active Directory tool.

Create user

  • First name: afauser
  • Last name: n/a
  • Full name: afauser
  • User logon name: afauser@tobias.de

Confirm the user data.

Add user to groups

After the user afauser is created, it must be prepared for Afaria tasks. This is done by adding it to the right user groups. By default, the user is already a member of Domain Users. It must be added to Domain Admins too.

Select group: Domain Admins.

Create Afaria DB

Start SQL Server Management Studio

Open the context menu of the database node of the server and select New Database.

Enter a name for the database (AfariaDb) and set the initial log size to 25 MB. The rest of the configuration parameters can be left as they are.

Select the Security folder and Login. Open the context menu and select New Login.

Choose as login name the afauser created in the Preparation section. Set AfariaDb as the default database.

  • Login name: afauser@tobias.de
  • Windows authentication: yes
  • Default DB: AfariaDb
  • Default language: <default>

Add db_executor role

Select AfariaDb under SQL Server and Databases. Select New Query.

In the query editor, enter: CREATE ROLE db_executor

Select Execute

This runs the SQL query on the AfariaDb. In the output message window the status of the query can be seen.

Next, run the query: GRANT EXECUTE TO db_executor

Select Execute

These two queries create a new role, db_executor, and grant it the EXECUTE permission.

Assign roles

The next step is to assign the needed roles to afauser. Select Security -> Users under AfariaDb and click on New User.

Select afauser and give the following Database role memberships:

  • db_datareader
  • db_datawriter
  • db_ddladmin
  • db_executor

This concludes preparing Windows 2008 R2 Enterprise for Afaria. The next step is installing the Afaria server.
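The login, user, db_executor role and role memberships from this post can also be applied as one T-SQL batch run through sqlcmd (installed with SQL Server). This is an added example, not from the post; it assumes the domain's NetBIOS name is TOBIAS (the post's logon is afauser@tobias.de), that AfariaDb was already created as described, and that it runs as the SQL Server administrator on the default instance.

```powershell
# Added example, not from the post. Assumes NetBIOS domain TOBIAS (assumed, logon in the
# post is afauser@tobias.de), an existing AfariaDb, and the default local instance (-S .).
$sql = @"
USE [AfariaDb];
-- Windows login for the Afaria service account with the default database from the post
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'TOBIAS\afauser')
    CREATE LOGIN [TOBIAS\afauser] FROM WINDOWS WITH DEFAULT_DATABASE = [AfariaDb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'afauser')
    CREATE USER [afauser] FOR LOGIN [TOBIAS\afauser];
-- Custom role that carries only EXECUTE on the database, as in the post
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'db_executor' AND type = 'R')
    CREATE ROLE [db_executor];
GRANT EXECUTE TO [db_executor];
-- Role memberships from the post (sp_addrolemember also works on SQL Server 2008 R2 Express)
EXEC sp_addrolemember N'db_datareader', N'afauser';
EXEC sp_addrolemember N'db_datawriter', N'afauser';
EXEC sp_addrolemember N'db_ddladmin',   N'afauser';
EXEC sp_addrolemember N'db_executor',   N'afauser';
-- Check: list the roles afauser now holds in AfariaDb
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'afauser';
"@

$file = Join-Path $env:TEMP 'afaria_db_setup.sql'
Set-Content -Path $file -Value $sql
# -E: Windows authentication of the current user (the SQL Server administrator)
sqlcmd -S . -E -i $file
```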


Afaria Setup 8: Installation – SQL Server

SAP Afaria 7 needs a database server. Supported types are Sybase and SQL Server. The steps outlined in this blog use Microsoft SQL Server. There are various editions of SQL Server available, and Microsoft offers a free one: SQL Server Express. This edition is the “same” as the normal SQL Server with certain restrictions, but for Afaria it is just a normal SQL Server installation. To try something out with Afaria, this edition is enough. In case you want to install Afaria in the cloud, there is a Windows and SQL Server bundle available from Amazon AWS.

Preparations

Create user for SQL Server in the AD domain. Here the user name is sqlserver@tobias.de

  • First name: SQLServer
  • Last name: n/a
  • Full Name: SQLServer
  • User logon name: sqlserver@tobias.de

Enter a password. To avoid having to change it every N months, disable password expiration.

  • Password never expires: true

Confirm user data.

Installation

Start the SQL Server Express installation. This will show the SQL Server installation center. Select Installation from the left and then click on New Installation.

Select the features to be installed: select all features. Leave the directory path at the default.

In the instance configuration, make sure Default Instance is selected. Do not change the default values.

As this is a try-it-out installation, keeping it simple is one of the main ideas. Therefore, use the same user account for all SQL Server services.

Enter the user information of the user created in the previous step (Preparations).

  • User: sqlserver@tobias.de

Specify the users that are administrator for SQL Server. By default, it is Administrator (user used to run the installation). Confirm the values in the other tabs.

  • Authentication mode: Windows authentication mode

Clicking Next will start the installation.

After the installation is done, the wizard will show a status screen. In case everything worked, SQL Server Express is now installed.


Afaria Setup 5: Install roles – Application Server

The web interfaces of Afaria run on top of IIS and are ASP applications. To be able to run them, IIS and ASP must be made available on the server. One way to achieve this is to activate the Application Server role on the Windows server. This is done by adding this role to the server. Afterwards, IIS and ASP are installed and configured.

To add the application server role, open the server manager and select Add Roles.

In the list of available server roles, the already activated roles are greyed out. Select the role Application Server.

The wizard shows a popup informing you that additional role services are required to fulfill the prerequisites of the Application Server role. In the current state of activated roles, these will be two services. For each one of them, select Add Required Role Services.

Keep IIS services as they are

Confirm the installation parameters.

Windows will install and configure IIS.

Confirm the installation results.

This installs the role application server. After the installation finishes, the server is ready to host ASP web pages.
