Request: Enterprise App Publishing (In-House Distribution)
Use this request when you need to distribute an internal-use-only app to Northwestern University employees. Enterprise apps are deployed privately through a Mobile Device Management (MDM) solution (e.g., Jamf) or a secure internal distribution system — they are never published on the public App Store.
Not what you need? See the Program Overview to choose the right service request.
When to Use This Request
- Your app is intended exclusively for Northwestern employees — it is not available to the general public.
- The app is a proprietary, in-house tool developed by or for Northwestern.
- You plan to distribute via MDM (e.g., Jamf) or another secure internal distribution mechanism.
- The App Store, Custom Apps via Apple Business Manager, Ad Hoc distribution, or TestFlight would not adequately meet your needs.
Apple’s restriction: The Apple Developer Enterprise Program is strictly for proprietary, internal-use apps distributed to your organization’s employees. Enterprise certificates and profiles must not be used to distribute apps to the general public, students (unless they are also employees), external contractors, or partner organizations. Misuse can result in Apple revoking the enterprise membership, which would disable all enterprise-distributed apps across the university.
If your app should be available to the general public (including students and external users), use the App Store Publishing request instead.
Information Required
Please provide all of the following information when submitting your service request.
1. App Details
| Field | Description |
|---|---|
| App Name | The display name of the application |
| Bundle Identifier | The unique reverse-DNS identifier (e.g., edu.northwestern.internal.myapp) |
| Platform(s) | iOS, iPadOS — select all that apply |
| App Description | A brief summary of the app’s purpose and functionality |
| Department / Team | The Northwestern department or team responsible for this app |
| Primary Contact | Name and email of the person responsible for this request |
2. Distribution Details
| Field | Description |
|---|---|
| Intended Audience | Which employee groups will use this app? (e.g., all employees, specific department, field staff, healthcare workers) |
| Estimated Number of Users | Approximate number of employees who will install the app |
| Distribution Method | How will the app be distributed? (e.g., Jamf MDM, other MDM solution, secure internal portal) |
| Device Management | Are target devices managed by Northwestern IT via MDM? |
3. IT Security and Privacy Review
Even though enterprise apps do not go through Apple’s App Store Review, Northwestern still requires an internal security and privacy review. Please answer the following:
Data Collection and Handling
| Question | Your Answer |
|---|---|
| What data does the app collect from users? (e.g., name, email, location, health data, photos, usage analytics) | |
| How is data ingested? (e.g., user input, device sensors, APIs, third-party SDKs) | |
| How is data processed? (e.g., on-device, server-side, cloud-based) | |
| How is data stored? (e.g., local device storage, cloud database, third-party service) Where is it stored? | |
| How is data handled when the user deletes their account or the app? | |
| Is data encrypted at rest? | Yes / No — describe |
| Is data encrypted in transit (e.g., TLS/HTTPS)? | Yes / No — describe |
| Is data shared with third parties? If so, which ones and for what purpose? | |
Third-Party SDKs and Services
| Question | Your Answer |
|---|---|
| Does the app use third-party SDKs or analytics services? (e.g., Firebase, Google Analytics, Crashlytics) | List all |
| Do any third-party SDKs collect data independently? | Yes / No — describe |
4. Authentication
If your app uses Northwestern NetID authentication (Shibboleth, SAML, or NU SSO):
| Question | Your Answer |
|---|---|
| Does the app use NU NetID for authentication? | Yes / No |
| Is the integration with NU Identity Services confirmed and operational? | Yes / No |
| Are all safety procedures for federated authentication in place? (e.g., token validation, session management, secure redirect URIs) | Yes / No — describe |
| Does the app enforce multi-factor authentication (MFA)? | Yes / No / Not Applicable |
| Is the app registered with NU Identity Services as a service provider? | Yes / No |
Note: If your app uses NU NetID authentication, you must work with Northwestern IT Identity Services to ensure your integration meets institutional security requirements before your request can be approved.
5. Special Capabilities and Features
Select all capabilities your app requires. Northwestern IT will provision the corresponding entitlements and credentials.
Push Notifications
If your app needs push notifications, select your preferred APNs authentication method:
| Method | Description | Recommendation |
|---|---|---|
| Token-based authentication (p8 key) | Uses a .p8 private key file to generate JSON Web Tokens (JWT). The key does not expire (but can be revoked). A single key can be used across multiple apps. This is Apple’s recommended approach. | ✅ Recommended |
| Certificate-based authentication (p12 certificate) | Uses a .p12 SSL certificate tied to a specific app. The certificate expires annually and must be renewed each year. Requires a separate certificate for each app. | Use if your server infrastructure specifically requires it |
Apple Documentation:
- Establishing a Token-Based Connection to APNs — Token-based (p8)
- Establishing a Certificate-Based Connection to APNs — Certificate-based (p12)
- Registering Your App with APNs
- Create a Private Key to Access a Service — How p8 keys are created
Other Capabilities
Note: Some capabilities available under the App Store program (e.g., In-App Purchase, Sign in with Apple) are not available for enterprise-distributed apps. See Supported Capabilities (iOS) for details.
What You Will Receive
After your request is approved, Northwestern IT will provision and securely share:
- Enterprise Distribution Certificate — Used to sign your app for in-house distribution.
- Enterprise Provisioning Profile — Ties your app’s Bundle ID and the enterprise distribution certificate together.
- Push Notification Credentials (if requested):
  - p8 key (token-based) — A .p8 file along with the Key ID and Team ID, or
  - p12 certificate (certificate-based) — A .p12 file with the corresponding password.
See the Developer Guide — Certificates, Profiles, and Code Signing in Xcode for instructions on how to install and use these assets.
Process Overview
┌──────────┐ ┌───────────┐ ┌──────────┐ ┌──────────────┐ ┌──────────────┐
│ Submit │ │ NU IT │ │ Certs & │ │ Developer │ │ Deployed │
│ Request │──▶│ Security │──▶│ Profiles │──▶│ Builds & │──▶│ via MDM / │
│ via TDX │ │ Review │ │Provisioned│ │ Signs App │ │ Internal │
└──────────┘ └───────────┘ └──────────┘ └──────────────┘ └──────────────┘
- Submit your service request with all information above.
- Security Review — Northwestern IT reviews the security and privacy questionnaire.
- Provisioning — Enterprise certificates, profiles, and credentials are generated and shared securely.
- Development — You integrate the signing assets and build your app. See the Developer Guide.
- Distribution — The signed app is deployed to employees via your MDM solution or secure internal system.
Note: Enterprise apps do not go through Apple’s App Store Review process. However, the app must still comply with Northwestern’s internal security and privacy requirements, and the enterprise certificate must only be used for internal distribution.
Important: Enterprise Certificate Expiry
Enterprise distribution certificates expire annually. When a certificate expires:
- Users will no longer be able to open apps signed with the expired certificate.
- You must re-sign the app with a renewed certificate and redistribute it.
- Northwestern IT manages certificate renewals and will notify you in advance.
Reference: Expired or Revoked Certificates — Apple Developer — See “iOS Distribution Certificate (in-house, internal-use apps).”
Apple Documentation References
- Apple Developer Enterprise Program
- Distributing Your App for Beta Testing and Releases — Enterprise Distribution
- Certificates Overview — Apple Developer Account Help
- Supported Capabilities (iOS) — Apple Developer Account Help
- Establishing a Token-Based Connection to APNs — Apple Documentation
- Establishing a Certificate-Based Connection to APNs — Apple Documentation