Request: Enterprise App Publishing (In-House Distribution)

Use this request when you need to distribute an internal-use-only app to Northwestern University employees. Enterprise apps are deployed privately through a Mobile Device Management (MDM) solution (e.g., Jamf) or a secure internal distribution system — they are never published on the public App Store.

Not what you need? See the Program Overview to choose the right service request.


When to Use This Request

Apple’s restriction: The Apple Developer Enterprise Program is strictly for proprietary, internal-use apps distributed to your organization’s employees. Enterprise certificates and profiles must not be used to distribute apps to the general public, students (unless they are also employees), external contractors, or partner organizations. Misuse can result in Apple revoking the enterprise membership, which would disable all enterprise-distributed apps across the university.

If your app should be available to the general public (including students and external users), use the App Store Publishing request instead.


Information Required

Please provide all of the following information when submitting your service request.

1. App Details

| Field | Description |
|---|---|
| App Name | The display name of the application |
| Bundle Identifier | The unique reverse-DNS identifier (e.g., edu.northwestern.internal.myapp) |
| Platform(s) | iOS, iPadOS — select all that apply |
| App Description | A brief summary of the app’s purpose and functionality |
| Department / Team | The Northwestern department or team responsible for this app |
| Primary Contact | Name and email of the person responsible for this request |

2. Distribution Details

| Field | Description |
|---|---|
| Intended Audience | Which employee groups will use this app? (e.g., all employees, specific department, field staff, healthcare workers) |
| Estimated Number of Users | Approximate number of employees who will install the app |
| Distribution Method | How will the app be distributed? (e.g., Jamf MDM, other MDM solution, secure internal portal) |
| Device Management | Are target devices managed by Northwestern IT via MDM? |

3. IT Security and Privacy Review

Even though enterprise apps do not go through Apple’s App Store Review, Northwestern still requires an internal security and privacy review. Please answer the following:

Data Collection and Handling

| Question | Your Answer |
|---|---|
| What data does the app collect from users? (e.g., name, email, location, health data, photos, usage analytics) | |
| How is data ingested? (e.g., user input, device sensors, APIs, third-party SDKs) | |
| How is data processed? (e.g., on-device, server-side, cloud-based) | |
| How is data stored? (e.g., local device storage, cloud database, third-party service) | Where is it stored? |
| How is data handled when the user deletes their account or the app? | |
| Is data encrypted at rest? | Yes / No — describe |
| Is data encrypted in transit (e.g., TLS/HTTPS)? | Yes / No — describe |
| Is data shared with third parties? | If so, which ones and for what purpose? |

Third-Party SDKs and Services

| Question | Your Answer |
|---|---|
| Does the app use third-party SDKs or analytics services? (e.g., Firebase, Google Analytics, Crashlytics) | List all |
| Do any third-party SDKs collect data independently? | Yes / No — describe |

4. Authentication

If your app uses Northwestern NetID authentication (Shibboleth, SAML, or NU SSO):

| Question | Your Answer |
|---|---|
| Does the app use NU NetID for authentication? | Yes / No |
| Is the integration with NU Identity Services confirmed and operational? | Yes / No |
| Are all safety procedures for federated authentication in place? (e.g., token validation, session management, secure redirect URIs) | Yes / No — describe |
| Does the app enforce multi-factor authentication (MFA)? | Yes / No / Not Applicable |
| Is the app registered with NU Identity Services as a service provider? | Yes / No |

Note: If your app uses NU NetID authentication, you must work with Northwestern IT Identity Services to ensure your integration meets institutional security requirements before your request can be approved.

5. Special Capabilities and Features

Select all capabilities your app requires. Northwestern IT will provision the corresponding entitlements and credentials.

Push Notifications

If your app needs push notifications, select your preferred APNs authentication method:

| Method | Description | Recommendation |
|---|---|---|
| Token-based authentication (p8 key) | Uses a .p8 private key file to generate JSON Web Tokens (JWT). The key does not expire (but can be revoked). A single key can be used across multiple apps. This is Apple’s recommended approach. | Recommended |
| Certificate-based authentication (p12 certificate) | Uses a .p12 SSL certificate tied to a specific app. The certificate expires annually and must be renewed each year. Requires a separate certificate for each app. | Use if your server infrastructure specifically requires it |

Apple Documentation:

  • Establishing a Token-Based Connection to APNs — Token-based (p8)
  • Establishing a Certificate-Based Connection to APNs — Certificate-based (p12)
  • Registering Your App with APNs
  • Create a Private Key to Access a Service — How p8 keys are created

Other Capabilities

Note: Some capabilities available under the App Store program (e.g., In-App Purchase, Sign in with Apple) are not available for enterprise-distributed apps. See Supported Capabilities (iOS) for details.


What You Will Receive

After your request is approved, Northwestern IT will provision and securely share:

  1. Enterprise Distribution Certificate — Used to sign your app for in-house distribution.
  2. Enterprise Provisioning Profile — Ties your app’s Bundle ID and the enterprise distribution certificate together.
  3. Push Notification Credentials (if requested):
    • p8 key (token-based) — A .p8 file along with the Key ID and Team ID, or
    • p12 certificate (certificate-based) — A .p12 file with the corresponding password.

See the Developer Guide — Certificates, Profiles, and Code Signing in Xcode for instructions on how to install and use these assets.
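
The Key ID and Team ID delivered with a .p8 key end up inside the JWT that token-based APNs authentication sends. As an added example (not Northwestern's or Apple's code), this pre-flight check inspects a provider token's header and claims before use; the ES256 value, the kid/iss/iat field names and the one-hour age limit come from Apple's APNs documentation rather than this page, and the IDs and sample tokens are constructed.

```python
import base64
import json
import time

MAX_AGE_SECONDS = 60 * 60  # per Apple's APNs docs: tokens over one hour old are rejected


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def lint_provider_token(token, team_id, key_id, now=None):
    """Return problems found in an APNs provider token (empty list = OK)."""
    # Only header and claims are inspected; the ES256 signature is NOT verified.
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return ["token must have three non-empty dot-separated segments"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:
        return ["header or claims segment is not base64url-encoded JSON"]
    problems = []
    if header.get("alg") != "ES256":
        problems.append("alg must be ES256")
    if header.get("kid") != key_id:
        problems.append("kid does not match the Key ID issued with the .p8 key")
    if claims.get("iss") != team_id:
        problems.append("iss does not match the Team ID")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or isinstance(iat, bool):
        problems.append("iat missing or not a number")
    elif iat > now:
        problems.append("iat is in the future")
    elif now - iat > MAX_AGE_SECONDS:
        problems.append("token is older than one hour; generate a new one")
    return problems


def make_sample_token(alg, kid, iss, iat):
    """Build a constructed token with a dummy (invalid) signature for the demo."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "kid": kid}), enc({"iss": iss, "iat": iat}), "c2ln"])
```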


Process Overview

┌──────────┐   ┌───────────┐   ┌─────────────┐   ┌──────────────┐   ┌──────────────┐
│  Submit  │   │  NU IT    │   │  Certs &    │   │  Developer   │   │  Deployed    │
│  Request │──▶│  Security │──▶│  Profiles   │──▶│  Builds &    │──▶│  via MDM /   │
│  via TDX │   │  Review   │   │ Provisioned │   │  Signs App   │   │  Internal    │
└──────────┘   └───────────┘   └─────────────┘   └──────────────┘   └──────────────┘
  1. Submit your service request with all information above.
  2. Security Review — Northwestern IT reviews the security and privacy questionnaire.
  3. Provisioning — Enterprise certificates, profiles, and credentials are generated and shared securely.
  4. Development — You integrate the signing assets and build your app. See the Developer Guide.
  5. Distribution — The signed app is deployed to employees via your MDM solution or secure internal system.

Note: Enterprise apps do not go through Apple’s App Store Review process. However, the app must still comply with Northwestern’s internal security and privacy requirements, and the enterprise certificate must only be used for internal distribution.


Important: Enterprise Certificate Expiry

Enterprise distribution certificates expire annually. When a certificate expires:

Reference: Expired or Revoked Certificates — Apple Developer — See “iOS Distribution Certificate (in-house, internal-use apps).”


Apple Documentation References

