Skip to main content

Understanding the App Update & Certificate Renewal Process for MDM-Distributed Apps

© 2026 Firstup All Rights Reserved.

Understanding the App Update & Certificate Renewal Process for MDM-Distributed Apps

  • Created
  • Updated

Overview

From time to time, MDM customers ask about:

  • App expiration dates shown in their MDM console
  • Ongoing app support and update visibility
  • How certificate renewal is tracked
  • Risk of outage if the app is not updated before expiration

This article explains how the annual enterprise certificate renewal process works for all MDM-distributed apps, including:

  • Basic wrapped enterprise apps
  • Intune-wrapped apps
  • Intune SDK-integrated apps
  • Other enterprise MDM distributions

Enterprise Distribution Model Explained

When an app is distributed via MDM (rather than through the public App Store), it is signed using an Apple Enterprise Certificate.

Key differences from App Store distribution:

  • No automatic updates
  • No App Store certificate management
  • App lifecycle is managed inside the customer’s MDM
  • Deployment and updates must be manually pushed by the customer

This model applies to all enterprise-distributed builds.

Why the App Shows an Expiry Date

When importing the IPA into an MDM, an expiration date will be visible.

This expiration date reflects the Apple Enterprise Certificate, not the app version itself.

How it works:

  • Firstup signs enterprise builds with an Apple Enterprise Certificate.
  • That certificate expires annually (typically in August).
  • Prior to expiration, Firstup renews the certificate.
  • New builds are generated and distributed to all MDM customers.

The expiration date is expected and part of Apple’s enterprise distribution framework.

Firstup's Responsibility

Each year, Firstup:

  1. Renews the Apple Enterprise Certificate.
  2. Generates updated builds signed with the renewed certificate.
  3. Distributes updated IPA files to all MDM customers.

Once the updated build is delivered, Firstup has completed its renewal responsibility.

Customer Responsibility (Critical)

After receiving the updated build, the customer must:

  • Upload the new IPA into their MDM platform.
  • Replace the previous version.
  • Deploy the updated version to managed devices before certificate expiration.
  • Validate successful installation across their device fleet.

Important:
After distributing the updated IPA, Firstup does not have visibility into:

  • Whether it was uploaded into the MDM
  • Whether it was assigned to device groups
  • Whether devices successfully received the update

MDM environments are fully customer-controlled.

What Happens if the App is Not Updated

If the renewed build is not deployed before certificate expiration:

  • The app will stop launching.
  • Users may experience login failures.
  • The app may be removed from managed devices.
  • An outage will occur.

These symptoms are often mistaken for authentication or backend issues, but they are caused by enterprise certificate expiration.

Was this article helpful?
0 out of 0 found this helpful

Related articles

Comments

0 comments

Article is closed for comments.