
What I want to know is why these companies are using the same cert to sign apps with widely differing uses and security profiles. It seems to me that they should have a number of enterprise signing certs for each use case such as internal beta, external beta, internal utility, external utility, whatever.

If the companies are signing all of their apps under the same cert then it's kind of on them for being stupid to sign critical internal apps with the same cert they use to sign these privacy violating apps; but if Apple is globally disabling all enterprise distribution certificates under the guise that the companies violated their developer agreements and NOT disabling their user-facing apps then it still seems to me they are engaging in selective enforcement.

Regardless of how I feel about the ethical questions involved, I don't think this skirmish will end well.



There are terms and conditions that apply to the enterprise cert which are different than those of the standard developer cert. Some of the conditions are relaxed (e.g. wrt the lack of oversight on what you are pushing to your enterprise users) but your enterprise only gets one cert that covers all apps you distribute with these relaxed terms and conditions. If one of your developers pisses in the pool by using the cert to distribute an app outside of the enterprise, particularly an app that violates app store policies and therefore could only be distributed via the enterprise cert, then your cert gets yanked.

This revocation only applies to the apps that are signed with the enterprise cert, so, for example, the Facebook app or Google Maps app in the app store are not affected.


OK, I did not understand they only issued one cert.

Still, with a company the size of Google you'd think they would have multiple certs under different legal entities even if they weren't doing anything wrong.


That was probably on purpose: the scrutiny for a Facebook enterprise account with maybe dozens of internal apps will be much lower than for a weird account which has only one or two apps but a lot of installs.

Easier to hide the rule-breaking app in a swarm of legitimate ones.


> It seems to me that they should have a number of enterprise signing certs for each use case such as internal beta, external beta, internal utility, external utility, whatever.

Apple does not normally give these out (and why would they?)


To my understanding, FB is using the enterprise cert to sign internal apps (which pointed me to my last replies on this thread) and another cert to sign things for general population. I think Google does the same.


Yes; internal apps are signed with an enterprise certificate and App Store apps use a standard developer certificate.
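An added example (not from this thread or from Apple) of the check a device-management team can run on that distinction: read the provisioning profile embedded in an installed app, classify it as enterprise (in-house), development, ad hoc or App Store, and flag in-house profiles whose team ID is not one the organisation owns. The plist keys are Apple's; the XML-slicing shortcut that skips the CMS wrapper, the trusted-team allowlist and the sample builder are assumptions or constructed for the demo.

```python
import plistlib
from datetime import datetime, timezone

ENTERPRISE_KEY = "ProvisionsAllDevices"


def extract_plist(raw: bytes) -> dict:
    """Pull the XML plist out of a CMS-signed .mobileprovision blob.

    Assumes the payload is one contiguous XML document (the usual layout) and
    skips signature checking, so it is an inventory aid, not proof of origin.
    """
    start = raw.index(b"<?xml")
    end = raw.index(b"</plist>") + len(b"</plist>")
    return plistlib.loads(raw[start:end])


def classify(profile: dict) -> str:
    """Return one of: enterprise, development, ad-hoc, app-store."""
    if profile.get(ENTERPRISE_KEY):
        # In-house profiles carry ProvisionsAllDevices and no device list.
        return "enterprise"
    if "ProvisionedDevices" in profile:
        # Device-restricted profiles: debuggable ones are development builds.
        debuggable = profile.get("Entitlements", {}).get("get-task-allow")
        return "development" if debuggable else "ad-hoc"
    return "app-store"


def review_profile(raw: bytes, trusted_teams: set, now=None) -> dict:
    """Summarise a profile; flag enterprise-signed apps from teams you do not own."""
    p = extract_plist(raw)
    kind = classify(p)
    team = p.get("TeamIdentifier", ["?"])[0]
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    return {
        "name": p.get("Name"),
        "team": team,
        "type": kind,
        "expired": p["ExpirationDate"] <= now,
        "foreign_enterprise": kind == "enterprise" and team not in trusted_teams,
    }


def make_sample(name: str, team: str, enterprise: bool) -> bytes:
    """Constructed stand-in for a .mobileprovision (fake wrapper, no real signature)."""
    plist = {"Name": name, "TeamIdentifier": [team], "ExpirationDate": datetime(2030, 1, 1),
             "Entitlements": {"get-task-allow": False}}
    if enterprise:
        plist[ENTERPRISE_KEY] = True
    return b"\x30\x82FAKE-CMS-HEADER" + plistlib.dumps(plist) + b"\x00FAKE-SIG"
```

On a real device inventory the input is the `embedded.mobileprovision` inside each app bundle; on macOS `security cms -D -i <file>` yields the same plist with the signature actually verified.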


> It seems to me that they should have a number of enterprise signing certs for each use case such as internal beta, external beta, internal utility, external utility, whatever.

Then you need each user to install each cert.


For actual enterprise users you probably have a distribution profile set up and are pushing them out anyway. For outside users, they would selectively install the cert for the app they use one by one. Anyway it still strikes me as poor operational practices whether or not they were going to do anything nefarious.



