iPad enterprise distribution options

We have an iPad app that we would like to distribute internally. We're looking into "Enterprise Distribution". The set o开发者_开发技巧f requirements I have been given include that the method for distribution is to be that a user goes to a secure website from an iPad, logs in, and downloads the app. The app then works for them.

Users who do not have access to the website should not have access to the application. We can easily prevent them from downloading the app by forcing them to log in. However, it is not obvious to me that after they download the app (via an .ipa file?), that they couldn't just give it to someone else, something that is not allowed.

It looks like a way around this is to have Distribution Provision Profiles, which determine whether a given app will run on the device. However, it's not obvious to me that those couldn't just be copied as well.

http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf

Once you create the enterprise distribution provisioning profile, download the .mobileprovision file, and then securely distribute it and your application.

Sadly, I don't know enough to know exactly what I should be asking, but here goes:

1. Can ipa files just be copied from one Ipad to another, allowing anyone to use any given app? (assuming there is no other protection on the app)
2. If the answer to 1 is yes, is there any reason to believe that .mobileprovision files will help me?

Every device has a UDID, a unique identifier. This is how Apple enforces the 100 development devices rule for individual developers. You collect UDIDs as part of the download process, issuing the provisioning profiles to registered users.

To answer your questions:

1. Yes, theoretically, without DRM or provisioning, an ipa can be synced to iTunes (or manually copied with third party tools) and then moved to another dewvice.

2. Yes, .mobileprovision files include UDIDs in them which are pretty much unique to a given device. (The exception may be on jailbroken devices, which, if I recall correctly, can spoof a UDID.)

EDIT:

Just to clarify, in response to your requirements:

The set of requirements I have been given include that the method for distribution is to be that a user goes to a secure website from an iPad, logs in, and downloads the app. The app then works for them.

I would add a middle step.

1. User logs in.
2. User submits device info
3. You create a provision for the device
4. The user then downloads the app and the provision.

This does not stop the user from giving out the app to others, but it's the best you've got. You can also require the user to log in inside the app, with the same email as the one used to register the UDID, theoretically.

It's now July 2012. Apple's documentation on how to create and distribute an Ad-Hoc iOS application remains stuck at iOS 3, is over-complicated, overwhelming, and often wrong.

With an Developer Enterprise Program license (and a fair bit of patience), you can create an .ipa file, which you can stick on your website.

Your users can then navigate to this webpage on their iPad's Safari, click on a download link to download and install your app onto their device. No iTunes required.

Your app will need (amongst other things) to be signed with a distribution certificate, which you create on the Apple Developer website, but my point is that once you have jumped through all of these badly documented hoops, you can just stick an .ipa and .plist file on a webpage, and ANY user can install your app with it.

Even your Aunt Gladis, who lives 200 miles away and doesn't work for your company.

Mind you, if Apple finds out that you have distributed your app to anyone who doesn't work in your company, they will pull your license.

Getting the Enterprise Account takes a lot of work. Apple will want your DUNS and possibly other proof that you're who you say you are (and that you're an enterprise).

Going the other route (individual developer) will allow you to post your app (make it free so your users will not have to pay!) in the store. Your app can require an account on your local service that no one outside your company will be able to acquire, which will prevent people outside the company from using it. The risk here is that Apple will reject your app for this reason.