Re-signing Smart IT on Apple iOS
On Apple iOS devices you can re-sign Smart IT manually or by using the iOS re-signing and rebranding utility (referred to as 'utility' in this topic). Whether you re-sign manually, or by using the utility, you must ensure that you meet all the pre-requisites provided in Preparing to re-sign and rebrand Smart IT on Apple iOS.
Re-signing by using the utility
Download or copy the iOS re-signing and rebranding utility to your Mac computer. Depending on the version of Smart IT that you are using, the utility is available at the following locations:
- Version 18.05: {Smart_IT_HOME}\Smart_IT\smartit\download\utils\
- Version 1.6 and 2.0: MYIT_HOME\Smart_IT_MyIT\IPA\download\utils directory, where MYIT_HOME is the installation directory.
- Version 1.4, 1.5, and 1.5.01: BMC Communities
To re-sign by using the utility
- Open the Resign.dmg file, and run the ResigningUtility.app application.
- In the Application name field, select Smart IT, and click Next.
- Select an appropriate Smart IT version, and click Next.
- Create a new re-signing project, and provide the following details:
- Project Name—Give the re-signing project a name, for example, SmartITResignDemo.
- Project Location—Select a directory on your Mac computer for storing the project.
The utility creates a project file, for example SmartITResignDemo.resign, and subdirectories within the project directory.
Note
If you have previously created a re-signing project, you can use the same project file to re-sign a new .ipa file that is provided as a patch or a new build.
Go to the Configurations tab, and enter values in the required parameters.
(Optional) Rebrand Smart IT. For instructions, see Rebranding Smart IT on Apple iOS.
From the list of projects, navigate to Projects > projectName > Entitlements.
Here, the project name is the name of the project you previously provided (for example, SmartITResignDemo).
Select the SmartIT.entitlements file.
You can preview the content of the entitlements file.
Click Open and replace the values of the application identifier key and the keychain access groups key with your team prefix and App ID.
For example, replace ABCDE-ID.com.bmc.bsmapps.SmartIT with TEAMBUNDLEID.com.companyName.SmartIT.
Note
You need to update the entitlements file only the first time you re-sign a specific version of Smart IT. You can reuse the same entitlements file any subsequent time you re-sign that version of Smart IT.
Enter the values for IPA or xcarchive, provisioningProfiles, and signingCertificate that you used for your app.
- Click ReSign.
An .ipa file is created in the builds subdirectory in your re-signing project directory. Provide this .ipa file to your iOS users for installing Smart IT.
For more information, see the following blog in the communities: Trending in Support: Re branding Smart IT for Apple iOS client. You can also download the required .dmg file from this blog.
Re-signing manually
In the terminal application, enter the following commands to create a SmartIT-ResignDir folder:
    mkdir /path/SmartIT-ResignDir
    cd /path/SmartIT-ResignDir
For example, /User/bill/SmartIT-working/SmartIT-ResignDir.
To clear the files of the previous build, enter the following commands:
    rm -rf "$(getconf DARWIN_USER_CACHE_DIR)/org.llvm.clang/ModuleCache"
    rm -rf ~/Library/Developer/Xcode/DerivedData
    rm -rf ~/Library/Caches/com.apple.dt.Xcode
Copy the Galileo.xcarchive file to the SmartIT-ResignDir folder.
The Galileo.xcarchive file is included with the installation files that you can download from the Electronic Product Distribution (EPD).
Create the exportOptions.plist file, and click Open to Edit.
Enter values for the provisioning profiles, signingCertificate, and teamID parameters. You can find the values for these parameters in the Apple Developer portal.
    {
        compileBitcode = 0;
        method = enterprise;
        iCloudContainerEnvironment = Production;
        provisioningProfiles = {
            com.companyName.SmartIT = "TestDistSmartITDist"; // example value, replace value with profile value provided for app
            com.companyName.SmartIT.watch = "TestDistSmartITWatchDist"; // example value, replace value with profile value provided for watch
            com.companyName.SmartIT.watch.extension = "TestDistSmartITWatchExtensionDist"; // example value, replace value with profile value provided for watch
        };
        signingCertificate = "iPhone Distribution: BMC Software, Inc."; // example value, replace value with enterprise certificate created earlier
        signingStyle = manual;
        stripSwiftSymbols = 1;
        teamID = "<XXXXXX>"; // example value, replace value with team's ID provided for app
        thinning =
    }
From the command line, run the following commands:
    xcodebuild -exportArchive -archivePath Galileo.xcarchive \
        -exportPath ./SmartIT.ipa \
        -exportOptionsPlist exportOptions.plist
Re-sign the Swift code dylibs with the following script, and replace iPhone Distribution: BMC Software, Inc. with your company certificate installed on this machine.

    # Unpackaging app
    unzip -q SmartIT.ipa
    APP=`ls Payload | tail -1`

    # Renaming original IPA
    mv SmartIT.ipa SmartITOriginal.ipa

    # Replacing mobile provision
    echo "Deleting original embedded.mobileprovision"
    rm "Payload/Galileo.app/embedded.mobileprovision"
    rm "Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch Extension.appex/embedded.mobileprovision"
    rm "Payload/Galileo.app/Watch/Watch.app/embedded.mobileprovision"
    echo "Copying embedded.mobileprovision"
    cp "SmartITWatchExtension.mobileprovision" "./Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch Extension.appex/embedded.mobileprovision"
    cp "SmartITWatch.mobileprovision" "./Payload/Galileo.app/Watch/Watch.app/embedded.mobileprovision"
    cp "SmartIT.mobileprovision" "./Payload/Galileo.app/embedded.mobileprovision"

    # Resigning ipa
    echo "Re-sign by iPhone Distribution: BMC Software, Inc."

    # Resigning dylibs (the glob is left unquoted so that it expands;
    # each resulting path is quoted when it is passed to codesign)
    if [ -e Payload/Galileo.app/Frameworks ]
    then
        for dylib in Payload/Galileo.app/Frameworks/*
        do
            codesign -f -s "iPhone Distribution: BMC Software, Inc." "$dylib"
        done
    fi
    if [ -e Payload/Galileo.app/Watch/Watch.app/Frameworks ]
    then
        for dylib in Payload/Galileo.app/Watch/Watch.app/Frameworks/*
        do
            codesign -f -s "iPhone Distribution: BMC Software, Inc." "$dylib"
        done
    fi
    if [ -e Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch\ Extension.appex/Frameworks ]
    then
        for dylib in Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch\ Extension.appex/Frameworks/*
        do
            codesign -f -s "iPhone Distribution: BMC Software, Inc." "$dylib"
        done
    fi

    # Resigning app (innermost bundle first)
    codesign -f -s "iPhone Distribution: BMC Software, Inc." "Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch Extension.appex"
    codesign -f -s "iPhone Distribution: BMC Software, Inc." "Payload/Galileo.app/Watch/Watch.app"
    codesign -f -s "iPhone Distribution: BMC Software, Inc." "Payload/Galileo.app"

    # Cleaning output env (-f: SmartIT.ipa was already renamed above)
    rm -rf "SmartIT.ipa"

    # Packaging ipa
    echo "Packaging ipa"
    zip -qr "SmartIT.ipa" Payload
    echo "Re-signed ipa"
Unzip the ipa file.
    unzip -q SmartIT.ipa
In Xcode, create SmartIT.entitlements file in the /path/SmartIT-ResignDir directory, and add the following lines.
You can download a copy of SmartIT.entitlements.
SmartIT.Entitlements

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>application-identifier</key>
        <string>XXXXXXX.com.companyName.SmartIT</string>
        <key>aps-environment</key>
        <string>production</string>
        <key>get-task-allow</key>
        <false/>
        <key>keychain-access-groups</key>
        <array>
            <string>XXXXXXX.com.companyName.SmartIT</string>
        </array>
        <key>com.apple.security.application-groups</key>
        <array>
            <string>group.com.companyName.SmartIT</string>
        </array>
        <key>com.apple.developer.icloud-container-development-container-identifiers</key>
        <array>
            <string>iCloud.com.companyName.SmartIT</string>
        </array>
        <key>com.apple.developer.icloud-container-environment</key>
        <array>
            <string>Development</string>
            <string>Production</string>
        </array>
        <key>com.apple.developer.icloud-container-identifiers</key>
        <array>
            <string>iCloud.com.companyName.SmartIT</string>
        </array>
        <key>com.apple.developer.icloud-services</key>
        <array>
            <string>CloudDocuments</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>XXXXXX</string>
        <key>com.apple.developer.ubiquity-container-identifiers</key>
        <array>
            <string>iCloud.com.companyName.SmartIT</string>
        </array>
        <key>com.apple.developer.ubiquity-kvstore-identifier</key>
        <string>XXXXXX.com.companyName.SmartIT</string>
    </dict>
    </plist>
Replace the values for the following strings in the SmartIT.entitlements file:
| Replace the value for this string | Your value |
| --- | --- |
| application-identifier | Team prefix and App ID |
| keychain access groups | Team prefix and App ID |
| com.apple.security.application-groups | App Group Name |
| com.apple.developer.icloud-container-development-container-identifiers | iCloud container name |
| com.apple.developer.icloud-container-identifiers | iCloud container name |
| com.apple.developer.team-identifier | Team prefix |
| com.apple.developer.ubiquity-kvstore-identifier | iCloud container name |
| iCloud Key-Value Store keys | Team prefix and App ID |

- Re-sign Smart IT on Apple watch by following the instructions at Re-signing the entitlement files of Smart IT on Apple watch.
- Rebrand Smart IT on iOS by following the instructions at Rebranding Smart IT on Apple iOS.
Replace the mobile provision file.
    cp "SmartITWatchExtension.mobileprovision" "./Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch Extension.appex/embedded.mobileprovision"
    cp "SmartITWatch.mobileprovision" "./Payload/Galileo.app/Watch/Watch.app/embedded.mobileprovision"
    cp "SmartIT.mobileprovision" "./Payload/Galileo.app/embedded.mobileprovision"
Remove the BMC code signature.
    rm -r "./Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch Extension.appex/_CodeSignature/"
    rm -r "./Payload/Galileo.app/Watch/Watch.app/_CodeSignature"
    rm -r "./Payload/Galileo.app/_CodeSignature"
Re-sign the IPA by using the name of your company Apple iOS Distribution certificate installed on the Mac machine in place of "iPhone Distribution: BMC Software, Inc.".
    /usr/bin/codesign -f -s "iPhone Distribution: BMC Software, Inc." --entitlements "./SmartITWatchExtension.entitlements" "./Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch Extension.appex"
    /usr/bin/codesign -f -s "iPhone Distribution: BMC Software, Inc." --entitlements "./SmartITWatch.entitlements" "./Payload/Galileo.app/Watch/Watch.app"
    /usr/bin/codesign -f -s "iPhone Distribution: BMC Software, Inc." --entitlements "./SmartIT.entitlements" "./Payload/Galileo.app"
Create the .ipa zip file.
zip -qr "SmartIT-rebranded.ipa" Payload
You must provide the new .ipa file when you deploy Smart IT to your users.
Re-signing the entitlement files of Smart IT on Apple watch
Regardless of whether you use Smart IT on Apple watch, to re-sign Smart IT on iOS you must re-sign the entitlement files for SmartITWatch and SmartITWatchExtension.
In Xcode, create the SmartITWatch.entitlements and SmartITWatchExtension.entitlements files in the /path/SmartIT-ResignDir directory, and add the following lines.
SmartITWatch.Entitlements

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>application-identifier</key>
        <string>XXXXXXX.com.companyName.SmartIT.watch</string>
        <key>keychain-access-groups</key>
        <array>
            <string>XXXXXXX.com.companyName.SmartIT.watch</string>
        </array>
        <key>com.apple.security.application-groups</key>
        <array>
            <string>group.com.companyName.SmartIT</string>
        </array>
    </dict>
    </plist>

SmartITWatchExtension.entitlements

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>application-identifier</key>
        <string>XXXXXXX.com.companyName.SmartIT.watch.extension</string>
        <key>com.apple.security.application-groups</key>
        <array>
            <string>group.com.companyName.SmartIT</string>
        </array>
    </dict>
    </plist>
Replace the values for the given strings in the SmartITWatch.entitlements and SmartITWatchExtension.entitlements files:

| Replace the value for this string | Your value |
| --- | --- |
| (Both files) application-identifier | Team prefix and App ID |
| (Both files) com.apple.security.application-groups | App Group Name |
| (SmartITWatch.entitlements file only) keychain access groups | Team prefix and App ID |

- Save the changes.
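A check that can be run on each of the three edited entitlements files before they are passed to codesign, so that a template value left in place or a mismatched team prefix is caught before signing. This is an added example, not part of the BMC utility or documentation; the function name lint_entitlements, the team prefix A1B2C3D4E5 and the com.example bundle ID are hypothetical.

```python
import plistlib

# Keys in the page's templates whose values start with "<team prefix>."
PREFIXED_KEYS = ("application-identifier", "keychain-access-groups",
                 "com.apple.developer.ubiquity-kvstore-identifier")
# Fragments of the vendor templates that must not survive editing.
PLACEHOLDERS = ("XXXXXX", "companyName", "com.bmc.")

# Constructed sample: the SmartITWatch template filled in for a hypothetical
# team, except that keychain-access-groups was left untouched.
SAMPLE = b"""<plist version="1.0"><dict>
<key>application-identifier</key><string>A1B2C3D4E5.com.example.SmartIT.watch</string>
<key>keychain-access-groups</key><array><string>XXXXXXX.com.companyName.SmartIT.watch</string></array>
<key>com.apple.security.application-groups</key><array><string>group.com.example.SmartIT</string></array>
</dict></plist>"""

def _strings(value):
    """Yield every string inside a plist value (string, array or dict)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, dict)):
        for item in (value.values() if isinstance(value, dict) else value):
            yield from _strings(item)

def lint_entitlements(data: bytes, team_prefix: str, bundle_id: str) -> list:
    """Return a list of problems found in one entitlements plist."""
    ent = plistlib.loads(data)
    problems = []
    for key, value in ent.items():
        for s in _strings(value):
            if any(p in s for p in PLACEHOLDERS):
                problems.append(f"{key}: template value left in place: {s}")
            elif key in PREFIXED_KEYS and not s.startswith(team_prefix + "."):
                problems.append(f"{key}: {s} lacks team prefix {team_prefix}")
    expected = f"{team_prefix}.{bundle_id}"
    if ent.get("application-identifier") != expected:
        problems.append(f"application-identifier is not {expected}")
    team = ent.get("com.apple.developer.team-identifier")
    if team is not None and team != team_prefix:
        problems.append(f"team-identifier {team} differs from {team_prefix}")
    if ent.get("get-task-allow", False):
        problems.append("get-task-allow is true: a distribution build must not be debuggable")
    return problems

if __name__ == "__main__":
    for line in lint_entitlements(SAMPLE, "A1B2C3D4E5", "com.example.SmartIT.watch"):
        print(line)
```

To check a real file, pass its contents, for example `lint_entitlements(open("SmartIT.entitlements", "rb").read(), team_prefix, bundle_id)`, and sign only when the returned list is empty.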
Replacing the Smart IT APNS certificate with your APNS certificate
After you re-sign, you must replace the Smart IT APNS certificate with your APNS certificate.
- Log in to the server that hosts the Smart IT server.
- Stop the Tomcat instance that executes the Smart IT server.
- In the Tomcat home folder, locate and open the external-conf folder.
- In the external-conf folder, create a certification subfolder.
- Place the .p12 file that contains the new APNS certificate that you created in the certification subfolder.
- Log in to the Oracle or Microsoft SQL database used for Smart IT.
- Go to the PUSH_NOTIFICATION_CERT table, and query for records.
- To change the iOS APNS certificate record:
- In the iOS_Cert field, replace the current value (the default value is GalileoAPNsProduction.p12) with the name of the .p12 file that contains your new APNS certificate.
- In the iOS_Password row, in plain text, replace the current password with the password of your .p12 file.
- Click Save.
- Start the Tomcat instance.
Any notifications to iOS devices from your server (or tenant in multitenant environments) are sent by using the new certificate.