11.8 — Enterprise & B2B Distribution

Opening scenario

A Fortune 500 customer wants 5,000 seats of your app, with custom features (their logo, their SSO provider, their MDM compliance settings), deployed to corporate-managed devices, and they want to pay you via PO and invoice — not via consumer App Store IAP. “Just publish to the App Store,” you say. Their CIO laughs. “Our devices are MDM-locked. Public App Store is disabled. We need this through Apple Business Manager or it can’t ship.” Welcome to enterprise iOS distribution — a totally separate planet from consumer App Store, with its own tooling, contracts, and economics.

Context taxonomy

Distribution channel	Audience	Apple commission	Distribution mechanism
Public App Store	Anyone	15–30% on IAP	App Store search/browse
Custom App via Apple Business Manager	Specific orgs only	0% (direct invoice)	Private link, MDM, or ABM portal
Ad Hoc	≤ 100 specific devices/yr	N/A	Direct IPA install via UDID provisioning
TestFlight	≤ 10,000 testers, 90-day expiry	N/A	TestFlight invite link or public link
Apple Developer Enterprise Program	In-house employees only	N/A	Direct IPA install via enterprise cert
Unlisted App Distribution	Specific URL recipients	15–30% on IAP	App Store hidden listing
Alternative App Stores (EU)	Anyone (EU)	0% Apple commission, €0.50 CTF	AltStore PAL, Setapp, etc.
MDM (Jamf, Intune, Mosyle, Kandji)	Org-managed devices	N/A; orgs license MDM	Push apps to managed devices

Concept → Why → How → Code

Concept. Enterprise distribution is a parallel App Store with its own contracts (Apple Business Manager direct), its own commission model (often 0%), and its own deployment surfaces (MDM push instead of App Store browse). The architecture serves IT-controlled environments where employees can’t install consumer apps.

Why. Enterprise buyers want: predictable pricing (per-seat per-month invoiced in arrears), MDM-managed deployment (no employee choice), custom features (logos, SSO, compliance settings), and zero consumer App Store dependencies. The consumer App Store delivers none of this.

Channel by channel

Apple Business Manager (ABM) — the canonical enterprise channel.

Workflow:
1. You enroll in ABM (apple.com/business)
2. Your customer enrolls in ABM
3. You publish a Custom App to ABM, scoped to that customer's DUNS number
4. Customer's IT admin sees the app in ABM portal, pushes to managed devices via MDM
5. Customer pays you via direct invoice (PO, NET-30, whatever you agree)
6. Apple takes 0% commission on Custom Apps

Custom App requirements:

Same binary, packaging, and review as regular App Store
Reviewed by App Review, but listed privately
One Custom App can be scoped to multiple customers (each gets a different config bundled)
IAP works but defeats the purpose; use config to unlock features

Volume Purchase Program (VPP) — legacy term, now folded into ABM. Same workflow as ABM Custom Apps, but for buying licenses of public App Store apps in bulk.

Custom Apps — variant where you ship a customized binary to a specific customer with their branding, SSO, etc.

// Configurable via managed app config (MDM pushes this)
struct ManagedConfig {
    static let shared = ManagedConfig()

    var ssoProvider: String? {
        UserDefaults.standard.dictionary(forKey: "com.apple.configuration.managed")?["sso_provider"] as? String
    }

    var allowedFeatures: [String]? {
        UserDefaults.standard.dictionary(forKey: "com.apple.configuration.managed")?["features"] as? [String]
    }

    var customLogoURL: URL? {
        (UserDefaults.standard.dictionary(forKey: "com.apple.configuration.managed")?["logo_url"] as? String)
            .flatMap(URL.init)
    }
}

// In your app's start:
if let sso = ManagedConfig.shared.ssoProvider {
    auth.configureSSO(provider: sso)   // Customer-specific SSO endpoint
}

This com.apple.configuration.managed key is set by MDM at install time. Your app just reads it. No build customization needed per customer.

Ad Hoc — 100 specific devices per year via UDID provisioning. Useful for beta-testing on physical devices outside TestFlight, demos for prospects, or unusual deployment scenarios. Not a real enterprise distribution channel — just a developer-account-included mechanism.

TestFlight — 90-day test cycle, up to 10,000 testers. Often abused as a stealth distribution channel for limited audiences. Apple is increasingly strict about TestFlight-only “production” use — apps that stay in TestFlight indefinitely with no path to App Store get reviewed and rejected.

Apple Developer Enterprise Program (ADEP) — $299/year, allows in-house distribution to employees of your company only. Strict requirements:

Must have 100+ employees (Apple verifies)
Apps cannot be distributed to non-employees (revocation on violation)
Many startups bought this license to bypass App Store; Apple aggressively revokes
Use case: internal tools at large enterprises (Goldman Sachs internal trading apps, etc.)

Unlisted App Distribution — public App Store app with hidden listing. Distribution via direct App Store link only. Useful for niche B2B apps that don’t want to show up in App Store search.

Alternative app stores (EU only, post-DMA) — AltStore PAL, Setapp Mobile, Epic Games Store iOS, others. 0% Apple commission, €0.50 CTF per install over 1M/yr. Useful for European-targeted enterprise tools that want to bypass App Store entirely.

MDM tools — the real distribution layer

Enterprises manage iOS devices via MDM (Mobile Device Management). The market:

MDM	Strengths	Pricing (typical)
Jamf Pro	Most Apple-ecosystem-aware; default for Apple-heavy orgs	$4–8/device/mo
Microsoft Intune	Best for orgs already on Microsoft 365	bundled with M365 E3+
Mosyle	Education-focused; competitive pricing	$1–4/device/mo
Kandji	Newer; strong UX	$4–7/device/mo
Hexnode, ManageEngine	Mid-market, multi-platform	$1–3/device/mo

You don’t need to integrate with each MDM individually. You ship a normal app + a Managed App Configuration specification (an XML schema describing what config keys your app understands). MDMs read your spec and let admins fill in values.

Per-seat per-month invoicing pattern

# scripts/monthly_invoicing.py — typical B2B billing job
import requests
from datetime import datetime, timedelta

def generate_invoices_for_month(year: int, month: int):
    for customer in active_customers():
        seats        = count_active_seats(customer.id, year, month)
        prorate      = compute_proration(customer.id, year, month)
        amount       = seats.peak * customer.price_per_seat * prorate
        invoice_num  = next_invoice_number()

        invoice = {
            "customer":     customer.legal_name,
            "billing_addr": customer.billing_address,
            "po_number":    customer.current_po,
            "items": [{
                "desc":     f"Acme Pro — {customer.name} — {year}-{month:02d}",
                "qty":      seats.peak,
                "unit":     customer.price_per_seat,
                "total":    amount,
            }],
            "total":   amount,
            "due_date":(datetime.now() + timedelta(days=customer.payment_terms_days)).date(),
        }

        send_invoice(customer.billing_email, invoice)
        record_in_books(invoice)

Per-seat per-month is the standard B2B billing rhythm. Pricing is usually $5–$50/seat/month depending on app sophistication. Annual prepayment (5–15% discount) is common at $10k+ contract values.

Fastlane enterprise distribution lane

# Fastfile
desc "Build & upload Custom App to specific customer ABM"
lane :ship_to_customer do |options|
    customer = options[:customer]   # e.g., "acme-corp"

    # Build with customer-specific config
    build_app(
        scheme: "AcmeApp",
        configuration: "Release-#{customer}",
        export_method: "app-store",
        export_options: {
            "iCloudContainerEnvironment": "Production",
        }
    )

    # Upload to App Store Connect; mark as Custom App for specific customer
    upload_to_app_store(
        force: true,
        skip_metadata: true,
        skip_screenshots: true,
        api_key: app_store_connect_api_key,
        precheck_include_in_app_purchases: false,
    )

    # Notify customer's IT admin
    slack(message: "Custom App build for #{customer} uploaded to ABM")
end

Decision flow: which channel?

Audience size?
├── < 100 devices, internal beta?
│   └── Ad Hoc or TestFlight
│
├── Public consumer release?
│   └── App Store (Standard)
│
├── Specific corporate customer(s), not on public App Store?
│   ├── Customer wants their own branded version?
│   │   └── Custom App via ABM
│   └── Generic app, just need to invoice instead of IAP?
│       └── Volume purchase via ABM + standard App Store app
│
├── In-house employees of a large company?
│   └── Apple Developer Enterprise Program
│       (only if you actually have 100+ employees)
│
└── EU customers, want zero Apple involvement?
    └── Alternative app store (AltStore PAL, etc.)

In the wild

Salesforce Mobile uses Custom Apps via ABM for many F500 deployments — same binary, MDM-pushed managed config for each customer’s Salesforce org URL.
Cisco WebEx distributes via standard App Store for consumers and Custom Apps for enterprise customers needing custom SSO/MDM integration.
Goldman Sachs has internal trading apps on Apple Developer Enterprise Program — never available to the public.
Jamf themselves run an ABM-deployed agent app for managed devices.
Tesla ships their service-tech tool internally via ADEP; their consumer app via App Store.

Common misconceptions

“Apple Developer Enterprise Program lets you skip App Store.” Only for your own employees. Distributing to non-employees gets the cert revoked, killing every installed app in seconds.
“Custom Apps are a different binary.” They’re the same binary by default; per-customer behavior comes from managed app config keys. You ship one app, infinite Custom App targets.
“You need TestFlight for enterprise beta.” Ad Hoc (100 devices) works for small deployments; TestFlight for larger ones. ABM Custom Apps for production.
“MDM means the app needs special MDM SDK integration.” No. MDM controls device-level policies and pushes Managed App Config. Your app reads com.apple.configuration.managed from UserDefaults. That’s the full integration.
“Custom Apps via ABM means Apple still takes 15–30%.” No. ABM Custom Apps with direct invoicing have 0% Apple commission.

Seasoned engineer’s take

TIP. For B2B SaaS, default to: standard App Store distribution + per-seat invoicing via your billing platform (Stripe, Chargebee). Switch to Custom Apps only when a customer explicitly requires it. Most customers don’t.

WARNING. Apple Developer Enterprise Program ($299/yr) is extremely tempting as a workaround for various App Store frictions. Every workaround story ends with Apple revoking the certificate, killing every installed app simultaneously, and losing the developer license. Don’t.

The mental model that matters: enterprise iOS distribution is a separate sales motion from consumer App Store. It requires sales contracts, MSAs, security questionnaires, MDM integration testing, and an account management function — none of which the App Store automates for you. Plan headcount accordingly.

Interview corner

Junior — “What’s Apple Business Manager?” Apple’s portal for organizations to manage Apple devices and apps in bulk. Includes Custom Apps (private B2B distribution), Volume Purchase (bulk consumer app licenses), and device enrollment.

Mid — “How do you ship a private app to just one customer?” Custom App via Apple Business Manager. Scope the app to the customer’s DUNS number; it appears only in their ABM portal; their MDM pushes to managed devices. 0% Apple commission.

Senior — “Design B2B distribution for a SaaS app needing to serve 100+ enterprise customers each with their own SSO, branding, and compliance requirements.” Single binary with Managed App Config (XML schema published with the app). Each customer’s MDM pushes their config — SSO provider URL, branding asset URLs, feature flags, compliance toggles. Per-customer Custom App not needed unless legal/contractual requirement forces it. Billing via Stripe per-seat, monthly invoiced in arrears. Customer success team owns the deployment relationship; engineering ships one app.

Red flag — “We’re using Apple Developer Enterprise Program to distribute to customers.” That’s a TOS violation. Apple will eventually revoke the cert and kill every installed instance.

Lab preview

The labs in this phase focus on consumer monetization (paywall, pricing automation). Enterprise distribution is contract + ops territory; the patterns here are immediately applicable in any team selling B2B.

Next: 11.9 — Ad Monetization & SKAdNetwork

The Swift iOS & macOS Engineer