Can I sign Mac OS X applications with a Developer ID Cert. using an Enterprise Account?

Hey!


I hope I'm in the right place! So here's the situation: My company and I are working on a Mac OS X application that we'd like to distribute internally outside of the Mac App Store, but we don't want to have to provision every device or have them install a certificate in order to install it.


I'm the owner of this application, and right now I'm just using my own personal developer account to generate a Developer ID Certificate to sign the application for beta testing before we renew the developer account for the office. If we enroll in the Enterprise program as opposed to the normal organization account, will I still be able to generate a Developer ID Cert. for distribution internally without having to provision every Mac in the studio?


At this time, we have no plans to release any apps to the App Store, which as I understand it is not available to Enterprise accounts. We are also working on an internal iOS application that we would like to distribute to all devices in the studio, but would rather not have to provision every device and manage them all. I've done a ton of Googling but still can't seem to get a clear answer, and a lot of the Apple dev docs have some ambiguous wording. We're ready to pull the trigger, I just want to make sure that the Enterprise account is the right membership for us.


Thanks!


Update:


In addition to the correct answer below, this Distributing Apple Developer Enterprise Program Apps article in Apple's Docs has a note that says:


"Note: Members of the Apple Developer Enterprise Program can also create Developer ID certificates to distribute Mac apps, described in Distributing Apps Outside the Mac App Store."

So it would appear that the Enterprise program can in fact issue Developer ID certs, and since this article links to the general distribution doc, one could assume that the certs are functionally the same.

iOS apps built using an Enterprise account can be distributed without having to provision every device and manage them. If you don't want to use an MDM environment, you can host the app on your own web server and users can install it from there. In that case, it is up to you to provide the appropriate security so that only your people can install it. Keep in mind that the app will have to be recompiled, and each device will have to install the updated app, at least once a year because Enterprise distribution profiles are only good for one year. You used to be able to just install a new distribution profile (by emailing the .mobileprovision file to everyone or putting it on your web page), but I think you can only install "stand-alone" profiles like that via MDM now.


I don't have any experience with OS X apps.

Thanks for the reply, it's very informative! We do plan on doing some internal iOS apps in the future too so I will keep this in mind. Does anyone else have information on OS X specifically?

Developer ID signing assets are available as part of the Apple Developer Program, which is separate from the enterprise program. [Edit: I was unaware of this earlier, but Developer ID is also available through the Enterprise program.] Remember though, Mac apps do not need to be provisioned like iOS apps do. You can run an unsigned, unprovisioned app on any Mac if you transfer it locally. If you transfer it over the Internet (possibly even over a LAN—I'm not sure), the app will automatically be quarantined and require a Developer ID signature to get past the Gatekeeper feature.


In summary, if you're just creating a Mac app for local use only, you shouldn't need to enroll in any programs. Just write the app and share it locally. If sharing it over the LAN does give you trouble, just right-click the bundle and choose "Open…" to override the Gatekeeper warning.

We are distributing the app through a (protected) server on Heroku so that employees can download at their own will. The app client also contacts this server to check for updates using Squirrel.Mac. So the app will need to be signed in order for our computers' Gatekeeper to allow it to be installed as well as update over the air.


So if I'm understanding you correctly, you're saying that with the Enterprise account, I cannot generate a Developer ID certificate to sign applications with?
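The Gatekeeper requirement discussed in this thread can be checked before a build is uploaded to the download server. The following is an added example, not part of any post in the thread: a shell function that reads the output of `spctl --assess --type execute -vv` and fails unless the app is accepted under Developer ID by the expected team. The app name, company, team ID and sample outputs are constructed.

```shell
#!/bin/sh
# Added example: gate a release on Gatekeeper's own verdict.
# On a Mac, feed it real output:
#   spctl --assess --type execute -vv MyApp.app 2>&1 | check_assessment TEAMID

# Constructed sample outputs (app name, company and team ID are made up).
SAMPLE_OK='MyApp.app: accepted
source=Developer ID
origin=Developer ID Application: Example Studio (ABCDE12345)'
SAMPLE_UNSIGNED='MyApp.app: rejected
source=no usable signature'

# Reads spctl output on stdin. Returns 0 = accepted, Developer ID, right team;
# 1 = not accepted; 2 = accepted but not via Developer ID; 3 = wrong team.
check_assessment() {
    expected_team="$1"
    verdict="" src="" origin=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            source=*) src="${line#source=}" ;;
            origin=*) origin="${line#origin=}" ;;
            *": accepted") verdict="accepted" ;;
            *": rejected") verdict="rejected" ;;
        esac
    done
    if [ "$verdict" != "accepted" ]; then
        echo "FAIL: verdict=${verdict:-none} source=${src:-none}"; return 1
    fi
    case "$src" in
        *"Developer ID"*) ;;   # substring match on the source line
        *) echo "FAIL: accepted, but source is '$src'"; return 2 ;;
    esac
    # The team ID is the parenthesised suffix of the origin line.
    team="${origin##*\(}"; team="${team%\)}"
    if [ -z "$team" ] || [ "$team" != "$expected_team" ]; then
        echo "FAIL: signed by team '$team', expected '$expected_team'"; return 3
    fi
    echo "OK: $origin"
}

# Demo on the constructed samples (|| true keeps the demo from aborting).
printf '%s\n' "$SAMPLE_OK" | check_assessment ABCDE12345 || true
printf '%s\n' "$SAMPLE_UNSIGNED" | check_assessment ABCDE12345 || true
```

Pinning the team ID matters because any valid Developer ID signature satisfies Gatekeeper, so acceptance alone does not show the build was signed with your organization's certificate.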

Accepted Answer

I just looked at https://developer.apple.com/programs/enterprise/. The enterprise program does come with Developer ID signing credentials. You do not need the regular program. I don't know, however, if the Enterprise DevID has the same level of flexibility as the regular one does. I would expect it to be the same between programs, but I'm not 100% sure.

This Distributing Apple Developer Enterprise Program Apps article in Apple's Docs has a note that says:


"Note: Members of the Apple Developer Enterprise Program can also create Developer ID certificates to distribute Mac apps, described in Distributing Apps Outside the Mac App Store."


So it would appear that the Enterprise program can in fact issue Developer ID certs, and since this article links to the general distribution doc, one could assume that the certs are functionally the same.

Your reasoning makes sense. You know how to use Developer ID, right?

I do—I've been using my personal developer account to generate the certs for the beta.


I've also come across this thread which has made things even more confusing. So wait, there are two versions of Enterprise? Can you provide some clarity on this?


Edit: I think I understand. There are two programs available to organizations, not two enterprise programs. The two programs are the Apple Developer Program and the Apple Developer Enterprise Program. An individual can only enroll in the Developer program, but not the Enterprise program; organizations can also enroll in the Developer program, but also have the option of enrolling in the Enterprise program instead. Is this correct?

Well, if an individual has a DUNS, they can enroll in the Enterprise Account Program, but the general assumption is that a company with employees is the usual enrollee in that example.


As well, a company/LLC can also enroll in the Individual Account Program.


The difference is whether the end users are employees (Enterprise), or end users obtaining apps via the App Store (Individual).


You can compare memberships here: https://developer.apple.com/support/compare-memberships/
