Managing Your Team
If you have a company membership in an Apple Developer Program, you can add people to your team and assign them roles, thereby granting them levels of access to team assets. Team members have roles and privileges that pertain to the development process. These roles define who is allowed to sign apps, who is allowed to create signing certificates, and so on. After adding team members, you may be responsible for performing other tasks on their behalf. For example, you approve signing certificates and create provisioning profiles for team members. If you’re an individual, you’re the team agent for your one-person team and don’t perform any of the tasks described in this chapter.
About Apple Developer Program Team Roles and Privileges
A person’s role on the team defines the level of access that person has to the team’s assets and types of tasks he or she can perform using developer tools. This privilege level extends to the kinds of tasks that a developer is allowed to perform on behalf of the team. For example, only certain members of the team are allowed to submit apps to the store. By giving you control over team roles, Apple makes it easier for you to maintain good security practices for the team.
If your team belongs to multiple developer programs, you can set different team roles for each program. You can also choose not to give someone access to a program.
Table 10-1 lists the roles a person can play and describes each. Each level of access includes all the capabilities of the levels below it.
A team agent is legally responsible for the team and acts as the primary contact with Apple. The team agent can invite team members and change the access level of any other team member. There’s only one team agent.
A team admin can set the privilege levels of other team members, except the team agent. Team admins manage all assets used to sign your apps, either during development or when your team is ready to distribute an app. Team admins are the only people on a team who can sign apps for distribution on nondevelopment devices. Team admins also approve signing certificate requests made by team members.
A team member can gain access to prerelease content delivered by Apple in Member Center. A team member can also sign apps during development, but only after he or she makes a request for a development signing certificate and has that request approved by a team admin.
Each team role defines a set of privileges or tasks that a person can perform. Table 10-2 lists the specific privileges granted to members of the team. The privileges are listed in chronological order to help guide you through the process. Refer to Table 11-1 for the types of certificates that each team member can revoke.
Have legal responsibility for the team
Be the primary contact with Apple
View prerelease Apple content
Enroll in additional developer programs and renew them
Invite team admins and team members
Request development certificates
Approve team member requests for development certificates
Request distribution certificates
For Mac apps, request Developer ID certificates
Add devices for development and testing
Create App IDs and enable certain technologies and services
Create development and distribution provisioning profiles
Create SSL certificates for Apple Push Notification service
Download development provisioning profiles
Submit apps to the App Store or Mac App Store
To start, one person must enroll in either the iOS or the Mac Developer Program; this person becomes the team agent for the team. The team agent may enroll in both programs if your team intends to develop apps for both operating systems. During this step, the team agent signs the legal agreements required to become an Apple developer and enters financial information so that the team can be paid for purchases of their app from the store.
The team agent has an unrestricted role; he or she has unrestricted access to the team and is legally responsible for the team. Initially, the team agent also performs most of the tasks to organize the team. After others have joined the team, the team agent may decide to delegate some of this authority to other members of the team, allowing those others to perform these tasks instead.
The team agent might need to sign updated or new licensing agreements, particularly when the team wants to incorporate specific technologies into an app. For example, an app that uses the iAd service requires that the team agent sign a separate agreement.
Inviting Team Members and Assigning Roles
If you enroll as a company, you’re the de facto team agent who has permission to add other developers, called team members, to your account. In general, team members have read access to view and download information managed by Member Center—but they don’t have write access. However, you can assign an admin role to a team member, which allows that person to have some of the privileges of a team agent—for example, a team admin can create signing certificates and provisioning profiles but can’t sign agreements. Assigning roles helps team agents delegate some of their responsibilities.
Inviting Team Members
When you invite people to join your team, you enter information about them and set their role on the team.
In Member Center, click People at the top of the webpage.
If necessary, click Invitations in the sidebar.
Click Invite Person.
Enter the first name, last name, and email address of the person you want to invite.
Specify the person’s access and role for each program.
Click Send Invitation.
The person you specified receives an email invitation, which he or she must verify by clicking the invitation code in it. If the person doesn’t have an Apple ID, he or she is asked to create one before accepting the invitation.
Changing Team Roles
After the team member accepts the invitation, the team agent receives a confirmation email and the team member has access to Member Center. Later, the team agent can change the role of a team member.
In Member Center, click People at the top of the webpage.
Click All People in the sidebar.
Click Details in the last column in the row of the person whose role you want to change.
Specify the person’s access and role for each program, and click Save.
Approving Development Certificates
If you’re a team admin for a company, it’s your responsibility to approve team member requests for development certificates. Team members need a development certificate to sign apps, to use the team provisioning profile, or to be added to other provisioning profiles. Team admins are notified via email when a team member requests a development certificate. The email contains a link to Member Center to approve the request.
To learn how to request development certificates using Xcode, read “Requesting Signing Identities.” Team admins also use Xcode to request their own signing certificates, which are automatically approved.
In Certificates, Identifiers & Profiles, select Certificates.
Under Certificates, select Pending.
Select the certificate.
In the dialog, click Approve again.
If you use the team provisioning profile, regenerate it after approving the certificate. Xcode regenerates the team provisioning profile whenever a team member refreshes provisioning profiles in Xcode, as described in “Refreshing Provisioning Profiles in Xcode.” Afterward, all other team members should refresh their provisioning profiles to download the latest team provisioning profile.
Registering Team Member Devices
Before a team member can launch an app on his or her device, the device needs to be registered and added to the team provisioning profile. Xcode automatically registers team agent and admin devices when needed, as described in “Launching Your App on Devices.” However, a team agent or admin must register team member devices on their behalf.
The team member sends the device name and device ID to their team admin. In Xcode, a team member can select the device in the Devices organizer to display the device ID, as described in “Locating Device IDs Using Xcode.” If you’re a Mac developer, you can also get the device ID using the System Information app, as described in “Locating Mac Device IDs Using System Preferences.”
In Member Center, the team admin may register one device, as described in “Registering Individual Devices,” or multiple devices, as described in “Registering Multiple Devices.”
Transferring the Team Agent Role
Because the team agent has sole legal responsibility for the team, another team member can’t demote the team agent, nor can the team agent’s privileges be restricted. However, the team agent can transfer their role to another team member using Member Center.
In Member Center, sign in as the team agent and click Your Account at the top of the webpage.
In the Developer Account Summary section, click Transfer Agent Role next to your name.
Follow the instructions that appear in a series of dialogs.
For example, you will be asked to choose a new team agent and sign an Agent Transferor Agreement.
In this chapter, you learned how to perform some tasks on behalf of team members who don’t have privileges to create development certificates or register their devices.