Create an Apple Certificate, Identifiers and Provisioning Profiles to use for Citrix XenMobile Application Wrapping

A while ago, Apple has determined no longer to allow wildcard Application ID’s for new Apple Developer Accounts. This means that you need to create an Apple ID for every application you wanted to wrap for use with Citrix XenMobile. In the meanwhile, Citrix updated there MDX Toolkit so that you can change the App ID during wrapping. In this step-by-step blog I will explain how to create the provisioning profiles that are needed for iOS Application Wrapping in three easy steps.

Step 1 : Create an Apple Certificate

The first step is the create an Apple Certificate, follow these steps to create one. 

Apple Developer Account Setup 001-c

Browse to and login with your Apple Developers Account. Click on Certificates, Identifiers & Profiles

Apple Developer Account Setup 002

On the left side under iOS Apps, click on Certificates

Apple Developer Account Setup 003

Click on the + (plus sign) at the right-hand corner

Apple Developer Account Setup 004

Select In-House and Ad Hoc. Scroll down and click Continue

Apple Developer Account Setup 005

Open the Keychain Access program (we come back here later)

Apple Developer Account Setup 006

Select the following menu item: Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority

Apple Developer Account Setup 007

Fill in the User Email Address and the Common Name. Select Saved to disk and click Continue

Apple Developer Account Setup 008

Select a folder you want to save the request file to and click Done

Apple Developer Account Setup 009

Click Continue

Apple Developer Account Setup 010

Click Choose File, browse to the saved request file and click Generate

Apple Developer Account Setup 011-a

Download the certificate and click Done

Apple Developer Account Setup 012

The certificate is now created

Apple Developer Account Setup 013

Go back to the Keychain Access program and select the following menu item: File > Import Items

Apple Developer Account Setup 014

Select the saved Certificate to import. After import, make sure the Private Key is linked to the certificate

Step 2 : Creating Identifiers (App IDs)

In this part of the blog I will show you how to create unique App IDs for every App. This is with one exception, and that is WorxMail. Citrix WorxMail need some additional steps that will be covered in this Citrix Blog :

Apple Developer Account Setup 015

Open the App IDs page under Identifiers and click on the + (plus sign) at the right-hand corner

Apple Developer Account Setup 016

Enter an application name, for this example I use WorxWeb

Apple Developer Account Setup 017

Scroll down and select Explicit App ID. Fill in a unique Bundle ID, best practice is to use your external domain name backwards + app name, for example com.robinhobo.worxweb

Apple Developer Account Setup 018

Scroll down, leave everything default and click on Continue

Apple Developer Account Setup 019

Click Submit

Apple Developer Account Setup 020

Click Done

Repeat these steps for every application you want to wrap.

Step 3 : Creating Distribution Provisioning Profiles

The last step is to create Provisioning Profiles. These profiles are needed when wrapping an application with the Citrix MDX Toolkit and needs to be downloaded to the Apple Macintosh device.

Apple Developer Account Setup 021

On the left side under Provisioning Profilesclick on Distribution. Click on the + (plus sign) at the right-hand corner.

Apple Developer Account Setup 022

Select In House and click Continue

Apple Developer Account Setup 023

Select an App ID created in step 2 (in this example I select the WorxWeb App ID). Click Continue

Apple Developer Account Setup 024

Select the iOS Distribution certificate created in step 1 and click Continue

Apple Developer Account Setup 025

Fill in a Profile Name and click Generate

Apple Developer Account Setup 026

Download the certificate and click Done or Add Another. Repeat these steps for every unique App ID. After this, you are ready to start wrapping the applications.



  • Currently we are using wild card id for all our apps. If we change to unique id, does my users have to re-download/install the app again?

  • If we have a wild card id can we continue to use it and just renew our provisioning profile when they near expiration? Also can we renew our provisioning profile with a more recent certificate and still have apps with the old profile continue to work?

About Robin Hobo

I am a Technology Specialist working for Microsoft with focus on the Modern Workplace. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.

For more information, see the About Me page or my LinkedIn profile.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.