Enterprise 2FA CI Setup #18113
Replies: 3 comments 1 reply
-
I am now running into the same issue (also can't use App Store Connect API since we have Enterprise Developer Accounts). Since there are no other options, I am just now testing out the 2FA via spaceauth and storing the session into FASTLANE_SESSION. Can you give me an idea of about how long you are seeing the sessions last before having to update the 2FA again? Doing some searching I have seen things mention anywhere from hours to 30 days, so not really sure what to expect. Thanks!
-
Do you know if the Because as you pointed out, not everything is supported by API key; another team member reported: "we use Spaceship::Portal, and the API key access is for the Spaceship::ConnectApi3"
-
I can get the 2FA code using an Apple Script as the pipeline agent is located on my macOS machine. However, I just don't know how to:
-
Due to the 2FA enforcement and absence of the App Store Connect API for Apple Developer Enterprise Program Accounts, we had to use the FASTLANE_SESSION as a workaround. Everything works fine for us, but it involved some learnings, so I wanted to share them here.
The following steps allow you to continue using your existing fastlane setup, but they will require periodic manual steps to update the session cookie.
Activate Two-Factor Authentication
Activate 2FA for the Apple ID that is connected to the Enterprise account and that you use for fastlane.
Creative workarounds for generating 2FA codes for a technical account
You might face the same situation as we did and might be wondering how to generate and distribute the 2FA codes for a technical Apple ID. If it is bound to one phone number of one person, this will be a bottleneck to create or refresh the session, or do any other tasks related to this account.
There are a couple of options to make the generation or distribution of the 2FA codes a bit easier, but you will need one phone number for the initial setup in all cases.
Add an additional verified phone number to the Apple ID
By adding an additional phone number to the Apple ID, you are not completely locked out when your primary phone number is not available at the moment you need a 2FA code. The documentation does not state if the codes are sent to all numbers, or if one has to go the account recovery route to switch between primary and secondary verified phone numbers, but it's better than nothing.
Use the technical account as Apple ID on a device
Once you are logged in on an Apple device with the 2FA enabled account, the device is "trusted", which means that it will receive requests for 2FA codes. By having trusted devices, the generation of 2FA codes is decoupled from the phone number. Additionally, it is possible to manually generate 2FA codes from this device through the Settings on iOS or System Preferences on macOS.
Create the session
FASTLANE_PASSWORD as well. Only setting the FASTLANE_SESSION will not work.
Refresh the session
Once the session times out, you will see build failures quoting "2FA can only be performed in interactive mode" or other account related errors. Now you need to repeat the steps 1–4 to create a new session and store it as secret again.
I know this is far from ideal, but sadly the App Store Connect API is not yet supported for Enterprise Accounts. Feel free to open a Feedback to request this from Apple. (When you do, you can also refer to mine: FB8989082)
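The two operational points from the post above (both variables must be set, and an expired session surfaces as the quoted 2FA error) can be checked by the CI job itself. The helpers below are an added example, not part of the original discussion or of fastlane; the function names and exit codes are hypothetical, while the variable names and the error text are taken from the post.

```shell
#!/bin/sh
# Added example: CI helpers around a FASTLANE_SESSION-based setup.
# Function names and exit codes are hypothetical (assumptions of this example).

# Message the post says appears in build failures once the session times out.
EXPIRED_MSG='2FA can only be performed in interactive mode'

# Return 0 only when both secrets are present; the post notes that setting
# FASTLANE_SESSION alone does not work. Only names are printed, never values,
# so the session cookie and password stay out of the build log.
check_fastlane_secrets() {
    missing=''
    for name in FASTLANE_SESSION FASTLANE_PASSWORD; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "missing CI secret(s):$missing" >&2
        return 1
    fi
    return 0
}

# Classify a captured build log (path in $1).
# Returns 2 when the session-expiry message is present, so the pipeline can
# raise a "manual session refresh needed" alert instead of a generic failure;
# returns 0 when the message is absent.
classify_build_log() {
    if grep -qF "$EXPIRED_MSG" "$1"; then
        echo "session expired: create a new session and update the stored secret" >&2
        return 2
    fi
    return 0
}
```

In a pipeline, call `check_fastlane_secrets` before the fastlane step and `classify_build_log` on its captured output after a failure.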