How to manage Enterprise Distribution certificate expiration?


This is an issue that we have been dealing with for the last 2 years. The in-house applications do stop working after 1 year. It is a massive exercise for an organization like ours to rebuild hundreds of apps and redeploy them on thousands of devices every year.

For us it is a month-long exercise where we rebuild all our apps and inform all users to get new ones through the distribution channel. Still, every year some users are left with non-functional apps.

I have filed an enhancement request with Apple (Bug ID# 9848075) for this and am still waiting for a reply.

EDIT: The above-mentioned bug is closed now. Here's the official response:

Distribution certs for enterprise are now 3 years in duration.


The "missing" link is now http://help.apple.com/iosdeployment-apps/?lang=en#app43ad74a3

A few weeks before your certificate expires, request a new distribution certificate from the iOS Dev Center, use it to create new distribution provisioning profiles, and then recompile and distribute the updated apps to your users.

The document also describes how to update apps. There are frameworks that integrate the update mechanism easily into your app, e.g. "Hockey", https://github.com/therealkerni/HockeyKit

Quoting the full article:

Certificate validation

The first time a user opens an app, the distribution certificate is validated by contacting Apple’s OCSP server. Unless the certificate has been revoked, the app is allowed to run. Inability to contact or get a response from the OCSP server isn’t interpreted as a revocation. To verify the status, the device must be able to reach ocsp.apple.com. See Network configuration requirements.

The OCSP response is cached on the device for the period of time specified by the OCSP server—currently, between 3 and 7 days. The validity of the certificate isn’t checked again until the device has restarted and the cached response has expired. If a revocation is received at that time, the app is prevented from running. Revoking a distribution certificate invalidates all of the apps you’ve distributed.

An app won’t run if the distribution certificate has expired. Currently, distribution certificates are valid for one year. A few weeks before your certificate expires, request a new distribution certificate from the iOS Dev Center, use it to create new distribution provisioning profiles, and then recompile and distribute the updated apps to your users. See Providing updated apps.


Apple revised the documentation...

An app won’t run if its distribution certificate has expired. Currently, distribution certificates are valid for one year, and you can have two certificates active at the same time. The second certificate is intended to provide an overlapping period during which you can update your apps before the first certificate expires.

For example, six months before your distribution certificate expires, create a new certificate and use it to update your apps for the next year. To do this, you request a new distribution certificate from the iOS Dev Center (do not revoke your first certificate), use it to create new distribution provisioning profiles for each of your apps, and then you recompile and distribute the updated apps to your users. See Providing updated apps.
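
The overlap schedule described in the revised documentation, as an added example that is not part of the original answers or Apple's tooling: a small planner that decides when to request the second certificate and which apps must be rebuilt before their signing certificate expires. The function name `plan_renewal`, the certificate labels, bundle ids and dates are hypothetical; the 182-day lead time is taken from the quoted "six months before" example.

```python
from datetime import date, timedelta

# Lead time taken from the quoted guidance ("six months before ... expires").
RENEW_LEAD = timedelta(days=182)

def plan_renewal(certs, apps, today, lead=RENEW_LEAD):
    """certs: {label: expiry date}; apps: {bundle_id: label of signing cert}.
    Returns (request_new_cert, actions); actions maps bundle_id to a status."""
    valid = {c: exp for c, exp in certs.items() if exp >= today}
    # A certificate is "fresh" while it is still outside the renewal window.
    fresh = {c: exp for c, exp in valid.items() if exp - today > lead}
    # Two certificates may be active at once, so request the second one as soon
    # as no fresh one exists. The first stays unrevoked so its apps keep running.
    request_new_cert = not fresh
    actions = {}
    for bundle_id, cert in sorted(apps.items()):
        exp = certs[cert]
        if exp < today:
            actions[bundle_id] = "EXPIRED: app no longer launches, rebuild now"
        elif cert in fresh:
            actions[bundle_id] = "ok"
        elif fresh:
            target = max(fresh, key=fresh.get)  # longest-lived fresh certificate
            actions[bundle_id] = f"rebuild with {target} before {exp.isoformat()}"
        else:
            actions[bundle_id] = f"blocked until a new certificate exists (deadline {exp.isoformat()})"
    return request_new_cert, actions

if __name__ == "__main__":
    # Constructed inventory: labels, bundle ids and dates are made up.
    certs = {"dist-2022": date(2023, 3, 1),
             "dist-2023": date(2024, 3, 1),
             "dist-2024": date(2025, 2, 1)}
    apps = {"com.example.hr": "dist-2023",
            "com.example.crm": "dist-2024",
            "com.example.old": "dist-2022"}
    need, actions = plan_renewal(certs, apps, today=date(2024, 1, 15))
    print("request new certificate:", need)
    for app, action in actions.items():
        print(app, "->", action)
```
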