Every iOS Enterprise Provisioning Profiles expires after 1 year, correct? After they expire and you renew them, do you need to re-install the new Provisioning Profile to all the devices, or do the devices get renewed automatically from Apple's certificate server?
So, in other words, after you distribute an Enterprise app, do you need to update all the devices every year or can you simply renew the certificate on the Developer Portal or via Xcode?
BigDave's answer and my answer here(as Thilo posted) actually cover all grounds in your question. I would just add two new things if you consider re-signing and distributing all your apps again, a big hassle.
You don't need the code of your app to re-sign with new certificate. You can do it through the terminal(and probably create a shell script if you have large number of apps). Check this thread.
If you have large number of apps distributed in your enterprise, consider deploying a MDM server. That way you can re-sign/Update your apps and push them wirelessly on registered devices with minimal user interaction.
EDIT: In regards to expiring provisioning profiles, the documentation states:
If the expired provisioning profile is installed on your device, remove it, as described in Verifying and Removing Provisioning Profiles on Devices. If the provisioning profile is an ad hoc provisioning profile, re-sign and distribute your app using the regenerated provisioning profile, as described in Exporting Your App for Testing (iOS, tvOS, watchOS).
From the apple site:
An app won’t run if its distribution certificate has expired. Currently, distribution certificates are valid for one year, and you can have two certificates active at the same time. The second certificate is intended to provide an overlapping period during which you can update your apps before the first certificate expires.
So updating an app once a year is actually the best case. If the app is signed with a distribution certificate with only 6 months left then it will need to be updated after 6 months.
