Can't Build an App for Distribution After Joining Existing Enterprise Developer Program

What happens to my Enterprise apps after my Enterprise developer account membership expires?

To expand upon Krunal's answers:

  1. What will happen to my currently running apps on user devices (remember apps are not distributed via App Store)?

Apps that are actually running (not just installed, but still actively running in memory) should continue to run. However, if the app is stopped and must be re-launched for any reason, it may or may not run for a short period after the developer account expires. When your developer account expires, your development and distribution certificates are invalidated. This means that if the device does check on the cert, they will be invalid and the app won't run. There is some caching that you should be aware of, but it won't allow the app to run very long after the account expiration:

Certificate Validation

The first time an application is opened on a device, the distribution certificate is validated by contacting Apple’s OCSP
server. Unless the certificate has been revoked, the app is allowed to
run. Inability to contact or get a response from the OCSP server is
not interpreted as a revocation. To verify the status, the device must
be able to reach ocsp.apple.com. See “Network Configuration
Requirements” (page 9).

The OCSP response is cached on the device for the period of time specified by the OCSP server—currently between 3 and 7 days. The
validity of the certificate will not be checked again until the device
has restarted and the cached response has expired. If a revocation is
received at that time, the app will be prevented from running.
Revoking a distribution certificate will invalidate all of the
applications you have distributed.

An app will not run if the distribution certificate has expired. Currently, distribution certificates are valid for one year. A few
weeks before your certificate expires, request a new distribution
certificate from the iOS DevCenter, use it to create new distribution
provisioning profiles, and then recompile and distribute the updated
apps to your users. See “Providing Updated Apps” (page 10).

So at best a cached OCSP response will get you a week of extra run time, if the user had launched the app right before the cert was invalidated. Regardless, very soon after, the apps will immediately quit when launched after iOS knows that the certificate was revoked.


  1. What will happen if the user does a fresh install of my app?

The app will not install. The app will download to the device, but when iOS goes to install the downloaded ipa, it will check the certificate, which is now revoked, and cancel the install.


  1. What will happen to my current account, will I be able to access the account?

Yes, you can log into the account. It will basically revert to a free developer account. With the free account, you can still build directly to devices, and they will be installed with a free developer provisioning profile that expires in 7 days (vs. 365 for a paid developer account). You also have no manual control over certificates and profiles. This means you cannot create distribution certificates and profiles.


  1. Will my Enterprise certificate expire immediately?

Yes, Apple will revoke your certificate and invalidate your profiles when the account expires. This means you will no longer be able to create new builds using the certificate / profile.


  1. Will my provisioning profile expire immediately?

Yes, the profiles will be invalidated.
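
The launch-time rules in the Apple text quoted in this answer, modelled as an added example (not part of the original answer and not Apple's code). The `Device` and `may_launch` names, the dates, and the fixed 7-day cache lifetime are assumptions made for illustration; it shows why revocation reaches a device with a delay rather than immediately.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class CachedOcsp:
    revoked: bool
    expires: datetime                 # end of the server-chosen 3 to 7 day window

@dataclass
class Device:                         # hypothetical model, not an iOS API
    cache: Optional[CachedOcsp] = None
    restarted: bool = False           # restarted since the last OCSP answer?

def may_launch(dev, now, not_after, ocsp_reply, ttl=timedelta(days=7)):
    """ocsp_reply is 'good', 'revoked', or None when ocsp.apple.com is unreachable."""
    if now >= not_after:
        return False                  # an expired certificate never runs
    # Checked on first launch, then only after a restart AND an expired cache.
    recheck = dev.cache is None or (dev.restarted and now >= dev.cache.expires)
    if recheck and ocsp_reply is not None:
        dev.cache = CachedOcsp(ocsp_reply == "revoked", now + ttl)
        dev.restarted = False
    # No reply is not read as a revocation: the last cached answer decides.
    return not (dev.cache is not None and dev.cache.revoked)

def timeline():
    """Constructed scenario: certificate revoked on day 1, launches on later days."""
    t0 = datetime(2024, 1, 1)
    not_after = t0 + timedelta(days=365)
    day = lambda n: t0 + timedelta(days=n)
    dev, out = Device(), {}
    out["day 0, first launch"] = may_launch(dev, day(0), not_after, "good")
    out["day 3, cached answer"] = may_launch(dev, day(3), not_after, "revoked")
    out["day 8, no restart yet"] = may_launch(dev, day(8), not_after, "revoked")
    dev.restarted = True
    out["day 8, restarted, OCSP unreachable"] = may_launch(dev, day(8), not_after, None)
    out["day 8, restarted, OCSP reachable"] = may_launch(dev, day(8), not_after, "revoked")
    out["day 9, revocation cached"] = may_launch(dev, day(9), not_after, "revoked")
    out["day 400, certificate expired"] = may_launch(Device(), day(400), not_after, "good")
    return out

if __name__ == "__main__":
    for step, allowed in timeline().items():
        print(f"{step:36} {'runs' if allowed else 'blocked'}")
```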

Problems with InHouse distribution

I found the solution.

Thanks to this post I found this Apple announcement and was able to fix the issue as described:

"Xcode unable to create distribution builds for App Store submissions or Enterprise apps.
This issue occurs when the expired WWDR Intermediate certificate is present in both the System keychain and Login keychain within the Keychain Access application. To resolve the issue, first download and install the renewed certificate. Next, in the Keychain Access application, select the System keychain. Select 'Show Expired Certificates' in the View menu and then delete the expired version of the Apple Worldwide Developer Relations Certificate Authority Intermediate certificate. Your certificates should now appear as valid in Keychain Access and be available to Xcode."

Apple: Enterprise Account, but deploy to App Store?

According to this Enterprise FAQ page on Apple, you can't distribute on the App Store using an Enterprise account. The firm will have to also get a "regular" iOS Developer account:

I am enrolled in the iOS Developer
Enterprise Program. Can I distribute
my applications on the App Store?

The ability to distribute applications
on the App Store is available to
developers who enroll in the iOS
Developer Program as an Individual or
a Company. The iOS Developer
Enterprise Program only allows you to
distribute your applications to
employees or members of your
organization through Ad Hoc
distribution. If your company is
enrolled in the Enterprise Program but
would also like to distribute your
application(s) to customers via the
App Store, you will need to enroll in
the iOS Developer Program as an
Individual or as a Company.

Ad-hoc distributed applications after membership expiration

Hope this would answer your question:

Regarding Provision profile:
- Ad hoc profiles last for a year.
- Development build profiles last for 3 months.
Thus, in your case, until your profile expires you would be able to distribute your app using it. If you have already prepared the build and shared it with a valid provisioning profile, then it should work until the profile expires. But once your certificate expires, you can't use it to prepare new builds and distribute them.

From the Apple Developer Support Center certificates section:

iOS Distribution Certificate (In-house, Internal Use Apps)
Users will no longer be able to run apps that have been signed with
this certificate. You must distribute a new version of your app that
is signed with a new certificate.

Here are the cases for App Store approved apps when the certificate expires.

Apple Push Notification Service Certificate

You can no longer send push notifications to your app.

iOS Distribution Certificate (App Store)

If your iOS Developer Program membership is valid, your existing apps on the App Store will not be affected. However, you will no longer be able to submit new apps or updates to the App Store.

iOS Distribution Certificate (In-house, Internal Use Apps)

Users will no longer be able to run apps that have been signed with this certificate. You must distribute a new version of your app that is signed with a new certificate.

If your membership expires, your apps will no longer be available for purchase and will not appear in search results on the App Store. However, if you renew your membership after it has expired, your apps will be available for purchase on the App Store within 24 hours. You do not need to resubmit your apps.

Expiring In-house Distribution provisioning profile and certificate

You can have two certificates active at the same time. So I would generate a new certificate using the same key you used to generate the original one. To do this on the Apple developer portal, you will need the cert signing request. Most developers don't save this when they generate their certificate the first time. The good news is, if you have the private key that was used for your distribution certificate, you can use that to generate the CSR. To find out if you have the private key, you can use this post for how to locate it in the Keychain app. https://stackoverflow.com/a/33651921/3708242

Once you have verified that you have the private key used for the certificate for the app store distribution, you can generate a CSR using the following procedure: https://stackoverflow.com/a/7111454/3708242

Once you have the CSR, go to Apple's developer portal and generate a new distribution certificate for "In-House and Ad Hoc" distribution. As long as you only have one out there, you should be able to create a second without having to revoke the existing one. Once you've done that, you will likely need to provide that certificate to the MaaS360 service (I'm not familiar with how that works, but somehow the MaaS360 server must have the private key and certificate that the apps were built with, as it is clearly checking that when you push the build of your app and the certs don't match). So download the new cert and provide that to MaaS360.

Then, generate a new distribution profile using the new certificate. Or you can update the existing one to use the new cert by clicking the edit button on the provisioning profile, then changing the radio button to the new cert which should expire several years out. Note that this won't prevent any existing apps built using the profile from running in the meantime (revoking the certificate, however, would immediately cause the apps to stop working, which you don't want). Save and download the new profile, and use it to rebuild the app.

The app will then be built with the new certificate, that won't expire any time soon. I do think you are missing the part of the process where you will have to provide the new cert to MaaS360. I can't really help you with that part, but hopefully there is some documentation from IBM that can help you out there. But, you will need to fix it, because once the cert expires, none of the apps built with it will work. Good luck and let me know if any of this is not clear enough.
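
An added example (not part of the answer above) of a check that flags an in-house build before its profile or signing certificate lapses: it reads the expiry dates out of a `.mobileprovision` file, which is an XML plist inside a CMS envelope. The function names, the 21-day warning threshold and the sample profile are assumptions made for illustration, and the envelope's signature is not verified.

```python
import plistlib, sys
from datetime import datetime, timezone

def tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def cert_not_after(der):
    """notAfter (naive UTC) of an X.509 certificate, by walking tbsCertificate."""
    _, pos, _ = tlv(der, 0)                 # Certificate
    _, pos, _ = tlv(der, pos)               # tbsCertificate
    tag, _, end = tlv(der, pos)             # [0] version, or serialNumber in v1
    if tag == 0xA0:
        _, _, end = tlv(der, end)           # serialNumber
    for _ in range(2):                      # signature algorithm, issuer
        _, _, end = tlv(der, end)
    _, pos, _ = tlv(der, end)               # validity
    _, _, end = tlv(der, pos)               # notBefore
    tag, start, end = tlv(der, end)         # notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt)

def profile_report(raw, now, warn_days=21):
    """Expiry summary for .mobileprovision bytes. The CMS signature is NOT verified."""
    stop = raw.index(b"</plist>") + len(b"</plist>")
    plist = plistlib.loads(raw[raw.index(b"<?xml"):stop])
    dates = {"profile": plist["ExpirationDate"]}
    for i, der in enumerate(plist.get("DeveloperCertificates", [])):
        dates[f"certificate[{i}]"] = cert_not_after(der)
    first = min(dates, key=dates.get)       # whichever expires soonest
    days_left = (dates[first] - now).days
    status = "EXPIRED" if days_left < 0 else "RENEW" if days_left <= warn_days else "OK"
    return {"name": plist.get("Name"), "in_house": plist.get("ProvisionsAllDevices", False),
            "expires_first": first, "days_left": days_left, "status": status}

# Constructed sample: placeholder bytes around a plist, no embedded certificates.
SAMPLE = b"\x30\x80" + plistlib.dumps({
    "Name": "Example In-House", "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2025, 6, 1), "DeveloperCertificates": []}) + b"\x00\x00"

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(profile_report(raw, datetime.now(timezone.utc).replace(tzinfo=None)))
```

Run it with the path to the `embedded.mobileprovision` extracted from an .ipa, or with no argument to see the constructed sample.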


