What is Apple's policy about sharing certs? To what risks does doing so expose the account holder?
The only alternative to providing an SBA is for the vendor or developer to provide the source of the project, Xcode or Android Studio usually, and to have Emory build the app. This
not an ideal solution because automation (build scripts) and environmental (Xcode version, library versions) dependencies. It is useful for when the vendor or developer can't produce the signed binary archive because they lack the knowledge or are otherwise unwilling to do so.
This The policy was put in place nearly 10 years ago and reflected in part the practical limitations of both stores ability to create a user that was limited to actions for a particular app or apps. In the present this is not the case: both app stores allow creating of users that are limited to a single app or set of apps.
Another limitation that has been lifted was the ability to restrict a user from performing the distribution/publishing task because Emory wants to have full control over this and not delegate this task.
This policy worked well for many years and did not need to be changed. It did so This is because many of the developers were Emory employees and were bound to comply with the policy. The few that weren't were willing to comply without question. The 3rd parties were in the minority and 3rd party developed apps did not seem to mind complying with the policy. Now however, many more of the apps in the Emory stores are developed by 3rd parties. Many of those are unable or unwilling to provide a signed binary archive and are requesting access to the stores, specifically, the permission to distribute the app. The requests were denied based on concerns about protecting Emory's brand.
This started with the "Theater Emory" app, a, Emory branded version of a generic app by a vendor who claimed they could only distribute the app by uploading it to the store. Furthermore, they wanted to update the app dozens of times a week. The request was denied and the theater department dropped the vendor and did not replace it.
Then, the Yomingo vendor would not provide the SBA and demanded that they should control the distribution and be able to "pull the app from the store" for reasons (such as non-payment) that are normally resolved contractually, not by relinquishing control over distribution. We nearly convinced them to change their minds but in the end the app owner dropped them and is in search of a new vendor.
Another class of vendor that is quite popular now but nearly non-existent only a few years back is the DIY vendor. This is exemplified by the case of the CBCT department who wanted to use Good Barber, a DIY vendor, to build their simple app that played MP3s of guided meditation. In this case, Good Barber's policy conflicted with Emory's. Just like Yomingo, Good Barber wanted to be the one who controlled distribution/publishing.
The EHC Patient Portal app, HealtheLife by Cerner will be the first app in which we allow a 3rd party to publish the app. Several vendors have asked for this permission in the past yet none had the clout to demand it like Cerner and were denied based on concerns about protecting Emory's brand. The The Cerner app now sets a precedent whereby we can be legitimately challenged by a 3rd party who wishes to have the same access as Cerner.