How to protect an iOS enterprise distribution kit with oauth on a public website?

We have a corporate distribution of the application that we would like to distribute only within our organization.

We created an ipa and plist file that points to the right places, and created an html page with url: itms-services: //? action = download & url = {link to our plist}.

However, our problem is to ensure the distribution process. We want our employees with iPads-owned companies to be able to download the app while on the move (they are very mobile). Therefore, we want to place the plist and application on a public website that requires login through the oauth service.

Our problem is that if we need authentication at the URLs for the application and plist, then itms-services: // url no longer works. What happens is that the user clicks the itms-services link, and we see an unauthorized request for plist (which is redirected to the system login), and then "Unable to connect to {hostname}" on the device.

At the moment, the only way to see that this works is if ipa and plist files are not checked for authentication. This means (I believe) that someone guessing our URLs in our plist file can create their own link to itms-services and download the application without permission and actually make us violate our agreement with Apple only for distribution among our employees.

So my question is: how can I create a link to itms-services that will not publish ipa and plist files? If that matters, the website is created using nodejs and the application is the PhoneGap application.