iOS App Management

This document explains the steps involved in managing iOS apps. Ensure these ports and domains are whitelisted for managing iOS apps.

Managing App Store apps for iOS devices

A wide range of apps is available in the App Store. Some of these apps are free, whereas others are paid. To add an App Store app, you need to know whether the app is free or paid. A free app can be added directly to the App Repository using the app name. To add apps to the repository, refer to these steps.

Any enterprise app added to the App Repository and associated with devices is automatically trusted and does not require the user to manually trust the app(s) on the device.

App Management and Distribution

You can manage and distribute apps to iOS devices running iOS 9.0 or later versions by using VPP Redemption codes or Managed Distribution. When you use a VPP redemption code for distribution, you cannot revoke the redemption code if the user has installed the app. In Managed Distribution, however, you can revoke the license from the user at any point of time and map it to a different user. So, when the organization purchases an app, it can revoke the license and re-assign it to different users. When the license is revoked, the user can use the app for the next 30 days, after which the app is listed as a paid app.

This is supported for Mobile Device Manager from Build #91071. If you're using MDM within Desktop Central, this is supported from Build #91051.

VPP Redemption Codes

Redemption codes purchased using VPP can be mapped to users. Redemption codes can be uploaded in .xls, .xlsx, .xlsm, .xltx, .xltm, .xlsb and .xlam format. Redemption codes that are mapped to users cannot be revoked. If the app is installed on an employee-owned device, the license is mapped to the device and cannot be re-used by the organization.

To migrate the unused VPP Redemption codes to Managed Distribution, refer to this

VPP Managed Distribution

Using Managed Distribution instead of VPP redemption codes lets administrators revoke the apps distributed to users at any point of time. This is done by registering the corporate Apple ID to generate an sToken. This sToken should be uploaded to the Mobile Device Manager Plus server. Whenever an app is purchased using the corporate Apple ID, the license details are synced with the Mobile Device Manager Plus server. You can also manually sync the license details by clicking the "Sync License" button under the specific app details view.

Ensure the Apple account used for VPP is not associated with any other device.


Administrators can distribute these apps and revoke them at any point of time, unlike VPP redemption codes.

Purchasing apps through Managed Distribution (VPP)

You can purchase licenses for both free and paid apps in bulk through VPP and distribute them to the devices. The number of licenses corresponds to the number of devices to which the app is to be distributed. For example, if you want to distribute the ME MDM app to 300 devices, you must purchase 300 app licenses. Apps can be purchased through Managed Distribution as explained below.

Login to Apple VPP Portal

Ensure you use a unique corporate Apple account for VPP and also do not associate this account with any other iOS device.
  1. Login to Apple VPP Portal
  2. Go to Business Store
  3. Sign in using your corporate ID

Purchase app licenses

With VPP, you can purchase licenses for both free and paid apps for distribution to devices. Select the required app, specify the number of licenses and then purchase the app. Once VPP is set up, MDM syncs with VPP every day to automatically add any new purchases to MDM. You can also click the Sync Apps button in App Repository -> iOS VPP Distribution to manually sync the apps with MDM. You can use Managed Distribution to revoke apps from users and map them to different users. So, when the organization purchases an app, it can revoke the license and re-assign it to different users. When the license is revoked, the user can use the app for 30 days, after which the app is listed as a paid app.

Download sToken

Upload sToken in MDM Web Console

Follow the steps mentioned below to upload the sToken in the Mobile Device Manager Plus server:

You have successfully created/renewed the sToken in the Mobile Device Manager Plus server. You can now distribute apps to the managed devices, assign license and revoke it as per your need.

When uploading sToken, there are two options for App Installation Type:

Prompts for Apple ID

If the option 'Prompts for Apple ID' is selected while uploading the sToken and an app purchased using Managed Distribution is distributed to the device, the user has to accept a one-time invitation. On accepting the invitation, users are registered for Managed Distribution.

Retiring a user from Managed Distribution does not remove the device from mobile device management. All the licenses distributed to the user are revoked. If a paid app purchased using Managed Distribution is then distributed to the user, an invitation is resent to re-register the user for Managed Distribution.

Without Apple ID

This option lets you install apps silently (in Supervised devices) or install apps without an Apple ID (in non-supervised devices). This can be useful in the following cases:

Silent app installation in iOS devices

Apps purchased via VPP can be installed silently in the managed iOS devices if the devices are Supervised and running iOS 9.0 or later versions. Silent installation of apps is especially useful when you want to have zero user intervention for installing apps in devices. Silent installation also helps in bulk installation of apps.

Installing apps without user intervention

Apps purchased via VPP can be installed in managed iOS devices running iOS 9.0 or later versions, without requiring an Apple ID. This is useful in case of distributing apps to corporate-owned devices, without associating an Apple ID to the devices.

Distributing ME MDM app silently to managed devices

ME MDM app must be installed in the managed iOS devices to locate the device as well as know whether the device is jail-broken or not. Using VPP, ME MDM app can be purchased, distributed to devices and installed silently in Supervised devices or without requiring an Apple ID in unsupervised devices.

Click here to know more about installing apps without Apple ID.

Migrate licenses of apps requiring Apple ID for installation

When licenses of apps require an Apple ID for installation, they are known as user-associated app licenses, as the license gets associated with the Apple ID of the user. This scenario is not ideal in organizations where the devices are corporate-owned. Instead, the licenses of apps should be associated with the devices; these are known as device-associated app licenses. Click here to know how to migrate the app licenses.

Migration of App Store apps to VPP apps

Using MDM, you can migrate the App Store apps added in the App Repository to VPP apps. This includes migration of apps which have already been distributed to the devices. After the apps are purchased, the apps distributed to devices are converted to VPP apps once syncing is complete. You can know more about migration of App Store apps to VPP apps here.

Updating iOS Apps

It is also important for the IT administrator to ensure that the distributed apps stay up to date, with all critical updates installed on time. When apps are distributed to the devices using VPP with the option Install apps without Apple ID, the App Store is completely in the control of the IT administrator, and updates are not available to the user directly on the devices. Hence, the admin has to distribute these updates to the devices to make them available to the user.

Follow the steps given here to distribute app updates to devices.

App Configurations

MDM lets you modify the configurations of the app to be distributed to the device, effectively restricting the capabilities and features of the app. App Configurations let you customize the apps to suit the needs of the organization. You can also secure devices by restricting apps from accessing data and/or resources of the managed devices. The app developer names and specifies a set of configurations as an XML file, which is uploaded to the MDM server, and the configuration is pushed automatically with the app. The app developer must support app configurations in the app for them to be applied using MDM.

Pushing app configurations based on user-specific/device-specific parameters such as E-mail, UDID etc. to different users can be a cumbersome task, as the app configuration needs to be modified every time before it is pushed. However, MDM supports dynamic variables: once the app configurations with user-specific/device-specific parameters are set up using dynamic variables, they needn't be configured again, as the dynamic variables fetch all the required data from the device/enrollment details.

Here is the table of parameters for which MDM supports dynamic variables:


PARAMETER        DYNAMIC VARIABLE
Device UDID      %udid%
Device Name      %devicename%
User Name        %username%
E-mail           %email%
Domain name      %domainname%
Serial Number    %serialnumber%
IMEI             %imei%
Exchange ID      %easid%


Sample XML file

The App Configuration file is an XML file which contains details regarding the configurations supported by the app. A sample XML file is shown below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>serverURL</key>
    <string>myServerUrl.myDomain.com</string>
    <key>username</key>
    <string>%username%</string>
    <key>domain</key>
    <string>%domainname%</string>
    <key>email</key>
    <string>%email%</string>
</dict>
</plist>

Enterprise apps for iOS

Enterprise apps are also called in-house apps. Enterprise apps are those which are not listed in the App Store. These apps are owned by the company. Enterprise apps are commonly a collection of computer programs with business applications or tools for modeling the organizational work. They are unique applications designed based on the business requirement. Enterprise apps are developed exclusively for specific platforms, like iOS & Android. Refer to this to know more about adding an enterprise app to the App Repository.

1. For installing apps silently/without Apple ID, ensure you choose Without Apple ID for App Installation Type while uploading/modifying the sToken.

2. Ensure https://ppq.apple.com is whitelisted on your external firewall so that the added enterprise apps are trusted on the device.

B2B apps for iOS

B2B (Business-to-Business) apps are tailor-made apps developed specifically to cater to the needs of an organization. The basic difference between enterprise apps and B2B apps is that the former are developed in-house while the latter usually involve third-party developers. Further, B2B apps are provided only through VPP, so your organization must have a VPP account. To know more about B2B apps, refer to this.






Copyright © 2018, ZOHO Corp. All Rights Reserved.
ManageEngine