Apple App Management

This document explains the various steps involved in managing Apple apps. Ensure these ports and domains are whitelisted for managing Apple apps.

Managing App Store apps for iOS devices

A wide range of apps are available in the App Store. Some of these apps are free apps whereas few of those are paid apps. In order to add an App Store app you need to know if the app is free or paid app. In case of free app, it can be directly added into the App Repository using the app name. To add the apps to the repository, refer these steps.

App Management and Distribution using ABM

Apple introduced Apple Business Manager (ABM) and Apple School Manager(ASM) that gives organizations and schools an integrated platform to manage their devices and apps. Volume Purchase Program (VPP) available with ABM and ASM is a free program that is preferred for managing free and paid Store apps. It simplifies managing apps with Managed Distribution using which the admin can approve licenses on these portals and distribute the apps to devices. These licenses can be revoked and reused if the app is removed from the user's devices. Other advantages include:

  1. Silent distribution of apps to the devices
  2. App installation without associating an Apple ID to devices
  3. Managing custom business to business (B2B) apps.

NOTE: The steps for configuring Apple Business Manager mentioned in this document are also applicable for the Apple School Manager portal.

Using ABM administrators can manage app licenses by assigning or revoking the apps distributed to a user at any point of time and reusing the licenses to distribute the app to another device. This is done by registering the corporate Apple ID to generate a server token. This server token should be uploaded in the Mobile Device Manager Plus server. Whenever an app, is purchased using the corporate Apple ID, the license details are synced with the Mobile Device Manager Plus server, once in a day. You can also manually sync the license details by clicking on "Sync License" button under the specific app details view on the ABM portal.

Ensure the Apple account used for VPP is not associated with any other device.

Purchasing apps

You can purchase licenses for both free and paid apps in bulk through ABM and distribute it to the devices. License refers to the number of devices to which the app is to be distributed. For example, if you want to distribute ME MDM app to 300 devices, you must purchase 300 app licenses. Apps can be purchased through Managed Distribution as explained below.

Login to Apple Business Manager Portal

Ensure you use a unique corporate Apple account for ABM and also do not associate this account with any other iOS device.
  1. Login to ABM portal
  2. Sign in using your corporate ID

If you do not have a corporate Apple account for ABM, click on Enroll now, to create an account for your organization. To upgrade your VPP account to the ABM portal and to know more about the upgrade, follow the steps given here.

If you are already using VPP with Mobile Device Manager Plus, we will automatically migrate your apps to ABM once you have upgraded. Upon the expiry of the server token, you'll have to generate the new token from the ABM portal to continue managing your apps.

Approve app licenses

With ABM, you can approve licenses for free apps and purchase paid apps, for distributing to devices. On the ABM portal, under Content, click on Apps and Books. Search for the apps and enter the required number of licenses to approve or purchase. Once ABM is set up, MDM syncs with ABM every day, to automatically add any new purchases to MDM. You can also click Sync Apps button in the App Repository ->Apple Business Manager to manually sync the apps with MDM.

Download Server Token

  1. On the ABM portal, navigate to Settings on the bottom left corner and select Apps and Books.
  2. stoken
  3. The server token for your organization will be available, click on Download.
  4. stoken
  5. Save the downloaded token in your desired location.

Upload Server Token on MDM console

Follow the steps mentioned below to upload the sToken in the Mobile Device Manager Plus server:

  1. On the web console, select App Repository
  2. Choose Apple Business Manager
  3. Click Browse to upload Server Token
  4. Choose either prompts for Apple ID or without Apple ID for App installation type.
  5. Click Save to complete the process.

You have successfully created/renewed the server token in the Mobile Device Manager Plus server. You can now distribute apps to the managed devices, assign license and revoke it as per your need.

When uploading sToken, there are two options for App Installation Type:

Prompts for Apple ID

In this case the app is associated to the user's Apple ID and when an app is distributed to the device, the user has to accept a one-time invitation. On accepting the invitation, users are registered for Managed Distribution. This invitation has to be accepted only the first time an app is distributed.  The approved licenses are accounted based on the number of Apple accounts the app has been distributed to. If 5 apps are distributed to devices, and all the devices have the same Apple ID, only 1 license will be used.

Without Apple ID

In this case the app is associated to the device instead of the user's Apple ID and lets you install apps silently (in Supervised devices) or install apps without Apple ID (non-supervised devices).  The approved licenses are accounted based on the number of devices the app has been distributed to. For example, if you distribute the app to 5 devices, 5 licenses will be used. This can be useful in the following cases:

Silent app installation in iOS devices

Apps purchased via ABM can be installed silently in the managed iOS devices if the devices are Supervised and running iOS 9.0 or later versions. Silent installation of apps is especially useful when you want to have zero user intervention for installing apps in devices. Silent installation also helps in bulk installation of apps.

Distributing ME MDM app silently to managed devices

ME MDM app must be installed in the managed iOS devices to distribute content, remotely troubleshoot, locate the device as well as know whether the device is jail-broken or not. Using ABM, ME MDM app can be purchased, distributed to devices and installed silently in Supervised devices or without requiring an Apple ID in unsupervised devices.

1. Click here to know more about installing apps without Apple ID.

2. Ensure is white listed on your external firewall to ensure the added enterprise apps are trusted on the device.

3. Apps with size greater than 150 MB are installed only via Wi-Fi and doesn't get silently installed if only Cellular Data is available.

Migrate licenses of apps requiring Apple ID for installation

When licenses of apps require Apple ID for installation, they are known as user-associated app licenses as the license gets associated to the Apple ID of the user. This scenario is not ideal in organizations where the devices are corporate-owned since the user must create and associate an Apple ID with these devices . Instead, the licenses of apps should be associated to the devices, known as device-associated app licenses. Click here to know how to migrate the app licenses.

Migration of App Store apps to ABM apps

Using MDM, you can migrate the App Store apps added in App Repository to ABM apps. This includes migration of apps which has been already distributed to the devices. After purchasing the apps, the apps distributed to devices are modified as ABM apps once sync is completed.You can know more about migration of App Store apps to ABM apps here.

B2B apps for iOS

B2B(Business-to-Business) apps are tailor-made apps developed to specifically cater to the needs of an organization. The basic difference between enterprise apps and B2B apps is, the former is developed in-house while the latter usually involves third-party developers. Further, B2B apps is provided only through ABM, so your organization must've an ABM account. To know more about B2B apps, refer to this.

Removing server token

The server token associated with the MDM server can be removed by navigating to App Repository ->Apple Business Manager ->Remove. On removing the server token from MDM server, all the apps synced from MDM will be moved to Trash. Further, the apps synced from ABM and distributed to the devices are removed from the devices as well. On moving these back from Trash to App Repository, they'll be considered as normal apps added to App Repository via the App Store.

Updating iOS Apps

It is also important for the IT administrator to ensure that the apps distributed stay up to date with all the critical updates installed on time. If the ABM apps are distributed without Apple ID, the user has not control over the app updates. The admin has to distribute these updates to the devices to make them available to the user.

Follow the steps given here to distribute app updates to devices.

App Configurations

MDM lets you modify the configurations of apps to improve or restrict the capabilities and features of the app. App Configurations lets you customize the apps to suit the needs of the organization. You can also secure devices by restricting apps from accessing data from the managed devices. The app developer names and specifies a set of configurations as a XML file, which is to be uploaded in MDM Server the configuration is pushed automatically with the app. The app developer must support app configurations for the app, to implement it using MDM.

Follow the steps given below to apply app configurations:

  1. Click on App Repository from the Device Mgmt tab.
  2. Select the app from the repository or if a new app is to be added follow the steps given here.
  3. Select the Modify App option for existing apps or directly upload the XML file with the required configurations under the Configurations section.
  4. Save the changes.

Pushing app configurations based on user-specific/device-specific parameters such as E-mail, UDID etc., to different users can be a cumbersome task as the app configuration needs to be modified every time before it is pushed. However, MDM supports dynamic variables which ensures once the app configurations with user-specific/device-specific parameters are setup using dynamic varaiables, they needn't be configured again as the dynamic variables fetches all the required data from device/enrollment details.

Here is the table of parameters for which MDM supports dynamic variables:

Device UDID %udid%
Device Name %devicename%
User Name %username%
E-mail %email%
Domain name %domainname%
Serial Number %serialnumber%
IMEI %imei%
Exchange ID %easid%

Sample XML file
App Configuration is an XML file which contains details regarding the configurations supported by the app. A sample XML file is shown below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

Enterprise apps for iOS

Click here to know more about installing enterprise apps without Apple ID.

Enterprise apps are also called as in-house apps. Enterprise apps are those which are not listed in the App Store. These apps are owned by the company. Enterprise apps are commonly a collection of computer programs with business applications or tools for modeling the organizational work. They are unique applications designed based on the business requirement. Enterprise apps are developed exclusively for distinguished platforms, like iOS & Android. Refer to this, to know more about adding Enterprise App in the App Repository and installing them on devices without user intervention.

Any enterprise app added in the App Repository and associated to devices, gets automatically trusted and does not require the user to manually trust the app(s) on the device.

See Also: Configure Mobile Device Manager Plus, Device Enrollment, Location Tracking,App Management, Profile Management,Asset Management, Security Management , Reports
Copyright © 2019, ZOHO Corp. All Rights Reserved.