Apple App Management
This document explains the steps involved in managing App Store and enterprise Apple apps. Ensure these ports and domains are allowlisted for managing Apple apps. If you have already set up ABM in another MDM service, you can migrate it to ME MDM as explained here.
iOS, tvOS, macOS & iPadOS
Managing App Store apps for Apple devices
The App Store has a multitude of apps, both free and paid. Free apps can be added directly to the App Repository using the app name or the bundle identifier of the app. For paid apps, the app licenses need to be purchased as explained in the next section, after which the apps can be added to the App Repository. To add apps to the Repository, refer to these steps.
App Management and Distribution using ABM
Apple has introduced Apple Business Manager (ABM) and Apple School Manager (ASM), which provide an integrated platform for managing devices and apps in organizations and schools respectively. The Volume Purchase Program (Apple VPP) available with ABM and ASM is a free program for managing free and paid Store apps. It simplifies app management through Managed Distribution, with which the admin can approve licenses on these portals and distribute the apps to devices. These licenses can be revoked and reused if the app is removed from the user's devices. Other advantages include:
- Silent distribution of apps to the devices.
- App installation without associating an Apple ID to devices.
- Managing custom business to business (B2B) apps.
NOTE: The steps for configuring Apple Business Manager mentioned in this document are also applicable for Apple School Manager.
Using ABM, administrators can manage app licenses by assigning or revoking the apps distributed to a user at any time and reusing the licenses to distribute the app to another device. This is done by registering the corporate Apple ID to generate a server token (sToken), which is then uploaded to the MDM server. Whenever an app is purchased using the corporate Apple ID, the license details are synced with the MDM server. You can also manually sync the license details by clicking the Sync License button in the details view of the specific app.
Ensure the Apple account used for ABM is not associated with any other device.
You can purchase licenses in bulk for both free and paid apps using ABM and then distribute them to the devices. The number of app licenses is the number of devices to which the app needs to be distributed. For example, to distribute the ME MDM app to 300 devices, you should purchase 300 app licenses.
Note: To migrate unused VPP Redemption codes to Managed Distribution, refer to this.
Apps can be purchased through Managed Distribution as explained below.
- Login to ABM portal
- Approve app licenses
- Download server token
- Upload server token in the MDM Web Console
Login to Apple Business Manager Portal
Ensure you use a unique corporate Apple account for ABM and do not associate this account with any other Apple device.
- Login to ABM portal using your corporate ID.
If you do not have a corporate Apple account for ABM, click Enroll now to create an account for your organization. To upgrade your VPP account to the ABM portal and to learn more about the upgrade, follow the steps given here.
If you are already using VPP with MDM, MDM automatically migrates your apps to ABM once you have upgraded. Prior to the expiry of the server token, you'll have to renew the token from the ABM portal to continue managing your apps.
Approve app licenses
With ABM, you can approve licenses for free apps and purchase paid apps for distribution to devices. On the ABM portal, under Content, click Apps and Books. Search for the required apps and enter the required number of licenses to approve or purchase. Once ABM is set up, MDM syncs with ABM every day to automatically add any new purchases to MDM. You can also navigate to the App Repository, click the Sync Apps button and choose Sync ABM Apps to manually sync the apps with MDM.
NOTE: Apple currently doesn't permit in-app purchases on apps added using ABM.
Download Server Token
- On the ABM portal, navigate to your account in the bottom left corner and select Apps and Books.
- Click on Payments and Billing > Apps and Books and click on the server token to be downloaded.
- Download the server token and save it in a location as per your choice.
Upload Server Token on MDM console
Follow the steps mentioned below to upload the sToken in the MDM server:
- On the web console, select App Repository.
- Click on Apple App Management.
- Upload Server Token.
- Choose either Prompts for Apple ID or Without Apple ID as the App installation type.
- Provide your e-mail address to receive notifications prior to the expiry of the server token.
- Click Save to complete the process.
You have successfully created/renewed the server token on the MDM server. You can now distribute apps to the managed devices, assign or revoke licenses as per your requirement.
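Because a server token expires after a year and distribution stops once it lapses, it helps to check the expiry date of an sToken before uploading or renewing it. The following added example (not part of the product or this page) decodes a token in the format Apple's server tokens use, a base64-encoded JSON object with the fields token, expDate and orgName, and reports whether renewal is due; the token embedded here is a constructed sample, not a real Apple token.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample sToken (NOT a real Apple token): base64 of a JSON object
# carrying the three fields an ABM/VPP server token contains.
SAMPLE_STOKEN = base64.b64encode(json.dumps({
    "token": "constructed-opaque-token-value",
    "expDate": "2025-06-30T12:00:00+0000",
    "orgName": "Example Corp",
}).encode()).decode()

TS_FORMAT = "%Y-%m-%dT%H:%M:%S%z"


def decode_stoken(stoken: str) -> dict:
    """Decode a server token into its JSON fields and check the expected keys exist."""
    raw = base64.b64decode(stoken.strip(), validate=True)
    fields = json.loads(raw)
    for key in ("token", "expDate", "orgName"):
        if key not in fields:
            raise ValueError(f"sToken is missing the field '{key}'")
    return fields


def _parse_ts(value: str) -> datetime:
    """Parse a timestamp such as 2025-06-30T12:00:00+0000 into an aware UTC datetime."""
    return datetime.strptime(value, TS_FORMAT).astimezone(timezone.utc)


def token_expiry(stoken: str) -> datetime:
    """Return the token's expiry as an aware UTC datetime."""
    return _parse_ts(decode_stoken(stoken)["expDate"])


def renewal_needed(stoken: str, now_iso: Optional[str] = None, warn_days: int = 30) -> bool:
    """True when the token has expired or will expire within warn_days.

    now_iso lets a caller evaluate the check at a fixed point in time; when it
    is None the current UTC time is used.
    """
    now = datetime.now(timezone.utc) if now_iso is None else _parse_ts(now_iso)
    return token_expiry(stoken) - now <= timedelta(days=warn_days)


if __name__ == "__main__":
    info = decode_stoken(SAMPLE_STOKEN)
    print(f"{info['orgName']}: expires {token_expiry(SAMPLE_STOKEN):%Y-%m-%d}, "
          f"renewal needed now: {renewal_needed(SAMPLE_STOKEN)}")
```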
Managing multiple location tokens
You can also upload multiple location tokens on the MDM console to manage department or location specific app purchases. To upload new tokens, navigate to App Repository -> Apple App Management -> Add Location Token -> Upload Token. Once uploaded, MDM will sync the apps added to the location token via ABM.
Note: If you need to add a new location in ABM portal, go to Locations and click on Add a new location. It is recommended to give the location a descriptive name, for easier identification purposes.
Each location token is valid for one year. When nearing expiration, it is essential that the token is renewed to distribute apps using the location tokens. You can renew the location token by logging in to ABM, downloading the location token again and uploading the token back in MDM by following the same steps as mentioned above.
In case you want to remove a server token, refer to the steps below:
Removing server token
The server token associated with the MDM server can be removed by navigating to App Repository -> Apple Business Manager -> Remove. On removing the server token from the MDM server, all the apps synced from ABM are moved to Trash. Further, the apps synced from ABM and distributed to the devices are removed from the devices as well. When these are moved back from Trash to the App Repository, they are treated as normal apps added to the App Repository via the App Store.
App Installation Type
When uploading sToken, there are two options for App installation type:
Prompts for Apple ID: In this case, the app is associated with the user's Apple ID, and when an app is distributed to the device, the user has to accept a one-time invitation. On accepting the invitation, the user is registered for Managed Distribution. This invitation has to be accepted only the first time an app is distributed. The approved licenses are counted based on the number of Apple accounts the app has been associated with. If the app is distributed to 5 devices and all the devices have the same Apple ID, only 1 license is used.
Without Apple ID: In this case, the app is associated with the device instead of the user's Apple ID. This lets you install apps on devices without an Apple ID. Additionally, if the devices are Supervised, you can install apps silently on them. The approved licenses are counted based on the number of devices the app has been distributed to. For example, if you distribute the app to 5 devices, 5 licenses are used. This can be useful in the following cases:
Silent app installation in Apple devices
Apps purchased via ABM can be installed silently on managed devices if the devices are Supervised. Silent installation of apps is especially useful when you want to have zero user intervention for installing apps on the devices. Silent installation also helps in bulk installation of apps.
Distributing ME MDM app silently to managed devices
The ME MDM app must be installed on managed Apple devices to locate the devices, detect jailbroken devices, and for various other features. Using ABM, the ME MDM app can be purchased, distributed to devices and installed silently on Supervised devices, and without requiring an Apple ID on Non-Supervised devices.
- For installing apps silently/without using an Apple ID, ensure you choose Without Apple ID for App Installation Type while uploading/modifying sToken.
- Ensure https://ppq.apple.com is allowlisted on your external firewall to ensure the added enterprise apps are trusted on the device.
- Enterprise apps distributed by MDM, (including the ME MDM app) need to be verified by ppq.apple.com only once. They do not need to be re-verified by the user each time the device connects to the Internet.
- In case of apps installed without requiring Apple ID, in-app purchases cannot be utilized as the app installation is done directly using ABM and the apps are assigned to the device. In-app purchases can be used only for apps installed via App Store, with the apps being associated to the user.
Migrate licenses of apps requiring Apple ID for installation
When app licenses require Apple ID for installation, they are known as user-associated app licenses as the license gets associated to the Apple ID of the user. This scenario is not ideal in organizations where the devices are corporate-owned and the user must create and associate an Apple ID with these devices. Hence, the app licenses should be associated to the devices, known as device-associated app licenses. Click here to know how to migrate the app licenses.
Migration of App Store apps to ABM apps
Using MDM, you can migrate the App Store apps added in App Repository to ABM apps. This includes migration of apps which have been already distributed to the devices. After purchasing the apps, the apps distributed to devices are modified as ABM apps once syncing is complete. You can know more about migration of App Store apps to ABM apps here.
Updating Apple Apps
It is also important for the IT administrator to ensure that the distributed apps stay up to date, with all critical updates installed on time. When apps are distributed to the devices using ABM with the option Install apps without Apple ID, the App Store is completely under the control of the IT administrator, and updates are not available to the user directly on the devices. Hence, the admin has to distribute these updates to the devices to make them available to the user.
Follow the steps given here to distribute app updates to devices.
MDM lets you modify the configuration of an app before it is distributed to the device, effectively restricting the capabilities and features of the app. App Configurations let you customize apps to suit the needs of the organization. You can also secure devices by restricting apps from accessing data and/or resources of the managed devices. The app developer names and specifies a set of configuration keys in an XML file, which is uploaded to the MDM server and is automatically pushed along with the app. The app developer must support app configurations in the app for this to work through MDM.
Follow the steps given below to apply app configurations:
- Click on App Repository from the Device Mgmt tab.
- Select the app from the repository or add the app.
- Click on the ellipsis button under Action and select Modify App for existing apps. For new apps, you can directly upload the XML file with the required configurations under the Configurations section.
- Save the changes.
Pushing app configurations based on user-specific or device-specific parameters such as e-mail, UDID etc. to different users can be a cumbersome task, as the app configuration would need to be modified every time before it is pushed. However, MDM supports dynamic variables: once an app configuration with user-specific or device-specific parameters is set up using dynamic variables, it needn't be configured again, as the dynamic variables fetch the required data from the enrollment details.
Here is the table of parameters for which MDM supports dynamic variables:
Sample XML file
The app configuration file is an XML file which contains details regarding the configurations supported by the app. A sample XML file is shown below:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
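To illustrate how an app-configuration plist with dynamic variables is resolved against enrollment details before being pushed, here is an added example written for this page (not the product's own code). The template, its keys, and the %email% / %udid% placeholder syntax are constructed assumptions; the product's real dynamic-variable names are those listed in its own table.

```python
import plistlib
import re
from typing import Dict, Set

# Constructed app-configuration template (hypothetical keys and placeholder
# syntax). Only <string> values may carry dynamic variables; booleans and
# other types are pushed unchanged.
TEMPLATE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>userEmail</key>
    <string>%email%</string>
    <key>deviceId</key>
    <string>%udid%</string>
    <key>allowScreenshots</key>
    <false/>
</dict>
</plist>
"""

PLACEHOLDER = re.compile(r"%(\w+)%")


def required_variables(template: bytes) -> Set[str]:
    """Return the set of dynamic-variable names referenced anywhere in the template."""
    return set(PLACEHOLDER.findall(template.decode("utf-8")))


def render_app_config(template: bytes, enrollment: Dict[str, str]) -> bytes:
    """Substitute enrollment values into every string of the plist and re-serialize it.

    Raises KeyError for a placeholder with no enrollment value, so an incomplete
    configuration is never pushed to a device.
    """
    config = plistlib.loads(template)
    if not isinstance(config, dict):
        raise ValueError("an app configuration must be a plist dictionary")

    def substitute(value):
        if isinstance(value, str):
            return PLACEHOLDER.sub(lambda m: enrollment[m.group(1)], value)
        if isinstance(value, dict):
            return {k: substitute(v) for k, v in value.items()}
        if isinstance(value, list):
            return [substitute(v) for v in value]
        return value  # bool, int, float, date, data: left as-is

    return plistlib.dumps(substitute(config), fmt=plistlib.FMT_XML)
```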
To meet your organizational needs, you can create app configurations for the following applications.
Enterprise apps for Apple
Enterprise apps are also called in-house apps. They are specific to an organization and are used internally; they are owned by the company and are not listed in the App Store. Enterprise apps are commonly a collection of programs with business applications or tools that model the organization's work, designed around the business requirement. They are developed for a specific platform, such as Apple or Android. Refer to this to learn more about adding enterprise apps to the App Repository and installing them on devices without user intervention. To test and deploy Apple enterprise apps seamlessly using multi-app version management, refer to this link.
Any enterprise app added to the App Repository and associated to devices, gets automatically trusted and does not require the user to manually trust the app on the device.
B2B apps for Apple
B2B (Business-to-Business) apps are tailor-made apps developed to specifically cater to the needs of an organization. The basic difference between enterprise apps and B2B apps is that the former are developed in-house while the latter usually involve third-party developers. Further, B2B apps are provided only through ABM, so your organization must have an ABM account. To learn more about B2B apps, refer to this.
- MDM server is not able to contact ABM to sync apps.
Check that vpp.itunes.apple.com is allowlisted along with the other domains and ports listed here. Ideally, it is recommended to allowlist *.apple.com for seamless management of Apple devices. Also, verify the availability of the required Apple services.
- Info.plist not found
While trying to upload an enterprise app, you receive the error message Info.plist not found. This error occurs when the .ipa file is extracted from an invalid source. Contact your developer to get the valid .ipa file.