Apple App Management Using VPP

This document explains the various steps involved in managing iOS Apps. Ensure these ports and domains are whitelisted for managing iOS apps. In case you've already setup VPP in another MDM service, you can migrate it to ME MDM as explained here.

Managing App Store apps

A wide range of apps are available in the App Store. Some of these apps are free apps whereas few of those are paid apps. In order to add an App Store app you need to know if the app is free or paid app. In case of free app, it can be directly added into the App Repository using the app name. To add the apps to the repository, refer these steps

App Management and Distribution

You can manage and distribute apps to iOS devices running iOS 9.0 or later versions by using VPP Redemption codes or Managed Distribution. When you use a VPP redemption code for distribution, you cannot revoke the redemption code if the user has installed the app. However, in Managed Distribution, you can revoke the license any point of time from the user and map it to a different user. So, when an app is purchased by the corporate, they have the leverage to revoke and re-assign the license to different users.

VPP Redemption Codes

The redemption codes, which was purchased using VPP can be mapped to users. Redemption codes can be uploaded in .xls,.xlsx,.xlsm,.xltx,.xltm,.xlsb, and .xlam format. The redemption codes which are mapped to users, cannot be revoked. In case the App is installed on an employee-owned device, then the license cannot be re-used by the corporate and it is mapped with the device.

To migrate the unused VPP Redemption codes to Managed Distribution, refer to this

VPP Managed Distribution

Using Managed Distribution over VPP redemption codes, helps administrators to revoke the apps distributed to the users at any point of time. This is done by registering the corporate Apple ID to generate a sToken. This sToken should be uploaded in MDM. Whenever an app, is purchased using the corporate Apple ID, the license details are synced with the MDM. You can also manually sync the license details by clicking on "Sync License" button under the specific app details view.

Ensure the Apple account used for VPP is not associated with any other device. Further, when you modify the credentials of your VPP account, all the VPP tokens are automatically revoked.


Administrators can distribute these Apps and revoke it at any point of time, unlike VPP redemption codes.

Purchasing apps through Managed Distribution(VPP)

You can purchase licenses for both free and paid apps in bulk through VPP and distribute it to the devices. License refers to the number of devices to which the app is to be distributed. For example, if you want to distribute ME MDM app to 300 devices, you must have 300 app licenses. Apps can be purchased through Managed Distribution as explained below.

Login to Apple VPP Portal
Ensure you use a unique corporate Apple account for VPP and also do not associate this account with any other iOS device.
  1. Login to Apple VPP Portal
  2. Go to Business Store
  3. Sign in using your corporate ID
Purchase app licenses

With VPP, you can purchase licenses for both free and paid apps, for distribution to devices. The required app needs to be selected, the number of licenses are to be specified and then the app can be purchased. Once VPP is set up, MDM syncs with VPP every day, to automatically add any new purchases to MDM. You can also click Sync Apps button in the App Repository ->Apple App Management to manually sync the apps with MDM. You can use the Managed Distribution to revoke apps from users and map it to a different user. So, when an app is purchased by the corporate they have the leverage to revoke and re-assign the license to different users. When the license is revoked, user can use the app for 30 days, after which the app is listed as a paid App.

Download sToken
  • After purchasing apps, select Account Summary.

    stoken

  • Click Download Token, to download sToken.

    stoken

  • Save the downloaded sToken in your desired location.
Upload sToken in MDM Web Console

Follow the steps mentioned below to upload the sToken in the MDM:

  • On the web console, select App Repository
  • Choose Apple App Management
  • Click Browse to upload sToken
  • Click Save to complete the process

You have successfully created/renewed the sToken in the MDM. You can now distribute apps to the managed devices, assign license and revoke it as per your need.

We have made your job simpler!

Learn how to add apps to App Repository in bulk and install them silently in under 3 minutes through this demo video.

App Installation Type

When uploading sToken, there are two options for App Installation Type:

Prompts for Apple ID : If the option 'Prompts for Apple ID' is selected while uploading sToken and an app purchased using Managed Distribution is distributed to the device, the user has to accept a one-time invitation. On accepting the invitation, users are registered for Managed Distribution.

Without Apple ID : This option lets you install apps silently(in Supervised devices) or install apps without Apple ID(non-supervised devices). This can be useful in the following cases:

Silent app installation in iOS devices

Apps purchased via VPP can be installed silently in the managed iOS devices if the devices are Supervised and running iOS 9.0 or later versions. Silent installation of apps is especially useful when you want to have zero user intervention for installing apps in devices. Silent installation also helps in bulk installation of apps.

Distributing ME MDM app silently to managed devices

ME MDM app must be installed in the managed iOS devices to locate the device as well as know whether the device is jail-broken or not. Using VPP, ME MDM app can be purchased, distributed to devices and installed silently in Supervised devices or without requiring an Apple ID in unsupervised devices.

1. Click here to know more about installing apps without Apple ID.

2. Apps with size greater than 200 MB are installed only via Wi-Fi and doesn't get silently installed if only Cellular Data is available.

3. In case of apps installed without requiring Apple ID, in-app purchases cannot be utilized as the app installation is done directly using VPP and the apps are assigned to the device. In-app purchases can be used only for apps installed via App Store, with the apps being associated to the user.

Migrate licenses of apps requiring Apple ID for installation

When licenses of apps require Apple ID for installation, they are known as user-associated app licenses as they the license gets associated to the Apple ID of the user. This scenario is not ideal in organizations where the devices are corporate-owned. Instead, the licenses of apps should be associated to the devices, known as device-associated app licenses. Click here to know how to migrate the app licenses.

Migration of App Store apps to VPP apps

Using MDM, you can migrate the App Store apps added in App Repository to VPP apps. This includes migration of apps which has been already distributed to the devices. After purchasing the apps, the apps distributed to devices are modified as VPP apps once syncing is complete. You can know more about migration of App Store apps to VPP-apps here.

Updating iOS Apps

It is also important for the IT administrator to ensure the apps distributed stay up to date with all the critical updates installed on time. The apps distributed to the devices using VPP, with the option Install apps without Apple ID, then the App Store is completely in the control of the IT administrator, and the updates are available to the user on the devices directly. Hence, the admin has to distribute these updates to the devices to make them available to the user.

Follow the steps given here to distribute app updates to devices

App Configurations

MDM lets you modify the configurations of the app to be distributed to the device, effectively restricting the capabilities and features of the app. App Configurations lets you customize the apps to suit the needs of the organization. You can also secure devices by restricting apps from accessing data and/or resources of the managed devices. The app developer names and specifies a set of configurations as an XML file, which is to be uploaded in MDM Server the configuration is pushed automatically with the app. The app developer must support app configurations for the app, to implement it using MDM.

Follow the steps given below to apply app configurations:

  1. Click on App Repository from the Device Mgmt tab.
  2. Select the app from the repository or if a new app is to be added follow the steps given here.
  3. Select the Modify App option for existing apps or directly upload the XML file with the required configurations under the Configurations section.
  4. Save the changes.

Pushing app configurations based on user-specific/device-specific parameters such as E-mail, UDID etc., to different users can be a cumbersome task as the app configuration needs to be modified every time before it is pushed. However, MDM supports dynamic variables which ensure once the app configurations with user-specific/device-specific parameters are setup using dynamic variables, they needn't be configured again as the dynamic variables fetch all the required data from device/enrollment details.

Here is the table of parameters for which MDM supports dynamic variables:


PARAMETER DYNAMIC VARIABLE
Device UDID %udid%
Device Name %devicename%
User Name %username%
E-mail %email%
Domain name %domainname%
Serial Number %serialnumber%
IMEI %imei%
Exchange ID %easid%


Sample XML file
The App Configuration file is an XML file which contains details regarding the configurations supported by the app. A sample XML file is shown below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
             <key>serverURL</key>
            <string>myServerUrl.myDomain.com</string>
            <key>username</key>
            <string>%username%</string>
            <key>domain</key>
            <string>%domainname%</string>
            <key>email</key>
            <string>%email%</string>        
</dict>
</plist>

Enterprise apps for iOS

Click here to know more about installing enterprise apps without Apple ID.

Enterprise apps, also called as in-house apps, are those which are not listed in the App Store. These apps are owned by the company and are unique apps designed based on the business requirement. Refer to this, to know more about adding enterprise App in the App repository. To test and deploy iOS enterprise apps seamlessly refer to this link.

Ensure https://ppq.apple.com is whitelisted on your external firewall to ensure the added enterprise apps are trusted on the device. Any enterprise app added in the App Repository and associated to devices, gets automatically trusted and does not require the user to manually trust the app(s) on the device.

B2B apps for iOS

B2B(Business-to-Business) apps are tailor-made apps developed to specifically cater to the needs of an organization. The basic difference between enterprise apps and B2B apps are, the former is developed in-house while the latter usually involves third-party developers. Further, B2B apps are provided only through VPP, so your organization must have a VPP account. To know more about B2B apps, refer to this.

Troubleshooting Tips



See Also: Configure MDM, Device Enrollment, Location Tracking,App Management, Profile Management,Asset Management, Security Management , Reports
Copyright © 2019, ZOHO Corp. All Rights Reserved.
ManageEngine