Workspace ONE UEM with Apple Business Manager's Device Enrollment Program (DEP) and Volume Purchase Program (VPP) and Apple Configurator, you can deploy and manage large numbers of Apple iOS devices These programs aim to help maintain and manage bulk device and content.

To reduce the risk of license inconsistencies, review these suggestions and guidelines for deploying VPP content to devices that you stage using Configurator and the DEP.

Note: This information does not apply to VPP applications assigned to device serial numbers.

Avoiding License Inconsistencies

Distribute VPP content bought using the managed distribution method:

  • Use a service token (sToken) in one MDM environment and not in multiple environments. Some examples include not using an sToken in Workspace ONE UEM and in another MDM system or in a trial environment and in a production environment.
  • Use an sToken in one organization group and not in multiple organization groups within Workspace ONE UEM.
  • Apply one device to one Apple ID and do not change the Apple ID on the device.

These actions reduce the risk of losing a license in one environment because it was revoked in another environment. However, it cannot be economically possible to have the number of licenses to cover your staged devices using these actions. VPP deployment in a staged environment is still manageable but it can take extra maintenance with special attention paid to the Apple ID.

Apple IDs

When user enrolls with Workspace ONE UEM and then Workspace ONE UEM registers the user with Apple and sends an invitation to join the Apple VPP. The user accepts the invitation and joins the VPP using the Apple ID. Currently, Workspace ONE UEM stores the association of the Apple ID with the user.

It is important to manage the Apple ID in staged environments because the Apple ID controls access to the user's specific set of VPP content. When users change Apple IDs on devices without communicating the change to their admins, they might experience access difficulties. Workspace ONE UEM follows the listed procedure when an admin uploads a service token to the console. This procedure outlines how the system ties the Apple ID users and all that user's licenses.
  1. Admin uploads service tokens to Workspace ONE UEM console.
  2. Workspace ONE UEM registers all users who have devices enrolled.
  3. Workspace ONE UEM sends invitations to users.
  4. Users accept invitations with an Apple ID.
  5. Workspace ONE UEM ties the Apple ID to the user.
  6. Workspace ONE UEM ties all licenses assigned to that user to the Apple ID.

Guidelines for Staging

Use the following processes to reduce license inconsistencies in Workspace ONE UEM.

Table 1. Staging and VPP

Staging

Method

Assign VPP 

Content To

Accepts VPP

Invitation

Installs applications

Updates applications

Maintenance Risks

Single User, Standard (Self-Registration)

Individual devices with unique Apple IDs

Not a staging user

End users with unique Apple IDs End-users install applications End-users update applications

No maintenance of Apple IDs

Least risk because end users maintain their own Apple IDs on individual devices

Single User, Advanced (Pre-Configured) Pre-configured devices with pre-configured Apple IDs End users with pre-configured Apple IDs End-users install applications End-users update applications
  • Maintain pre-configured Apple IDs
  • Provide pre-configured Apple IDs to end users
  • End-users change Apple IDs
  • End users do not return devices to the pre-configured Apple ID
Multi Users
  • Staging user
  • Individual users
  • Admin with the staging user Apple ID
  • End users with respective unique Apple IDs
  • Admin installs common applications with staging user Apple ID
  • End-users install unique applications with individual Apple IDs

 

  • Staging user ID must update common applications with staging user Apple ID
  • End users update unique applications with their individual Apple IDs
  • Maintain a staging user Apple ID for a common set of VPP content on all devices selected to staging user
  • Maintain end-user Apple ID at device check-out
  • All devices selected in to the staging user do not have the same Apple ID
  • Admins do not change devices to the staging user Apple ID upon device check-in
  • End users do not change the staging user Apple ID to their unique Apple IDs upon device check-out