To retrieve the data on the sToken, Workspace ONE UEM syncs with Apple Web services, and then displays the content for assignment and deployment. Workspace ONE UEM distributes licenses by smart group and publishes the content when you save an assignment rule in the flexible deployment feature.

The Enable Device Assignment option displays for applications that are eligible for distribution by device serial number. For information about the device-based distribution method, see Managed Distribution by Device Serial Number.

For information on flexible deployment and how to prioritize assignment rules, see Add Assignments and Exclusions to your Applications in the Application Management guide.

To publish with flexible deployment, assign content acquired from Apple's Volume Purchase Program (VPP) with managed distribution codes to smart groups.

  1. Navigate to Resources > Apps > Native > Purchased.
  2. Select the application and select Assign. The Assignment page appears.
  3. On the Assignment page, select Add Assignment and complete the options.
    1. In the Distribution tab, enter the following information:
      • Name – Enter the assignment name.
      • Description – Enter the description for the assignment.
      • License Distribution – Enter the smart group name to which you want to assign the application and the number of licenses you want to allocate.

        As you enter the smart group name, options are displayed and you can select the appropriate smart group from the list. The allocated licenses must not exceed the total number of available licenses. You can also view the number of licenses that have already been redeemed, if any.

        If necessary, you can add more assignment groups.

      • App Delivery Method
        • On Demand – Deploys content to a catalog or other deployment agent. The device user can decide if and when to install the content.

          This option is the best choice for content that is not critical to the organization. Allowing users to download the content when they want helps conserve bandwidth and limits unnecessary traffic.

        • Automatic – Deploys content to a catalog or other deployment Hub on a device upon enrollment. After the device enrolls, the system prompts users to install the content on their devices.

          This option is the best choice for content that is critical to your organization and its mobile users.

        If the Assignment Type is set to Auto when you Publish, Workspace ONE UEM sends an invitation to Apple iOS 7.0.3+ and macOS 10.9+ devices. The invitation enables users to register with Apple's VPP.

    2. In the Restrictions tab, enter the following information:
      Table 1.
      • Remove on Unenroll – Set the application to be removed from a device when the device unenrolls from Workspace ONE UEM. Workspace ONE UEM enables this setting by default.

        If you enable this setting, supervised devices are restricted from silent app installation. This is because the device is locked and the provisioning profile installation is in the command queue, which requires a device to be unlocked to complete the installation.

        If you deactivate this setting, provisioning profiles are not pushed with the installed application. That is, if the provisioning profile is updated, the new provisioning profile is not automatically deployed to devices. In such cases, a new version of the application with the new provisioning profile is required.

      • Prevent Application Backup – Disallow backing up the application data to iCloud. However, the application can still back up to iCloud.
      • Prevent Removal – If you enable this setting, the user is prevented from uninstalling the app. This is supported in iOS 14 and later.
      • Make App MDM Managed if User Installed – Assume management of applications previously installed by users on their devices, whether applications are supervised or unsupervised.

        Enable this feature so that users do not have to delete the application version installed on the device. Workspace ONE UEM manages the application without having to install the AirWatch Catalog version on the device.

    3. In the Tunnel & Other Attributes tab, enter the following information:
      • Per App VPN Profile – Select a VPN profile that you want to use for the application. Users access the application using a VPN, which helps ensure that application access and use is trusted and secure.
      • Other Attributes – App attributes provide device-specific details for applications to use. For example, you can set a list of domains that are associated with a distinct organization.
    4. In the Application Configuration tab, enter the following information:
      • UPLOAD XML – You can upload an XML file that contains the key-value pairs supported by the application for the app configuration.
  4. Select Create.
  5. Select Add Assignment to add more assignments for your publication.
  6. Configure the flexible deployment settings by setting the priority for your app assignments.
    • Priority – Select the value from the drop-down menu to set the precedence for the assignments.

      Devices receive applications from the assignment groups based on the priority set for the assignment groups. Adjusting the priority for a single assignment automatically reprioritizes other assignments.

    • Copy – From the more options menu, select copy to duplicate the selected assignment.
    • Delete – From the more options menu, select delete to remove the selected assignment.
  7. Select Save & Publish.

Methods to Revoke Managed Distribution Licenses

Workspace ONE UEM offers several ways to revoke managed distribution licenses so that you can reuse them. You can manually revoke licenses. The system also revokes licenses when you delete or unassign other system components such as organization groups, sTokens, and smart groups.

See what methods are available to you to revoke your managed distribution licenses for reuse.

Table 2. Descriptions of Revoking Methods

  • Organization Group – Delete an OG and Workspace ONE UEM makes the distribution licenses available for reuse.
  • User – Unenroll all devices from a user. If another device does not use the unassigned managed distribution license, then the Workspace ONE UEM console revokes it so that it is available for reuse.

    Revoke the license manually off the device.

    You can use the manual method only for those licenses that are redeemed from an external system. This method is useful for adopting these licenses into Workspace ONE UEM.

  • App Record – Delete VPP App Record from the UEM console. Once deleted, the license is available for reuse after the scheduler task runs.
  • sToken – Delete the sToken. Workspace ONE UEM makes all associated licenses available for reuse.
  • Unassign – Unassign an asset from a user. If that license is not used by anyone else, Workspace ONE UEM revokes the distribution license.
  • Smart Group – Delete a managed distribution device user from a smart group. If that license is not used by anyone else, Workspace ONE UEM revokes the distribution license.

Workspace ONE UEM makes licenses available either immediately after revoking or at a scheduled interval, depending on the interval you set in the VPP revoke licenses scheduler task. Find the scheduler task in Groups & Settings > All Settings > Admin > Scheduler.

Managed Distribution Information

You can access managed distribution information from the Device Details, Licenses, and Manage Devices pages. Each page offers various auditing and management actions depending on the type of asset.

Device Details

From the Device Details page, audit assignments and perform installations and removals.

Go to Devices > List View > Apps or to Devices > List View > More > Books. The system does not support all management functions for all asset types. The system does not display unsupported options.

  • View the content assigned to the device.
  • If supported, install and remove the content on the specified device.

Licenses

From the Licenses page, track sync processes, audit licenses available for reuse, and revoke licenses if supported.

Go to Devices > List View > Apps or to Devices > List View > More > Books. The system does not support all management functions for all asset types. The system does not display unsupported options.

  • View the content assigned to the device.
  • If supported, install and remove the content on the specified device.
  • View when assigned licenses were last synced.
  • Filter by License Owner Type, using the Not Assigned option, to access licenses that are available for reuse because of an error.
  • For applications, use the Revoke action to make licenses available for reuse. This action is not available for books.

Workspace ONE UEM has logic to revoke licenses associated with devices or users for redistribution. If a user removes or uninstalls an application, the status is sent to Workspace ONE UEM. The following scenarios describe where Workspace ONE automatically revokes licenses associated with a device or user.

  • Administrator triggers removal of application
  • Administrator unassigns application from the device
  • Device is unenrolled via enterprise wipe, device wipe, or deletion
  • User removes the application
  • User rejects the installation or management request (unsupervised devices only)

Manage Devices

From the Manage Devices page, install and remove content, send invitations to join the VPP if supported, and audit application installations and VPP program registrations.

Go to Resources > Apps > Native > Purchased > Manage Devices or to Resources > Books > List View > Purchased > Manage Devices to access the page. The system does not support all management functions for all asset types. The system does not display unsupported options.

  • For applications, install the content to devices. This action is not available for books.
  • For applications, remove the content from devices, if supported by the asset. This action is not available for books.
  • Notify devices concerning the VPP.
  • Reinvite user-based VPP members who have not registered their Apple IDs with the program.
  • Filter data using the Status option and find devices that have not installed VPP content.
  • Filter data using User Invite and find those user-based members who have not registered their Apple IDs with the program.

Staging Users and Managed Distribution for VPP

With Workspace ONE UEM, Apple Business Manager's Device Enrollment Program (DEP) and Volume Purchase Program (VPP), and Apple Configurator, you can deploy and manage large numbers of Apple iOS devices. These programs aim to help you maintain and manage devices and content in bulk.

To reduce the risk of license inconsistencies, review these suggestions and guidelines for deploying VPP content to devices that you stage using Configurator and the DEP.

Note: This information does not apply to VPP applications assigned to device serial numbers.

Avoiding License Inconsistencies

Distribute VPP content bought using the managed distribution method:

  • Use a service token (sToken) in one MDM environment and not in multiple environments. For example, do not use the same sToken both in Workspace ONE UEM and in another MDM system, or both in a trial environment and in a production environment.
  • Use an sToken in one organization group and not in multiple organization groups within Workspace ONE UEM.
  • Apply one device to one Apple ID and do not change the Apple ID on the device.

These actions reduce the risk of losing a license in one environment because it was revoked in another environment. However, it might not be economically feasible to have enough licenses to cover your staged devices while following these actions. VPP deployment in a staged environment is still manageable, but it can take extra maintenance, with special attention paid to the Apple ID.
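The three guidelines above can be checked mechanically against an inventory of sToken placements and device Apple ID associations. The following Python audit is an added example, not Workspace ONE UEM code or output; the record layout, token names, serial numbers, and Apple IDs are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical layout, not a Workspace ONE UEM export).
# sToken records: (stoken_name, mdm_environment, organization_group)
STOKENS = [
    ("vpp-east", "uem-prod", "Retail"),
    ("vpp-east", "uem-prod", "Warehouse"),  # same sToken in two organization groups
    ("vpp-west", "uem-prod", "Field"),
    ("vpp-west", "uem-trial", "Field"),     # same sToken in trial and production
    ("vpp-hq", "uem-prod", "HQ"),
]
# Device records: (serial, apple_id), in the order the association was observed
DEVICE_APPLE_IDS = [
    ("SERIAL-0001", "stage@example.com"),
    ("SERIAL-0001", "alice@example.com"),   # Apple ID changed on the device
    ("SERIAL-0002", "bob@example.com"),
    ("SERIAL-0002", "bob@example.com"),
]


def audit_stokens(records):
    """Return {stoken: [findings]} for tokens used in more than one place."""
    envs, ogs = defaultdict(set), defaultdict(set)
    for token, env, og in records:
        envs[token].add(env)
        ogs[(token, env)].add(og)
    findings = defaultdict(list)
    for token, seen in envs.items():
        if len(seen) > 1:
            findings[token].append("multiple MDM environments: " + ", ".join(sorted(seen)))
    for (token, env), seen in ogs.items():
        if len(seen) > 1:
            findings[token].append(f"multiple organization groups in {env}: " + ", ".join(sorted(seen)))
    return dict(findings)


def audit_apple_ids(records):
    """Return {serial: [apple_ids, first-seen order]} for devices with more than one Apple ID."""
    seen = defaultdict(list)
    for serial, apple_id in records:
        if apple_id.lower() not in (a.lower() for a in seen[serial]):
            seen[serial].append(apple_id)
    return {serial: ids for serial, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    for token, issues in sorted(audit_stokens(STOKENS).items()):
        for issue in issues:
            print(f"sToken {token}: {issue}")
    for serial, ids in audit_apple_ids(DEVICE_APPLE_IDS).items():
        print(f"device {serial}: Apple ID changed: {' -> '.join(ids)}")
```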

Apple IDs

When a user enrolls with Workspace ONE UEM, Workspace ONE UEM registers the user with Apple and sends an invitation to join the Apple VPP. The user accepts the invitation and joins the VPP using the Apple ID. Currently, Workspace ONE UEM stores the association of the Apple ID with the user.

It is important to manage the Apple ID in staged environments because the Apple ID controls access to the user's specific set of VPP content. When users change Apple IDs on devices without communicating the change to their admins, they might experience access difficulties. Workspace ONE UEM follows the listed procedure when an admin uploads a service token to the console. This procedure outlines how the system ties the Apple ID to the user and to all of that user's licenses.

  1. Admin uploads service tokens to Workspace ONE UEM console.
  2. Workspace ONE UEM registers all users who have devices enrolled.
  3. Workspace ONE UEM sends invitations to users.
  4. Users accept invitations with an Apple ID.
  5. Workspace ONE UEM ties the Apple ID to the user.
  6. Workspace ONE UEM ties all licenses assigned to that user to the Apple ID.

Guidelines for Staging

Use the following processes to reduce license inconsistencies in Workspace ONE UEM.

Table 3. Staging and VPP

Single User, Standard (Self-Registration)
  • Assign VPP Content To
    • Individual devices with unique Apple IDs
    • Not a staging user
  • Accepts VPP – End users with unique Apple IDs
  • Installs applications – End users install applications
  • Updates applications – End users update applications
  • Maintenance – No maintenance of Apple IDs
  • Risks – Least risk because end users maintain their own Apple IDs on individual devices

Single User, Advanced (Pre-Configured)
  • Assign VPP Content To – Pre-configured devices with pre-configured Apple IDs
  • Accepts VPP – End users with pre-configured Apple IDs
  • Installs applications – End users install applications
  • Updates applications – End users update applications
  • Maintenance
    • Maintain pre-configured Apple IDs
    • Provide pre-configured Apple IDs to end users
  • Risks
    • End users change Apple IDs
    • End users do not return devices to the pre-configured Apple ID

Multi Users
  • Assign VPP Content To
    • Staging user
    • Individual users
  • Accepts VPP
    • Admin with the staging user Apple ID
    • End users with respective unique Apple IDs
  • Installs applications
    • Admin installs common applications with staging user Apple ID
    • End users install unique applications with individual Apple IDs
  • Updates applications
    • Staging user ID must update common applications with staging user Apple ID
    • End users update unique applications with their individual Apple IDs
  • Maintenance
    • Maintain a staging user Apple ID for a common set of VPP content on all devices selected to staging user
    • Maintain end-user Apple ID at device check-out
  • Risks
    • All devices selected in to the staging user do not have the same Apple ID
    • Admins do not change devices to the staging user Apple ID upon device check-in
    • End users do not change the staging user Apple ID to their unique Apple IDs upon device check-out