To purchase and deploy content with Apple Business Manager's Volume Purchase Program (VPP), enroll and acquire content on the Apple Business Manager site and then use Workspace ONE UEM to distribute content.

  1. Content Purchase – Purchase content in the bulk through the App & Books in Apple Business Manager.
  2. Application Deployment – Distribute the assets throughout your device fleet using redemption codes or managed distribution service token files (sTokens).
    • Redemption Code Method
    • Managed Distribution by Apple IDs
    • Custom Applications
    • Managed Distribution by Device Serial Number

Redemption Code Method

This method uses redemption codes to allocate the content to devices, and it does not support revoking the codes from Apple iOS devices. Once the redemption code is redeemed, it cannot be recycled. Also, Workspace ONE UEM cannot delete content bought using redemption codes off devices.

Devices older than Apple iOS 7 must use this method for purchasing VPP content because the managed distribution is not available for older systems.

You cannot use redemption codes for macOS systems.

Complete All Tasks to Distribute Redemption Codes

For the successful distribution of the Apple's Volume Purchase Program (VPP) content to end users, perform all steps of the deployment process. In return, end users must complete all steps on their devices to receive the VPP content.

  1. Admins send VPP content to end users.
    1. Purchase your applications and download your redemption code spreadsheet from the Apple iTunes Store.
    2. Upload the spreadsheet to Workspace ONE UEM.
    3. Allocate redemption codes to organization groups and smart groups in the Workspace ONE UEM console and save the settings.
  2. End-Users receive content.

    This step occurs automatically when admins publish the content.

    1. Obtain a redemption code from Workspace ONE UEM.
    2. Install the content from the catalog.

Upload a Redemption Code Spreadsheet

You can use Workspace ONE UEM to manage and distribute applications and books purchased through the VPP to your Apple iOS devices. Apple uses Web services to manage redemption codes. For the Workspace ONE UEM console to access Apple's Web services, you must first upload the redemption code spreadsheet.

  1. Navigate to either Resources > Apps > Orders or Resources > Books > Orders.
  2. Select Add or Order to add a redemption code spreadsheet.
  3. Select Purchased Public App or Purchased Custom App (Custom app), for applications.

    This option is not available for books.

  4. Select Choose File to upload the CSV or XLS file that you downloaded from the Apple portal.

    This action creates the order.

  5. Select Save to continue to the Product Selection Form.
  6. Locate the appropriate product and choose Select to finish uploading the spreadsheet. If your spreadsheet contains an Adam ID, Workspace ONE UEM does not display this step.
    • If your spreadsheet contains an Adam ID, you do not have to locate the product. Workspace ONE UEM automatically adds applications and books from the app store when the spreadsheet contains the Adam ID. Adam IDs are specific to iTunes, are components of the Apple Search API, and are unique for each application.
    • If the Apple VPP redemption code spreadsheet contains codes for multiple applications or books, Workspace ONE UEM lists several products on this form. You can select only one per order.

iTunes uses Adam IDs, which are item identifiers, to automate connections to content. If your spreadsheet contains an Adam ID, then you do not have to locate applications and books in the app store. For custom applications, the Adam ID enables Workspace ONE UEM to update application IDs in the UEM console.

Assign Content to Users

You must enable the Workspace ONE UEM console to assign redemption codes to users and devices. Select the applicable organization groups and smart groups to which to assign redemption codes.

  1. Navigate to the organization group where you uploaded the redemption code spreadsheet.
  2. Go to Resources > Apps > Native > Purchased.
  3. Select the application you want to assign.
  4. On the Orders Assignment tab, complete the following options.
    Table 1. Orders Assignment Tab Options - General
    Setting Description
    Redemption Codes On Hold Enter the number of redemption codes that you want to place on hold. Use this option to save the redemption codes for later use.
    SDK Profile If you use AirWatch SDK functionality, assign an SDK profile to the application.
    Add Assignment By

    Assign redemption codes to organization groups or smart groups.

    • Organization Group – Allocate redemption codes to an organization group. Select All Users to include all users in that organization group, or choose Selected Users to display a list of users in the organization group. Use the Add and Remove buttons to choose the specific users to receive the application.
    • Smart Group – Allocate redemption codes to a smart group by typing the name of the group. Options display and you can select the appropriate smart group from the list. You can create a new smart group, if necessary.

      • You can apply redemption codes to organization groups and to smart groups simultaneously. However, you can only specify the users for organization groups of the Customer type.
      • You cannot specify users for smart groups. However, you can edit the smart group so that it contains the necessary users.
    • Verify the information in the following columns for each assignment rule:

      • Users – View the number of users for the order.
      • Allocated – Enter the number of licenses to allocate to the selected users. Do not exceed the total number in the order.
      • Redeemed – View the number of licenses that have already been redeemed, if any.
    Table 2. Orders Assignment Tab Options - Deployment
    Setting Description
    Assignment Type
    • On Demand – Deploys content to a catalog or other deployment agent. The device user can decide if and when to install the content.

      This option is the best choice for content that is not critical to the organization. Allowing users to download the content when they want helps conserve bandwidth and limits unnecessary traffic.

    • Automatic – Deploys content to a catalog or other deployment Hub on a device upon enrollment. After the device enrolls, the system prompts users to install the content on their devices.

      This option is the best choice for content that is critical to your organization and its mobile users.

    You can only use On-Demand for custom B2B applications acquired using redemption codes.

    When the Assignment Type is Auto, only eligible Apple iOS 7+ devices receive the application or book automatically.

    Remove On Unenroll

    Set the removal of the application from a device when the device unenrolls from Workspace ONE UEM. Workspace ONE UEM enables this option by default.

    If you choose to enable this option, supervised devices are restricted from silent app installation because the device is locked and the provisioning profile installation is in the command queue which requires a device to be unlocked to complete the installation.

    If you choose to deactivate this option, provisioning profiles are not pushed along with the installed application. That is, if the provisioning profile is updated, the new provisioning profile is not automatically deployed to devices. In such cases, a new version of the application with the new provisioning profile is required.

    Removing an application when a device is unenrolled does not recover the redeemed code. When installed, the application is associated to the app store account of the user.

    Prevent Application Backup Deactivate backing up the application data to iCloud. However, the application can still back up to iCloud. This restriction will work only for managed Apps. It will not work for unmanaged Apps.

    Make App MDM Managed if User Installed

    Assume management of applications previously installed by users on their devices, supervised and unsupervised.

    Enable this feature so that users do not have to delete the application version installed on the device. Workspace ONE UEM manages the application without having to install the AirWatch Catalog version on the device.

    Use VPN

    Configure a VPN at the application level, and select the Per-App VPN Profile. Users access the application using a VPN, which helps ensure that application access and use is trusted and secure.
    Send Application Configuration

    Send application configurations to Apple iOS devices, so users do not have to configure these specified values themselves.

  5. Select Save when you finish allocating codes.

Application configurations are vendor-specific key-value pairs you can deploy with an application to preconfigure the application for users.

Redemption Code Information

Access information about your redemption codes so that you can manage and track your VPP deployments.

To access orders of applications you acquired using redemption codes, navigate to Resources > Orders > Redemption Codes.

  • View the availability status of the code.

    Table 3. Redemption Code Status Descriptions
    Status Description
    Available Identifies an available key code to use to distribute the purchased content. You can make this key code unavailable or delete it.
    Externally Redeemed Identifies a key code that was assigned and redeemed outside of the Workspace ONE UEM Purchased (VPP) system. You cannot perform actions for this key code.
    Redeemed Identifies a key code that was assigned and redeemed within the Workspace ONE UEM Purchased (VPP) system. You can make this key code unavailable or delete it.
    Unavailable Identifies a key code that was explicitly made unavailable for various reasons. Reasons include separating codes that you want to save for users who might not be in your Workspace ONE UEM deployment.
  • View each redemption code and the order number.
  • View the date the redemption code was redeemed.
  • View to whom the code is assigned.
  • Delete a redemption code.

Managed Distribution by Apple IDs

This method uses service token files, also called sTokens, to authenticate assignments. It allows you to assign license codes to Apple IDs to allocate content to devices, and the method supports the revocation and recycling of these license codes.

Introduction

With Apple's Managed Distribution system integration with Workspace ONE UEM, you can distribute your free and purchased Volume Purchase Program (VPP) applications and books. The managed distribution model uses service tokens (also called sTokens) to retrieve your VPP contents and to distribute them to devices using the Workspace ONE UEM console.

Revoke Managed Distribution Licenses

Workspace ONE UEM can revoke licenses for applications but it cannot revoke licenses for books.

Complete All Tasks For Managed Distribution by Apple IDs

For successful distribution of VPP content to end users, perform all steps of the deployment process. In return, end users must complete all steps on their devices to receive VPP content.

  1. Admins send VPP content to end users.
    1. Purchase content and download your sToken from the Apple iTunes Store.
    2. Upload the sToken to Workspace ONE UEM.

      You can use multiple sTokens within your Workspace ONE UEM hierarchy but you can only have one sToken in each organization group.

    3. Sync licenses to display the content in the console.
    4. Add the bundle IDs for custom applications. This action activates management.

      This step is unnecessary for non-B2B applications and books.

    5. Allocate licenses and assign licenses to smart groups, and enable eligible applications for device-based assignment, if applicable. Then publish managed distribution content with the flexible deployment feature.

      Publishing content triggers invitations to end users whose content is tied to their Apple IDs.

  2. End-Users accept invitations and receive content.
    1. Accept the invitation and register with the Apple VPP.

      This step is not necessary for device-based use. This step ensures that they have the terms of agreement for participating in the program.

    2. Obtain the license from Workspace ONE UEM.
    3. Install content from the catalog.

Users that have multiple Apple iOS devices must select and apply a single Apple ID to all the devices. If admins make content available on demand, then users can accept the invitation and join and register with the VPP. They install the content from the catalog to any of their devices.

Upload VPP sTokens to Retrieve Managed Distribution Licenses and Content

Apple uses Web services to manage license codes. The Workspace ONE UEM console accesses Apple's Web services with the service token, or sToken, you upload to the console. Workspace ONE UEM retrieves your VPP content with the license data on the sToken.

You can upload an sToken at the top Customer level and below. The Workspace ONE UEM system prompts you to register your sToken, so thatWorkspace ONE UEM can detect if the sToken is used in other environments.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > VPP Managed Distribution.
  2. Configure the following settings.
    Table 4.
    Setting Description
    Description Enter your VPP Account ID.

    Using your VPP Account ID as the description has several advantages.

    • If you use multiple sTokens, it identifies the correct account.
    • Reminds you the correct account when you renew the sToken.
    • Identifies the correct account to others in your organization who assume management of the VPP account.
    sToken Upload Select Upload to navigate to the sToken on your network.

    VPP accounts in Apple School Manager and Apple Business Manager can now be associated to locations to allow moving licenses from one VPP account to another. If an sToken that is associated to a location is uploaded, the location name is displayed in the console.

    Automatically Send Invites Send invitations to all the users immediately after you save the token. The invitation request users to join and register with Apple's VPP. Registration gives users access to the terms of use to participate in the program.

    Use the Message Preview option to review the invitation.

    If your environment includes VPP applications set to the Assignment Type, Auto, then Workspace ONE UEM sends invitations no matter how you configure this option. This behavior facilitates quick access to applications upon enrollment.

    Workspace ONE UEM automatically sends users of Apple iOS v7.0.3+ and macOS 10.9+ (if supported) an invite command when you enable this option. It does not send them an email message.

    You do not have to enable this option immediately. You can leave it deactivatedd and still upload your token. Return and enable this feature to send invitations to all the enrolled devices whose users have not yet accepted to join the VPP.

    For Device-Based VPP, deactivated this check box for the device-based VPP system because invitations are not necessary. If you assign a device-based VPP device to a regular VPP app (a user-based VPP app), devices still receive invitations.

    Message Template Select an email template for an email message invitation for Apple iOS devices on Apple iOS v7.0.0 through v7.0.2.
  3. Save the sToken and confirm the addition of the token.

Sync Managed Distribution Content

Workspace ONE UEM has two methods that sync-managed distribution content, by assets and by license.

The assets function syncs the metadata on an sToken and claimed licenses information. The license function syncs information for a single asset. It is useful for sTokens that contain thousands of licenses and you only want to sync the licenses applied to one asset.

  • Sync Licenses
    1. Go to the organization group where you uploaded the sToken.
    2. Navigate to one of the following areas.
      • Resources > Apps > Native > Purchased
      • Resources > Books > List View > Purchased
    3. Select the asset check box and select Sync Licenses option from the actions menu.
  • Sync Assets
    1. Go to the organization group where you uploaded the sToken.
    2. Navigate to one of the following areas.
      • Resources > Apps > Native > Purchased
      • Resources > Books > List View > Purchased
    3. Select Sync Assets.
    4. Confirm to register an sToken with Workspace ONE UEM, if applicable. The system prompts for registration if it detects an sToken is used in another environment.
    5. To select that the sync completed, refresh the screen.

      Workspace ONE UEM syncs purchased asset meta data and if there are claimed licenses, the system syncs for those assets of the claimed licenses. Workspace ONE UEM makes the sync features inaccessible until reconciliation completes.

Custom Applications and VPP

You can upload custom applications acquired through Apple Business Manager's Volume Purchase Program (VPP) to Workspace ONE UEM. Workspace ONE UEM works with the redemption code method and with the managed distribution method.

The ability of Workspace ONE UEM to manage custom applications, depends upon the VPP system used to get the applications.

  • Redemption codes – Workspace ONE UEM can install custom B2B applications bought using redemption codes on to devices. End users can install these applications on-demand, but Workspace ONE UEM cannot manage these applications. Upload custom B2B applications acquired with redemption codes like other applications acquired with redemption codes.

    Go to Redemption Code Method for details.

  • Managed distribution – Workspace ONE UEM can install custom B2B applications bought using managed distribution. End users can install these applications on-demand or you can push these applications automatically. Workspace ONE UEM can manage these applications. Upload custom B2B applications acquired with the managed distribution like other applications acquired with the managed distribution. However, between the sync-steps and assign-steps, activate management of the applications.

    • Go to Managed Distribution by Apple IDs for details on uploading applications acquired with the managed distribution.
    • Go to Activate Management of Custom B2B Applications for details to activate management.

VPP, Custom Applications, and Push Mode

Workspace ONE UEM can manage custom applications acquired with managed distribution codes but it cannot manage custom applications acquired with redemption codes.

The ability of Workspace ONE UEM to manage the custom application determines the push modes available to distribute the application.

Table 5. Push Mode Depends on VPP Management
VPP Method Management Ability Available Push Mode
Managed distribution

Manage

Workspace ONE UEM can manage custom applications acquired with managed distribution codes.

Auto

On-Demand

Redemption code

Cannot manage

Workspace ONE UEM cannot manage custom applications acquired with redemption codes.

On-Demand

Activate Management of Custom Applications

When you acquire applications from Apple's Volume Purchase Program (VPP) with managed distribution codes, Workspace ONE UEM automatically displays all metadata for all applications it deems as custom applications. The systems retrieve the metadata such as the icon, the name, and the bundle ID from an Apple metadata service for App Store apps (public and custom).

As an admin, you have the option to edit the metadata text box. The Bundle Id text box should be deactivated if the custom application information is retrieved from the content metadata service. Applications you do not activate for management display as Inactive in the UEM console.

Note:

To update to the latest version of a custom application, as an admin, you can navigate to the Resources > Apps > Native > List View > Purchased option and select the custom application from the purchased applications list view and click the UPDATE APP option. The devices with a lower version of the custom application installed automatically get updated to the latest version and the devices with the latest custom application version already installed have no impact.

Managed Distribution by Device Serial Number

If your VPP deployment consists of iOS 9+ or macOS 10.11+ devices, consider enabling the assignment of Volume Purchase Program (VPP) applications by device serial number. This method removes the need to invite users to the VPP.

Deploy device-based VPP applications using the outlined processes in Managed Distribution and Workspace ONE UEM.

Workspace ONE UEM does not migrate applications to the device-based system. VPP applications already assigned to Apple IDs remain assigned as such.

Benefits

The device-based system offers several advantages.

  • Users do not have to accept invitations and register with the VPP.
  • Admins with multiple sTokens in their VPP deployment do not have to manage invitations.
  • Admins do not have to manage Apple IDs.

Uses

Device-based assignment is the best choice for deployments in the following scenarios.

  • Shared devices with check-in and check-out systems
  • Corporate owned devices
  • Staged environments with one-device-to-one-user ratios
  • Devices in Workspace ONE UEM for Education deployment

The user-based system is the best choice for the following scenarios.

  • Multiple devices assigned to a single Apple ID
  • Need to conserve licenses

Supported Platforms and Operating Systems

Configure a supported OS to use the device-based method to distribute applications acquired through Apple's Volume Purchase Program (VPP).

  • iOS 9+
  • macOS 10.11+

App Eligibility

Developers of VPP applications must enable the applications for use in the device-based VPP.

Invitations

With the Apple ID removed from the process, the device-based method no longer relies on invitations to register Apple IDs. However, if a device meets the requirements, the system still sends invitations.

  • Device does not use iOS 9+ or macOS 10.11+
  • App is not enabled for device-based VPP use
  • Device receives a user-based VPP application
  • Automatically Send Invites is enabled in Workspace ONE UEM

Deploy Device-Based VPP

The process to upload device-based (serial number) applications is similar to uploading user-based (Apple ID) VPP applications. The only difference is that the device-based method does not involve sending invitations.

Important: Once an application is enabled for device-based use in the Workspace ONE UEM console, you cannot reverse its status and use it in the user-based system.
  1. Upload or register an sToken in the desired organization group in Workspace ONE UEM.

    Skip this step if you already have sTokens in Workspace ONE UEM

    1. If you do not want Workspace ONE UEM to send invitations to devices, deactivated Automatically Send Invites.

      Workspace ONE UEM prompts you to register an sToken with the Workspace ONE UEM environment. It sends invitations automatically for user-based applications that have an Auto push mode.

  2. Assign and publish device-based VPP applications with the flexible deployment feature

    During the assignment process, Workspace ONE UEM prompts you to enable applications for the device-based method with the setting Enable Device Assignment.

  3. Access license and application information using the Licenses page, the Device Details page, and the Manage Devices page.
  4. Revoke licenses with various management functions.
    • Unenroll devices.
    • Select the revoke action on the information pages (Licenses, Device Details, and Manage Devices pages).
    • Deactivate and delete assignments.
    • Remove devices from smart groups assigned to the VPP application.

Update Device-Based VPP Applications Manually or Automatically

Configure automatic updates or manually push updates to device-based VPP applications at the application level. This feature offers management of updates by Workspace ONE UEM or allows you to push updates as a way to control application versions.

This feature does not work for the managed distribution by Apple ID. The VPP application must be enabled for the device-based distribution, also called distribution by device serial number. For general information about the managed distribution method by device serial number, see Managed Distribution by Device Serial Number. This topic includes supported operating systems, benefits, and the need for no VPP invitations.

Note: The non-device-based VPP applications are tagged as Not Applicable, such VPP applications are not supported for this feature.

System Behavior on Initial Setup

The system automatically queues application installation commands at the time you first configure the Enable Auto Updates. Workspace ONE UEM stores the currently available application version number from the App Store in the database. Workspace ONE UEM can automatically trigger install commands for devices to perform application updates if they report a version below the currently available version from the App Store. Workspace ONE UEM system regularly checks the App Store for updates and records any new versions in the database to continue the process.

Update Challenge for Device-Based VPP Applications

Device-based VPP applications had update issues due to their disassociation from the Apple ID. Workspace ONE UEM developed a system to help with the updates of device-based applications. You can configure automatic updates or manually push updates.

Challenge

In the device-based VPP method of managed distribution, the device serial number is the connection between licenses and the application. It replaces the Apple ID. However, the update of the application is still tied to the Apple ID because the Apple ID is tied to the purchase history. Device-based applications can miss updates because the Apple ID is removed from the license-assignment process.

Solution

Workspace ONE UEM checks the app store for updates of your device-based VPP applications and identifies when updates are available in the UI.

Enable automatic updates for device-based VPP applications and Workspace ONE UEM updates these applications whenever it identifies an updated is available.

If you want to control the version of an application, leave automatic updates deactivated and manually push updates when needed.