Apple’s Volume Purchase Program (VPP) lets you easily purchase and manage bulk licenses for apps. JumpCloud lets you assign those licenses to your macOS and iOS managed devices and device groups, and reclaim licenses when you unbind devices and device groups. Managing software remotely for your MDM-enrolled devices saves you time and helps control App Store purchases.
This article uses the term iOS devices to include iPhones and iPads.
Prerequisites:
- An account with Apple Business Manager (ABM) or Apple School Manager (ASM) is required, with the role of Administrator or Content Manager.
- Mobile Device Management (MDM) is configured for your organization. See Set up Apple MDM.
- If you want to manage VPP apps on user enrolled devices, make sure the prerequisites in Add Personal Apple Devices to MDM with User Enrollment.
Considerations:
- Using the App Store Restrictions Policy can prevent VPP app deployments from installing.
Setting up VPP
Configuring VPP requires two steps:
- Set up VPP by connecting your organization to Apple’s VPP by uploading a location’s VPP token to JumpCloud. This requires you to download a token from ABM or ASM and upload the token to JumpCloud.
- Purchase licenses from the App Store and Apple Books for the apps you will distribute.
To set up VPP:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > MDM.
- Select Apple, then select VPP. The Configure VPP page is displayed.
- Click add token to connect your organization’s MDM server to Apple’s VPP. If you are adding a second location for your organization, click add new.
- In the Configure Apple’s VPP page, click sign in to Apple Business Manager under Sign in to Apple to download a token for your MDM server. If you have an education account, click sign in to Apple School Manager.
- In ABM or ASM, select your profile name.
- Select Preferences, then select Payments and Billing.
- Under Server Tokens, hover over the token for your site, then click Download token.
- Locate the token, which was saved locally.
If you do not see a screen similar to above, but instead see a page under Apps and Books with a Get Started button, click that button and follow the prompts. You will then have access to your token.
- In the JumpCloud Admin Portal, under Upload the token to JumpCloud, click Browse or drag and drop the server token for your MDM server. You can only upload a token once.
- Click Complete. Your organization’s token appears in the VPP tab. The token is valid for one year.
Managing VPP Tokens
To manage your VPP tokens:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > MDM.
- Select the VPP tab.
- Select the VPP token for your location and click actions.
- To renew your token for one year, choose Renew Configuration.
- In the Renew Apple’s VPP page, click sign in to Apple Business Manager under Sign in to Apple to download a token for your MDM server. If you have an education account, click sign in to Apple School Manager.
- In ABM or ASM, select your account at the bottom-left, then select Preferences from the pop-up menu, then select Payments and Billing from the main panel.
- Under My Server Tokens, find the token for your location, then click on it to download the VPP token.
- Click Save to save the token locally.
- Click Replace if your token already exists in the same folder.
- In the JumpCloud Admin Portal, under Upload the token to JumpCloud, click Browse or drag and drop the server token for your MDM server. You can only upload a token once.
- Click complete. Your organization’s token appears in the VPP tab. The token is valid for one year.
If you see see an "Unable to upload file!" error message, double check that you are renewing the correct VPP token. The token name in AMB or ASM should match the name of the token listed in the JumpCloud Admin Portal.
- To remove JumpCloud’s connection to this token, select the location, click actions, and choose Delete configuration, then click delete again.
- Deleting a location’s token removes all the location’s apps from JumpCloud and will no longer be managed by JumpCloud. Deleting the token removes the token in JumpCloud, but does not remove the token in ABM or ASM.
- Deleting a location’s token removes all the location’s apps from JumpCloud and will no longer be managed by JumpCloud. Deleting the token removes the token in JumpCloud, but does not remove the token in ABM or ASM.
Managing VPP Apps
Purchasing Licenses
You can buy licenses for apps that are available in the App Store.
To purchase licenses for an app:
- Sign in to ABM or ASM.
- Select Apps and Books, then locate and select the app you want to purchase.
- Under Buy Licenses, choose the location where the license will be assigned.
- Enter the number of licenses you want to purchase and click Get. The app is added to your MDM App Repository during the daily sync.
The list of VPP apps might contain multiple copies of the same software if it is associated with multiple locations.
Installing Apps & Redeeming Licenses
To install VPP apps on devices:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Software Management.
- Select Apple.
- Click refresh list to see the list of purchased macOS/iOS apps available for your organization. The list displays Supported Devices, Location Name, and Command Status for each app. If needed, you can also search for an app. You can also filter your search by supported device families or location name.
The Command Status column shows the number of successful results out of the total number of pending actions. A status may not register as successful yet if it is still queued or if there was a communication interruption. See Installation Status for further details.
- Select the app you want to install. Learn more about the app by clicking view in app store on the Details tab.
- Verify that there are enough available licenses. The Details tab displays the available number of licenses and the total number of purchased licenses.
- (Optional) To supply a managed configuration for an app, select Supply Configuration and enter the AppConfig XML file for the app. The XML is not validated, but needs to be a valid SML property list in AppConfig format. For more information on AppConfig, visit the AppConfig Community.
- (Optional) To keep the application patched as updates become available, select Automatically keep up to date. Applicable devices will be requested to install the latest version when the application has an update.
- Updates, including frequency and availability, are subject to Apple and the App Store.
- If this option is not selected, then the latest version available in the App Store is installed at the time the application is bound to the device, and the application will not be updated post-install.
- To deploy the app to all devices in a device group, you can bind the app to a group.
- Select the VPP app you want to install.
- Select Device Groups.
- Select the checkbox for each device group that will access the app.
- Click save, then click save again. The app is now available on the devices that belong to the device group.
- To deploy the app to specific devices:
- Select the VPP app you want to install.
- Select Devices.
- Select the checkbox for each device that will access the app.
- Click save, then click save again. The app is now available on those devices.
Use the device panel’s Apps tab to see the Apps installed on the device (for macOS or iOS devices only).
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices.
- Select the device, then select Apps to see the installed apps, location, device family, and app status.
When you assign an app to a device that is device enrolled, the license is assigned based on the device serial number - use of multiple devices will require multiple licenses. When you assign an app to a device that is user enrolled, the license is assigned based on the user’s MAID (Managed Apple ID) - use of multiple devices will only require one license. See the table below.
Enrollment Type | Licenses Redeemed on Binding | Devices That Can Use the Redeemed License | Number of Licenses Reclaimed When App Unbound | |
---|---|---|---|---|
User (Managed Apple ID) | User Enrollment | 1 | Multiple | 0 unless unbinding app from user’s last user enrolled device |
Device (Serial Number) | Device Enrollment or Automated Device Enrollment | 1 | 1 | 1 for each device unbound |
Understanding App Management Authority
When installing a VPP application that already exists on a user's device, the success of the install and who ultimately manages the application will depend on the type of device and how it is managed. When an admin installs a VPP app on a device, and wants the VPP version of the app to have control, the following scenarios need to be considered:
- on macOS: Installation will fail and report as failed in JumpCloud because a VPP app can’t be installed over a user-installed app.
- on iOS (Supervised): Installation will succeed and report as success.
- on iOS (Device Enrolled, Company Owned): Installation may succeed, but will require user consent. JumpCloud will report a success or failure based on the user’s approval or denial, respectively.
- on iOS (User Enrolled): Installation will fail and report as failed in JumpCloud because a VPP app can’t be installed over a user-installed app.
Checking the Install Status of Apps
- In Software Management, select the app and select Status.
- View the Status column to see the installation status:
- Install Pending – The app is queued for installation.
- Command Sent – The install command was received by the device.
- License Failed – There are not enough available licenses.
- Command Failed – The installation command was sent but the installation might have been interrupted due to communication issues.
- Uninstall Pending – This device has not responded to the request to remove the device and reclaim the license. The task will be completed at the next check-in.
- Uninstall Success – The device has been removed and the license reclaimed.
- Click View to see more details about the status of the installation, including Status Details and software version installed.
- If needed, you can retry for these statuses: Command Sent, License Failed, and Command Failed.
- Retrying an installation will send the install command a second time, which may result in errors if the command was recently sent.
- If an installation fails, you might need to purchase more licenses. Verify that you purchased enough licenses. See Purchasing Licenses to learn how to purchase licenses for your apps.
- A command will fail if the app is already installed on the end user’s device (status code 12025). When the user has uninstalled the application from their device, you will see the retry option from the command results.
- The Command Timestamp column shows the last action time, which will help determine if you should retry for a more recent version.
- If needed, a bulk Retry Command action is available on the Status tab.
- Select devices with the checkboxes or select all by selecting the top checkbox.
- Any devices with the status of Command Sent or Command Failed will be resent.
- To view available license counts:
- Select the Apple app.
- Select Details. The available number of purchased licenses displays, as does the total number of available licenses.
Reclaiming App Licenses
Reclaiming licenses presumes you have unbound a VPP app from a device.
To unbind a VPP app from a device or device group:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Software Management.
- Select Apple.
- Select the desired VPP app.
- From the Devices or Device Groups tab, unselect the devices or device groups where you no longer want to manage the app and click Save.
- On the Manage software associations prompt, read through the implications and click the checkbox to acknowledge the following:
- You will unbind the software from the selected devices.
- This will not uninstall the software from the devices.
- The software will no longer be managed by JumpCloud on the devices.
- Click Unbind to proceed.
After you reclaim a license, you can apply it to another managed device. Users can continue to use free apps even if the license gets reclaimed from their device. When using a paid app, the user can use the app until the app updates, at which time they will be asked to repurchase the app.
To reclaim iOS licenses:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Software Management.
- Select Apple.
- Select the desired VPP app.
- Review the number of available and used software licenses in the Details tab.
- Click reclaim licenses to get licenses that were released by Apple and other licenses used by unknown serial numbers.
- If the iOS device is Device Enrolled, unbinding an app from a device will reclaim the app license.
- If the iOS device is User Enrolled, unbinding an app from a device will remove the app from the device and only reclaim the license if the app is not tied to any other user enrolled devices associated with the user account. Refer to the table above.
- View the number of available and used licenses. If the available and used license count stays the same, you might need to buy more licenses from ABM or ASM. See Purchasing Licenses.
To reclaim macOS licenses:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Software Management.
- Select Apple.
- Select the desired VPP app.
- Review the number of available and used software licenses in the Details tab.
- Click reclaim licenses to get licenses that were released by Apple and other licenses used by unknown serial numbers.
- View the number of available and used licenses. If the available and used license count stays the same, you might need to buy more licenses from ABM or ASM. See Purchasing Licenses.