The Volume Purchase Program (VPP) allows businesses and educational institutions to purchase publicly available iOS applications or specifically developed third party iOS applications in volume for distribution to corporate devices. This program is unique to Apple. There are two VPP deployment methods: Redemption code and License based. When registering users must select the need of their organization: Education or Business.
Registering for VPP
In order to start using the VPP from Apple, at first, a valid Apple ID needs to be created. Business enterprises should navigate to http://www.apple.com/business/vpp/ and Educational institutions should navigate to https://volume.itunes.apple.com/us/store. Once the required information is entered, Apple sends an email to the user with the instructions for the remaining Apple ID setup.
Versions of VPP
Apple offers two versions of VPP to choose from depending on the need of the organization. A business enterprise can use the Volume Purchase Program for Business and create a Business account and an educational institution can use the Volume Purchase Program for Education and create an Education account.
For a business, Apple requires a Dun & Bradstreet (D-U-N-S) number, business contact information (address, phone, email), and tax registration information appropriate to your country. When Apple has verified that information as part of the enrollment process, you can create a special Apple ID for your organization. Unlike personal Apple IDs that are used for almost every interaction with Apple, this one is specific to your VPP membership and is designed solely for purchasing content for distribution and facilitating distribution of custom business-to-business apps.
For a school, district, or college, the process is a bit different. An education administrator or IT leader must enter an individual Apple ID (Recommended to be a unique Apple ID created for this purpose) to begin the enrollment process. That person must submit contact information for the organization (address, phone, and an email internal to the organization—not a public email like Gmail or Yahoo Mail) and his or her supervisor, and tax registration information appropriate to the country where the school is located (if Apple already has such information on file for purposes like tax exempt status in the U.S. or Canada, an existing Apple customer number is acceptable). This information will be verified by Apple to ensure that the person submitting the information is authorized to enroll and manage a VPP account.
How does VPP work?
To register for Apple VPP, navigate to http://www.apple.com/business/vpp/ for Business or https://volume.itunes.apple.com/us/store for Education. Certain information need to be provided as part of the enrollment process.
- Business enterprises should provide their Dun & Bradstreet (D-U-N-S) number.
- The address, contact number and the email address associated with the educational institution or business enterprise.
- The tax registration information as per the geographical location where the institution or enterprise is located.
The enrollment is complete after Apple reviews and validates the information, and the Apple ID created is used to access the VPP account.
For educational institutions,once enrollment is complete,the individual who was authorized by the institution to enroll as the Program Manager for Apple VPP can login to the VPP site for Education. With the newly created Apple ID, the Program Manager can create accounts for Program Facilitators. The program facilitators are the ones responsible for purchasing apps and books on behalf of the institution.
The VPP store provides a streamlined process for purchasing apps and books.
- Navigate to https://vpp.itunes.apple.com/us/store.
- Log in with the VPP Apple ID created during the enrollment process.
- Search for the app or books in the VPP store.
- Once the app or the book is found, enter the quantity for purchase.
- Select the distribution method to assign, revoke and reassign the apps through the MDM.
- Complete the transaction using a corporate credit card.
- Download the Redemption code spreadsheet or the Authentications stokens from the VPP website.
The apps are distributed through the MDM to the users by either License Based Distribution or Order Based Distribution methods.
Order Based Distribution
Order Based Distribution method uses Redemption codes for distributing the apps. Redemption codes are assigned to individual users through a Mobile Device Management (MDM) provider. In this method, the codes once redeemed cannot be reused.If a user downloads an application using a code, the same code cannot be reused to download the app. Even if the user uninstalls the application, this method still does not permit the reuse of redeemed codes.
Using Order Based Distribution
The initial requirement for using the Order Based Distribution method is to download the Redemption code spreadsheet from the VPP website. This spreadsheet lists the unique codes of all the purchased apps and books. Every time, a code is redeemed, the spreadsheet is updated thus tracking the number of codes redeemed.
The steps for Order based distribution using Redemption codes are as follows:
- Download the Redemption code spreadsheet from the VPP website.
- Upload the Redemption code spreadsheet onto the AirWatch console. An application order is created in the AirWatch console.
- This spreadsheet is of the format .csv or .xls
- After saving the Redemption code spreadsheet, continue with the Product Selection form in the AirWatch Console.
- Locate the appropriate product.
- Select the organization group and smart group for which the redemption codes should be assigned.
- Select the assignment type.
- There are two assignment options available; Auto and On demand
- Auto - Users will receive a popup notification asking them to install an app. Users may select accept or deny. If accepted, they will be prompted to enter their Apple password so that an application can be downloaded from the Apple App Store (public and purchased applications). This is a requirement by Apple. If the passcode has been entered recently, the user will not receive a prompt. Supervised iOS7+ devices will not be prompted to select or accept an application installation. They will only be prompted to enter their Apple passcode.
- On Demand - User must open AirWatch App Catalog and click install. VPP apps are downloaded from the app store; therefore, the user may be prompted for a passcode (depends on when passcode was last entered). This is a requirement by Apple.
- Save the settings and Publish the app.
Note: Only iOS 5+ devices receive application automatically when Assignment type is Auto.
Note: Unused redemption codes can be converted to licenses. Customers need to contact Apple to do this.
License Based Distribution
Licensed Based Distribution also called as the Managed Distribution is the newer of the two VPP distribution methods. The license based distribution method uses the authentication tokens called stokens for distributing the free and purchased apps to iOS 7+ and macOS 10.9+ devices through MDM. With licensed distribution, the apps which were assigned to a user can be revoked and reassigned to another user if the current user leaves the organization or no longer needs the app. This allows the organization to have complete control and ownership on the purchased app. In addition, you can choose the license assignment: user-based or device-based. If you choose the device-based assignment, you can associate a license code directly with a iOS 9+ or macOS 10.11+ device, which will eliminate the need for users to enter their Apple ID to install the purchased apps.
Using License Based Distribution
The steps to setup license based distribution are as follows:
- Navigate to the VPP website.
- Download the stoken from the VPP website.
- Upload the stoken in the AirWatch Admin Console to acess Apple's web services. Apple uses web services to manage license codes.
- Choose either user-based assignment or device-based assignment
- If you use user-based assignment, AirWatch sends an invite via email or push notifications to the user’s device asking the users to log in to their apple account to join Apple's License Program for VPP.
- On the Apps & Books > Settings > Catalog > License Based VPP page, select Automatically Send Invites checkbox to send the invite immediately upon device enrollment.
- Users who did not accept the initial invitation to join Apple's VPP can be re-invited using the Manage Devices option from the actions menu at Apps & Books > Applications > List View > Purchased for applications or Apps & Books > Books > List View > Purchased for books.
- To choose device-based assignment, select Enable Device Assignment on the app's assignment page.
- If you are using device-based assignment for all purchased apps, you can disable Apps & Books > Settings > Catalog > License Based VPP > Automatically Send Invites. This will result in users not to be prompted to enter their Apple ID when installing these apps.
- Sync License on the console to sync all licenses and associated applications.
- This adds the apps that were bought using license codes and also the apps that were initially bought using redemption codes and were later re-bought using license codes.
- Syncing licenses can be in two ways:
- Syncing all licenses or recently purchased licenses - All licenses of an sToken can be synced. It is also possible to sync only those licenses that were purchased after the previous sync action. Syncing recently purchased licenses takes less time as there is no need to sync all licenses for the sToken.
- Syncing licenses by application - Licenses for particular applications can be synced using the Sync Licenses option from the application's actions menu. This feature is useful as there is no need to look through thousands of licenses to find those licenses that must be synced for an application.
- Assign the license codes to the Smart Groups.
- Select the Assignment type to install the application on the user's device.
- There are two assignment options available; Auto and On Demand
- Auto - The application is pushed automatically to the user's device.
- On Demand - The user is allowed to install the app on the device.
- If you are using user-based assignment for the app, the user accepts the invite and logs in using the personal Apple ID. Once the user logs in, the user’s device links to the AirWatch Admin Console server and the app is installed on the device.
With License based distribution, licenses can be revoked and reassigned to another user/device. License revocation takes place in the following scenarios:
- When the device is unenrolled
- When the device is deleted
- When the user is deactivated
- Deletion of:
- Organization Group (OG)
- Changes to Smart Groups
The details about licenses and the device ids can be retrieved from the deviceapplication.vpplicense table. When any one of the above mentioned scenarios take place, all licenses to be revoked are picked from the deviceapplication.vpplicense table and put into the deviceapplication.vpplicenseaudit table. Licenses are revoked on a scheduled basis, that is, the licenses are revoked when the scheduled job runs.
Custom B2B applications
Custom B2B applications are those which are not available in the App store but specifically developed by third party developers for enterprises with specific business need. These apps could be free or purchased at a price set by the developer.
Due to the updates in the Apple's VPP, Managed Distribution method, AirWatch can now deploy custom B2B apps to iOS 7+ and MAC OS X 10.9+ devices. It is distributed using the Managed Distribution method in the same way as free or purchased app. Unlike free or purchased apps, a placeholder is created for all Custom B2B apps as AirWatch cannot retrieve the metadata such as app name, icon and the associated Bundle Id for these apps. After entering the required information for these placeholders is when the app will be active and ready to be managed by AirWatch.
Before the functionality of sToken inheritance is understood, it is important to understand the terms Inherit and Override with regards to License Based VPP.
Inherit - A child organization group (OG) that has no sTokens of its own receives all the properties of the sToken uploaded at the parent OG.
Override - A child OG will surpass the settings of the parent OG by having its own sToken uploaded. The child OG not only has its own sToken properties but will also receive the properties of the sToken uploaded at the parent OG.
Customer is the highest organization group type where an sToken is uploaded. All the organization groups beneath the Customer can upload one sToken each and will also receive all the properties of the sToken uploaded at the Customer level. However, it is not mandatory for an sToken to be uploaded at the Customer organization group. As long as the Customer organization group exists, the organization groups beneath it will be able to upload the sTokens.
- Level 1
- First sToken is uploaded at the Customer OG.
- Level 2
- Child 1 - sToken is uploaded at Child 1 OG. It overrides the properties of the Customer OG's sToken. Child 1 has control over its own set of apps apart from the VPP settings and apps that were inherited from the Customer.
- Child 2 - No sToken has been uploaded for Child 2. It inherits all the apps and VPP settings from Customer OG.
- Level 3
- Grandchild 1 - No sToken has been uploaded at Grandchild 1 OG. Since its parent Child 2 is inheriting all the apps and VPP settings of Customer, grandchild 1 also inherits all the apps and VPP settings of Customer.
- Grandchild 2 - sToken has been uploaded at Grandchild 2 OG. It will have control on its own apps and VPP settings apart from the apps and VPP settings inherited from Customer.
- Level 4
- Great Grandchild 1 - sToken has been uploaded at the Great Grandchild 1 OG. It overrides the settings from Customer. It still receives the VPP settings and apps from Customer and also has control over its own VPP settings and apps.
- Great Grandchild 2 - No sToken has been uploaded at Great Grandchild 2 OG. It inherits the apps and the VPP settings from both Customer and Grandchild 2.