Apple’s Volume Purchase Plan (VPP) and License Management
What is VPP?
VPP, or more formally, Apple's Volume Purchase Program, is a mechanism by which an organization or institution can purchase macOS and iOS applications and books in bulk and provide these to their end users. The process revolves around creating a VPP administrator account, creating one or more VPP facilitator accounts, enrolling devices into the MDM (mobile device management) system, and assigning applications and books to the end users. More details on Apple's requirements and capabilities with VPP are available at the following two URLs:
VPP is supported in FileWave for both iOS and macOS. There are two mechanisms for assigning applications and books to clients - redeemable codes and managed distribution licenses. Redeemable codes provide a set of codes to be used for content distribution, but once given out, the content legally belongs to the owner of the Apple ID that redeemed the code. Managed Distribution provides licenses that can be associated and revoked, so the purchasing authority retains ownership of the license (with the exception of books, which are always owned by the person to whose Apple ID the license was distributed). This allows you to assign institutionally-purchased applications to end users as needed, then revoke the licenses for those apps at a specific time, returning the licenses to your control.
Differences between redeemable codes and managed distribution licenses
The original model for mass deployment of content was using redeemable codes. The VPP administrator purchased applications from the Apple VPP site. Apple provided a set of codes in a spreadsheet that could be downloaded. Those codes were then used to create an application Fileset for installation on managed devices, or were provided to the end user for them to redeem. Once a code has been redeemed, it cannot be reclaimed by the MDM administrator. VPP redeemable codes are available for applications and books. Note: With the current VPP system, free apps and books cannot be obtained with redeemable codes, only managed licenses.
It is also possible to have all of your redeemable codes exchanged for Managed Distribution licenses. This Apple Support article describes the process: https://support.apple.com/en-us/HT202863.
Apple's newer model for application license management allows you to assign licenses to users and revoke those licenses at a future date. This mechanism is called Managed Distribution and it applies to VPP purchases of any free content, applications, and books. When a license is assigned to a user, that user sees the item in their Purchases list, as well as in FileWave's Kiosk. When the application is no longer needed, or the user is no longer associated with that institution, the MDM administrator can revoke or remove the license. FileWave regains that license for distribution to another user.
Note: This process is only valid for applications since Apple requires all book distributions to be permanently assigned to personal Apple IDs.
Managed Distribution - user versus device assignment
Initially, Managed Distribution required association to a unique Apple ID for any deployed content. With the release of iOS 9 and OS X 10.11, VPP managed distribution licenses acquired the ability to be assigned directly to a device, provided the developer allows it. This method opens up a huge benefit in layered deployment models. Now an institution can assign core applications directly to devices in carts, labs, or even on 1:1 deployments.
How FileWave works with VPP
There are several approaches to using FileWave with VPP. The deployment workflows relate to the overall control of the application(s) to be deployed. The actual workflows discussed are covered in detail later in this Chapter.
Redeemable Codes - A Fileset is created that links to the App Store and provides a redeemable code for each device that is associated with that Fileset. When the user accepts the installation, the code is redeemed against that user's Apple ID. The code, once redeemed, belongs to the end user and cannot be retrieved by the FileWave administrator. If the user refuses the installation, the code is reserved for the next 24 hours against that device, then it is returned to the pool for that Fileset. Note: Under OS X, all application associations must be done as Kiosk items.
Managed Distribution licenses - For the managed distribution method, FileWave doesn't manage users directly; but associates users with specific devices. All of this is done through the linkage of an Apple ID and the FileWave MDM. Whether you use individual Apple IDs, in the case of a BYOD or full 1:1 deployment, or institutional Apple IDs in the case of a managed lab or cart, the application licenses remain under your control.
If you assign the licenses to devices, there is no longer a requirement to match an Apple ID with the device. You can, for example, use a generic LDAP or fixed MDM authentication account to enroll the device(s), then just configure your Filesets to be assigned to the device.
When you assign or associate Apple Store content through a Fileset to a user's Apple ID, the end user will see that content in their Purchases in the App Store.
For iOS devices, you could use Apple Configurator to prepare, and possibly supervise, the device; then turn it over to an end user to add their own content using their personal Apple ID. You could use VPP direct device association to place the applications onto the device, then let the user add items as they see fit. With this model, you, as the FileWave administrator, would be responsible for maintaining the institutional content and software, while the end users would be responsible for any applications and content they install.
Setting up your FileWave server for VPP
In order to provide your users with content from VPP, you need to establish an institutional VPP account and link that account with your FileWave server. If you are an educational institution, you need to follow the steps provided by Apple on setting up VPP for Education: http://www.apple.com/education/it/vpp/. If you are a business or enterprise customer, you need to use the VPP for Business instructions: http://www.apple.com/business/vpp/. Once you have your VPP account, you are ready to configure FileWave for VPP support.
Important - Ensure you do not have another VPP system, such as Apple's Profile Manager or Apple Configurator, active with your VPP token when you set up FileWave for VPP. This will cause problems with your ability to manage VPP user accounts.
Set the VPP token(s)
When you signed up for your VPP account, you were provided a coded token that allows you to configure FileWave for VPP. Use the instructions in Chapter 2 to configure your FileWave Admin Preferences for VPP.
Synchronize data with the VPP server for VPP
Once your token(s) are active, the FileWave Server will automatically synchronize with Apple's VPP service. Depending on how many items you have in your purchase list, this process may take a while. When you have synchronized your VPP data with your FileWave Server, you should see any VPP Managed Distribution purchases listed in the License Management section of FileWave Admin.
The first time after you set up VPP, you can force a full synchronization by holding down the option key, and clicking on the Synchronize button.
You should see entries in the License Management view that match your purchase history.
Note: Only VPP Managed Distribution licenses will be displayed here. The older VPP Redeemable Codes, if you have any, will still be located in the "VPP Code Management" assistant in FileWave Admin. When you purchase redeemable codes, you must download the spreadsheet and import it into FileWave using this assistant.
Adding licensed applications to your FileWave Server
The process of adding content for VPP code redemption or managed distribution is extremely simple. When you purchase any content in the VPP Store, upon a VPP sync with your FileWave server, the items will appear in your License Management pane. First, you make your purchase in the VPP Store:
Once you receive confirmation that the purchase is completed, you can force a sync of VPP in your Preferences, or wait for the overnight sync. In FileWave Admin, go to the License Management pane and click the Refresh button in the toolbar. You will get the following dialog:
That dialog tells you that your purchase information has been loaded into FileWave; but there is no corresponding Fileset. At this point, you should click on Yes and follow up by updating the Model to refresh the database. You will be taken to the Filesets pane, and your new VPP application Fileset will be waiting:
Back at the License Management view, it will display the new license:
At this point, you can begin associating the new content with your enrolled devices.
VPP and iBooks
If you purchase managed distribution licenses, you have control over the assignment of those licenses to end users, regardless of the deployment model. The one exception to this is with books. Free books can only be provided with managed distribution licenses, yet the item becomes permanent property of the assigned user. Books available for a cost do allow the use of redemption codes; but the same rules apply - books cannot be revoked or reassigned. Books must also be assigned to personal Apple IDs; they are not allowed to be assigned to institutional Apple IDs per Apple's legal guidelines, nor can they be assigned to devices.
Manually creating Filesets from VPP managed distribution content
By default, your VPP managed distribution license purchases should automatically show up in License Management, and upon a Refresh of the pane, you should get a dialog asking you to create a Fileset for your purchases. If, however, you have items that are displayed in the License Management pane, and they do not have a corresponding Fileset, you can manually correct that problem.
Create a mobile Fileset for a managed content item
All VPP purchases now appear in License Management as soon as the FileWave server syncs with the Apple VPP site. The first time you access this area after setting up your FileWave Server, you will get a dialog box telling you that a Fileset can be created for each of the licenses. You can also right-click on any purchase and create a Fileset.
Redeemable codes
For redeemable codes, you will need to download the code spreadsheets. Log into your VPP account online, and select your Purchase History. For any content that you purchased using redeemable codes, you will see that you are able to download the codes in the form of an .xls spreadsheet. Note: This spreadsheet will always be kept up to date on the VPP site. As you, or your users, redeem codes, the online spreadsheet will be updated to show remaining codes.
Once you have downloaded the spreadsheet(s) as needed, you will need to go to Assistants / VPP Code Management. This pane is used only for linking redeemable codes to Filesets. You have two methods for bringing codes into FileWave Admin, by importing the spreadsheet or manually entering the code information.
The Import Spreadsheet… method is quite simple. Select the Fileset (if there are multiple Filesets for a purchased item, just pick one), then click on the Import Spreadsheet… button, locate your downloaded VPP .xls file, and import it. The dialog box tells you to verify that the codes you are uploading into FileWave Admin match the item you want to link them to. You will get errors if you try to match codes to the wrong content, or try to import an older spreadsheet into the set once you have begun redeeming codes. Once you have imported codes, you will see them listed next to your selected Fileset.
The Import Manually… button lets you import a custom text file you create. The format is the URL as you would see it on the App Store or on the VPP spreadsheet, or just the redeemable codes. For example, the file custom_codes.txt could look like this:
https://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/freeProductCodeWizard?code=Y6XJ69TFXDEJ
Y4XJ69HYTFEB
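Because a redeemed code cannot be reclaimed, it is worth checking a hand-built code file before importing it. The following pre-import check is an added example, not part of FileWave or of this manual; the function names, the 12-character code pattern (inferred only from the two sample codes above) and the https-only rule are assumptions, and the sample input is constructed.

```python
"""Pre-import check for a manually built redeemable-code file (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: codes are 12 uppercase letters/digits, inferred only from the
# two sample codes shown on this page; adjust if your spreadsheet differs.
CODE_RE = re.compile(r"[A-Z0-9]{12}")
# Host taken from the redemption URL shown on this page.
EXPECTED_HOST = "buy.itunes.apple.com"


def extract_code(line):
    """Return (code, None) or (None, reason) for one line of the file."""
    text = line.strip()
    if text.lower().startswith(("http://", "https://")):
        parts = urlsplit(text)
        # Local policy choice of this example: only accept https links.
        if parts.scheme != "https":
            return None, "URL is not https"
        if parts.hostname != EXPECTED_HOST:
            return None, "unexpected host %r" % parts.hostname
        values = parse_qs(parts.query).get("code", [])
        if len(values) != 1:
            return None, "URL must carry exactly one code parameter"
        text = values[0]
    if not CODE_RE.fullmatch(text):
        return None, "not a well-formed code"
    return text, None


def check_code_file(lines):
    """Split lines into unique codes and rejected (line_no, text, reason)."""
    codes, rejected, seen = [], [], set()
    for line_no, line in enumerate(lines, start=1):
        if not line.strip():
            continue  # blank lines carry no code
        code, reason = extract_code(line)
        if code is None:
            rejected.append((line_no, line.strip(), reason))
        elif code in seen:
            rejected.append((line_no, line.strip(), "duplicate code"))
        else:
            seen.add(code)
            codes.append(code)
    return codes, rejected


# Constructed sample input; none of these are real codes.
SAMPLE = """\
https://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/freeProductCodeWizard?code=AAAA1111BBBB
CCCC2222DDDD
https://buy.itunes.example.net/WebObjects/MZFinance.woa/wa/freeProductCodeWizard?code=EEEE3333FFFF
AAAA1111BBBB
cccc2222dd
""".splitlines()

if __name__ == "__main__":
    good, bad = check_code_file(SAMPLE)
    print("importable:", good)
    for line_no, text, reason in bad:
        print("line %d rejected (%s): %s" % (line_no, reason, text))
```

Treat the code file itself like a credential store: anyone who can read it can redeem the codes against their own Apple ID.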
A benefit of using FileWave for working with redeemable codes is that you don't need to break down your spreadsheets into separate sections to match the different sets of the same content you plan to deploy. You can just select the number of codes you want to assign to a specific Fileset and drag those codes onto that Fileset. This example shows dragging one code from the main Fileset for Digits onto the Fileset meant for the testing team.
Managed Distribution Licenses
The managed distribution content licenses are treated as part of a pool. When you look at each Fileset's details, you can see the status of your licenses:
You will be required to track the usage of your licenses to avoid exceeding your allowed limit. If you distribute more copies of an item than you have licenses for, you will get installation errors.
VPP Managed Distribution User Management
The most complex portion of the VPP Managed Distribution system is the interaction of the end user and the VPP license architecture. The process is as follows:
- User agrees to link their Apple ID with your VPP MDM server
- The MDM server associates managed distribution content licenses with a linked user
- The user sees all assigned content in their own Apple ID-based purchases in the iTunes/App Store
- If the user has auto-install enabled, the content automatically appears on the user's device(s)
- If/when the MDM systems administrator revokes a license, the end user may be allowed up to 30 days to continue use of that application while the MDM systems administrator regains use of the license for another distribution. That timeframe is entirely up to the application developer. It is not a value that you can set or change. You would need to check with the specific app developer to get their assigned revocation timeframe.
- If the user purchases the revoked application within the developer allotted timeframe, they maintain all of their sandboxed content. If not, the application and content are deleted (iOS only).
Note: Never use your VPP account Apple ID for personal purchases.
Creating users for your devices
Apple's VPP manages licenses that are either assigned to a device, or assigned to a specific user's Apple ID. In the Assistants / VPP User Management pane, you can see all of your enrolled devices, and a list of VPP users.
In the upper left is the list of enrolled devices. In the upper right is the list of VPP users you need to create. The lower portion of the window displays the device and users who are associated with each other for management purposes.
Note - You do not need to do this process manually for a population of several thousand users. FileWave provides the ability for you to link your LDAP directory and your enrolled devices together automatically.
The option exists to have a VPP user created automatically as each device enrolls. When doing batch rollouts of iOS devices, this may be your best option.
Note: If you use only VPP device assignment, and do not assign licenses to any unique users, you will not need to work with the VPP User Management pane. FileWave assigns a "ghost" VPP user account to each device to handle device assignments. You cannot see these accounts and will not need to manage them.
In the VPP User Management pane, we can manually assign a new VPP user for each device. This will give us a VPP user account with blank fields:
The VPP Client User ID is a construct that is used by FileWave to facilitate the association of a device - which FileWave can manage - to an Apple ID - which belongs to a user. The account is unique, and has one of three states: registered, associated, or retired. Registered means that the account is assigned to your FileWave MDM by Apple. Associated means that the account is linked to an Apple ID through an iTunes ID hash and the user can have licenses assigned to them. Retired means that all licenses assigned to that VPP Client User ID are revoked and can be used again.
An Apple ID can be associated with multiple VPP Client User IDs, but only one VPP Client User ID can be associated with an enrolled device. It also allows users with multiple iOS/macOS devices to have a single VPP Client User ID associated with those devices.
If you link your LDAP accounts to FileWave, then the directory service will have the users associated with a VPP account. This will fill in those blanks, and make the next step easier. LDAP authentication is covered in Chapter 3.
Inviting users to the FileWave MDM VPP
Apple requires the end user to actively link their Apple ID to your FileWave MDM. You must send an email to each VPP user account after you have provided their email address. Click in the Email Address field for the VPP user account and enter a valid email address. This does not need to be a user's Apple ID email address, just an address where the user can get a VPP MDM request.
Once you have entered a valid email address, the button to send an invite to the user will be active.
The user will get an email asking them to activate the link to their "VPP organization;" i.e., your FileWave MDM server. This email account does not need to be the email that person uses for their Apple ID. It can be an internal email address used within your organization/institution, or any common email address the user may provide.
Once the user clicks on the link to the iTunes Store, authenticates with his or her Apple ID, and gives permission, the user will get notified that he/she can now be provided with content from your FileWave MDM.
This process links that user's Apple ID to your FileWave MDM so that you can assign applications and content to them. You will never see the user's Apple ID (unless they give you the email account they use for their Apple ID as their contact email). What you will see, as proof that this has occurred, is an iTunes ID hash in the VPP User Management window.
If you are doing this as part of a BYOD or 1:1, this process can be sped up by having the end users register themselves with FileWave. An enrolled iOS device will have the App Portal installed. When the user opens the App Portal he/she will be greeted with a dialog asking them to register their Apple ID: This is just like the above process; i.e., they authenticate to the iTunes Store and give permission for the linkage.
FileWave and macOS VPP users
The process for macOS computers and users is almost identical to that of iOS users. When you add a macOS computer as a FileWave Client, it will show up in the Manage VPP Users… window.
Note: Direct device assignment is still an "in-progress" thing with OS X. Full functionality from Apple will be available in a future release.
You still have to go through the user assignment process unless you automated that in the VPP preferences. The user email will have to be entered unless the user logged into the device with an LDAP account and that account had a valid email account attached. If so, you can have the FileWave server automatically send off an invitation to associate that user with the FileWave VPP. Whichever process you use, the end user will still have to agree to associate with your system. Once that is done, you will be able to assign applications and books to that user through Filesets linked to the VPP managed distribution system. Here's the final view of the Kiosk and the App Store after some Filesets are associated with the client.
Retirement
Note: If you retire a VPP user account, it cannot be used again. We suggest that you DO NOT test "retiring" VPP user accounts on actively enrolled users.
Where OS X VPP differs
One key difference between iOS and macOS VPP managed distribution is in the way the applications are installed. You will be asked on the client if you want to turn on automatic application installs; but it refers to apps downloaded onto other devices. What that means is if the end user has a single device, they will get apps showing up in their App Store / Purchases section and those apps will not automatically install on the device. The user must do the installation manually.
This also affects Kiosk operations. If an application is in the Kiosk, just selecting it and telling it to install may not result in it showing up in the user's Applications folder - until they go to the App Store / Purchases list and install it from there.
Revoking licenses using FileWave MDM with VPP managed distribution
When a user is no longer part of an institution, or is no longer working on a project or class that requires a costly application that you have a limited number of licenses for, you can revoke the managed distribution license for that application and return it to FileWave's inventory.
The process is the same as you may have already used to remove any other assigned item to a managed device with FileWave - you merely dis-associate the Fileset. Once the model has been updated, you will see the application licenses returned to your license management pool. The behavior of the application on the client device is dependent on the way the application developer designed the revocation settings into the app. A developer can set the app to continue to exist for up to 30 days on a user's device. This also means that the application will remain in the user's purchased list in iTunes.
Note: macOS computers may take several minutes before noticing the applications are no longer assigned to them. In some cases, if the user has both an iOS and macOS device associated with your VPP system, you may see notifications pop up on the iOS device before the macOS computer gets the word.