The Apple Volume Purchase Program (VPP) allows organizations to purchase apps in volume to distribute to their managed devices. Using ZENworks, administrators can easily distribute, reclaim, and reassign iOS apps using the existing Bundles workflow. Your organization might possess multiple VPP accounts. ZENworks can distribute licenses from multiple such VPP accounts to both iOS devices.
ZENworks lets you purchase and distribute VPP apps using the Apple Deployment Programs account and Apple Business Manager. In Apple Deployment Programs all licenses are linked to the email ID of the VPP purchaser and it uses an account-based token (hereafter referred to as legacy token within this document). Whereas, in Apple Business Manager all licenses are linked to a location and it uses a location-based token. ZENworks lets you associate a location-based token to an existing subscription and ensures that all existing bundle assignments work seamlessly with Apple Business Manager.
If you have already enrolled in the Apple Deployment Programs account and want to upgrade to Apple Business Manager, then before migrating, it is recommended that you review the best practices for migration by referring to both the Apple Support documentation (for general information on the migration process) and the Migrating to Apple Business Manager section (for information on migrating to a location-based token in ZENworks) within this guide. This will ensure that Apple Business Manager works seamlessly with ZENworks and the existing bundle assignments are not affected.
IMPORTANT:If you are purchasing VPP apps using Apple School Manager, ensure that the Content Manager role is assigned to your Apple School Manager account. For more information, see the Apple School Manager Help.
To help ZENworks distribute the apps purchased through the Apple VPP, you need to create an Apple VPP Subscription in ZCC. This will enable you to link your ZENworks Server to the VPP account to retrieve all apps purchased through the VPP account.
NOTE:Before creating an Apple VPP Subscription, ensure that an MDM role is assigned to at least one of the ZENworks Primary Servers. For details, see Configuring an MDM Server.
While creating a subscription, you can also define a schedule based on which bundles for these purchased apps will be automatically created by ZENworks.
You can enroll in either of the following programs
Apple Deployment Programs account: Navigate to deploy.apple.com and create your program agent account. For more information, see the Apple Documentation.
Apple Business Manager: Navigate to business.apple.com to create your Apple Business Manager account. For more information, see the Apple Documentation.
On the Getting Started with Mobile Management page, navigate toand click . Alternatively, click > > .
Selectand click .
Fill in the fields:
Subscription Name: Specify a unique name for the subscription.
Folder: Browse to the folder in which the subscription will be created. By default, the subscription will be created in the /Subscriptions folder.
Description: Provide a short description for the subscription. This description is displayed on the subscription’s Summary page. Click.
On the Configure Apple Volume Purchase Program page, perform the following:
Download the Apple Volume Purchase Program Token: You can download and link either of the following tokens:
For legacy tokens, click Appleto sign in to the Apple VPP portal using the Apple Deployment Programs account. Download the VPP token from the Account Summary page of the Apple VPP portal.
For location-based tokens, click Appleand sign in using your VPP account credentials. Download the specific location-based VPP token by navigating to Settings > Apps and Books section.
Link ZENworks to the Volume Purchase Program server: In ZCC, browse and upload the VPP token. The following information that is associated with the token is retrieved:
Organization: The name of the organization that has subscribed for the Apple VPP.
Country Code: The country code associated with the Apple VPP token.
Apple ID: The Apple ID associated with the Apple VPP token.
Email: The email address associated with the Apple VPP token.
Location ID: The unique code associated with the location-based token. This is applicable only for Apple Business Manager accounts.
Location Name: The name of the location associated with the location-based token. This is applicable only for Apple Business Manager accounts.
Token Expiry: The expiry date of the Apple VPP token.
After the token is successfully uploaded and linked to ZENworks, any existing licenses associated with the token are reset and the associated users, if any, are also retired. If the token is already in use by another MDM solution, then ZENworks will notify with an appropriate message, after which you can clickto link the token with ZENworks.
If the token was previously used by a subscription (that is deleted but its bundles are retained) within the ZENworks zone, then the new subscription will reflect the licenses already consumed. This is achieved by reconciling the VPP account of the new subscription with the one of the deleted subscription.
For each app purchased using the Apple VPP, ZENworks retrieves the app details from Apple and creates iOS bundles, which can then be distributed to users or devices. On the Bundle Creation Settings page, click the browse icon to select a folder location where you want the iOS VPP bundles to reside. Within this folder location, another folder with the name of the subscription is created, within which bundles will reside.
You can also configure additional app settings for these bundles:
Allow ZENworks to take ownership of the app, if the app is already installed on the device: If the app is already installed on the device, this option allows ZENworks to now manage the app. This option is checked by default for all VPP bundles and cannot be modified.
Retain app on the device after unenrolling the device from the ZENworks Management Zone: Retains the app on the device if the bundle is unassigned or deleted, or if the device is removed from the zone. This option is unchecked by default for all VPP bundles and cannot be modified.
Prevent backup of app data to iCloud: Prevents the backup data of apps from getting synced with iCloud. You will not be able to retrieve the app data if the device has unenrolled from the zone.
Create Bundle as Sandbox: Creates a Sandbox-only version of the bundle. A Sandbox version of a bundle enables you to test it on your device before actually deploying it. This option is selected by default for all VPP bundles.
From thedrop-down list, choose one of the schedule types. Based on the specified schedule, ZENworks retrieves the latest apps associated with the VPP account. Subsequently, bundles are created for only those apps for which bundles are yet to be created.
You can also select thecheckbox, which will re-direct you to the Apps Catalog page. Click to complete creating the subscription.
After creating the subscription, you can view its status in thesection of ZCC. and statuses indicate that the process to claim management of the VPP account from another MDM solution is either in progress or has failed. If the claim fails, ZENworks will retry until the claim is successful. However, if for any reason the status remains as > for a substantial period of time, then it is recommended that you delete the subscription along with its bundles and create a new subscription.Until the claim is successful, you will be unable to perform actions such as creating bundles, with this subscription.
IMPORTANT:Any replicated content objects, such as bundles that are associated with Apple VPP Subscriptions should not be shared across multiple zones.
ZENworks creates VPP bundles based on theselected while creating the Apple VPP Subscription. However, if you have not specified a schedule or if you want to create bundles immediately, then you can perform any of the following actions:
Clickby navigating to > > or by navigating to the Summary page of the Apple VPP Subscription. These actions initiate a sync between Apple and ZENworks to retrieve the latest apps. Subsequently, bundles are created for these apps.
Click Viewing Apps Catalog.on the Apps Catalog page for specific apps. For more information, see
You can distribute apps purchased through the Apple Volume Purchase Program (VPP), by assigning VPP bundles to either the devices or to the users who have enrolled their devices to the zone.
When a bundle is assigned to a user or a device and the associated device syncs with the ZENworks Server, the app license is Viewing Apps Catalog.from Apple. Subsequently, the user is prompted to confirm the app installation. Based on the user’s response, the app is on the device. The license consumption and installation count is updated on the Apps Catalog page. For details, see
NOTE:If a bundle is assigned to multiple devices, device groups or folders, or multiple users, user groups or folders, then the app licenses are distributed based on the order in which the devices sync with the ZENworks Server.
VPP Bundles can be distributed to users, user groups, or user folders.
If a VPP bundle is assigned to a user for the first time, then as soon as the first device associated with the user syncs with the ZENworks Server, an invitation is sent to the user to join the Apple VPP.
To accept the invitation, users need to sign-in on their devices with their personal Apple ID. The Apple ID is registered with the Apple VPP, but remains private and is unknown to ZENworks. As soon as the users agree to the invitation and accept the iTunes Store terms and conditions, they are associated with ZENworks. In the next sync, the app license is consumed from Apple and a message is sent to the device prompting the user to confirm whether to install the app or not. Based on the user’s response, the app is installed on the device.
NOTE:When the user associates with the Apple VPP, these invites are not re-sent to the user for subsequent assignments.
The Apple ID with which the user has associated for the Apple VPP, should be used across all the user’s devices to enable successful installation of VPP apps. Also, it is important that the Apple ID does not change, so that all bundle assignments are successful and all assigned apps are retained on the device. If the user logs into the iTunes account using a different Apple ID, then the apps distributed to the user are revoked.
NOTE:The terms Apple ID and iTunes ID are used interchangeably in ZENworks.
VPP bundles can be distributed to devices, device groups, or device folders.
VPP bundles can be distributed to only those iOS devices that are running on iOS versions 9.0 or newer.
When a bundle is assigned to the device and the device syncs with the ZENworks Server, the server consumes app license for the device from Apple. If the license consumption is successful, the user is prompted to install the app on the device.
For more information on assigning bundles, see Assigning Bundles.
Updating Apps: Based on the schedule selected while creating the Apple VPP Subscription, ZENworks syncs with Apple to retrieve the latest apps. However, irrespective of the schedule selected, ZENworks automatically syncs with Apple on a daily basis to retrieve the latest apps. Bundles are not created for any newly purchased apps during this sync.
You can also initiate this sync immediately by performing either of the following:
Clickby navigating to > > > or by navigating to the Summary page of the Apple VPP Subscription. This option also creates bundles for any newly purchased apps.
Click on the Apps Catalog page.
Updating Distributed Licenses: If an app license is assigned to a device or a user, then the license consumed and installed count is updated when the associated devices syncs with the ZENworks Server. Subsequently, the app is installed on the device.
Revoking Licenses: Unused app licenses are revoked when the device syncs with the ZENworks Server. To revoke licenses from devices that cannot sync with the ZENworks Server, click on the Apps Catalog page. This option can be used to revoke licenses in the following scenarios:
Mobile device management on the device is disabled.
The device is in aor state. In case of a device assignment, all apps assigned to the device are revoked. In case of a user assignment, if the device is the last device associated with the user, then the app licenses are revoked from the user.
Bundle assignment is removed.
User does not exist anymore.
Alternatively, ZENworks periodically (every two hours) revokes unused licenses from devices that cannot sync with the ZENworks Server. However, if you do not want to wait for the device to sync or for the periodic schedule to revoke licenses, then clicking helps in revoking licenses instantaneously.
If any of these tasks fail, then the relevant error messages are displayed when you visit the Apps Catalog page.
The validity of a VPP token is one year from the time the token is downloaded. As soon as you upload the token while creating a new subscription in the ZENworks Management Zone, the expiry date of the token is displayed. You can also view the expiry date of token by visiting thepage of the Apple VPP Subscription. To renew this token, download the token again from the Apple VPP portal and upload it in the tab of the Apple VPP Subscription, which can be accessed by clicking the subscription.
If the device cannot sync with the ZENworks Server, then you can click on the Apps Catalog page. This option can be used to revoke licenses in the following scenarios:
Mobile device management on the device is disabled.
The device is in aor state. In case of a device assignment, all apps assigned to the device are to be revoked. In case of a user assignment, if the device is the last device associated with the user, then the app licenses are to be revoked from the user.
Bundle assignment is removed.
User does not exist anymore.
As stated earlier, unused app licenses are revoked when the device syncs with the ZENworks Server. Also, every two hours ZENworks automatically revokes unused licenses from devices that cannot sync with the ZENworks Server. However, if you do not want to wait for the device to sync or for ZENworks to automatically revoke licenses, then clicking helps in revoking licenses instantaneously.
If you delete a subscription, all of its associated bundles are retained in the zone. If a token that was previously linked to a deleted subscription (but the bundles are retained), is now linked to a new subscription within the same zone, then the VPP account of the new subscription reconciles with the one of the deleted subscription. The new subscription will reflect the licenses that are already consumed. However, if after deleting the subscription from Zone 1, a new subscription is created with the same token in Zone 2, then while creating a new subscription with the same token in Zone 1 you will have to associate a new VPP account with the subscription and all existing bundles that were retained in zone 1 will be deleted.
NOTE:If you want to delete the subscription successfully, including all its bundles, then you need to have the relevant Bundle rights assigned to you. For details, see Bundle Rights in the ZENworks Administrator Accounts and Rights Reference guide.