How to silently push free apps using VPP, Managed Distribution, Supervision and AirWatch

Your rating: None (2 votes)

What's the best way to get an App Store app onto many iOS devices? If those devices are supervised, the best way is to use MDM and Apple's new Managed Distribution method. I'll demonstrate how to do that using AirWatch below. (Other MDM providers have similar capabilities. Check with your favorite.)

Steps

  1. Make sure you will meet the requirements: VPP, MDM, Supervision, and a common Apple ID.
  2. Link your MDM provider to your Apple VPP account
  3. Invite your MDM "users" to your VPP program
  4. Use VPP to "purchase" apps (even free ones)
  5. Use MDM to deploy the apps to your users.

Alternatives

Before we start, are you sure you want to do this? Apple Configurator may be a much better solution for the "getting apps onto iPads and iPhones" problem, at least when all the devices are in the same room. But if the devices will be scattered far from the iGeek, then keep reading.

Requirements

The setup is quite important.

  • Make sure your MDM provider your platform version supports iOS 7's new Managed Distribution system. ("New" means November 2013.)
  • You'll need to create an MDM user who will own all those devices. You will want to make sure this user is in a new location group.
  • You will need to set up an iTunes Volume Purchase Program account for your business or school. Note this requires a new Apple ID, a DUNS number, a pound of flesh, some eyes of newts and toe of dog, and a few days for processing. OK, it isn't that hard, I'm just having fun.
  • You'll need an Apple ID to share among your devices. You will want to use the technique to credit an Apple ID without a credit card. (I'm assuming you will be distributing only free apps to your devices, which means you can share the same Apple ID.)

Got it? Good. Now for every iOS device, you'll need to do a few preparation steps. (Hint: If you play your cards right, you will be able to accomplish all of the below in a single stoke.)

  • Supervise it using Configurator
  • Sign in to the App Store using the common Apple ID (restore a backup image with the App Store user signed in)
  • Enroll into MDM (you can do that automatically using Configurator during the supervision process, at least with Casper Suite, AirWatch, MobileIron, and others.)
  • Associate the device with the common MDM user (that should be a setting in MDM prior to generating the enrollment profile)

Link your MDM provider to your Apple VPP account

Sign into your VPP Account. In the upper-right corner, click on your Apple ID and then "Account Summary".

In the "Managed Distribution" section, download the VPP token. This contains the credentials your MDM provider needs to link to VPP.

Now log into AirWatch. Navigate to Settings > Apps > Catalog > License Based VPP. Double check you are looking at the correct location group.

Enter a name to describe this connection (I called it "Tekserve VPP") and upload the token. I strongly recommend "Automatically Send Invites" is NOT checked.

Save this config, and you now have linkage!

Invite your MDM "users" to your VPP program

Next step is to invite your MDM users to participate in the program. There is no assumption that the Apple ID is the same as the MDM user's email. In fact, Apple is pretty clear they don't want MDM (or the employer) to ever know an employee's Apple ID. Therefore the MDM system needs to send an email to the users, who click a link to accept enrollment in the VPP program.

I haven't yet figured out how to invite one user at a time, so we're going to have to invite EVERY user in the MDM location group. Now if you have been following carefully, you are working in a location group with only a single MDM user. Cool. Send the invitations by clicking the "(Re)Invite Users" button. There won't be a confirmation, but email will be sent to all addresses the MDM has on file.

Quote:

Aaron Freimark,

Using your iOS7 device's browser, please click on this https://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/associateVPPUse... to register for Apple's License Based VPP Program. Registering for the program will enable you to download applications purchased by your organization on your behalf.

Please contact your IT helpdesk if you have any questions: noreply@air-watch.com

Regards,
AirWatch

Clicking the link will open the App Store (on an iOS device) or the Mac App Store (on a Mac) and ask for an Apple ID and password.

Quote:

This organization can now assign apps and books to you.

Use VPP to "purchase" apps (even free ones)

Next step -- there are a lot of steps -- is to use Apple's VPP to purchase an app.

The iTunes VPP store used to have only paid apps. Now it has free apps as well. Today let's install Tiny Death Star, a popular enterprise productivity app. So log into the iTunes VPP store, search for "death star", and "purchase" several copies. You can purchase as many as you want, it's free!

A paid app presents a choice for either downloading old-style redemption codes or new-style managed distribution. Free apps don't get a choice; managed distribution for all.

After purchase, Apple takes a few minutes to prepare your order. Wait until you receive email confirmation before continuing to the next step.

Use MDM to deploy the apps to your users

Back in AirWatch, click on Apps & Books > Applications > Purchased. Now you ask AirWatch to check with Apple, so click the "Sync Licenses" button. This part may take a short time, but in my test I just needed to refresh the page.

Once AirWatch is aware of the app, you can assign it to users. Click the twisted-arrow button.

AirWatch assigns these apps via smart groups only. This article is already way too long, so I won't explain how to create these.

Now decide how many licenses you want allocated to the group.

Now save the assignment. The last step is to publish the app.

In my experience, the app isn't quite ready to publish immediately. So if it doesn't work immediately, wait 15 minutes and try to publish again.

As expected...

On my test supervised iPod, I get the Tiny Death Star app, automatically downloaded and without any prompts. It works! Woo hoo!

As unexpected...

My unsupervised iPhone also received the Tiny Death Star app, and it isn't even enrolled into AirWatch. Hmm.

I understand part of this. I used my personal Apple ID for the test; the same Apple ID I used on my iPhone. Managed distribution works by adding the assigned apps to my Apple ID purchase history. And my iPhone has automatic app downloads enabled. But does this imply that unsupervised devices can also receive silent installs?

Looks like more exploration is needed.

Share your ideas

tboyko's picture

tboyko

Joined: Oct 30, 2012
WWW

Unexpected Installation

Your rating: None (1 vote)

Aaron (and fellow readers),

You're on the right track with your reasoning for the app showing up on your unsupervised iPhone. My hunch is that it automatically installed due to a setting on the device itself. If you navigate to Settings > iTunes & App Store and scroll down, there is an "Automatic Downloads" section. Perhaps you have "Apps" turned on?

This functionality, in my mind, has strong implications. Automatic downloads, in conjunction with the VPP program could solve the app deployment/management problem for business with more basic needs, without MDM. If you're already using MDM, it eases the process of the VPP enrollment step. Point being however, MDM isn't necessary to get an app to remotely install on a device any longer.

This is a great article for explaining VPP. We've found that the primary snag for new VPP users is not necessarily the implementation of it with MDM, but rather understanding the steps involved in linking a device (or rather, an iTunes account) to a VPP program. This article does an excellent job of clarifying this, so thank you!

For any readers that are looking for an MDM solution that supports VPP, I suggest trying Unwired DeviceLink, which I contribute to the management and development of.

Taylor Boyko
tboyko@unwiredrev.com
http://www.unwireddevicelink.com/

simplemdm.com
Intuitive, Powerful Device & App Management

Top
bfromm's picture

bfromm

Joined: Nov 12, 2013

What about the 10 device limit per Apple ID?

Your rating: None (1 vote)

I love the concept of configuring an Apple ID on a device, backing it up with Configurator, and then applying that image to all of your devices. But what about the 10 device limit per Apple ID that Apple imposes? I am sure that you won't notice any problems when you do this initially since you aren't signing in on each device and therefore not having Apple detect anything, but do you worry that Apple will eventually see hundreds or thousands of devices tied to the same ID and have it blocked?

Top
Aaron Freimark's picture

Aaron Freimark

Joined: Nov 6, 2010
WWW

There is no 10 device limit

Your rating: None (2 votes)

You can use an Apple ID on as many devices as you want. The 10 device limit is a widespread myth, or perhaps a misunderstanding. "Automatic downloads" can be enabled on only 10 devices per Apple ID. But as long as you don't have automatic downloads on, there is no limit.

I used the same Apple ID on over 3,000 devices once. No malfunctions, no threatening letters, no black helicopters.

[UPDATE: I now believe I was wrong about this. See below.]

--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO

Top
Joshua Elvey's picture

Joshua Elvey

Joined: Nov 14, 2013

Won't work for AirWatch App Restrictions

Your rating: None (1 vote)

Our use case requires locking our iPads down as much as possible, without utilizing the single app mode. Because we don't want our end-users knowing or entering our (shared) apple ID, I was hoping to take advantage of this. Unfortunately, as quoted below, this isn't an option for those pushing out APP restrictions. Once Apple situates our VPP enrollment (oh what a pain!), I will test to confirm and post the results.

From AirWatch:

"You will not be able to use silent install if there are any app restrictions at all. This includes restricted mode for iOS, disallowing installing of public apps, and disallowing iTunes. Also, in the restrictions profile, please make sure "Force iTunes password entry" is not checked and all Media Content categories are set to Allow All. With all of these restrictions lifted, an iTunes account registered on the device, and the device in supervised mode, you should be able to use the silent install feature."

Top
FranzKlein's picture

FranzKlein

Joined: Sep 9, 2014

Technically you are correct but the T&Cs state otherwise

Your rating: None (1 vote)

if you read Apple TERMS AND CONDITIONS then you will notice in the "APP STORE PRODUCT USAGE RULES" section the following text:


(i) If you are an individual acting in your personal capacity, you may download and sync an App Store Product for personal, noncommercial use on any iOS Device you own or control.

(ii) If you are a commercial enterprise or educational institution, you may download and sync an App Store Product for use by either (a) a single individual on one or more iOS Devices used by that individual that you own or control or (b) multiple individuals, on a single shared iOS Device you own or control. For example, a single employee may use an App Store Product on both the employee's iPhone and iPad, or multiple students may serially use an App Store Product on a single iPad located at a resource center or library. For the sake of clarity, each iOS Device used serially by multiple users requires a separate license.


So as long as you are an individual, I would agree and there is no 10 device limit but if you are a "business" then the contract seems to set some rules: if you use the same Apple ID on all the devices, then you associate the same license to all the devices and thus as each device does not have a separate license, you are in breach of the Terms and Conditions.

Black helicopters might not be there, but may be one day, if Apple were to decide to technically enforce this and check for possible abuse to ensure all the developers are paid what they are due then you might find your 3000 units deployment to be not working - which would be annoying.

To cope with the need of volume deployment, there is the Volume Purchase Program and ability to allocate different licenses to different devices through MDM or Apple Configurator, which let you stay within the intent of properly licensing software and ensuring all the apps developers are paid what they are entitled to.

Top
emax's picture

emax

Joined: Sep 11, 2014
WWW

Couple of questions

Your rating: None (1 vote)

Aaron, thanks for the great information and the wonderful resource that EnterpriseiOS is! I'm trying to replicate this functionality for an MDM project I'm working on, and have hit a couple of snags.

We're using Airwatch, and also have the purchased the iPads via DEP. My first question relates to the requirements. You state:

"You'll need to create an MDM user who will own all those devices. You will want to make sure this user is in a new location group."

I'm not clear what you mean by a location group within Airwatch. Are you referring to organization groups? If so, can that group be a subgroup of the top-level organization group?

My second question relates to the apps themselves: Assuming I'm successful getting your recipe working for us, how would we modify the process to accommodate purchased apps? We need to distribute some iBooks textbooks and can purchase them via VPP.

Any thoughts and feedback greatly appreciated.

-max

Max Buxton
Systems Engineer
ACTC | Apple Certified Technical Coordinator
ACSP | Apple Certified Support Professional
ACN MTC | Mobility Technical Competency
Apple Consultants Network Member | ACN
Call Andy! Macintosh Consulting

Top
960Design's picture

960Design

Joined: Aug 5, 2014

Having spoken many times on

Your rating: None

Having spoken many times on the vagueness of the EULA with Apple engineers and lawyers I'm sorry to say that you are correct in the wrong way.

Personal Ownership:
1) You may absolutely use an AppleID on as many devices as you wish as long as they are owned / controlled by you.
2) You may push free apps to as many devices as you wish.
3) You may push a paid app to as many as 10 associated devices.

Commercial Ownership:
1) None of the standard EULA applies
2) Commercial EULA - free apps the same
3) Paid apps must have a single license for each device it is pushed to. A record of the receipt must be kept on file to match the total pushed apps to common Apple IDs under commercial.

Apple has turned the other cheek for a long time as Apple, the MDMs and app developers get managed distribution fully documented. This does not mean you cannot be prosecuted for illegal distribution in the future. Remember the iTunes song sharing a while back? Some of those abusers were made an example of.

Top
Aaron Freimark's picture

Aaron Freimark

Joined: Nov 6, 2010
WWW

The black helicopters arrived.

Your rating: None

It seems that I've been a bit selective in my reading of the terms and conditions. Upon further review, as suggested by a couple of friends, the limit of devices per app is actually overruled by the limit of devices per Apple ID. It is written:

Quote:

Association of Associated Devices is subject to the following terms:

(i) You may auto-download iTunes Eligible Content or download previously-acquired iTunes Eligible Content from an Account on up to 10 Associated Devices, provided no more than 5 are iTunes-authorized computers.

There you go. Also see HT4627:

Quote:

When you turn on iTunes Match or Automatic Downloads, or when you download past purchases on an iOS device or computer, that device or computer becomes associated with your Apple ID. Your Apple ID can have up to 10 devices and computers (combined) associated with it, with a maximum of 5 computers at any time.

So there it is: We can have only 10 devices (max) associated with an Apple ID. So my example above associating 3,000 iPads to one Apple ID? Not kosher.

--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO

Top
Joshua Elvey's picture

Joshua Elvey

Joined: Nov 14, 2013

We were successful in using

Your rating: None

We were successful in using Aaron's well described method for silently pushing out apps using one Apple ID on 50 + devices (through Airwatch). However, it no longer works with devices updated to iOS 8, thus, it'll be unique Apple IDs moving forward...

Top
robotech's picture

robotech

Joined: Feb 23, 2015

Magic number 10?

Your rating: None

I'm in education supporting iPad deployments for schools, we are using Meraki MDM and have over 1500 devices deployed. Most devices are shared by students, we have been using one Apple ID per school, Staff and Teachers use individual Apple IDs and get invited to join MDM, each school has its own VPP account with licenses for paid apps in Meraki.

Under iOS 7 we were able to silently push both free and paid apps using this model. Since the upgrade to iOS 8 we are being randomly prompted to enter Apple ID passwords on devices when pushing apps. Sometimes if we press Cancel the app will still install, other times it won't. Last week I was setting up a new set of 30 iPads, all where supervised, restored from backup, enrolled into mdm. I pushed apps to 10 devices first without being prompted, when I moved on to the next 10 devices they prompted for the Apple ID password, same with the last batch of 10 devices.

Is iOS 8 Apple limiting the number of devices that can use the same Apple ID? We use one Apple ID per school, schools have between 20 - 100 devices each. Does iOS 8 put an end to this and force us to move to one Apple ID per device?

Any help is much appreciated.

Top
gtoews's picture

gtoews

Joined: Jan 16, 2014
WWW

Thought that 10 was Magic...but alas, it was not!

Your rating: None

We have 2500+ iPads in carts at 45 sites.
Our iPads are Supervised with Configurator, and enrolled into Airwatch for MDM.
Each school has a unique VPP account and is in a unique Airwatch Org Group.
We have successfully connected the VPP Managed Distribution token for each school.
We "purchase" licenses for both free and paid apps and sync licenses back to Airwatch.
Each school has a unique Apple ID and has accepted the invite to Managed Distribution.
We are running iOS 8.1.x on all iPads.
When the iPads are first enrolled we have no problem pushing Public apps. We have a set of 6 "must haves" that get installed upon enrolment into Airwatch. HOWEVER, have this initial success, the rate of success increasingly goes down hill!

On average we get 2 -5 iPads out of 30 - 50 to reliably install an App. AND this almost always involves the end user re-entering the Apple ID password.

Our latest attempt was to create Apple ID's for every 10 devices. At the first school we tried this, we got 10 out 55 iPads to install Apps...and we still needed to enter passwords.

I am at my whits end.

Any help or insight would be greatly appreciated.

Gary Toews
Education Technology Support
gary_toews@sd34.bc.ca
Abbotsford School District
2000+ iPads in 45 Schools Managed with Apple Configurator

Top
jvolzer's picture

jvolzer

Joined: Jan 29, 2015

School-based MDM

Your rating: None

Hey guys, my company has created a cloud-based MDM specifically for the school market that includes both traditional MDM tools for IT along with some classroom management tools for teachers such as screen freeze. We had been working exclusively with the Android platform until recently when we added support for iOS including VPP (and DEP) support.

We're currently in running a beta program we call the "Early Experience Program." I'd love to have you test out our VPP implementation to see if it overcomes some of the problems you're describing here. During the Early Experience program, there's no cost to the school, as we just want to get your feedback. In fact, we'll be offering a discount after EEP is over for those who participated and want to stay on board. With the situations you're describing here, I'd love to have your feedback if you'd like to join us. Jump over to the TabPilot web site at www.tabpilot.com and fill out the form so we can set things up.

Top

Recent Activity