The strength of any Enterprise Mobility Management (EMM) or ultimately Unified Endpoint Management (UEM) solution relies on more than just Mobile Device Management (MDM). At the minimum, an administrator must be able to manage application from configuration to deployment. For iOS applications, the Apple Volume Purchase Program (VPP) helps streamline the application management process on managed iOS devices.

As I’m writing this post, Apple Volume Purchase Program (VPP) is actually being replaced by Apple Business Manager. You can visit my other post on the migration process.

In this post, I will share the setup process in VMware AirWatch by referencing this KB. This post also gears toward corporate account and not education account. Regardless, the steps should be more or less the same for either account type.

To start, you will need a valid Apple ID. I recommend using a shared account for this in case of transfer of responsibility from one person to another.

If you already have an Apple Device Enrollment Program (DEP) account set up, you can utilize the same account for VPP as well. Otherwise, be prepared to provide information such as a Dun & Bradstreet (D-U-N-S) number, business contact information (address, phone, email), and tax registration information.

Once your VPP Apple ID is created, visit Apple Volume Purchase Program and log in.

Before proceeding further, we first need to link our Apple VPP account with our MDM solution (i.e. VMware AirWatch).

Once you download the sToken, return to VMware AirWatch console. Then go to Groups & Settings -> All Settings -> Devices & Users -> Apple -> VPP Managed Distribution.

Here, you will upload the sToken to complete the link with Apple VPP. Notice the sToken is valid only for 1 year and must be renewed once it expires. The steps are the same except you will click the Renew button instead.

Be sure not to uncheck Automatically Send Invites if you wish to deploy the app via device-based assignment and thus the user will NOT be prompted for Apple ID during installation. I will clarify this further in just a moment.

Now, let’s log back into Apple VPP and select the app for deployment.

Underneath Search, enter the name of the application to be purchased including free app. Then click Search.

Click on the application (make sure to select the appropriate format – iPhone or iPad).

Enter the quantity to be purchased (maximum is 25000). Then click on Review Order.

Click Place Order.

Sign in with your Apple VPP account once more. Then click Buy.

An email will be sent to the email address associated with the Apple VPP account similar to the one below. Please note that this email will not get sent until the codes have been generated at Apple. Also, an order of 25000 can take up to 48 hours before this email is received.

From here on, it’s time to sync down the purchased app to VMware AirWatch console. Navigate to Apps & Books > Applications > List View > Purchased. Then select Sync Assets to sync down the purchased app.

Once that completes, click on the pencil icon next to the app to be deployed. Then, assign the newly synced application to a smart group(s) and enter the number of licenses to allocate. However, the smart group(s) is created may vary from one organization to another. I generally prefer one smart group for each app unless it’s part of the default app set (i.e. VMware Boxer and VMware Browser).

For Assignment Type, select either Auto or On Demand (default is Auto). You can also check the box next to Remove On Unenroll and Make App MDM Managed if User Installed to ensure the purchased app is totally managed.

Starting from VMware AirWatch version 8.3 and above, an app can now be assigned to a device without requiring Apple ID. This is also known as a device-based assignment by device serial number. Once an application is enabled for device-based use in VMware AirWatch Admin Console, you cannot reverse its status and use it in the user-based system.

Finally, navigate to Apps & Books > Applications > List View > Purchased. Next, to the app, click on the drop-down arrow and select Publish from the actions menu.

Users with VPP registered device will now automatically receive the app if the Assignment Type is Auto. No user’s intervention is required whatsoever!

Below are few troubleshooting steps you may take if you get stuck:

• The assigned application does not come down after the device is registered with Apple VPP.
  • Use Syncios or iTools to collect real-time log for further analysis.
• Received the prompt below when syncing assets
  • https://support.air-watch.com/articles/115001674028
    • After updating AirWatch, we have received the below message when attempting to sync purchases: “The sToken that you are trying to upload is being used in another environment. Please note that if you choose to continue, the licenses claimed in the other environment will be marked as ‘Externally Redeemed’ and can be revoked from this environment. Do you still wish to continue?”
    • This message appears due to the console having recently been upgraded to a new version that comes with VPP enhancements. The new version of the console is simply seeing your current sToken as a different sToken since it existed on the previous version of the console. In order to take advantage of these new VPP enhancements, you will have to sync your sToken and upon syncing your sToken, the message should no longer present itself.
  • https://support.air-watch.com/solutions/sol-15026?qid=ZWE3OTU2YjE0MDJkNDg2ZGE0NjMwYTlkZmNiNjdlYjA6MTUxMDYwNjYyODo0MjIzTDRSRkFTREU=
    • Sync Assets is always displaying a warning message about sToken being used in another environment “The sToken that you are trying to upload is being used in another environment. Please note that if you choose to continue, the licenses claimed in the other environment will be marked as ‘Externally Redeemed’ and can be revoked from this environment. Do you still wish to continue?”
    • Generally, you can ignore this prompt and click OK to sync assets. This prompt shows up because the new version of the console is simply seeing your current sToken as a different sToken since it existed on the previous version of the console.

As always, stay mobile!