Skip to main content
Cisco Meraki Documentation

Apple Volume Purchase Program (VPP)

  1. Last updated
  2. Save as PDF

 The Volume Purchase Program (VPP) is an Apple portal for businesses and schools to purchase and license apps and books in volume. Systems Manager fully integrates with VPP to easily distribute, revoke, and centrally manage your licenses, supporting both of Apple’s methods of managed distribution and licensing via redemption code. This article will explain how to link your VPP account to Dashboard, and what the licensing distribution options are. VPP facilitates silent deployments of App Store and Mac App Store applications to iOS and macOS devices, while allowing your company/institution to maintain ownership of the applications you purchase. 

 

In order to understand how Apple's managed distribution model is designed, it is strongly recommended to review Apple's Business and Education whitepapers on VPP app distribution before using this tool in Systems Manager. 

Enrolling into VPP is free:

  • Businesses can enroll in VPP here.
  • Educational institutions can enroll in VPP here.

Note: Apple School Manager VPP accounts support location based VPP licenses where a single VPP account/token can be connected to Meraki Systems Manager with licenses purchased from many different VPP accounts. This makes purchasing licenses and syncing to Meraki Systems Manager a more simplified experience. For more information on location based VPP tokens and all of its features go here. Existing VPP accounts can be invited into the new Apple School Manager location based VPP accounts by following this

Adding Apple VPP Account(s) to Systems Manager

Note: It is recommended that your Apple VPP token does not reside in multiple MDM solutions

  1. In Dashboard, navigate to the Organization > MDM page.
  2. Scroll down to Apple VPP Accounts.
  3. Select Add new.
    VPP
  4. In the Add VPP account window input the required information:
    clipboard_e7dca0c57a19e537ff89bc0d030b8873b.png

Name: Name of the VPP administrator's account. This will be shown on the email sent to invited users, and should indicate your organization.

Email: Email address on record for the VPP account.

Service token: For Apple School Manager, sign in to your account at school.apple.com. At the bottom left of the page, click "settings" then navigate to "Apps and Books" then click download next to the server token.

For Apple business manager, sign in to your account at business.apple.com. At the bottom left of the page, click your account, then "preferences" and select "payments and billing". Download the token by clicking the name of the server you'd like to download.

VPP Location server tokens can be downloaded on Apple Business Manager or Apple School Manager accounts by clicking your account > Payments and Billing > Server Tokens then clicking on the VPP token you'd like to download:
Screen Shot 2022-04-01 at 3.28.00 PM.png

Allowed admins: Which Dashboard administrators should be allowed to manage users and app licenses for this VPP in Dashboard.

Assignable networks: Which Systems Manager networks within an Organization are able to use VPP device assignment. 

5. Click Update.

Note: If a "VPP service token can't be blank" error appears when attempting to save, make sure there are no special characters or trailing numbers such as '(1)' in the filename of the vpp service token. This can also indicate that your VPP token is already bound to another MDM solution. If this is the case, you will need to remove the token from the existing solution or generate a new VPP token to upload into Dashboard.

6. Once your account is synced, you should see your licenses populated in Systems Manager > Manage >  VPP

 

Renewing a VPP Token

Renewing a VPP Token is as simple as repeating the steps for adding a VPP token to your Dashboard Organization, but instead of selecting Add New in step 3 above, you select the pencil icon of the existing VPP Token entry and click Update Token.  From there, you can download the new copy of your VPP Token from the ABM/ASM portal, upload it to your Dashboard Organization, and save your changes to complete the VPP Token renewal.  

VPP Deployment Methods

There are three options for VPP license distribution. Please see Apple's documentation for a full list of requirements and feature differences.

  • Device Assignment 

Assign licenses to specific iOS, iPadOS, macOS, or tvOS devices, based on serial numbers. This allows for pushing applications without requiring the device to be signed in with an Apple ID, as well as silently installing apps without any end user input when used with supervised devices.

  • User Assignment

Assign licenses to a specific users, based on an Apple IDs. This is useful in cases like 1:1 deployments for schools, where students have their own iPads and unique Apple IDs to sign-in with. User assignment can also be used to license iOS App Store applications.

Distribute licenses as redeemable codes, which can be given to end users to claim. This method is deprecated by Apple, and not recommended over the two managed distribution methods.

Note: It is recommended to license apps either by device or user, not both.

Any unused VPP Redemption Codes can be migrated to the more robust Device Assignment or User Assignment licenses by following this

Device Assignment

VPP Device Assignment grants app licenses directly to a device, identifying it by serial number. This makes VPP Device Assignment the best option to use when you do not want to associate your apps to end user's Apple ID(s). Furthermore, on Supervised iOS devices and macOS 10.11+, apps install completely silently with VPP Device Assignment. For detailed steps on how to grant and revoke VPP Device Assignment licenses, please watch the video below: 

The following requirements must be met in order to use VPP Device Assignment:

In addition to the above requirements, the app itself must support device assignment. This can be checked by navigating to  Systems Manager > Manage > VPP, and checking the Device-assignable column (shown below). An app with a Y supports device licensing:

Screen_Shot_2015-10-22_at_6.52.30_PM.png

To enable VPP device licensing for an app:

  1. In Dashboard, make sure the app has been added under Systems Manager > Manage > Apps.

  2. Select the app to view more details.

  3. Enable VPP device licensing:

    • Free apps: Enable the checkbox for Use VPP device license.

      Screen_Shot_2015-10-16_at_11.55.49_AM.png

    • Paid apps: Set the Purchase Method to VPP Device Assignment:
      Screen_Shot_2015-10-16_at_11.48.55_AM.png
       

  4. Click Save Changes.

On app install, a license for the app will be associated with the serial number of the device that downloaded it, allowing anyone to use the app on that device. 

VPP Apple ID User Assignment

VPP User Assignment grants apps to end user's Apple ID(s). This is a great option for 1-to-1 deployments where end users are already using their own Apple IDs. For detailed steps on how to grant and revoke VPP Apple ID licenses, please watch the video below: 

The following requirements must be met in order to assign licenses on a per-user basis:

  • iOS 7+, or macOS 10.9+
  • VPP enabled in Dashboard
  • Available licenses on the VPP portal
  • Each user must have a personal Apple ID to receive managed distribution apps. This licensed Apple ID must then be signed in on the iOS/macOS device in order to receive VPP apps.

Note: Apple limits each Apple ID to 10 devices, so it is not recommended to use a shared Apple ID across all of your organization’s devices. 

Configuring user assignment consists of the following steps:

  1. Invite user to receive licenses.
  2. Grant license for the desired app to the user.
  3. Deploy the app with Systems Manager.

A license can also be reclaimed by revoking a user's app license.

Invite User to Receive Licenses

You can bulk import and invite VPP users via CSV, as well as individually. 

  1. Navigate to the Systems Manager > Manage > VPP page.
  2. Click on the User management tab.
  3. Select + Add user on the right of page.
  4. Input the account information of the user to grant VPP access.
  5. Find and check the desired user(s) in the list, and select Send invitation(s).
  6. Confirm that User status for the selected user(s) changes from New to Invited.

  7. Invited users will receive an email from Cisco Meraki. Accepting the invitation will require the user to sign in to iTunes or the App Store with their Apple ID, and accept Apple's VPP terms and conditions. 

    Note: Invitation links are unique and can only be accepted once. The Apple ID which is used to accept the invitation is not received or reported by Systems Manager.

The following image shows a list of users with various statuses. Only 'Associated' users have accepted the invite.

363bbb57-a749-49c1-b01c-6d77c21531f3.png

Grant License for Desired App to User

To automatically assign licenses to users in scope, and avoid manually granting licenses to users, see this article.

  1. Navigate to the Systems Manager > Manage > VPP page.
  2. Click on the Licensed applications tab.
  3. Select the app to grant license for (if multiple VPP accounts have been added on the Org > Settings page, ensure the proper account is selected from the VPP account' drop-down menu).
  4. Check the box next to the user and click on + Grant license to user(s).
  5. Confirm license access to selected number of users.

ffa1dc65-d950-4bef-9dd4-d9b9e0534203.png

At this point, 'licensed' users have been granted a VPP license for the selected app. Licensed users will be able to download this app onto their device by signing in with the licensed Apple ID, and navigating to the 'Purchased' tab in Apple's App Store.

In order for the licensed app to be managed by Systems Manager the app must still be deployed via Systems Manager. 

Deploying Apps with Systems Manager

  1. Navigate to the  Systems Manager > Manage > Apps page.
  2. Select + Add new > iOS App Store app or macOS App Store app.
  3. Search for and choose the desired app already licensed.
  4. Define the scope of the app. This should cover the user/devices that were licensed through VPP.
  5. (Paid apps only) Set the Purchase method to VPP app assignment.
  6. Confirm clients in scope at bottom of page.
  7. Click Save Changes.

91022d8b-121b-437a-a15f-3d2073712c9b.png

Revoking a User's App License

To automatically revoke licenses from users who are no longer scoped for an app, and avoid manually revoking licenses from users, see this article.

In order to re-claim a license, the user's app license must be revoked. A license can be revoked for a specific app, or a user's access to all licensed apps can be revoked. As per Apple's policies, a revoked user will be granted a 30-day grace period before any re-claimed apps are removed from the user's purchase history. Once a license has been revoked for one user, it can be reassigned to another user after a brief time (typically about two minutes).

To revoke access to a specific app:

  1. Navigate to the Systems Manager > Manage > VPP page.
  2. On the Licensed applications tab, click on the name of the desired app.
  3. Check the box for the user to revoke access.
  4. Select Revoke license from user(s).

74eab11b-01b6-4065-b800-e41088ac4401.png

To revoke licenses for all distributed apps by retiring user:

  1. Navigate to the  Systems Manager > Manage > VPP page.
  2. Select the User management tab.
  3. Check the box next to the user to revoke access.
  4. Select Retire user(s).

 939df289-5c88-444d-afaa-dcf422d1fef4.png a User's App License

Apple Books (iBooks) App License

  • Apple Books are assigned per user and not per device. Please take note when assigning an Apple book via VPP:
  • VPP Apple book licenses must be granted to an Apple ID (user) and requires an Apple ID to sign in.
  • VPP Apple book licenses are not device assignable.
  • Apple Book licenses are permanent and cannot be revoked or reassigned.

Irrevocable next to an App verifies the license is permanent and cannot be revoked from the Apple ID it is assigned to.

ibook2.png

Location Based VPP in Apple School Manager & Apple Business Manager

On Apple School Manager and Apple Business Manager, Apple has added a new concept called "Locations". Locations gives the Apple portal administrator the ability to transfer VPP licenses between different Locations (which will transfer the VPP licenses between different VPP tokens). Be sure to add the VPP tokens to Org > MDM for all/any of the Apple School Manager or Apple Business Manager Locations that you want to sync licenses from. Use the following screenshots to help confirm that the VPP licenses are in the desired VPP Location/token. 

Screen Shot 2019-01-24 at 3.50.10 PM.png

Screen Shot 2019-01-24 at 3.50.36 PM.png

Screen Shot 2019-01-24 at 3.51.01 PM.png

Troubleshooting VPP Installs

If you've followed the above steps and have issues installing apps onto your device, see the troubleshooting guide here.