Configure synchronization for Apple VPP in Microsoft Intune
Organizations that want to start purchasing volume licensed iOS apps can finally leverage Apple Volume Purchase Program (Apple VPP) with Microsoft Intune. Almost all of the apps available in iTunes Store (App Store) can be volume purchased and distributed to managed devices. In this blog post, I’ll cover the requirements for Apple VPP and show you how you can configure Microsoft Intune to synchronize information from Apple VPP.
Before you get started with Apple VPP, you’ll need to enroll in the Apple VPP service. During this process, the information that you enter will be used to create an Apple ID. There are two scenarios with regard to Apple IDs that you need to be aware of. In the first scenario, you’ve already registered an Apple ID that’s being used to generate the APN for managing iOS devices with Microsoft Intune. In that case, you’ll have to register a new Apple ID (done while enrolling in Apple VPP or DEP) if you’re going to use Apple VPP (or DEP). In the second scenario, you’ve not yet enabled management of iOS devices, and therefore do not have an Apple ID, but you want to start managing iOS devices and perhaps use Apple VPP (or DEP) at a later stage. In this scenario, I’d suggest that you enroll for an Apple ID through the Apple VPP registration process as mentioned earlier.
Here’s the link to enroll in Apple VPP for your convenience:
This blog post will not cover the steps required to enroll for Apple VPP. However, you should be aware that during the enrollment you need to provide your organization’s D-U-N-S number and, if you’re in the European region, a VAT number. The enrollment could take up to a couple of weeks, so plan ahead for this. If you’re unsure of your organization’s D-U-N-S number, Apple has provided an excellent guide for you:
Microsoft has written some general guidelines for how to successfully synchronize Microsoft Intune with data from Apple VPP. Make sure that you follow and understand them:
- Each organization can have only one VPP account and token.
- Once you associate an Apple VPP account to Intune, you cannot subsequently associate a different account. For this reason, it’s very important that more than one person has the details of the account you use.
- If you have previously used a VPP token with a different product, you must generate a new one to use with Intune.
- Each token is valid for one year.
- By default, Intune syncs with the Apple VPP service twice a day. You can, however, initiate a manual sync at any time.
- After you have imported the VPP token in Intune, do not import the same token into any other device management solution. Doing so might result in the loss of license assignment and user records.
- Before you start to use iOS VPP with Intune, remove any existing VPP user accounts created with other MDM vendors. Intune will not synchronize those user accounts into Intune as a security measure. Intune will only synchronize data from the Apple VPP service that was created by Intune.
NOTE! From the first statement above, it would seem that you can only use a single Apple ID with a token and associate that with your Microsoft Intune tenant, which is correct. However, there is a scenario where, for instance, your organization has several tenants. In that particular scenario, the first Apple ID account that was created during the enrollment into Apple VPP (or DEP) is treated as the Agent account (I’d refer to it as the Super Admin account), which can subsequently add other Apple IDs as administrators. You can then associate those administrator Apple IDs with separate Microsoft Intune tenants. You can see this in the screenshot below, where I’ve signed in with the Agent (Super Admin) Apple ID account:
The following screenshot shows how to add administrator accounts:
Apple also provides a great FAQ regarding their volume purchase program that answers many of the regular questions one would have:
Configure Apple VPP synchronization
Once you have your Apple ID in order and are able to sign in to the Apple VPP portal, we need to download a token and upload it to Microsoft Intune so that we can manage volume-purchased apps.
1. Log in to manage.microsoft.com with a Global Administrator account.
2. In the Admin workspace under Mobile Device Management, expand iOS and Mac OS X and click on Volume Purchase Program. Click on Apple VPP Account.
3. In the new window that opens up, select either Education or Business (choose what kind of organization/business you represent).
4. Sign in with your Apple ID and password.
5. Click on the button in the right corner showing your Apple ID and select Account Information.
6. Click on Download Token and save the VPPTOKEN file to e.g. C:\Temp.
7. Go back to the Microsoft Intune Admin portal and select Upload the VPP token.
8. In the window that appears, browse for the VPPTOKEN, enter your Apple ID and click on Upload.
9. Consent with the statement that appears and click Yes.
10. Once the processing has completed, you should be able to see additional information regarding Apple VPP under the iOS and Mac OS X node:
That’s it. Your Microsoft Intune tenant is now configured for synchronizing volume-purchased apps from Apple VPP. If you go back to the Volume Purchase Program node, you’ll see that there is more information present than before, including a Sync now option. Normally, Microsoft Intune synchronizes two times a day with Apple VPP. However, should you need to perform a manual sync, click on the Sync now button:
Additionally, in the Apps workspace there’s a new node called Volume-Purchased Apps. As of now, since I’ve not made any purchases in Apple VPP or synchronized, nothing is shown here, as you can see in the picture below:
Once I start making purchases in Apple VPP, and either wait for the synchronization to occur or initiate it manually, my purchases will appear in the Microsoft Intune Admin portal as shown in the picture below:
You can now start deploying purchased apps from Apple VPP with Microsoft Intune!
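As an added example (not from the original post, Microsoft or Apple), the PowerShell function below checks the VPPTOKEN file saved in step 6 before it is uploaded, reporting the organization name and how many days remain of the one-year validity without printing the secret itself. It assumes the file is Base64-encoded JSON with `token`, `expDate` and `orgName` fields; `Get-VppTokenInfo` and `-WarnDays` are names made up for this example.

```powershell
# Added example: inspect a downloaded .vpptoken without displaying the secret.
# Assumption: the file is Base64-encoded JSON with 'token', 'expDate', 'orgName'.
function Get-VppTokenInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$WarnDays = 30   # hypothetical threshold for a renewal warning
    )

    $raw = (Get-Content -LiteralPath $Path -Raw).Trim()
    try {
        $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($raw))
        $data = $json | ConvertFrom-Json
    } catch {
        throw "'$Path' is not Base64-encoded JSON; download the token again."
    }
    if (-not $data.expDate) { throw "No 'expDate' field found in '$Path'." }

    # Newer PowerShell versions may already have converted the value to a
    # DateTime; Windows PowerShell 5.1 leaves it as a string.
    if ($data.expDate -is [datetime]) {
        $expires = [DateTimeOffset]$data.expDate
    } else {
        # Normalise an offset written as -0700 to -07:00 before parsing.
        $stamp   = [string]$data.expDate -replace '([+-]\d{2})(\d{2})$', '$1:$2'
        $expires = [DateTimeOffset]::Parse(
            $stamp, [Globalization.CultureInfo]::InvariantCulture)
    }
    $left = [int][Math]::Floor(($expires - [DateTimeOffset]::UtcNow).TotalDays)

    # The 'token' value itself is deliberately not returned or printed.
    [pscustomobject]@{
        OrgName  = $data.orgName
        Expires  = $expires
        DaysLeft = $left
        Status   = if ($left -lt 0) { 'Expired' }
                   elseif ($left -le $WarnDays) { 'RenewSoon' }
                   else { 'Valid' }
    }
}
```

Run it as `Get-VppTokenInfo -Path 'C:\Temp\<your-file>.vpptoken'` before step 8, and remove the local copy of the file once the upload has succeeded, since anyone holding the token can act against your VPP licenses.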
Principal Consultant and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Currently working for TrueSec as a Principal Consultant. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences and user groups.