MSEndpointMgr

Deploy Volume Purchased apps from Apple VPP with Microsoft Intune

In my previous post on how to get started with Apple Volume Purchase Program (Apple VPP) with Microsoft Intune, I walked through the process of connecting these two services together in order to synchronize volume purchased apps. Naturally, the next step would be to talk about deploying volume purchased iOS apps. So in this blog post we’re gonna have a look at the process of purchasing apps in the Apple VPP portal, synchronizing apps into Microsoft Intune and finally look at the deployment experience from an end-user perspective.
If you’ve not read my previous post regarding Apple VPP and Microsoft Intune, I recommend that you take a look at it before you continue to read this post, since I’m gonna assume that you have uploaded an Apple VPP token and that you’ve access to an Apple ID enrolled into Apple VPP. Check out the post below for more information:
Configure synchronization for Apple VPP in Microsoft Intune

Purchasing apps

Before we can deploy any volume purchased apps to iOS devices, we need to make a purchase in the Apple VPP portal. For demonstration purposes, I’ll be making a purchase of a free app. I’ve also not entered any credit card information at this point for my Apple ID. If this is the first time that you’re making a purchase in the Apple VPP portal, your experience might differ slightly to what’s described below. However, it’s not rocket science so don’t worry.
If you want to know more about the payments options available, have a look here:
https://support.apple.com/en-us/HT202957
When purchasing apps, as well for deploying apps for the iOS platform in general, you need to distinguish between iPhone and iPad apps.
Enough talking, let’s make an iPhone app purchase.
1. Browse to vpp.itunes.apple.com and select whether to login for Business or Education with your Apple ID.
2. When logged on to Apple VPP, simply start typing the name of an app that you want to purchase. I’ll be going with Yammer throughout this post. Hit search and wait for the search results to appear. Click on the Yammer app to continue with the purchase.
184_3
3. Enter the quantity that you want to purchase and click on Review Order.
184_4
4. Review your order and click on Place Order.
184_5
5. Your order has now been placed, and you should be receiving an email shortly with information that your app is ready for distribution. Once you’ve received that email, you can synchronize your Microsoft Intune tenant with Apple VPP to get your volume purchased apps ready for deployment.

Deploy a volume purchased app

Once your Microsoft Intune tenant has synced with Apple VPP, you’ll be able to deploy your purchased app. When deploying volume purchased apps, you should be familiar with the concept of licenses. The quantity that we entered earlier, 5 in this example for Yammer, translates to how many licenses you’ve bought. Each time the application is installed, a license will be invoked. In order to reclaim that license, simply just target an Uninstall deployment.
At the time of writing this blog post, Microsoft Intune only supports deployments of volume purchased apps for Users. Device targeted deployments are not supported. This will require the end user to join the Apple Volume Purchase Program, which in other words means that they require an Apple ID. We’ll see this end user experience later in this post when we’ve deployed the Yammer app.
1. In the Intune Admin portal, go to the Apps workspace, expand Apps and select Volume-Purchased Apps. Here we can see that the Yammer app that we’ve purchased through Apple VPP is now available for distribution.
184_7
2. Select the Yammer app and click on Manage Deployment.
184_8
3. Select a group that you wish to deploy the Yammer app to. In my lab environment, I’ll be targeting my IT Department group that consists of a single user. Click Add and then Next.
184_9
4. In the Deployment Action section, select an Approval method for the deployment of the Yammer app. As you can see by the screenshot below, our options or not many, in fact we can only select either Required Install or Uninstall. Select Required Install.
184_10
5. We’re not quite done yet in the Deployment Action section, we also need to select a Deadline option. However, since we’ve select the Approval option of Required Install, the Deadline option is automatically selected for us. If you click the drop down menu, you’ll in fact see that there’s no other options than As soon as possible.
184_11
6. Before we go ahead and click Finish, there are a few things that I want to point out. One of them is that, since we can only target user groups, you might be thinking about how the license tracking will behave. According to the notice you see in the Deployment Action section, one of the purchased licenses (quantity in Apple VPP) is used by each user that installs the app. How would that affect if a user installs the same app on multiple devices? I’ll cover that later in this post, right after we’ve taken a look at the end user experience.
Another note that you need to be aware of, that since we’re not targeting devices (I hope that’s a feature coming in the next few months or so), users that are targeted with deployments of volume purchase apps will be invited to join Apple VPP. We’ll take a look at the how that process looks from the end user perspective later on in this post. With that said, click Finish.
184_12
7. You have now successfully deployed a volume purchased iOS app.
Next we’ll take a look at the end user experience on an iOS device.

End user experience

Now that the Yammer app has been both purchased and deployed to desired users (in this case a single user only), let’s have a look at how your end users experience after the initial volume purchased iOS app has been deployed. As mentioned earlier, if the user has not yet signed up for the Apple VPP program, an invitation popup will appear on the devices that the user has enrolled. In order to speed up the overall experience, I’ve manually synced policies from Microsoft Intune in the Company Portal app in between some of the pictures shown below, which you could do as well.
First off, once the deployed volume purchased iOS app policy has been identified by the device, the end user will be asked to allow the organization to assign book and apps to him or her.
IMG_0005
When the end user presses Continue, another prompt will appear asking them to sign in with their Apple ID. By associating their Apple ID and the device, Microsoft Intune can now distribute volume purchased apps to the user on their device.
IMG_0004
Another prompt appears and the user is asked to provide their Apple ID and password. Next up a license agreement has to be accepted. The end user agrees to this by selecting Agree.
IMG_1792
All steps included up until this point will be a one time operation that’s required on every device the user has enrolled. From this point on, end users will receive a prompt informing them that a volume purchased app is about to be installed, and that their Apple ID will not be charged. For each volume purchased app that the organization deploys to the end user, they will receive this notification. To give you a better idea of what I’m talking about, I’ve included screenshots of two different volume purchased apps (Yammer and Office Lens) below.
IMG_0006 IMG_0008
When the end user selects Install, the volume purchased app is installed on the device.
IMG_0007

License tracking

I raised a question earlier in this post, on how the license tracking per user that has more than one device enrolled would behave. As per the documentation, licenses are assigned by users and not devices. To confirm that behavior, I’ve enrolled a second device with the same user that I deployed the Yammer app to and installed the app. After some time, you’ll notice that the license information in Volume-Purchased apps under the Apps workspace will be updated. And just like the documentation tell us, we’ve only used up a single license, even though I have the Yammer app installed on two devices, as proven in the screenshot below:
184_13
As a final note, I really hope that Microsoft is working on Apple VPP device deployment targeting support in the upcoming releases to Intune. Until then, we’ll have to make do with dealing with Apple IDs.

Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections including nordic user groups.

4 comments

  • If there any road map for EMS to support device base VPP so that IT Admin can roll out applications to company owned devices with Apple ID.
    Thanks.

  • Hi and thanks for a great guide
    You write: “…will require the end user to join the Apple Volume Purchase Program”. Does the end user have to do anything else than provide an ordinary AppleID? What are the steps on the end user side to join the program?

    • Hi Pete,
      EMS is just a bundle of cloud services that Microsoft provide. Intune, which is a part of EMS, does support Apple DEP.
      Regards,
      Nickolaj

Sponsors