What your company needs to know about Apple's updated app-licensing scheme
Last week, Apple unveiled the details of its new app licensing program that it announced earlier this year alongside iOS 7 and Mavericks. The new model is a vast improvement on the Volume Purchase Programs (VPPs) that Apple had previously offered to both business and schools and it stands to offer Apple a significant advantage in enterprise mobility.
The core advantage is that organizations can bulk purchase and deploy iOS and Mac apps (and ebooks) to user devices and revoke access to apps on specific devices—essentially reclaiming the license for that app so that it can be deployed to another device. The result is a model very similar to the one that has been used with desktop software for decades, that can be employed with both BYOD and company-owned devices.
While the new model, now dubbed "managed distribution" by Apple, has been public knowledge for some time, the actual mechanics of it have been a mystery over the past few months. With Apple's announcements about the program, the waiting and wondering game is largely over.
Getting started with Apple's VPP
The first piece of the puzzle for an organization is to join Apple's Volume Purchase Program. The requirements differ some what depending on whether your organization is a business or school.
For a business, Apple requires a Dun & Bradstreet (D-U-N-S) number, business contact information (address, phone, email), and tax registration information appropriate to your country. When Apple has verified that information as part of the enrollment process, you can create a special Apple ID for your organization. Unlike personal Apple IDs that are used for almost every interaction with Apple, this one is specific to your VPP membership and is designed solely for purchasing content for distribution and facilitating distribution of custom business-to-business apps.
For a school, district, or college, the process is a bit different. An education administrator or IT leader must enter an individual Apple ID (their own or a unique one created for this purpose) to begin the enrollment process. That person must submit contact information for the organization (address, phone, and an email internal to the organization—not a public email like Gmail or Yahoo Mail) and his or her supervisor, and tax registration information appropriate to the country where the school is located (if Apple already has such information on file for purposes like tax exempt status in the U.S. or Canada, an existing Apple customer number is acceptable). This information will be verified by Apple to ensure that the person submitting the information is authorized to enroll and manage a VPP account.
This process creates a Program Manager account for the organization. That account can then be used to create Program Facilitator accounts for individuals within the organization that are authorized to make app and content purchases. VPP-specific Apple IDs will be created for those individuals and, as with the VPP for business, they can only be used for VPP purchases.
The VPP-specific Apple IDs can then be used to browse/search and make purchases through the VPP stores for business or education. The process is largely the same with a couple of exceptions. Businesses only receive a single VPP-specific ID and have access to Apple's B2B developer program. Education institutions can create as many Program Facilitator accounts/Apple IDs as needed and developers can offer special education discounts of 50% on apps purchased in quantities of 20 or more at a time.
It's important to note that VPP enrollment is only available in Australia, Canada, France, Germany, Italy, Japan, New Zealand, Spain, United Kingdom, and United States and that the program is limited to just apps (not ebooks) in Canada and Germany.
Selecting and purchasing apps is very similar to using the standard App Store—it can be browsed and searched and you can copy and paste App/iTunes store links into the VPP stores to locate specific items.
Managed distribution or VPP redemption codes.
Making a purchase from either VPP store is pretty straightforward—enter the number of copies that you want, select how you will distribute them, and enter payment information.
The key choice here is the method of distribution. Apple allows you to use the new managed distribution mechanism, which allows you to distribute apps to users while retaining ownership and the ability to revoke them, or to purchase a set of VPP redemption codes that can be distributed to users, after which they become the owner of the app.
It's worth noting here that Apple is allowing organizations to migrate previously purchased but unredeemed VPP codes to managed distribution. That's useful for organizations that have previously purchased a large number of apps and want to move to a managed distribution model, but it seems to be a one-time all-in process according to Apple.
A support document on the migration option provides the following caution.
Make sure you want all your unredeemed codes or codes redeemed through Apple Configurator converted to managed distribution before you request migration. If you choose migration, all previously purchased codes must be migrated and all unredeemed codes will be disabled after you convert to managed distribution. If you have unredeemed codes in circulation within your organization, you may want to redeem them, alert users that they won't be available, or delay migration until they have been redeemed.
What you need to do managed distribution
Managed distribution relies on a mobile management solution to distribute apps. Several MDM vendors have already announced plans to incorporate managed distribution, although the feature isn't available in any of their current releases (an exception being Apple's Profile Manager in Mavericks Server, which is more focused on the small business market rather than the enterprise). Many expect to have full support in the coming weeks.
Once your MDM vendor announces compatibility, you'll need to link your MDM solution to your VPP account. This is accomplished using a token from the VPP store that you can download and then enter into your MDM solution (a new token will be generated each year to maintain the link). Once linked, VPP purchases selected for managed distribution will be available for distribution using your MDM console.
Before you can begin distributing apps, however, you'll need to invite users to enroll in the service using their personal Apple IDs. MDM solutions supporting managed distribution can invite users by email or push notification. The enrollment process will link a user's Apple ID to the VPP service. To preserve user privacy, however, administrators will not have access to or knowledge about a user's Apple ID. Apps will be assigned (and revoked) by the user and device information within the MDM console.
As you assign apps through MDM, one of two things will happen. For iOS devices placed into supervise mode by Apple Configurator, the apps will simply install in the background without user interaction. Users of unsupervised devices, like employee-owned BYOD devices, will be prompted via push notification of the assignment and will be able to download the apps immediately or at their leisure. Assigned apps will be displayed in a user's purchase history, allowing them to download (and re-download) apps at a later point.
Revoking and reassigning apps
Apps can be revoked from a user through your MDM console. Although you'll be able to reassign the app to another user, the original user will still have access to the app for 30 days. This grace period lets them use the app, save or export data, and offers the option to pay for the app and continue using it as a personal app. If the app was deployed as a managed app, MDM can be used to delete the app and its data immediately.