Menu
CCMEXEC.COM – Enterprise Mobility
  • Home
  • General
  • Configuration Manager
  • Windows 10
  • Intune
  • GitHub
  • Windows 11
  • About the author
CCMEXEC.COM – Enterprise Mobility

Configuration Manager/ Intune and Apple VPP

Posted on April 15, 2016August 25, 2017 by Jörgen Nilsson

I get a lot of questions if there are any difference in functionality in Intune Standalone and in Hybrid with Configuration Manager. There are a lot of differences, in this post I will show how to setup the Apple Volume Purchase Program(VPP) integration in Configuration Manager 1602 with Intune and cover the differences in functionality between Intune Standalone and Configuration Manager/Intune Hybrid.

The Apple Volume Purchase Program comes in two different version one for Business and one for Education. Both programs work in the same way making it possible to volume purchase applications and deploy them with a MDM solution of your choice. When you sign up you download your Apple VPP token that is then imported into the MDM solution that you want to use. This token is valid for one year. More information can be found here: http://www.apple.com/business/vpp/

There are some things to keep in when it comes to the Apple VPP Program in Configuration Manager, for more information see the following link where these limitations are taken from. https://msdn.microsoft.com/en-us/library/mt627954.aspx

  • Only one VPP account and token is supported
  • Only the Apple Volume Purchase Program for Business is supported.
  • Once you associate an Apple VPP account to Intune, you cannot subsequently associate a different account. For this reason, it’s very important that more than one person has the details of the account you use.
  • If you have previously used a VPP token with a different MDM product in your existing Apple VPP account, you must generate a new one to use with Configuration Manager.
  • Each token is valid for one year.
  • By default, Configuration Manager syncs with the Apple VPP service twice a day to ensure that your licenses are synchronized with Configuration Manager.
  • Only changes to your licenses are synchronized. However, once every 7 days, a full synchronization will be performed.
  • When you click Sync to perform a manual sync, this will always perform a full synchronization.
  • If you need to recover, or restore you Configuration Manager database, we recommend that you perform a manual sync afterwards to ensure that your synchronized license data is up to date.
  • While you can deploy iOS volume-purchased apps to user or device collections, VPP apps you deploy to a device without a user (for instance, a device you enrolled without user affinity using the Device Enrollment Program (DEP) or Apple Configurator) will not be installed.

The differences between Intune Standalone and Intune/ConfigMgr Hybrid are actually bigger than you think. The table below illustrates the different deployment types and targets and if it works in Standalone/Hybrid.

Deployment Type

Intune/ConfigMgr Hybrid

Intune Standalone

User Required

X

X

User Available

X

Device Required

X

Device Available

So how do we configure Apple VPP in Configuration Manager? To start with you need the following:

  • Apple VPP Token that is to be used.
  • An account that is Global Administrator in your Intune Subscription used for Configuration Manager.

In the Configuration Manager Admin Console the Apple VPP Program is configured in under Software Library as shown below.

VPP2

We select to add “Create Apple Volume Purchase Program Token” which actually doesn’t create a token for you, you must have your token available.

VPP3_1

VPP4

In the next dialog you must log on to Intune with an account with Global Administrator permissions. Note that if you log on with an account without the required permissions the wizard will fail with a cryptic error message so make sure you have the correct permissions for your account.

VPP5

Then the token is uploaded.

VPP6

When the token is uploaded a Synchronization is started, the full synchronization downloads the information about which apps you have bought with your Apple VPP account and the license information for them how many you bought and how many are in use. After that Configuration Manager will synchronize twice a day to ensure that the license information is updated and it does a full synchronization once a week.

VPP7

Under the licensed apps we now have our applications and all information about them available in the console.

VPP8

We can now deploy the iOS application that we downloaded the information for through the Apple VPP program.

VPP9

We select the “App Package for iOS from App Store” option and then Browse.

VPP10

In the next dialog we now have two tabs, one for the App Store and one for Apple Volume Purchase Program and under the “Apple Volume Purchase Program” we can now choose the apps that are bought through the Apple VPP program and deploy them.

VPP11

We can then import the application based on the information from the Apple VPP Program.

VPP12

VPP13

Now we have an application with a link to the application in the Apple VPP Business Store which we can deploy as normal in Configuration Manager. We can deploy it both to Users and to Devices and that is the big difference between Intune Standalone and Intune/Configuration Manager in Hybrid as I mentioned above. When we deploy it to devices the device must have a user affinity which means that it doesn’t work for iOS devices enrolled via DEP without user affinity.

In Intune standalone we can only deploy Apple VPP apps to Users and only as required as shown here as well.

VPP9_2

We select the user group, only user groups are shown.

VPP9_I

And then we select deployment action and only Required Install is allowed.

VPP9_3

Support for Apple VPP program in Intune has been one of the most frequent feature requests for Intune and it is great that it is available!
It is also cool that Hybrid actually delivers!! Hybrid Rules!

  • Currently, each organization can have only one VPP account and token.

  • Only the Apple Volume Purchase Program for Business is supported.

  • Once you associate an Apple VPP account to Intune, you cannot subsequently associate a different account. For this reason, it’s very important that more than one person has the details of the account you use.

  • If you have previously used a VPP token with a different MDM product in your existing Apple VPP account, you must generate a new one to use with Configuration Manager.

  • Each token is valid for one year.

  • By default, Configuration Manager syncs with the Apple VPP service twice a day to ensure that your licenses are synchronized with Configuration Manager.

    Only changes to your licenses are synchronized. However, once every 7 days, a full synchronization will be performed.

    When you click Sync to perform a manual sync, this will always perform a full synchronization.

  • If you need to recover, or restore you Configuration Manager database, we recommend that you perform a manual sync afterwards to ensure that your synchronized license data is up to date.

  • While you can deploy iOS volume-purchased apps to user or device collections, VPP apps you deploy to a device without a user (for instance, a device you enrolled without user affinity using the Device Enrollment Program (DEP) or Apple Configurator) will not be installed.

  • Apple VPP
  • Intune
  • Intune Hybrid
  • SCCM Hybrid
  • 4 thoughts on “Configuration Manager/ Intune and Apple VPP”

    1. Roman says:
      August 26, 2016 at 4:28 pm

      Hi,

      I cannot find the part you are describing in my SCCM Version 2012 R2 SP1 5.0.8239.1302

      Do you have an idea where to find this or which requierements Need to be matching here?

      Kind Regards Roman

      Reply
    2. Dennis says:
      December 21, 2016 at 12:34 am

      I have the same issue – the node for Volume Purchase Programs is not present. I am running SCCM 2012 R2. Does anyone know how to get this into SCCM?

      Reply
      1. Jörgen Nilsson says:
        December 22, 2016 at 10:11 am

        Hi,
        Upgrade to Configuration Manager CB 1602 or later as it was introduced in 1602.
        Regards,
        Jörgen

        Reply
    3. Justin says:
      March 21, 2018 at 7:04 pm

      My initial VPP sync is failing with error code 5. Where can I find documentation about what this code means? And are there any log files that I should be checking to find more detailed info?

      Reply

    Leave a Reply Cancel reply

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone elses use on Enterprise Mobility and Windows related topics.
    All code is provided "AS-IS" with no warranties.

    Recent Posts

    • Community tools demoed at WPNinjas 2023
    • PowerShell script to keep Personal Teams away in Windows 11
    • Windows 11 Multi-App kiosk – a first look
    • Playing around with Driver Updates in Intune
    • MMUGSE – Summer Meetup 8th of June 2023

    ©2023 CCMEXEC.COM – Enterprise Mobility | WordPress Theme by Superb Themes
    This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.Accept Reject Read More
    Privacy & Cookies Policy

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT