Configuration Manager/ Intune and Apple VPP

I get a lot of questions if there are any difference in functionality in Intune Standalone and in Hybrid with Configuration Manager. There are a lot of differences, in this post I will show how to setup the Apple Volume Purchase Program(VPP) integration in Configuration Manager 1602 with Intune and cover the differences in functionality between Intune Standalone and Configuration Manager/Intune Hybrid.

The Apple Volume Purchase Program comes in two different version one for Business and one for Education. Both programs work in the same way making it possible to volume purchase applications and deploy them with a MDM solution of your choice. When you sign up you download your Apple VPP token that is then imported into the MDM solution that you want to use. This token is valid for one year. More information can be found here: http://www.apple.com/business/vpp/

There are some things to keep in when it comes to the Apple VPP Program in Configuration Manager, for more information see the following link where these limitations are taken from. https://msdn.microsoft.com/en-us/library/mt627954.aspx

• Only one VPP account and token is supported
• Only the Apple Volume Purchase Program for Business is supported.
• Once you associate an Apple VPP account to Intune, you cannot subsequently associate a different account. For this reason, it’s very important that more than one person has the details of the account you use.
• If you have previously used a VPP token with a different MDM product in your existing Apple VPP account, you must generate a new one to use with Configuration Manager.
• Each token is valid for one year.
• By default, Configuration Manager syncs with the Apple VPP service twice a day to ensure that your licenses are synchronized with Configuration Manager.
• Only changes to your licenses are synchronized. However, once every 7 days, a full synchronization will be performed.
• When you click Sync to perform a manual sync, this will always perform a full synchronization.
• If you need to recover, or restore you Configuration Manager database, we recommend that you perform a manual sync afterwards to ensure that your synchronized license data is up to date.
• While you can deploy iOS volume-purchased apps to user or device collections, VPP apps you deploy to a device without a user (for instance, a device you enrolled without user affinity using the Device Enrollment Program (DEP) or Apple Configurator) will not be installed.

The differences between Intune Standalone and Intune/ConfigMgr Hybrid are actually bigger than you think. The table below illustrates the different deployment types and targets and if it works in Standalone/Hybrid.

Deployment Type	Intune/ConfigMgr Hybrid	Intune Standalone
User Required	X	X
User Available	X
Device Required	X
Device Available

So how do we configure Apple VPP in Configuration Manager? To start with you need the following:

• Apple VPP Token that is to be used.
• An account that is Global Administrator in your Intune Subscription used for Configuration Manager.

In the Configuration Manager Admin Console the Apple VPP Program is configured in under Software Library as shown below.

We select to add “Create Apple Volume Purchase Program Token” which actually doesn’t create a token for you, you must have your token available.

In the next dialog you must log on to Intune with an account with Global Administrator permissions. Note that if you log on with an account without the required permissions the wizard will fail with a cryptic error message so make sure you have the correct permissions for your account.

Then the token is uploaded.

When the token is uploaded a Synchronization is started, the full synchronization downloads the information about which apps you have bought with your Apple VPP account and the license information for them how many you bought and how many are in use. After that Configuration Manager will synchronize twice a day to ensure that the license information is updated and it does a full synchronization once a week.

Under the licensed apps we now have our applications and all information about them available in the console.

We can now deploy the iOS application that we downloaded the information for through the Apple VPP program.

We select the “App Package for iOS from App Store” option and then Browse.

In the next dialog we now have two tabs, one for the App Store and one for Apple Volume Purchase Program and under the “Apple Volume Purchase Program” we can now choose the apps that are bought through the Apple VPP program and deploy them.

We can then import the application based on the information from the Apple VPP Program.

Now we have an application with a link to the application in the Apple VPP Business Store which we can deploy as normal in Configuration Manager. We can deploy it both to Users and to Devices and that is the big difference between Intune Standalone and Intune/Configuration Manager in Hybrid as I mentioned above. When we deploy it to devices the device must have a user affinity which means that it doesn’t work for iOS devices enrolled via DEP without user affinity.

In Intune standalone we can only deploy Apple VPP apps to Users and only as required as shown here as well.

We select the user group, only user groups are shown.

And then we select deployment action and only Required Install is allowed.

Support for Apple VPP program in Intune has been one of the most frequent feature requests for Intune and it is great that it is available!
It is also cool that Hybrid actually delivers!! Hybrid Rules!