This document explains the various steps involved in managing Store and enterprise Apple apps. Ensure these ports and domains are allowlisted for managing Apple apps. If you've already set up ABM in another MDM service, you can migrate it to ME MDM as explained here.
iOS, tvOS, macOS & iPadOS
Platform | VPP Apps | Store Apps |
---|---|---|
iOS | ![]() | ![]() |
iPadOS | ![]() | ![]() |
Shared iPad | ![]() | ![]() |
tvOS | ![]() | ![]() |
macOS | ![]() | ![]() |
Note:
Adding apps to app catalog is not supported for macOS.
The App Store has a multitude of apps, both free and paid. Free apps can be added directly to the App Repository, using the app name or bundle identifier of the app. In the case of paid apps, the app licenses need to be purchased as explained in the next section, after which they can be added to the App Repository. To add the apps to the Repository, refer to these steps. To distribute unlisted iOS apps to devices, refer to our Unlisted iOS App to Devices guide.
Apple has introduced Apple Business Manager (ABM) and Apple School Manager (ASM), which give organizations and schools, respectively, an integrated platform to manage devices and apps. The Volume Purchase Program (Apple VPP), available with ABM and ASM, is a free program for managing free and paid Store apps. It simplifies app management through Managed Distribution, with which the admin can approve licenses on these portals and distribute the apps to devices. These licenses can be revoked and reused if the app is removed from the user's devices. Other advantages include:
NOTE: The steps for configuring Apple Business Manager mentioned in this document are also applicable for Apple School Manager.
Using ABM, administrators can manage app licenses by assigning or revoking the apps distributed to a user at any point in time and reusing the licenses to distribute the app to another device. This is done by registering the corporate Apple ID to generate an sToken, which should then be uploaded to the MDM server. Whenever an app is purchased using the corporate Apple ID, the license details are synced with the MDM server. You can also manually sync the license details by clicking the Sync License button under the specific app details view.
Ensure the Apple account used for ABM is not associated with any other device.
You can purchase licenses in bulk for both free and paid apps using ABM, and then distribute the apps to the devices. App License(s) refers to the number of devices to which the app needs to be distributed. For example, if you want to distribute the ME MDM app to 300 devices, you should purchase 300 app licenses.
Note: To migrate unused VPP Redemption codes to Managed Distribution, refer to this.
Apps can be purchased through Managed Distribution as explained below.
Ensure you use a unique corporate Apple account for ABM and also do not associate this account with any other Apple device.
If you do not have a corporate Apple account for ABM, click on Enroll now, to create an account for your organization. To upgrade your VPP account to the ABM portal and to know more about the upgrade, follow the steps given here.
If you are already using VPP with MDM, MDM automatically migrates your apps to ABM once you have upgraded. Prior to the expiry of the content token, you'll have to renew the token from the ABM portal to continue managing your apps.
With ABM, you can approve licenses for free apps and purchase paid apps for distribution to devices. On the ABM portal, under Content, click on Apps and Books. Search for the required apps and enter the required number of licenses to approve or purchase. Once ABM is set up, MDM syncs with ABM every day to automatically add any new purchases to MDM. You can also navigate to the App Repository, click the Sync Apps button and choose Sync ABM Apps to manually sync the apps with MDM.
Follow the steps mentioned below to upload the sToken in the MDM server:
You have successfully created/renewed the content token on the MDM server. You can now distribute apps to the managed devices, assign or revoke licenses as per your requirement.
You can also upload multiple location tokens on the MDM console to manage department or location specific app purchases. To upload new tokens, navigate to App Repository -> Apple App Management -> Add Location Token -> Upload Token. Once uploaded, MDM will sync the apps added to the location token via ABM.
Note: If you need to add a new location in ABM portal, go to Locations and click on Add a new location. It is recommended to give the location a descriptive name, for easier identification purposes.
Each location token is valid for one year. When nearing expiration, it is essential that the token is renewed to distribute apps using the location tokens. You can renew the location token by logging in to ABM, downloading the location token again and uploading the token back in MDM by following the same steps as mentioned above.
If the location token is already in use,
The location token is valid for one year. You can renew the token by downloading it from the ABM portal and uploading it to the MDM server. Follow the steps below to renew the token. Note: Renewing location tokens does not affect the existing apps that are distributed from MDM.
The content token associated with the MDM server can be removed by navigating to App Repository -> Apple Business Manager -> Remove. On removing the token from the MDM server, all the apps synced from MDM are moved to Trash. Further, the apps synced from ABM and distributed to the devices are removed from the devices as well. On moving these back to the App Repository from Trash, they'll be considered normal apps added to the App Repository via the App Store.
The app is associated with the device instead of the user's Apple ID. This lets you install apps without the Apple ID on devices. Additionally, if the devices are Supervised you can install apps silently on the devices. The approved licenses are counted based on the number of devices the app has been distributed to. For example, if you distribute the app to 5 devices, 5 licenses are used.
The ME MDM app must be installed on managed Apple devices to locate the devices, detect jailbroken devices, and for various other features. Using ABM, the ME MDM app can be purchased, distributed to devices and installed silently on Supervised devices, and without requiring an Apple ID on Non-Supervised devices.
It is also important for the IT administrator to ensure the apps distributed stay up to date with all the critical updates installed on time. If the apps are distributed to the devices using ABM, then the App Store is completely in the control of the IT administrator, and the updates are not available to the user on the devices directly. Hence, the admin has to distribute these updates to the devices to make them available to the user.
Follow the steps given here to distribute app updates to devices.
MDM lets you modify the configurations of the app to be distributed to the device, effectively restricting the capabilities and features of the app. App Configurations let you customize the apps to suit the needs of the organization. You can also secure devices by restricting apps from accessing data and/or resources of the managed devices. The app developer names and specifies a set of configurations as an XML file, which is uploaded to the MDM server and is automatically pushed along with the app. The app developer must support app configurations in the app for them to be applied using MDM.
Follow the steps given below to apply app configurations:
Pushing app configurations based on user-specific/device-specific parameters such as e-mail, UDID etc., to different users can be a cumbersome task, as the app configuration needs to be modified every time before it is pushed. However, MDM supports dynamic variables: once app configurations with user-specific/device-specific parameters are set up using dynamic variables, they needn't be configured again, as the dynamic variables fetch all the required data from the enrollment details.
Here is the table of parameters for which MDM supports dynamic variables:
PARAMETER | DYNAMIC VARIABLE |
---|---|
Device UDID | %udid% |
Device Name | %devicename% |
User Name | %username% |
Email | %email% |
Domain name | %domainname% |
Serial Number | %serialnumber% |
IMEI | %imei% |
Exchange ID | %easid% |
Sample XML file
The app configuration file is an XML file which contains details regarding the configurations supported by the app. A sample XML file is shown below:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>serverURL</key>
    <string>myServerUrl.myDomain.com</string>
    <key>username</key>
    <string>%username%</string>
    <key>domain</key>
    <string>%domainname%</string>
    <key>email</key>
    <string>%email%</string>
</dict>
</plist>
```
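A review step for such a file before upload, as an added example (not ManageEngine's code): it parses the plist, reports which enrollment identifiers the configuration hands to the app, and flags any `%token%` that is not in the table above. Exact, case-sensitive matching and the `preview` substitution are assumptions about how the variables are resolved; the sample file and enrollment record are constructed.

```python
import plistlib
import re

# Dynamic variables from the table above; other tokens are not documented as supported.
SUPPORTED = {"%udid%", "%devicename%", "%username%", "%email%",
             "%domainname%", "%serialnumber%", "%imei%", "%easid%"}
TOKEN = re.compile(r"%[A-Za-z0-9_]+%")

def strings(node, path=""):
    """Yield (key path, value) for every string in the parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def audit(plist_bytes):
    """Return (used, unknown): {token: [key paths]} for supported and unrecognised tokens."""
    used, unknown = {}, {}
    for path, value in strings(plistlib.loads(plist_bytes)):
        for token in TOKEN.findall(value):
            bucket = used if token in SUPPORTED else unknown
            bucket.setdefault(token, []).append(path)
    return used, unknown

def preview(plist_bytes, enrollment):
    """Fill supported variables from one enrollment record (assumed substitution model)."""
    def swap(match):
        token = match.group(0)
        return enrollment.get(token, token) if token in SUPPORTED else token

    def fill(node):
        if isinstance(node, dict):
            return {key: fill(value) for key, value in node.items()}
        if isinstance(node, list):
            return [fill(value) for value in node]
        return TOKEN.sub(swap, node) if isinstance(node, str) else node

    return fill(plistlib.loads(plist_bytes))

# Constructed sample: the page's configuration plus a device identifier and a misspelled variable.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>serverURL</key><string>myServerUrl.myDomain.com</string>
    <key>username</key><string>%username%</string>
    <key>email</key><string>%email%</string>
    <key>device</key><string>%serialnumber%</string>
    <key>display</key><string>%device_name%</string>
</dict>
</plist>"""

if __name__ == "__main__":
    used, unknown = audit(SAMPLE)
    print("enrollment data handed to the app:", used)
    print("tokens not in the supported table:", unknown)
    print(preview(SAMPLE, {"%username%": "jdoe", "%email%": "jdoe@example.com",
                           "%serialnumber%": "C02EXAMPLE"}))
```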
To meet your organizational needs, you can create app configurations for the following applications.
MDM lets you modify the app policies for App Store and Enterprise apps. App policies help protect corporate app data when the MDM profile is removed from the device, when you migrate from one MDM server to another, and so on.
MDM allows you to configure the following app policies:
Note: If you modify these app policies after distributing the app,
Enterprise apps are also called in-house apps. Enterprise apps are those which are specific to an organization and are used internally. These apps are owned by the company and are not listed in the App Store. Enterprise apps are commonly a collection of computer programs with business applications or tools for modeling the organizational work. These apps are developed exclusively for specific platforms, such as Apple and Android. Refer to this, to know more about adding enterprise apps in the App Repository and installing them on devices without user intervention. To test and deploy Apple enterprise apps seamlessly using multi app version management, refer to this link.
Any enterprise app added to the App Repository and associated with devices is automatically trusted and does not require the user to manually trust the app on the device.
Custom apps are tailor-made apps developed to specifically cater to the needs of an organization. The basic difference between enterprise apps and Custom apps is that the former are developed in-house while the latter usually involve third-party developers. Further, Custom apps are provided only through ABM, so your organization must have an ABM account. To know more about Custom apps, refer to this.
A provisioning profile is a collection of digital entities that uniquely ties developers and devices to an authorized iPhone Development Team and enables a device to be used for testing.
Unlike on Android, you can’t install just any app on an iOS device. It has to be signed by Apple first. However, when you’re developing an app, you probably want to test it before sending it to Apple for approval. A provisioning profile acts as a link between the device and the developer account. During development, you choose which devices can run your app and which app services your app can access. A provisioning profile is downloaded from your developer account and embedded in the app bundle, and the entire bundle is code-signed. A Development Provisioning Profile must be installed on each device on which you wish to run your application code. If the information in the provisioning profile doesn’t match certain criteria, your app won’t launch.
There are several types of iOS app provisioning profiles, each serving a different purpose. Here are the most common types:
In MDM, only enterprise apps built with Development, In-house, or Ad-Hoc provisioning profiles can be uploaded.
For an app to be installed on all compatible Apple devices without registering their UDIDs, as Ad-hoc and Development provisioning profiles require, the In-house provisioning profile must be used. To create an In-house provisioning profile, one must be enrolled in the Apple Developer Enterprise Program.
Apps can be installed, updated, managed, and uninstalled on iOS devices using the above specified methods.
Check if vpp.itunes.apple.com is allowlisted along with other domains and ports listed here. Ideally, it is recommended to allowlist *.apple.com for seamless management of Apple devices. Also, verify the availability of the required Apple services.
While trying to upload an enterprise app, you receive the error message Info.plist not found. This error occurs when the .ipa file is extracted from an invalid source. Contact your developer to get the valid .ipa file.
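A pre-upload check covering the provisioning-profile and Info.plist points above, as an added example (not ManageEngine's code): it confirms the .ipa carries Info.plist at the standard Payload/<App>.app/ path and reads embedded.mobileprovision to report the profile type, device count and expiry. `ProvisionsAllDevices`, `ProvisionedDevices`, `get-task-allow` and `ExpirationDate` are Apple's profile keys; the sample archive and bundle ID are constructed, and that the server expects this layout is an assumption.

```python
import io
import plistlib
import re
import zipfile
from datetime import datetime, timezone

INFO = re.compile(r"^Payload/[^/]+\.app/Info\.plist$")
PROFILE = re.compile(r"^Payload/[^/]+\.app/embedded\.mobileprovision$")

def profile_plist(blob):
    """Pull the XML plist out of the CMS-signed profile (the signature is not verified here)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no plist found in embedded.mobileprovision")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def profile_type(profile):
    """Classify by the keys Apple writes into each kind of profile."""
    if profile.get("ProvisionsAllDevices"):
        return "In-house"
    if "ProvisionedDevices" not in profile:
        return "App Store"
    dev = profile.get("Entitlements", {}).get("get-task-allow")
    return "Development" if dev else "Ad-Hoc"

def check_ipa(data, now=None):
    """Return a report dict; report['problems'] lists reasons to fix the build before upload."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    report = {"bundle_id": None, "type": None, "devices": None, "problems": []}
    with zipfile.ZipFile(io.BytesIO(data)) as ipa:
        names = ipa.namelist()
        info = next((n for n in names if INFO.match(n)), None)
        prof = next((n for n in names if PROFILE.match(n)), None)
        if info is None:
            report["problems"].append("Info.plist not found under Payload/<App>.app/")
        else:
            report["bundle_id"] = plistlib.loads(ipa.read(info)).get("CFBundleIdentifier")
        if prof is None:
            report["problems"].append("embedded.mobileprovision not found")
            return report
        profile = profile_plist(ipa.read(prof))
    report["type"] = profile_type(profile)
    report["devices"] = len(profile.get("ProvisionedDevices", []))
    if report["type"] == "App Store":
        report["problems"].append("App Store profile: not a Development/In-house/Ad-Hoc build")
    expires = profile.get("ExpirationDate")  # plistlib returns a naive UTC datetime
    if expires and expires <= now:
        report["problems"].append(f"provisioning profile expired on {expires:%Y-%m-%d}")
    return report

def sample_ipa(profile, with_info=True):
    """Build a constructed in-memory .ipa; bytes around the plist stand in for the CMS wrapper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ipa:
        if with_info:
            info = plistlib.dumps({"CFBundleIdentifier": "com.example.inhouse"},
                                  fmt=plistlib.FMT_BINARY)
            ipa.writestr("Payload/Demo.app/Info.plist", info)
        blob = b"\x30\x82CMS" + plistlib.dumps(profile) + b"\x00SIG"
        ipa.writestr("Payload/Demo.app/embedded.mobileprovision", blob)
    return buf.getvalue()

if __name__ == "__main__":
    adhoc = {"ProvisionedDevices": ["0" * 40], "Entitlements": {"get-task-allow": False},
             "ExpirationDate": datetime(2020, 1, 1)}
    print(check_ipa(sample_ipa(adhoc)))
    print(check_ipa(sample_ipa({"ProvisionsAllDevices": True}, with_info=False)))
```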
This error happens due to network failure. Ensure that you have stable network connectivity throughout the app distribution.