Understanding Apple's New Deployment Programs

Yesterday Apple released two new deployment programs for iOS and Mac, and rolled out enhancements to another. I want to explain as best I can how they work together.

The Volume Purchase Program has been significantly enhanced and there are two new programs: Device Enrolment Program and AppleID for Students. Let's look at each of these in turn.

Device Enrolment Program

Until now, the best practice for deploying institutionally-owned devices was to put them into supervision mode using Apple Configurator and either deploy apps at the same time or later via Mobile Device Management (MDM). Supervision is what unlocks the stronger restrictions and silent management features, but getting there required an admin to handle each device and physically connect it to a Mac with a USB cable.

The Device Enrolment Program takes that best practice and moves the supervision and enrolment step into Apple's device activation servers, so it happens when the device is first activated rather than on an admin's desk.

DEP provides four major advantages over cabled deployment:

  • A device can be supervised over-the-air
  • Users can be presented with a simplified version of the setup assistant
  • Devices can be automatically enrolled in your institution's MDM
  • MDM enrolment can be locked

Those four improvements go a long way to making a deployment easy and scalable. You, as an admin, don't have to touch a device at all to roll it out: assign the devices to your MDM server, hand them to users, and when the users open the box and run the setup assistant they end up with supervised devices whose MDM enrolment is enforced. The enrolment lock is what makes the rest meaningful: without it, a user could simply remove the MDM profile and, with it, every restriction and app you had pushed.

After that, you're into essentially the same mode of operation that you'd normally be in with an MDM-based deployment.

There are two major caveats with DEP. The first is that it is only for institutionally-owned devices purchased directly from Apple. There is no procedure for registering devices purchased, for example, over the counter at an Apple Store. My understanding is that this is a philosophical decision on Apple's part: admins should not be able to "capture" devices that they don't own. This is the same philosophy that says that personally-owned devices can't be locked into MDM. My own opinion is that this is not an unreasonable fear on Apple's part. Sysadmin over-reach is a real issue.

The second caveat is that DEP is US-only for now. Apple operates a direct sales model in the US and therefore has knowledge of who ordered which devices, down to the level of individual serial numbers. That's not true in most other countries where Apple works through resellers to sell to institutions.

AppleID for Students

The COPPA regulations in the US have made it awkward to use individual AppleIDs for students under 13. This is being solved with the AppleID for Students program.

Previously the 'institutional model' of deployment, where apps were purchased and installed under a single institutional AppleID whose credentials the student never saw, was used for students under 13. This prevented access to a range of features that depend on an individual AppleID, such as iCloud backup and content syncing to students' own devices.

With the AppleID for Students program, Apple is providing a way for the school and Apple to have verified parental consent for students to create an AppleID. Schools can bulk-upload requests for AppleIDs to be created, then emails requesting consent are sent to parents. Once consent has been given, the AppleID can be created.

Volume Purchase Program enhancements

The Volume Purchase Program has been around for a while but it has been enhanced with some new capabilities.

Previously MDM servers could store and distribute VPP redemption codes ("coupon codes") to users. Once the user redeemed a code in the App Store, that code was spent: it was tied to the redeeming AppleID and could never be recalled or re-allocated.

The new VPP model is called "Managed Distribution". Under MD, the model is not "sending coupon codes to devices" but "assigning apps to AppleIDs". The idea is that your MDM has a concept of who the users are in your organisation and what their AppleIDs are. You then upload a "token" from the VPP program; this token authorises your MDM to act for your VPP account and see the apps and licence counts you have purchased. Then, in your MDM interface, you assign apps to groups of users. The result is that those AppleIDs get access to the apps you specify, up to the number of licences you hold for each app.

It may not be obvious, but because licences are attached to AppleIDs rather than to devices, Managed Distribution requires that each deployed iPad in your school be signed in to one AppleID, the one the licence was assigned to. This obviously plays together with the AppleID for Students program such that students can now have individual AppleIDs without too much difficulty.

There are some further enhancements to VPP. The first is the ability to "recall" an app from a user over the air: the licence is revoked from that AppleID and returns to your pool, where it can be assigned to someone else. For some time, we've been able to recall an app deployed through Apple Configurator, but not apps assigned through MDM. We can now do this, which is great.
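To make the difference between the two VPP models concrete, here is a small added example (written for this article; it is a toy model, not Apple's VPP or MDM API, and every name, AppleID and serial in it is constructed). It models a redemption code as a one-shot seat that is consumed on redemption and cannot be recalled, and Managed Distribution as a per-app licence pool where licences are assigned to AppleIDs in groups, revoked over the air, and reassigned, with a device seeing exactly the apps licensed to the one AppleID it is signed in as.

```python
"""Toy model of VPP redemption codes versus Managed Distribution.

Illustrative code added for this article; not Apple's VPP or MDM API.
All AppleIDs, app names, codes and serials below are constructed.
"""
from dataclasses import dataclass, field


class LicenceError(Exception):
    """Raised when an action would break the programme's rules."""


@dataclass
class CouponCodeModel:
    """The old model: one redemption code per seat, spent on redemption."""
    codes: set = field(default_factory=set)        # codes not yet redeemed
    redeemed: dict = field(default_factory=dict)   # code -> AppleID that spent it

    def redeem(self, code: str, apple_id: str) -> None:
        if code in self.redeemed:
            raise LicenceError(f"{code} already redeemed by {self.redeemed[code]}")
        if code not in self.codes:
            raise LicenceError(f"{code} is not a code this organisation holds")
        self.codes.remove(code)
        self.redeemed[code] = apple_id  # tied to that AppleID for good

    def recall(self, code: str) -> None:
        # A redeemed code cannot be taken back over the air; the seat is spent.
        raise LicenceError("redemption codes cannot be recalled or re-allocated")


@dataclass
class ManagedDistributionModel:
    """The new model: a licence pool per app, assigned to and revoked from AppleIDs."""
    purchased: dict = field(default_factory=dict)  # app -> licences bought
    assigned: dict = field(default_factory=dict)   # app -> set of AppleIDs holding one
    devices: dict = field(default_factory=dict)    # serial -> the single AppleID signed in

    def available(self, app: str) -> int:
        """Licences bought minus licences currently assigned."""
        return self.purchased.get(app, 0) - len(self.assigned.get(app, set()))

    def assign(self, app: str, apple_ids) -> None:
        """Give one licence of `app` to each AppleID in a group, all or nothing."""
        holders = self.assigned.setdefault(app, set())
        new = [a for a in apple_ids if a not in holders]  # existing holders are skipped
        if len(new) > self.available(app):
            raise LicenceError(
                f"{app}: need {len(new)} licences, only {self.available(app)} free")
        holders.update(new)

    def revoke(self, app: str, apple_id: str) -> None:
        """Recall a licence over the air; it returns to the pool for reassignment."""
        self.assigned.get(app, set()).discard(apple_id)

    def sign_in(self, serial: str, apple_id: str) -> None:
        """Licences follow AppleIDs, so each device is tied to exactly one AppleID."""
        self.devices[serial] = apple_id

    def apps_on_device(self, serial: str) -> set:
        """The apps a device can install: those licensed to its signed-in AppleID."""
        apple_id = self.devices.get(serial)
        return {app for app, holders in self.assigned.items() if apple_id in holders}


def demo() -> dict:
    """Run both models on constructed data and return the observable outcomes."""
    old = CouponCodeModel(codes={"CODE-0001"})
    old.redeem("CODE-0001", "alice@example.org")
    try:
        old.redeem("CODE-0001", "bob@example.org")
        reuse_blocked = False
    except LicenceError:
        reuse_blocked = True

    md = ManagedDistributionModel(purchased={"Keynote": 2})
    md.assign("Keynote", ["alice@example.org", "bob@example.org"])
    try:
        md.assign("Keynote", ["carol@example.org"])  # third licence does not exist
        over_assigned = True
    except LicenceError:
        over_assigned = False
    md.revoke("Keynote", "bob@example.org")          # recall over the air
    md.assign("Keynote", ["carol@example.org"])       # the freed licence is reusable
    md.sign_in("SERIAL-0001", "carol@example.org")
    return {
        "reuse_blocked": reuse_blocked,
        "over_assigned": over_assigned,
        "free": md.available("Keynote"),
        "carol_apps": md.apps_on_device("SERIAL-0001"),
    }


if __name__ == "__main__":
    print(demo())
```

The all-or-nothing check in `assign` is the part worth copying into a real MDM integration: assigning a group must fail cleanly when the pool is short rather than silently licensing some of the group, and `revoke` is the only way a licence ever returns to the pool.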

The second enhancement is that, for supervised devices, apps can be installed silently with no user interaction. Previously, installing an app required the user to accept an on-device prompt for the install pushed by the MDM server, but this is no longer the case for supervised devices.