Understanding VPP Managed Distribution in Casper

Ever since Apple announced the availability of the VPP Managed Distribution program earlier this year, the race has been on to see which MDM vendors would ship support - and when.

At Cedars, we use the Casper Suite from JAMF Software (disclaimer: who also occasionally sponsor my podcast). Casper 9.3 just came out this week with their support for VPP-MD, and I've been working on getting it up and running.

Firstly, the migration to 9.3 was as painless as Casper updates always are. Do back up your database first, though!

VPP-MD Theory

You need to understand how VPP-MD works. Here are a couple of key ideas:

  • You now buy a number of "managed tokens" in VPP. You no longer buy coupon codes under VPP-MD.
  • Apps are assigned to individual Apple IDs, not to devices.
  • Apple IDs are not disclosed to the organisation's MDM server.
  • App allocations can be revoked from an Apple ID and reallocated to another Apple ID.
  • Books can be purchased and allocated in the same way, but they cannot be revoked. Ever.

Apple IDs in Casper

The fact that apps are now allocated to Apple IDs instead of devices means that Casper has had to acquire a notion of "users". This was initially rather confusing as Casper already has "users" - in the sense of "accounts that can log into the JSS and manipulate it with some level of access control".

The first thing to realise is that a capital-U "User" is essentially Casper's representation of an Apple ID in the MDM system.

How does Casper get that Apple ID? Well, there's a new concept of "VPP Invitations". Apple requires that each Apple ID owner give permission for an organisation to allocate apps and books to their devices. Casper does this by sending a VPP Invitation.

When they receive a VPP Invitation, the user sees a notification on their device asking for permission. When the user OKs the notification, they're asked to sign into their Apple ID and to agree to new T&Cs.

Question: how does Casper know which device to push a notification to? Well, since we have existing devices in Casper, I created new User objects and then assigned those Users' usernames to the username field in the device's "Owner and Location" information. That's the connection between a User object and a Device object.

Once the user has fully responded to the invitation, Casper knows how to connect an Apple ID with one or more enrolled devices.

VPP in Casper

Under VPP-MD, Apple maintains information in the App Store system about your institution's VPP account and how many of which apps you've bought. The only interfaces you have to this back-end API from Apple are the VPP portal (to buy apps) and your MDM server (to allocate apps to Apple IDs).

To get going with this, you have to download a "token" from the VPP portal and upload it to Casper. This allows Casper to query the App Store to know which apps you've bought and show them to you in the Casper UI.

Once you've connected Casper to your VPP account, created new User objects, connected them with the enrolled devices and sent VPP invitations, you should be ready to start allocating apps.

When you buy apps, if you choose "Managed Distribution" instead of the old "Redeemable Codes", you no longer get a spreadsheet of codes to download. Instead, the app licenses are credited to your VPP account and will eventually show up in Casper. There seems to be a small delay of a minute or two before Casper is notified of the new apps.

Incidentally, one of the side effects of Managed Distribution is that you now have to "buy" free apps. I don't mean you have to pay for them, but you do have to complete a transaction in the VPP portal to put those free apps into your VPP-MD account.

Allocating Apps in Casper

When you're ready to allocate apps in Casper through VPP-MD, there is a new idea of "VPP Assignments". Whereas, previously, you would add apps to Casper and scope them to specific devices or groups of devices, you now select apps from your VPP-MD account and scope them to specific users or groups of users.
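The sketch below is an added example, not Casper code or anything from the JSS API: it resolves one VPP Assignment from a group of usernames to devices, and reports which users would be missed and whether enough licenses were bought. The `User` and `Device` classes, their field names and the sample data are all hypothetical, and it assumes a license is consumed by every scoped user who has accepted their invitation.

```python
from dataclasses import dataclass

@dataclass
class User:               # hypothetical stand-in for a Casper "User" (an Apple ID holder)
    username: str
    invitation_accepted: bool

@dataclass
class Device:             # hypothetical stand-in for an enrolled device
    name: str
    owner_username: str   # the username in "Owner and Location"

def audit_assignment(app, licenses, group, users, devices):
    """Resolve one VPP Assignment to devices and list the users it will miss."""
    by_name = {u.username: u for u in users}
    install_on, problems, licensed = [], [], 0
    for username in group:
        user = by_name.get(username)
        if user is None:
            problems.append((username, "no User object"))
            continue
        if not user.invitation_accepted:
            problems.append((username, "VPP invitation not accepted"))
            continue
        licensed += 1     # assumption: the license goes to the Apple ID, per user
        owned = [d.name for d in devices if d.owner_username == username]
        if not owned:
            problems.append((username, "no device lists this username"))
        install_on.extend(owned)
    return {"app": app, "install_on": install_on, "problems": problems,
            "licenses_needed": licensed,
            "licenses_short": max(0, licensed - licenses)}

# Constructed sample inventory, for illustration only.
USERS = [User("amcleod", True), User("bfraser", False),
         User("cstewart", True), User("dross", True)]
DEVICES = [Device("iPad-001", "amcleod"), Device("iPad-002", "amcleod"),
           Device("iPad-003", "bfraser"), Device("iPad-004", "emunro"),
           Device("iPad-005", "dross")]
GROUP = ["amcleod", "bfraser", "cstewart", "dross", "emunro"]

if __name__ == "__main__":
    report = audit_assignment("Example Chemistry App", 2, GROUP, USERS, DEVICES)
    for key, value in report.items():
        print(f"{key}: {value}")
```
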

I have still to think through exactly how to architect these groups correctly but the obvious first-cut is to create one group per class and a staff group. Creating subject-and-stage-specific groups would allow the allocation of specific apps to, say, "all pupils and teachers involved in Higher Chemistry".

One of the big advantages of VPP-MD for schools is the ability to reallocate apps. At its most obvious, this means you don't have to re-buy apps for pupils next year. Think a little more deeply, though, and you can see how this might start to facilitate buying "class sets" of more expensive apps and moving the apps around different devices, rather than having to buy one copy for everyone who might ever need it.

If only we could do that with books.

Silent Installation

With Managed Distribution and iOS 7, we get a new and very helpful feature: silent push-installation of apps on devices.

Under earlier systems, pushing an app to a device required that the user see and respond to an alert asking them to install the given app. This left open the possibility that the user might cancel the installation, in which case the only way to complete the install was to repeat the push. This is obviously quite wasteful of admin effort.

One of the main reasons I chose Casper Suite last year was their Self-Service Portal, which worked around this problem quite nicely. Self-Service shows a list of all the apps that are in scope for a particular device and allows the user to initiate a push to their device by tapping an "install" button in the portal.

However, with VPP-MD, even that's no longer required. When an app comes into scope for a given user, Casper will push-install the app on their registered devices. Better, it will do this silently, with no interaction required from the user and therefore no ability for the user to, well, screw things up.

Currently, I have to return all our primary school iPads to base to install new apps. Under VPP-MD, I can just sit at my Casper dashboard and push apps out all over the school. It won't matter if the iPads are in schoolbags or in use. It won't even matter if a pupil is absent that day (a big issue in return-to-base maintenance) - the push will find them at home as long as they're online.