Understanding VPP Managed Distribution in Casper

Ever since Apple announced the availability of the VPP Managed Distribution program earlier this year, the race has been on to see which MDM vendors would ship support - and when.

At Cedars, we use the Casper Suite from JAMF Software (disclaimer: who also occasionally sponsor my podcast). Casper 9.3 just came out this week with their support for VPP-MD, and I've been working on getting it up and running.

Firstly, the migration to 9.3 was as painless as Casper updates always are. Do back up your database first, though!

VPP-MD Theory

You need to understand how VPP-MD works. Here are a couple of key ideas:

  • You now buy a number of "managed tokens" in VPP. You no longer buy coupon codes under VPP-MD.
  • Apps are assigned to individual Apple IDs, not to devices.
  • Apple IDs are not disclosed to the organisation's MDM server.
  • App allocations can be revoked from an Apple ID and reallocated to another Apple ID.
  • Books can be purchased and allocated in the same way, but they cannot be revoked. Ever.

Apple IDs in Casper

The fact that apps are now allocated to Apple IDs instead of devices means that Casper has had to acquire a notion of "users". This was initially rather confusing as Casper already has "users" - in the sense of "accounts that can log into the JSS and manipulate it with some level of access control".

The first thing to realise is that a capital-U "User" is essentially Casper's representation of an Apple ID in the MDM system.

How does Casper get that Apple ID? Well, there's a new concept of "VPP Invitations". Apple requires that each Apple ID owner give permission for an organisation to allocate apps and books to their devices. Casper does this by sending a VPP Invitation.

When they receive a VPP Invitation, the user sees a notification on their device asking for permission. When the user OK's the notification, they're asked to sign into their Apple ID and to agree to new T&Cs.

Question: how does Casper know which device to push a notification to? Well, since we have existing devices in Casper, I created new User objects and then assigned those Users' usernames to the username field in the device's "Owner and Location" information. That's the connection between a User object and a Device object.

Once the user has fully responded to the invitation, Casper knows how to connect an Apple ID with one or more enrolled devices.

VPP in Casper

Under VPP-MD, Apple maintains information in the App Store system about your institution's VPP account and how many of which apps you've bought. The only interfaces you have to this back-end API from Apple are the VPP portal (to buy apps) and your MDM server (to allocate apps to Apple IDs).

To get going with this, you have to download a "token" from the VPP portal and upload it to Casper. This allows Casper to query the App Store to know which apps you've bought and show them to you in the Casper UI.

Once you've connected Casper to your VPP account, created new User objects, connected them with the enrolled devices and sent VPP invitations, you should be ready to start allocating apps.

When you buy apps, if you choose "Managed Distribution" instead of the old "Redeemable Codes", you no longer get a spreadsheet of codes to download. Instead, the app licenses are credited to your VPP account and will eventually show up in Casper. There seems to be a small delay of a minute or two before Casper is notified of the new apps.

Incidentally, one of the side effects of Managed Distribution is that you now have to "buy" free apps. I don't mean you have to pay for them, but you do have to complete a transaction in the VPP portal to put those free apps into your VPP-MD account.

Allocating Apps in Casper

When you're ready to allocate apps in Casper through VPP-MD, there is a new idea of "VPP Assignments". Whereas, previously, you would add apps to Casper and scope them to specific devices or groups of devices, you now select apps from your VPP-MD account and scope them to specific users or groups of users.

I have still to think through exactly how to architect these groups correctly but the obvious first-cut is to create one group per class and a staff group. Creating subject-and-stage-specific groups would allow the allocation of specific apps to, say, "all pupils and teachers involved in Higher Chemistry".

One of the big advantages of VPP-MD for schools is the ability to reallocate apps. At its most obvious, this means you don't have to re-buy apps for pupils next year. Think a little more deeply, though, and you can see how this might start to facilitate buying "class sets" of more expensive apps and moving the apps around different devices, rather than having to buy one copy for everyone who might ever need it.

If only we could do that with books.
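The allocation rules described above, as an added sketch rather than Casper or Apple code: it models a license pool where assignment requires an accepted VPP invitation, app licenses can be revoked and reallocated as a "class set", and book licenses cannot. The `User`, `License` and `move_class_set` names and all sample data are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    """Casper-style User record: stands in for an Apple ID the MDM never sees."""
    username: str
    invitation_accepted: bool = False

@dataclass
class License:
    """Managed licenses bought for one title in the VPP portal (hypothetical model)."""
    title: str
    kind: str  # "app" or "book"
    purchased: int
    holders: set = field(default_factory=set)

    def available(self) -> int:
        return self.purchased - len(self.holders)

    def assign(self, user: User) -> None:
        # Consent comes first: no accepted VPP invitation, no allocation.
        if not user.invitation_accepted:
            raise PermissionError(f"{user.username} has not accepted the invitation")
        if user.username in self.holders:
            return
        if self.available() == 0:
            raise RuntimeError(f"no free licenses left for {self.title}")
        self.holders.add(user.username)

    def revoke(self, user: User) -> None:
        # Apps can be reclaimed; a book stays with its Apple ID for good.
        if self.kind == "book":
            raise ValueError(f"{self.title} is a book and cannot be revoked")
        self.holders.discard(user.username)

def move_class_set(lic: License, old_group: list, new_group: list) -> list:
    """Reclaim an app from one group, hand it to another; return users skipped."""
    for user in old_group:
        lic.revoke(user)
    skipped = []
    for user in new_group:
        try:
            lic.assign(user)
        except (PermissionError, RuntimeError):
            skipped.append(user.username)
    return skipped

if __name__ == "__main__":
    # Constructed sample data: two pupils per class, a class set of two licenses.
    s4 = [User("s4_pupil_a", True), User("s4_pupil_b", True)]
    s5 = [User("s5_pupil_a", True), User("s5_pupil_b", False)]
    app = License("Example Chemistry App", "app", purchased=2)
    for pupil in s4:
        app.assign(pupil)
    print(move_class_set(app, s4, s5), sorted(app.holders))
```

The skipped list is the practical output: it names the users who still need to accept an invitation, or for whom more licenses must be bought, before the app reaches them.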

Silent Installation

With Managed Distribution and iOS 7, we get a new and very helpful feature: silent push-installation of apps on devices.

Under earlier systems, pushing an app to a device required that the user see and respond to an alert asking them to install the given app. This allowed the possibility that the user might cancel the installation and the only way to complete the install was to repeat the push. This is obviously quite wasteful of admin effort.

One of the main reasons I chose Casper Suite last year was their Self-Service Portal, which worked around this problem quite nicely. Self-Service shows a list of all the apps that are in scope for a particular device and allows the user to initiate a push to their device by tapping an "install" button in the portal.

However, with VPP-MD, even that's no longer required. When an app comes into scope for a given user, Casper will push-install the app on their registered devices. Better, it will do this silently, with no interaction required from the user and therefore no ability for the user to, well, screw things up.

Currently, I have to return all our primary school iPads to base to install new apps. Under VPP-MD, I can just sit at my Casper dashboard and push apps out all over the school. It won't matter if the iPads are in schoolbags or in use. It won't even matter if a pupil is absent that day (a big issue in return-to-base maintenance) - the push will find them at home as long as they're online.

Deploy 2014, Part 7: Financing and Roll-Out

This week on the Deploy 2014 podcast series, we tackle the thorny questions of financing and roll-out strategy. This is one of the hardest areas to get right.

We tackle the two issues together because financing and roll-out go hand-in-hand. Your finances might dictate a certain style of roll-out but the roll-out style could impact your finances for years to come.

Fraser and Bradley open the show with a discussion of the Microsoft Office release for iPad and how it relates to Google Apps For Education schools (along with iPads). At $99 per year, is it that much better than iWork and Google Drive? Fraser compiled some interesting statistics that he shared on Twitter:

I identified 75 word processing features and compared Word, Pages and GDrive on iOS. Pages has 61, Word 57, Google Drive….18.

Of 54 high-level spreadsheet features: Excel: 39; Numbers: 42; Google Drive: 23.

Fraser points out that the ability to view Office documents on iOS and have them render perfectly will be a big win for a lot of folks. The lack of printing does seem like a huge oversight and will likely be added soon.

Next, we talk about some JAMF Software news: Casper 9.3 shipped this week, bringing support for VPP Managed Distribution. Fraser talks about some corner cases he’s found in testing but is overall quite enthusiastic about the technology.

They then move onto the actual deployment topic and discuss financing and roll-out. Financing is always a tricky thing to discuss. In the private school sector, a lot of parents feel like their tuition should cover any technology. In the public school sector, you may not be legally allowed to ask. Fraser brings up the point that “technology fees” seem to be going away and jokes that you should charge a “bathroom fee” as well. By making something an “add on”, some parents feel like it's optional. Bradley brings up the point that many schools use fees to keep their tuition low on their website for parents who are shopping around. The overall point is that you have to get it funded and you have to get it re-funded in 3-4 years. There are many routes to funding. It can be a budget decision, grants, or private donations. Bradley mentions that if you do get a grant, you need to begin planning budget-wise for your next refresh, as you may not get another grant.

They then move onto the topic of rollouts. There are basically 4 types.


In this model, there is little consistency. You’ll probably see 80% iOS, but we speculate that, in the future, just “iOS” might be all you need to mandate. As the platform matures, hardware may be different year to year. The biggest thing we see right now is there is no AirDrop on the iPad 2. The bottom line is that teachers want a predictable and stable foundation to plan against and BYOD doesn’t allow for that. Fraser notes that, in the UK, the leading argument for a mandatory school uniform was that you don’t want pupils to be visibly distinguished by their parents’ inability to buy the “best kit”. BYOD seems to accept that this is OK in technology. Some parents will provide iPads but what of those children whose parents either don’t understand or can’t afford the best technology?

Year at a time

In this model, a grade gets deployed each year. It looks low risk, but it is very difficult in practice. You end up on a treadmill of “new devices every year” and it’s really hard to get off it. Also, if you start at the bottom year group and work up, what of those children who were in year two at the start and have 5-6 years of education without tech while the years below move on with technology? Great way to factionalise your school.


As Fraser mentioned, pilots are often as simple as: Let’s order 30 iPads and see what happens. This teaches you essentially nothing about being a 1:1 school unless you use that kit to build a small 1:1 enclave in your school. Spreading the kit around means you have to solve problems that you don't when you're 1:1. You’d be better off spending that money in traveling to other schools or bringing in deployment personnel to help you navigate the waters.

All In (The Cedars Model)

This model is easier than ever with DEP and VPP-MD. iOS is at a place where it doesn’t matter if it's 100 or 50,000. Other than the unboxing, Apple has built the tools to scale these deployments.

iOS deployments are at a place where it’s not as simple as knowing how to sync an iPad to iTunes 200 times over. Deployments are like the “Choose Your Own Adventure” books from the 1990s. There are decisions you make that you can’t go back on. It’s no longer about brute forcing solutions, but about thinking through piecing the puzzle together (WiFi, MDM, DEP, VPP-MD, etc).

I hope you're enjoying the series so far. You can subscribe in iTunes, directly on our site or in the search feature of your mobile podcast client.

Deploy 2014, Part 6: Accessories and Apps

Here's the discussion for this week: buying accessories and apps.

The TL;DL version is that we're not really keen on any accessories, but we do like a good solid core set of apps (mostly free!) that will let you go a long way.

Fraser and Bradley continue their deployment series with a discussion on accessories. They left the discussion of cases to show 67. Both Fraser and Bradley are down on screen protectors because they change the “feel” of the device, but they don’t protect it from falls.

Keyboards are the next item. Fraser talks about horror stories of hearing about classrooms of 30 with Bluetooth keyboards. Bradley mentions that Bluetooth operates on 2.4 GHz, so it can create WiFi interference. Fraser mentions that certain classes/exams can make good use of a keyboard and that Logitech makes a wired option. Bradley mentions that he is down on keyboard cases because there is no reason to carry it 100% of the time when it is probably used 5% of the time.

Styli are next. Fraser brings up the fact that iOS needs to begin to build in support for these products. Some of the more advanced models are using Bluetooth, so they require charging and pairing. Bradley says that if you have 2 styli, then you blew it (a reference to Steve Jobs saying if you see a stylus then they blew it). Bradley mentions that he’s heard math teachers would love a fine-tipped stylus.

Fraser closes out the section with a reminder that screen wipes are essential for your deployment and it is something that most people forget about. Especially when it comes to flu season, you want to keep the devices clean.

They then move onto app selection. Fraser mentions that a lot of teachers go through the “app, app, app” craze and want to try everything. He said to think about apps not as book replacements but as tool replacements. What apps are core to just about any deployment?

  • iWork
  • iLife
  • iBooks
  • iTunes U
  • Explain Everything
  • Google Drive/Dropbox/OneDrive (a near-line file system)
  • PDF annotator (We like PDF Expert)

Fraser mentions that specific subjects will always have unique needs, but that shouldn’t be the rule. He also mentions that it is wise for schools to decide on a core app suite so students don’t end up with a different note-taking app for every teacher.

Both Bradley and Fraser have simple methods for teachers to request apps (email). A lot of people think teachers will go nuts and spend a ton of money, but that isn’t what either has experienced. It also seems that as students get older, they need fewer and fewer apps.


Deploy 2014, Part 5: Device Selection

I've been remiss in updating the blog to match the show, but here's a catch-up.

In part 5, we discuss device selection. How do you choose what you're going to deploy?

When it comes to 1:1, the question seems to be either iPad or “other”. This is not to discount other platforms, but that is just the reality of the education market in 2014. Chromebooks have become a nice alternative to a traditional laptop, especially if the majority of your computing is done in a browser. Bradley and Fraser begin the show by talking about the recent Google Drive pricing changes where 100 GB is now $1.99 per month (1 TB is $9.99 per month). The Chromebook has some pros and cons.

Pros:

  • Traditional form factor
  • Low costs

Cons:

  • Robustness questionable
  • Reliability questionable (although at £220 who cares?)
  • After-sales support situation unclear
  • Management fee – not too expensive but non-zero

We also discuss Windows 8 and the Surface product line. Bradley mentions that while he doesn’t hope that Microsoft loses, as he did back in 2008 or 2009, he isn’t betting on them anymore. He says time will tell if they are like Apple in 1997 or like Sega in 1999 with the Dreamcast. Will they stay in the hardware business long term (or even in the modern OS discussion)? Fraser mentions that when deploying 1:1 iPad, don’t forget about teachers who have specific needs tied to high-end software (AutoCAD, etc). Bradley and Fraser then discuss what it would take to run software like Cubasis and AutoCAD on iOS. Both agree that it is time for those genres to re-think how they work in a touch and gesture based world.

We then move onto the iPad. Even with the iPad, there are discussions about size, model, color, etc. Fraser gives us storage stats from his deployment:

  • 75+% full: 12%
  • 50-75% full: 24%
  • 25-50% full: 50%
  • 0-25% full: 14%

Both recommend buying the newest iPad that is out when you do your deployment. Although March release dates were nice for schools, that isn’t the current reality. When it comes to storage, 32 GB is recommended. 16 might be fine for a while, but if you are consistently having issues 20 months into a deployment, you’ll regret it.

Apple has certainly upped the capabilities of how you manage iOS deployments, but with that power comes responsibility. Fraser mentioned his first deployment was built on iTunes syncing and home sharing. DEP, MDM and VPP have certainly simplified larger rollouts, but it does take planning and training.

iCloud is a great service, but it’s a different kind of platform than Dropbox or Google Drive. As your students go through your school, you’ll need to consider their long term near-line storage needs.

Fraser closed the show with an important reminder. The most important thing when it comes to device selection is to actually choose. Too often, the phrase “it’s not about the technology” is deployed, either to justify a choice that has no particular merits or to avoid having to make that justification in the first place. Yes, a good enthusiastic teacher can “find the learning” with any equipment but that doesn’t mean that everyone can or that a one-off classroom project can scale to become part of the culture of a school.

The thing is, the long term goal isn’t about the technology but there are short-term goals that are very much about the technology.
