
Recommended method to deploy apps in the enterprise

I have a Mac server configured with Profile Manager. My users at this point log into their iMacs with their Active Directory credentials. Classroom laptops use AD credentials as well, and the rest of the laptops (1/3 of all Macs on our site) have stand-alone accounts on the local machines.


We've been messing with VPP up to this point, but honestly I'm not impressed with the way it works with OSX devices. I can enroll a machine into Profile Manager via trust certificate and the management profile. This works fine, and I can group the machines in logical order. According to the documentation, I should be able to deploy apps to the workstations themselves (independent of who is using it), but so far it doesn't seem to work like that.


With a free VPP app, such as GarageBand, in Profile Manager, I can only see where I can associate it with a user or user-group. I see two options with this. First, we use a common app-store credential to associate with the VPP apps. This seems like a poor option since a user wouldn't necessarily know the password to this account, and as soon as the app has an update, they are going to call us to log in as the common app-store credential that owns the VPP app. Second, we associate the app to a user him/herself and let them do the installing or updating. This also assumes that our users sign up for an app-store account if they don't already have one (kind of weak, IMO).


With these two, any common area/lab machines would obviously need a shared admin accessible VPP app-store ID, but with user-specific machines, I see it the other way. If I could target all of these machines without involving the users, that would be optimal. Given these three options (target user, target shared app-store account with manual admin intervention on each machine, target machine independently of a user), what do you all recommend?

OS X Mavericks (10.9.1)

Posted on May 13, 2014 7:50 AM


May 13, 2014 8:06 PM in response to nebbbben

I will give my .02 on this topic. I hope this helps.


App distribution for Apps from the AppStore is a tricky minefield. The new VPP program is a step in the right direction and for many businesses it is a dream come true (no more redemption codes, transfer of assets, European Union tax issues, I can go on...). However, I will agree with you in regards that education does not benefit as much, especially when (1) the students do not have an Apple ID, (2) the devices are not deployed in the one-to-one model, and (3) users are not permitted to alter machine configurations.


VPP for enterprise is a good thing, provided your organization is willing to allow users the freedom to add content (and use Apple IDs). The way it works is as follows.

• You enroll in the VPP program

• You purchase apps/books in bulk through the app store

• You configure your MDM to participate in the VPP

• You invite your users using an email or via push notification if devices are already enrolled

• When the user gets the invite, the user uses her own Apple ID to associate their App Store catalog with your enterprise App Store catalog (this all happens on Apple's servers)

• The enterprise does not care nor does it need to know which Apple ID the user used. This is irrelevant to the organization.

• You then assign the apps and books to the users through your MDM

• The user now sees this content in their App Store from their device

• If the user leaves the organization, you can remove the app from the user and you recall the seat into the available pool.

• The App remains on the device for 30 days I believe and the user (if this is a personal device and they still have it after being removed from the program) will be prompted to purchase the app (books are transferred - you can not pull them back).


So, all that being said, you are not deploying to an enterprise and you are not deploying to dedicated devices. I suspect that some of your users may also be too young to have an Apple ID. So while I still recommend that you participate in the VPP to ensure software compliance, the reality is that you are likely going to use a single Apple ID to download the software. This will be included in a master build when imaging and prepping machines. If there are updates, you will download the update onto a build machine and use tools like ARD, JAMF, Deploy Studio, etc to push the app out to your fleet of machines. Keep in mind that updates from the App store are full versions and they are self contained bundles. Also, turn off all software update notifications on the workstations to keep users from realizing updates are available.


I am a firm believer that schools should not apply updates to machines between September and June unless it is a tested security patch. The risk of impacting the educational process is too great. Look no further than the dramatic change in the iLife and iWork tools. Changing mid-year can cause entire curricula to be disrupted. There is no deeper wrath than that of a school matriarch dressing you down because you put out software that does not match her lesson plans.


Ok, I am done on the soap box. Hope this helped. My suggestion again is stick with the VPP for compliance reasons but use distro tools to push the updated/new apps out to machines as needed. This allows you to continue to use a single Apple ID, the account information is obscured from the user, and all updates happen via a distro push, avoiding touching each machine.


R

Apple Consultants Network

Apple Professional Services

Author "Mavericks Server – Foundation Services" :: Exclusively Available in Apple's iBooks Store

May 14, 2014 4:56 AM in response to nebbbben

VPP is still a mess at the moment mainly to do with Apple IDs but continues to improve as described by Strontium90. However for OS X applications that are not purchased via the App Store the following are solutions to consider.


You could push them via Apple Remote Desktop administrator (cheap)

A better option would be to use Munki or Simian (free)

Another option would be to use Casper Suite (expensive)


I personally use Munki.


See -


ARD - http://www.apple.com/uk/remotedesktop/

Munki - https://code.google.com/p/munki/

Simian - https://code.google.com/p/simian/

Casper Suite - http://www.jamfsoftware.com

Feb 27, 2015 5:35 PM in response to Strontium90

Strontium90 - any chance I can get in touch with you directly? We're currently trying to push over 400 apps (in total, not to each device) to 1300+ student iPads. I have no problem with free apps, and I can get paid apps to the device, but it's a messy process.


I'm particularly interested in how you "invite your users".


We're using Citrix Xenmobile. We have individual Apple IDs for all students, and generic ones that we've created for our 3:1 devices.


If anybody out there has conquered Xenmobile and VPP, please let me know! I'd love to chat.


Our current process goes something like this:

-Log iPad into a unique Apple ID

-Enroll in Worx (Xenmobile)

-Free apps push without issue


For Paid apps:

-Must push at least one paid app via EAS and go to Worx Store on the device

-Add that app via work store, which will make you "register the device with VPP"

-The app still doesn't push, but once the device has registered, I can go to the Apple App store and download the device for free (it will have the cloud with the arrow, as though the app had already been purchased (which it has, via VPP)).


Obviously, we'd like to streamline this process, as we don't want students to have to navigate through the Apple App store to find every app they need. Even if they can pull directly from the Worx store, I'd be happy.


Any advice is welcome!


Thanks!
