Recommended method to deploy apps in the enterprise
I have a Mac server configured with Profile Manager. My users at this point log into their iMacs with their Active Directory credentials. Classroom laptops use AD credentials as well, and the rest of the laptops (1/3 of all Macs on our site) have stand-alone accounts on the local machines.
We've been messing with VPP up to this point, but honestly I'm not impressed with the way it works with OS X devices. I can enroll a machine into Profile Manager via trust certificate and the management profile. This works fine, and I can group the machines in logical order. According to the documentation, I should be able to deploy apps to the workstations themselves (independent of who is using them), but so far it doesn't seem to work like that.
With a free VPP app, such as GarageBand, in Profile Manager, I can only see where I can associate it with a user or user-group. I see two options with this. First, we use a common app-store credential to associate with the VPP apps. This seems like a poor option since a user wouldn't necessarily know the password to this account, and as soon as the app has an update, they are going to call us to log in as the common app-store credential that owns the VPP app. Second, we associate the app to a user him/herself and let them do the installing or updating. This also assumes that our users sign up for an app-store account if they don't already have one (kind of weak, IMO).
With these two, any common area/lab machines would obviously need a shared, admin-accessible VPP app-store ID, but with user-specific machines, I see it the other way. If I could target all of these machines without involving the users, that would be optimal. Given these three options (target user, target shared app-store account with manual admin intervention on each machine, target machine independently of a user), what do you all recommend?
OS X Mavericks (10.9.1)