Configure permissions and assign agile deployments (2023)

To retrieve the data in the sToken, Workspace ONE UEM syncs with Apple web services and then exposes the content for distribution and deployment. Workspace ONE UEM distributes licenses by Smart Groups and publishes content when you save assignment rules to the Agile Deployment feature.

heEnable device mappingThis option appears for apps that are eligible for distribution by device serial number. For information on device-based distribution methods , seeDistribution is managed by device serial number.

For information on agile development and how to prioritize assignment rules, see Adding Assignments and Exceptions to Your Application atApplication Managementguide.

For agile releases, assign content purchased from Apple's Volume Purchase Program (VPP) using managed distribution codes to smart groups.

  1. navigationresource>application>native>purchase.
  2. Choose an application and choosedistribute.The Allocation page appears.
  3. for himTaskpage, selectadd workand fill in the options.
    1. heredistributetab, enter the following information:
      work describe
      Name Enter a name for the task.
      describe Enter a job description.
      license distribution Enter the name of the Smart Group you want to assign the application to and the number of permissions you want to assign.

      When you enter the smart group name, options appear and you can choose the appropriate smart group from the list. Allocated licenses cannot exceed the total number of available licenses. You can also view the number of licenses redeemed (if any).

      You can add more task groups if necessary.

      How to submit your application
      • by order– Deploy content to catalogs or other deployment agents. Device users can decide whether and when to install content.

        This option is the best choice for content that is not critical to your organization. Allowing users to download content at any time can help save bandwidth and limit unnecessary traffic.

      • automatic– Deploy content to a directory or other deployment node on the device during recording. After the device is enrolled, the user is prompted to install the content on their device.

        This option is the best choice for content that is critical to your organization and mobile users.

      If the allocation type is set tothiswhen youLocation, Workspace ONE UEM sends invitations to Apple iOS 7.0.3+ and macOS 10.9+ devices. This invitation allows the user to enroll in the Apple VPP.

    2. herelimittab, enter the following information:
      Table 1.
      set up illustrate
      delete on unsubscribe

      Configure the application to delete from the device when the device logs out of Workspace ONE UEM. Workspace ONE UEM enables this setting by default.

      If you enable this setting, silent app installations on supervised devices are restricted. This is because the device is locked and the configuration file is installed in the command queue, which requires the device to be unlocked to complete the installation.

      If this setting is disabled, configuration files are not provided with installed applications. That is, if the profile is updated, the new profile is not automatically deployed to the device. In this case, a new version of the application with a new configuration file is required.

      Avoid Backup Apps Backup of app data to iCloud is not allowed. However, the app can back up to iCloud.
      avoid deletion If this setting is enabled, users will not be able to uninstall the app. This is compatible with iOS 14 and later.
      Let the app be managed by MDM if the user installed the app

      Manage the apps that users have pre-installed on their devices, whether they are supervised or unsupervised.

      Enable this feature so that the user does not have to delete the version of the app installed on the device. Workspace ONE UEM does not require an AirWatch catalog version to be installed on the device to manage the application.

    3. hereTunnels and other featurestab, enter the following information.
      set up describe
      VPN profiles per app

      Select the VPN profile you want to use with this application. Users access applications through VPN to ensure the reliability and security of accessing and using applications.

      other properties Application properties provide device-specific details for use by applications. For example, when you want to create a list of domains related to different organizations.
    4. hereapplication settingstab, enter the following information.
      set up illustrate
      load xml You can configure your application by uploading an XML file containing key-value pairs supported by the application.
  4. choosecreate.
  5. chooseadd workAdd more tasks to your posts.
  6. Configure flexible deployment settings by setting the priority of application assignments.
    set up illustrate
    priorities Select a value from the drop-down menu to set the priority of the assignment.

    Devices receive applications from distribution groups according to the priority set for the distribution group. By adjusting the priority of individual tasks, other tasks are automatically repeated.

    copy From the More Options menu, select Duplicate to duplicate the selected task.
    delete From the More Options menu, choose Delete to delete the selected assignment.
  7. choosestore and publish.

Methods of Revoking Managed Distribution Licenses

Workspace ONE UEM provides several methods to revoke managed distribution licenses so you can use them again. You can revoke permissions manually. The system revokes permissions in response to the deletion or unassignment of other system components such as organization groups, tokens, and smart groups.

See what methods are available to revoke a Managed Distribution license for reuse.

Table 2. Withdrawal method description



organization team Removing OG and Workspace ONE UEM makes the distribution license available for reuse.
user Logs out of all devices for the user. If another device is not using an unassigned administrative distribution license, thenWorkspace ONE UEM ConsoleYou revoke it so it can be reused.

Manually revoke a device's license.

You can only use the manual method for licenses redeemed from external systems. This method is useful for adopting these licenses in Workspace ONE UEM.

apply for registration Unregister the VPP application from the UEM console. Once removed, the license can be reused after the developer completes the work.
Indications Delete token. Workspace ONE UEM makes all associated licenses reusable.
designer Register assets from users. Workspace ONE UEM will revoke the distribution license if no one else is using the license.
smart team Remove a managed distribution device user from a smart group. Workspace ONE UEM will revoke the distribution license if no one else is using the license.

Workspace ONE UEM makes the license available immediately upon revocation, or at scheduled intervals based on the interval you set in the developer task VPP Revoke License. Find developer jobs atGroups and Configurations>all settings>manage>programmer.

Managed Distribution Information

You can access managed distribution information from the Device Details, Licensing, and Manage Devices pages. Each page provides various control and management actions based on asset type

Device Details

fromDevice Detailspage, check allocations, and perform installations and removals.

I canhome appliances>list display>applicationmannerhome appliances>list display>farther>books.The system does not support all management functions for all asset types. The system does not display unsupported options.

  • View the content assigned to the device.
  • If supported, install and remove content on specified devices.


From the licenses page, monitor the sync process, check for reusable licenses, and revoke licenses if supported.

I canhome appliances>list display>applicationmannerhome appliances>list display>farther>books.The system does not support all management functions for all asset types. The system does not display unsupported options.

  • View the content assigned to the device.
  • If supported, install and remove content on specified devices.
  • View when the assigned licenses were last synced.
  • filterLicensee categoryAccess to licenses that are reusable due to misuseunassignedchoose.
  • For applications, use thisrememberAn action that makes a license reusable. This action is not available for books.


Workspace ONE UEM has logic to revoke a license associated with a device or user for redistribution. If the user deletes or uninstalls the app, the status is sent to Workspace ONE UEM. The following scenarios describe situations where Workspace ONE automatically revokes a license associated with a device or user.

Admin activates delete app
Admin distributes application from device
Wipe device with corporate wipe, device wipe, or wipe
User deletes app
User denies install or administration request (unsupervised devices only)

device Manager

Install and remove content, send invitations to VPP (if supported), and control app installation and VPP program registration from the Manage Devices page.

I canresource>application>native>purchase>device Managermannerresource>books>list display>purchase>device ManagerVisit the page. The system does not support all management functions for all asset types. The system does not display unsupported options.

  • For apps, install the content on the device. This action is not available for books.
  • For applications, deletes the content from the device if the component supports it. This action is not available for books.
  • Notifies the device about VPP.
  • Re-invite VPP members based on users who do not have an Apple ID registered.
  • filter data using itsituationAnd search for devices that do not have VPP content installed.
  • Data filtering usinguser invitationAnd look up those members based on users who haven't registered an Apple ID with the program.

Casual users and hosted distribution of VPP

Workspace ONE UEM with Device Enrollment Program (DEP) and Volume Purchase Program (VPP) and Apple Configurator from Apple Business Manager lets you deploy and manage large numbers of Apple iOS devices. These programs are designed to help maintain and manage large numbers of devices and content.

To reduce the risk of permission inconsistencies, read these tips and guidance on how to deploy VPP content to devices you provision with Configurator and DEP.

use:This information does not apply to VPP applications assigned to device serial numbers.

Avoid permission inconsistencies

To distribute your purchased VPP content using a managed distribution method:

  • Use one service token (sToken) in one MDM environment instead of multiple environments. Some examples include using sTokens not in Workspace ONE UEM and another MDM system, or in test and production environments.
  • Use sTokens in one org group instead of multiple org groups in Workspace ONE UEM.
  • Apply for an Apple ID for the device, do not change the Apple ID on the device.

These actions reduce the risk of losing a license in one environment because it was revoked in another. However, it may not be economically feasible to prepare enough licenses to cover the equipment you use for these operations. Deploying VPP in a staging environment is still manageable, but may require additional maintenance and special attention to Apple IDs.

Apple ID

When a user enrolls in Workspace ONE UEM, Workspace ONE UEM enrolls the user in Apple and sends an invitation to join the Apple VPP. User accepts invitation and joins VPP with Apple ID. Currently, Workspace ONE UEM stores the Apple ID associated with the user.

Managing Apple IDs in a multi-tier environment is important because Apple IDs control access to user-specific sets of VPP content. When users change the Apple ID on a device without notifying the administrator, they may experience difficulty signing in.A UEM workspaceFollow the process indicated when the administrator uploads the service token to the console. This process describes how the system links an Apple ID user with all licenses for that user.

  1. The administrator uploads the service token toWorkspace ONE UEM Console.
  2. A UEM workspaceLogs users of all registered devices.
  3. A UEM workspaceSend an invitation to the user.
  4. User accepts invitation with Apple ID.
  5. A UEM workspaceAssociate an Apple ID with a user.
  6. A UEM workspaceLink all licenses assigned to that user to an Apple ID.

Staging Guide

Use the following procedure to reduce licensing inconsistencies in Workspace ONE UEM.

table 3. Staging and VPP



PPV distribution

content in

Accept VPP

Invitation card

install the application

app update

maintain risk

single user, standard(automatic registration)

A personal device with a unique Apple ID

not a casual user

End users with unique Apple IDs End user installs the application End user update application

Maintenance-free Apple ID

Reduced risk as end users retain their Apple IDs on personal devices

single user, advanced(default) Preconfigured devices with preconfigured Apple IDs End users with preconfigured Apple IDs End user installs the application End user update application
  • Keep your preconfigured Apple ID
  • Provide end users with pre-configured Apple IDs
  • End user changes Apple ID
  • End users do not return devices to their pre-configured Apple IDs
multiple users
  • casual user
  • personal user
  • Administrators using the temporary user's Apple ID
  • End users with their own unique Apple IDs
  • Admin installs shared app using temporary user's Apple ID
  • End users install unique applications using personal Apple IDs
  • Temporary user IDs must be used to update shared apps with the temporary user's Apple ID
  • End users update unique applications using their personal Apple IDs
  • Maintain a single temporary user Apple ID for a common set of VPP content on all devices selected for the temporary user
  • Store the end user's Apple ID in the device casing
  • All devices selected in the casual user do not have the same Apple ID
  • When enrolling a device, the administrator does not change the device to the temporary user's Apple ID
  • The end user does not change the temporary user's Apple ID to their unique Apple ID when the device is removed


Top Articles
Latest Posts
Article information

Author: Ray Christiansen

Last Updated: 04/16/2023

Views: 6048

Rating: 4.9 / 5 (49 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Ray Christiansen

Birthday: 1998-05-04

Address: Apt. 814 34339 Sauer Islands, Hirtheville, GA 02446-8771

Phone: +337636892828

Job: Lead Hospitality Designer

Hobby: Urban exploration, Tai chi, Lockpicking, Fashion, Gunsmithing, Pottery, Geocaching

Introduction: My name is Ray Christiansen, I am a fair, good, cute, gentle, vast, glamorous, excited person who loves writing and wants to share my knowledge and understanding with you.