- Article
- 17 minutes to read
Apple allows you to purchase multiple licenses for an app that you want to use across iOS/iPadOS and macOS devices in your organizationApple CEOÖApple-Schulmanager. You can sync your volume purchase information with Intune and track volume purchased app usage. Purchasing application licenses helps you efficiently manage applications in your organization and retain ownership and control over purchased applications.
Microsoft Intune helps you manage apps purchased through this program:
- Synchronization of location tokens downloaded from Apple Business Manager.
- Track how many licenses are available and used for purchased apps.
- We help you install apps up to the number of your licenses.
You can also sync, manage, and assign books purchased through Apple Business Manager with Intune for iOS/iPadOS devices. For more information, seeHow to manage iOS/iPadOS eBooks purchased through a Volume Licensing program.
What are location tokens?
Location tokens are volume purchase licenses, commonly known as Volume Purchase Program (VPP) tokens. These location tokens are used to allocate and manage licenses purchased with Apple Business Manager. Content Managers can purchase and associate licenses with location tokens for which they have Apple Business Manager entitlements. These location tokens are downloaded from Apple Business Manager and uploaded to Microsoft Intune. Microsoft Intune supports loading multiple location tokens per tenant. Each token is valid for one year.
Use
Apple's Volume Purchase Program (VPP) has been integrated into Apple Business Manager. Apple Business Manager is a portal for administrators to deploy Apple devices and bulk purchase content. Content can include apps, books, and custom apps. Location tokens are used to allocate and manage licenses purchased using Apple Business Manager. VPP is now called legacy VPP token.
How are purchased apps licensed?
Purchased apps can be assigned to groups with two types of licenses offered by Apple for iOS/iPadOS and macOS devices.
Use
VPP Apps licensed per device may only be installed and updated through the MDM channel. Users cannot go directly to the Store to manually install or update a VPP app.
| action | Device Licenses | User Licenses |
|---|---|---|
| Enter the App Store | Not required. | Each end user must use a unique Apple ID when prompted to sign in to the App Store. |
| Device settings that block access to the App Store | Apps can be installed and updated through the company portal. | The invitation to join Apple Business Manager requires access to the App Store. If you have set a policy to disable the App Store, user licenses for VPP apps will not work. |
| Automatic app update | As configured by the Intune administrator in the Apple Business Manager token settings. If the enrolled devices permission type is available, available app updates can also be installed through the company portal by selectingTo updateAction on app detail page. | As configured by the Intune administrator in the Apple Business Manager token settings. If the enrolled devices permission type is available, available app updates can also be installed through the company portal by selectingTo updateAction on app detail page. |
| User registration | Unsupported. | Supports Managed Apple IDs. |
| Books | Unsupported. | supports. |
| used licenses | 1 license per device. The license is assigned to the device. | 1 license for up to 5 devices with the same personal Apple ID. The license is assigned to the user. An end user associated with a personal Apple ID and an Intune-managed Apple ID consumes 2 app licenses. |
| License Migration | Apps can be silently migrated from user to device licenses only when they are in useMandatoryorder type. | Apps cannot migrate device-to-user licenses for any type of assignment. |
Use
Company Portal does not display device-licensed apps on user enrollment devices because only user-licensed apps can be installed on user enrollment devices.
When you create a new assignment for an Apple Volume Purchase Program (VPP) app, the default license type is now Device. Existing assignments remain unchanged.
What types of apps are supported?
With Apple Business Manager you can buy and distribute public and private apps.
- Appstore:Apple Business Manager allows content managers to purchase free and paid apps available on the App Store.
- custom applications:With Apple Business Manager, content managers can also purchase custom apps that are privately available for their organization. These apps are tailored to the specific needs of your business by developers you work with directly. learn more abouthow to distribute custom apps.
previous requirements
- EApple CEOÖApple-SchulmanagerAccount for your organization.
- Purchased app licenses assigned to one or more location tokens.
- Downloaded location tokens.
Important
- A location token can only be used with one device management solution at a time. Before you begin using apps purchased with Intune, revoke and delete any existing location tokens used with another mobile device management (MDM) provider.
- A location token is only supported for use on one Intune tenant at a time. Don't use the same token across multiple Intune tenants.
- By default, Intune syncs location tokens with Apple once a day. You can initiate a manual sync in Intune at any time.
- After you import the location token into Intune, do not import the same token into other device management solutions. This can result in the loss of license assignment and user records.
Migrate from Volume Purchase Program (VPP) to apps and books
If your organization hasn't already migrated to Apple Business Manager or Apple School Manager, please reviewApple's guide to migrating to apps and booksbefore proceeding to manage purchased apps in Intune.
Important
- For the best migration experience, migrate only one VPP buyer per site. If each buyer migrates to a single location, all licenses (assigned and unassigned) are moved to Apps and Books.
- Do not delete the existing legacy VPP token in Intune or the apps and entitlements associated with the existing legacy VPP token in Intune. These actions require all app roles to be re-created in Intune.
Migrate existing purchased VPP content and tokens for apps and books to Apple Business Manager or Apple School Manager as follows:
- Invite VPP buyers to join your organization and instruct each user to choose a unique location.
- Make sure all VPP buyers in your organization have completed Step 1 before proceeding.
- Make sure all purchased apps and licenses have been migrated to Apps & Books in Apple Business Manager or Apple School Manager.
- Download the new location token by going toApple Business (oder School) Manager>Ideas>applications and books>My server tokens.
- Update the location token in the Microsoft Endpoint Manager admin center by going toTenant Management>connections and guides>Apple VPP-Tokenand load the token manually.
Upload an Apple VPP or Apple Business Manager location token
- login inMicrosoft Endpoint Manager Admin Center.
- chooseTenant Management>connections and guides>Apple VPP-Token.
- In the VPP Token List pane, selectCreate. IsCreate VPP tokenthe process is displayed. Four sides are used when creating a VPP token. The first isThe essential.
- About itThe essentialProvide the following information on the page:
- Token-Name- A management field to define the token name.
- Apple identity- Enter the Managed Apple ID of the account associated with the uploaded token.
- vpp token file- If you haven't already, sign up for Apple Business Manager or Apple School Manager. After signing in, download the Apple Business Manager Location Token (Apple VPP Token) to your account and select it here.
- give clickNextto show theIdeasbook page.
- About itIdeasProvide the following information on the page:
Take control of another MDM's token- Put this option onSimAllows the token to be reassigned to Intune from another MDM solution.
Land/Region- Select the store for the VPP country/region. Intune syncs VPP apps for all locales in the specified country/region VPP store.
note
If you change the country/region, the next time you sync with the Apple service, the app metadata and app store URL will be updated for apps built with this token. The app will not update if it is not present in the new country/region store.
VPP Account Type- Choose betweenBusinessÖTraining.
Automatic app updates- Choose betweenSimÖNOto enable automatic updates. When this option is enabled, Intune VPP detects app updates in the App Store and automatically pushes them to your device when you sign in.
Use
Automatic app updates for Apple VPP apps are automatically updated for bothMandatoryjAccessibleinstallation attempts. For applications implemented withAccessibleIntended to install, the automatic update generates a status message to the IT administrator that a new version of the application is available. This status message can be viewed by selecting the application, selecting device installation status and checking the status details.
When updating a VPP application, it can take up to 24 hours for the device to receive the updated VPP application. The device must be unlocked and available to successfully install the update.
I give Microsoft permission to send user and device information to Apple.- You have to chooseI agreeContinue. For information about what data Microsoft sends to Apple, seeData that Intune sends to Apple.
- give clickNextto show thearea designationsbook page.
- give clickSelect range tagsto optionally add scope tags to the application. For more information, seeUse role-based access control (RBAC) and scope tags for distributed IT.
- give clickNextto show therevise + createbook page. Review the values and settings you entered for the VPP token.
- When you're done, clickCreate. The token is displayed in the token list box.
Sync a VPP token
You can sync app names, metadata, and license information for apps purchased from Intune by selectingsynchronizefor a selected token.
Assign a volume purchased app
chooseto form>alle Apps.
(Video) Apple Automated Device Enrollment with Microsoft Intune MDM Set Up (for MacOS & iOS Devices)In the app list box, select and select the app you want to assignCharacteristics. chooseEditnext toTasks.
About itTaskstab, choose whether the application will beMandatoryÖAvailable for registered devices.
ChooseAdd groupunder the task type you selected, then on theselect groupsOn the dashboard, select the Azure AD user or device groups you want to assign the app to.
Use
When you create a new assignment for an Apple Volume Purchase Program (VPP) app, the default license type is Device. Existing assignments remain unchanged.
When you're done, chooseSave on computer.
Use
The available deployment intent does not support device groups, only user groups are supported. The displayed list of applications is associated with a token. If you have an application associated with multiple VPP tokens, the same application will appear multiple times. once for each chip.
Use
Apps marked as available are not managed on the device until the user initiates an app installation. Once an app assigned as Available is installed or the user attempts to install the app, Intune ensures that the app is licensed.
Use
Intune (or any other MDM) does not install VPP apps. Instead, Intune connects to your VPP account and tells Apple which app licenses to assign to which devices. From there, the entire actual installation takes place between Apple and the device.
End User Requests for VPP
The end user is prompted to install the VPP application in various scenarios. The following table explains each condition:
| # | road map | Invite to the Apple VPP program | Request to install the application | Apple ID request |
|---|---|---|---|---|
| 1 | BYOD: User License (No User Enrollment Device) | Y | Y | Y |
| 2 | Corp: User License (Unattended Device) | Y | Y | Y |
| 3 | Corp: User License (Supervised Device) | Y | Norte | Y |
| 4 | BYOD: licensed device | Norte | Y | Norte |
| 5 | CORP: Licensed Device (Unattended Device) | Norte | Y | Norte |
| 6 | CORP: Licensed Device (Supervised Device) | Norte | Norte | Norte |
| 7 | Kiosk Mode (Supervised Device) - Licensed Device | Norte | Norte | Norte |
| 8 | Kiosk Mode (Supervised Device) - User License | --- | --- | --- |
Use
Per-user and per-device licensed apps running on supervised devices (scenarios 3 and 6 in the table above) continue to request updates when the app is in use or running in the background. Accepting the prompt to install the app may not result in the app being installed. To update the app, you must: close the app, start a sync, and keep your device unlocked while the app updates.
Use
Assigning VPP applications to kiosk mode devices using user licenses is not recommended.
Use
You cannot update apps while your device is locked in single app mode. You should leave single app mode long enough to update apps as needed. During this time, you need to limit the apps you can see as much as possible, except for Settings and other apps that cannot be blocked.
Application License Revocation
You may revoke any associated iOS/iPadOS or macOS program licenses for Volume Purchase (VPP) on a per-device, per-user, or per-application basis. However, there are some differences between iOS/iPadOS and macOS platforms.
| action | iOS/iPad operating system | MacOS |
|---|---|---|
| Unassign an app | Removing an app assignment is a prerequisite for revoking an app license. If you remove an app assignment for a user, Intune does not reclaim the user or device license until you change the assignment touninstall. If the app is unassigned during installation and is never assigned asuninstall, it remains installed, but the user or device is no longer offered to install it. | Removing an app assignment is a prerequisite for revoking an app license. If you remove an app assignment for a user, Intune does not reclaim the user or device license until you change the assignment touninstall. If the app is unassigned during installation and is never assigned asuninstall, it remains installed, but the user or device is no longer offered to install it. |
| Application license revoked | After changing the app assignment touninstall, you can claim a user or device application license usingrevoke licenseAction. You need to change the assignmentuninstallto remove the app from the device and revoke the app license. | After changing the app assignment touninstall, you can claim a user or device application license usingrevoke licenseAction. The revoked licensed macOS app can be used on the device but cannot be updated until a license is reassigned to the user or device. According to Apple, these apps will be removed after a 30-day grace period. You need to change the assignmentuninstallto remove the app from the device and revoke the app license. |
Use
- Intune restores app licenses when an employee leaves the company and is no longer part of AAD groups.
- By assigning a purchased appuninstallintentionally, Intune retrieves the license and uninstalls the app.
- App licenses are not restored when a device is removed from Intune management.
- Intune revokes app licenses when the user is removed from Azure AD.
Elimination of VPP tokens
You can remove an Apple Volume Purchase Program (VPP) token through the console. This may be necessary if you have duplicate instances of a VPP token. Deleting a token also deletes all associated apps and roles. Deleting a token revokes licenses for associated apps, but doesn't uninstall the apps.
Use
Intune cannot revoke app licenses after a token is removed.
To revoke the license of all VPP applications for a specific VPP token, you must first revoke all application licenses associated with the token and then delete the token.
Renewal of VPP tokens or Apple Business Manager location tokens
You can renew an Apple Business Manager Location Token (Apple VPP Token) by downloading the token fromApple CEOÖApple-Schulmanageragain and update the existing token in Intune.
Follow these steps to renew an Apple Business Manager location token (Apple VPP token):
- navigate toApple CEOÖApple-Schulmanager.
- Download the existing token atApple Business (oder School) Manager, choosepreferences>Payments and Billing>applications and books>Server-Token.
- Refresh token activatedMicrosoft Endpoint Manager Admin CenterchooseTenant Management>connections and guides>Apple VPP-Token.
- Select the VPP token you want to renew and clickEditIn the Basic category, upload the new token to this page and save your changes.
Use
You must renew your existing Apple VPP token or location token if the user who established the token in Apple Business Manager changes their password or the user leaves the Apple Business Manager organization. Tokens that are not renewed show an invalid status in Intune.
Delete a VPP application
You can remove purchased apps that have no associated available or used licenses. This may be necessary to clean up unassigned apps.
Follow these steps to remove a VPP application:
- Create a new location inApple CEOÖApple-Schulmanager.
- Revoke all app licenses that use the associated location token. InMicrosoft Endpoint Manager Admin Center, chooseto form>alle Apps>Select the app to remove>App Licenses>revoke licenses.
- In Apple Business Manager or Apple School Manager, transfer all app licenses from the original location to the new location.
- Sync location token enabledMicrosoft Endpoint Manager Admin Center.
- Delete the app inMicrosoft Endpoint Manager Admin Centerchooseto form>alle Apps>Right-click the app to remove it>Extinguish.
Deleting a VPP application has the following results:
- Associated app assignments are removed.
- If the VPP app has licenses assigned when trying to remove it, you will receive an error message.
Use
Purchased books associated with a VPP token will not be removed.
Assign custom role permissions for VPP
Access to the location token and Apple Business Manager apps (Apple VPP tokens and VPP apps) can be independently controlled by permissions assigned to custom admin roles in Intune.
- To allow an Intune custom role to manage Apple Business Manager location tokens, select in the Microsoft Endpoint Manager admin centerTenant Management>connections and guides>Apple VPP-Token, Assign Permissionsmanaged applications.
- To allow an Intune custom role to manage apps purchased with activated iOS/iPadOS VPP tokensto form>alle Apps, Assign Permissionsmobile Apps.
Further information
Apple provides direct support for creating and renewing VPP tokens. For more information, seeDistribute content to your users with Volume Purchase Program (VPP)as part of the Apple documentation.
EAssigned to external MDMappears in Intune, you (the administrator) must remove the VPP token from the third-party MDM before you can use the VPP token in Intune.
If the state isGutfor one token, then multiple tokens with the sametoken locationwere loaded. Delete the duplicate token to restart token synchronization. You can still assign and revoke licenses for tokens marked as duplicates. However, licenses for new apps and purchased books may not reflect if a token is marked as duplicate.
Frequently Asked Questions
How many tokens can I take with me?
You can upload up to 3000 tokens to Intune.
How long does it take for the portal to update the license count after an app is installed or removed from the device?
The license must be updated within hours of installing or uninstalling an application. Please note that if the end user removes the app from their device, the license will still be assigned to that user or device.
Is it possible to oversubscribe an application and if so, under what circumstances?
Yes. An app can be subscribed to by your Intune administrator. Example: The admin buys 100 licenses for the XYZ app and then targets the app to a group with 500 members. The first 100 members (users or devices) will get the assigned license, the remaining members will not pass the license assignment.
Use
If the number of licenses in use is greater than or equal to 50% of the total available licenses for a given application, an alert is displayed on the Subscription Alerts tab. The warning disappears when the number of licenses in use is less than 50% of the total available licenses for the application.
Next Steps
verhow to monitor appsfor information to help you monitor application assignments.
verHow to fix app problemsInformation for solving application-related problems.