During a recent iOS Deployment Essentials class the question came up what happends when you move a VPP token from one server to an other.
We had some expectations, and the results are .. interesting 🙂
In normal situations you should not move VPP Tokens between servers (or Apple Configurator) instances. If you do, you will (depending on the software) invalidate all instances except the last added server.
The proper way
The proper way is to move all clients and VPP token from Server 1 to Server 2 is:
- Revoke all licenced on Server 1
- Un-enroll all devices from Server 1
- remove VPP token from Server 1
- Install VPP token on Server 2
- Assign software to devices/groups on Server 2
- Re-enroll all devices to Server 2
Now there are few cases where not all things go according to plan. Like a server disaster with no working backup, unmanaged devices, etc.
If all devices are in DEP the re-enrollment can be made easy by appointing all devices to Server 2, and do a wipe from Server 1. Backup should be done by the user.:-)
Our Test setup Server 1
We have a VPP token (for VPPfirstname.lastname@example.org) installed on a Profile Manager (Server 5.2 on 10.12.2).
There is a free App ‘Battery Memory System’ where we have 3 licences.
There is a device group ‘Managed iPads’ which has the Battery Memory System assigned to it.
There is an ‘iPad 5’ (member of device group Managed iPads) which has the app installed (therefore 2 out of 3 available in screenshot above) and can use the App.
We wanted to see what is the result for the Server 1 and the client if we do the migration the nasty way.
We installed the VPP Token into a JSS (Jamf Pro v 9.96 on a demo server we have available) without steps 1-3 above.
In the JSS we added a VPP account with the following details (and uploaded the same token as is currently in use on Server 1)
using the following details:
Press Save, and you see that the JSS is contact the VPP store:
And although there is an error reported (we did reclaim yet): the amount of licences for Battery Memory System Status Monitor: 0 out of 3 in use (note the difference in reporting: available vs used)
Huh? the one licence is still available on iPad 5, and the app works..
When we go to managed devices in the JSS: we can assign the App to an iPad
The iPad ‘iPad Retina’ is managed by the JSS, and to have fun we added the BMSSM app to the Self-Service app on this iPad like this:
and installed the app on the ‘iPad Retina’:
and the iPad can use the new App.
Remind us: we have still NOT reclaimed the VPP token yet!
On the (still running) Server 1 the licence is not visible as used.
For testing we assigned an other app (from the VPP+5 token) and pushed this to the ‘Managed iPads’, and this installs and runs fine on ‘iPad 5′
Interesting thing #1: You can assign VPP licences to devices using 2 servers, both servers state 1 licence is used, 2 free, while 2 iPads use the app. (?!)
I know this is not the way an admin should manage VPP tokens, and maybe the fact that I test with a free app makes the behaviour different, but one can temporarily assign VPP licences twice !
Let’s do the next steps.
Reclaming the Token
Result: on Server 1 eventually the VPP licences are missing. This takes a while to update (a stop and start of Profile Manager speeds this up).
and the Profile Manager has VPP un-configured
The managed iPad still has the app installed!
The VPP apps are no longer in the list of apps, only the Enterprise (in-house) apps show up:
This short list of apps is what I expect, but what I did not expect is that the iPad 5 can still use the app, and has no warning at all. I expected a warning similar to the warning one gets when an VPP licence is removed (with the usual 30 days grace period).
We can push additionally enterprise apps, remove apps, update info, so the MDM still functions. (but does not remove/revoke the BMSSM app automatically)
The JSS is giving more information about the VPP tokens, so let’s see what happends when we move the VPP token back to Server 1.
On server 1 we install the VPP token (again), and get these messages:
We continued and the result is similar: We can assign VPP licences to managed iPads, while the iPads managed by ‘old’ Server 2 still can use the apps too.
The info as shown by the JSS:
You notice the warning at the top, the button to Reclaim Service Token. Revoking All Apps does NOT remove the app from the managed ‘iPad Retina’ (similar to the first migration). The VPP page shows this:
The difference is that a JSS can use more than one VPP token simultaneous, and stores VPP apps that has been assigned in it’s database.
Removing the VPP account..
will remove the VPP apps list:
The iPad Retina can still use the BMSSM app (similar to first migration), and the licence is not visible on the MDM server in charge of the VPP token (Server 1)
Update Jan 10
I tried this with several apps because App developers can select their ‘grace period’ when a licence is revoked/removed. 30 days is most common grace period.
I tested: MS Word, MS Remote Desktop, DropBox, Aston Martin Configurator, AirPort Utility, WebDAV navigator, IBM Watson trend, AppleTV Remote.
All behave similar.
Update Jan 18
I have been pointed to the text in Apple’s Volume Purchase Program Guide, page 5:
Step 3. Revoke and reassign apps. When apps you’ve assigned are no longer needed by a device or a user, you can revoke and reassign them to different devices or users. If assigned to a user, the user will have the opportunity to buy a personal copy. If the app was deployed as a managed app with MDM for iOS, the administrator has the additional option of removing the app and all data immediately. In this case, it’s a best practice to give users some notice or a grace period before removing apps from their devices. Once distributed, books remain the property of the recipient and cannot be revoked or reassigned.
This explains the behaviour we found but it still does not feel right to be able assign licences twice, even if it is temporarily during the ‘grace period’ as defined by the developers. And again: this is tested with free apps only, and most admins will not move VPP tokens from one MDM to another very often 🙂
If a VPP token is migrated from Server 1 to Server 2 (and back), the VPP licences are NOT automatically removed from the iPads by Server 1. You can assign the VPP licences (again) to new iPads, so effectively use the licences twice.
(Note: This is not how you are supposed to manage VPP tokens, and it may be only for free apps.)
Related training courses from LAI
VPP is discussed in the 2 days iOS deployment Essentials training, but I would recommend the 3 days Managing Apple Devices training because you will have much more hands-on in the latter course, including the DEP and VPP portal at Apple.
Questions? See my info on the contact page.