This feature is available with Cloud Identity Premium edition. Compare editions
As an administrator, you can use the Apple Volume Purchase Program (VPP) to purchase apps in bulk and distribute them to all iOS devices in your organization. To do so, you connect Apple Business Manager with your Google Workspace or Cloud Identity subscription. You can purchase app licenses and install licensed apps on managed devices.
Before you begin
- Turn on advanced mobile management for the organizational unit that will use the devices. For details, go to Set up advanced mobile management.
- Apple VPP is available for user-enrolled iOS devices running iOS 15.5 and later and device-enrolled iOS devices running iOS 7 and later.
- Make sure you have sign-in details for the Google Admin console and Apple Business Manager or Apple School Manager.
- To distribute VPP apps to certain users, put their accounts in an organizational unit (to control access by department) or add them to an access group (to allow access for users across or within departments).
Step 1: Purchase app licenses
You need licenses for the Google Device Policy app and any other apps that you want to distribute to iOS devices.
- Open Apple Business Manager or Apple School Manager and sign in with your business Apple ID.
- At the left, click Apps and Books.
- Find Google Device Policy app and click it.
- Select the location to which you want to assign the app licenses.
Note: If you can’t find the location you want, you can create it. For details, go to Configure locations in Apple Business Manager. - Enter the number of licenses you want to purchase and click Get.
- Purchase licenses for the other apps you want to distribute to users.
Step 2: Upload a content token to the Admin console
To distribute apps to users in the Admin console, you need a content token. You get the token from Apple Business Manager or Apple School Manager. The token expires annually. To avoid interruption of service, set a calendar reminder to download an updated token and upload it to the Admin console before your current token expires. If you replace your token with one that was associated with a different mobile device management provider, your app license assignments will be cleared.
- Open Apple Business Manager or Apple School Manager and sign in with your business Apple ID.
- Click PreferencesPayments and BillingsApps and Books.
- Under Content Tokens, next to the location token you want to download, click Download.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesMobile & endpointsSettingsiOS.
- Click Apple Volume Purchase Program (VPP).
- Choose an option:
- To upload a new token, click Upload Apple VPP token.
- To replace an existing token, click Replace token.
- Locate the content token you downloaded earlier and click Upload.
- Click Save.
- To import the apps associated with the token, click Sync VPP.
Note: If you purchase more app licenses later, you need to sync VPP again.
Step 3: Distribute VPP apps to users
Users can get apps in the Google Device Policy app on their device. If you turn on VPP Mandate Install for an app, users cannot access any work data on their device until they install that app.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click the name of the app you want to distribute to users. To find VPP apps:
- Click Add a filterPlatformiOSApply.
- Click Add a filterDistribution typeVolume Purchase Program (VPP).
- Click User access and distribution.
- At the left, click the group or organizational unit you want to set app access for. By default, the top organizational unit is selected and the change applies to your entire organization.
- Select Make this app available to users in this organizational unit and Allow this app to be distributed to users via Volume Purchase Program.
Note: When you turn on app access for a group, the group setting overrides organizational unit settings. However, you can't explicitly turn off app access for a group. When you select Off, users in that group inherit the setting from higher-ranked groups or the user's organizational unit. For example:
When you turn off VPP Distribution, existing VPP licenses are revoked. When you turn VPP Distribution back on, the licenses are reassigned on the next device sync.
If you move a user from an organizational unit with VPP Distribution on for an app to one with VPP Distribution off for the same app, the user’s VPP license is revoked. If the user is then moved to an organizational unit with VPP Distribution on for the app, the license is reassigned on the next device sync.
- To hide the app for all users, turn App access off for the top organizational unit.
- To distribute the app for only some users, turn App access and VPP Distribution off for the top organizational unit and turn them on for child organizational units or groups.
- (Optional) To require users to install the app to access Google Workspace on their device, select the required devices:
- Require users to install this app for User Enrollment
- Require users to install this app on user-owned devices for Device Enrollment
- Require users to install this app on company-owned devices
The app is installed during device setup. For company-owned devices, mandated apps are also installed during device sync. If a required app is already on the device, it becomes managed.
- If you set user access and distribution for multiple groups, review the order of the groups and set their precedence:
- At the left, click Groups.
- Drag the groups into the order you want their settings to apply to a user who belongs to more than one. Put the group with the highest precedence at the top.
- Click Save. If you configured an organizational unit or group, you might be able to either Inherit or Override a parent organizational unit, or Unset a group.
Manage and monitor VPP app distribution
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesMobile & endpointsSettingsiOS.
- Click Apple Volume Purchase Program (VPP).
- Next to the VPP token name, click .
- Click Save.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click the name of the app. To find VPP apps:
- Click Add a filterPlatformiOSApply.
- Click Add a filterDistribution typeVolume Purchase Program (VPP).
- To review the organizational units and groups that have app access, for App access, click Org units. A panel opens that lists the groups and organizational units and their app access status.
- To review the VPP distribution you've configured for groups and organizational units, for Volume purchase program distribution, click Org units. A panel opens that lists the groups and organizational units and their VPP status.
You can get a list of users that have a specific VPP app license assigned to them:
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu DirectoryUsers.
- Click Add a filterVPP purchase program app.
- Enter a keyword for the app and click Apply.
To see the VPP apps that are have been distributed to a device:
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesMobile & endpointsSettingsiOS.
- Click the device nameInstalled apps.
- See which apps are distributed by VPP in the Distribution column.
How you revoke a license depends on whether the device is user-enrolled or device-enrolled.
Revoke a license from a user-enrolled device
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- Go to DirectoryUsers.
- Click the user’s nameApps. The user’s VPP apps are listed under Volume Purchase Program (VPP) apps.
- Click Revoke next to the app name.
The VPP license is removed from the device immediately, but the user can continue to use the app for 30 days.
Revoke a license from a device-enrolled device
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu DevicesMobile & endpointsDevices.
- Click Add a filterVPP purchase program (VPP).
- Enter a keyword for the app and click Apply.
- Click the deviceInstalled apps.
- Next to the app, click Revoke VPPRevoke.
The VPP license is removed from the device immediately, but the user can continue to use the app for 30 days.