Distribute iOS apps with Apple VPP

This feature is available with Cloud Identity Premium edition. Compare editions 

As an administrator, you can use the Apple Volume Purchase Program (VPP) to purchase apps in bulk and distribute them to all iOS devices in your organization. To do so, you connect Apple Business Manager with your Google Workspace or Cloud Identity subscription. You can purchase app licenses and install licensed apps on managed devices.

Before you begin

  • Turn on advanced mobile management for the organizational unit that will use the devices. For details, go to Set up advanced mobile management
  • Apple VPP is available for user-enrolled iOS devices running iOS 15.5 and later and device-enrolled iOS devices running iOS 7 and later.
  • Make sure you have sign-in details for the Google Admin console and Apple Business Manager or Apple School Manager.
  • To distribute VPP apps to certain users, put their accounts in an organizational unit (to control access by department) or add them to an access group (to allow access for users across or within departments). 

Step 1: Purchase app licenses

You need licenses for the Google Device Policy app and any other apps that you want to distribute to iOS devices.

  1. Open Apple Business Manager or Apple School Manager and sign in with your business Apple ID.
  2. At the left, click Apps and Books
  3. Find Google Device Policy app and click it.  
  4. Select the location to which you want to assign the app licenses. 
    Note: If you can’t find the location you want, you can create it. For details, go to Configure locations in Apple Business Manager.
  5. Enter the number of licenses you want to purchase and click Get.
  6. Purchase licenses for the other apps you want to distribute to users. 

Step 2: Upload a content token to the Admin console

To distribute apps to users in the Admin console, you need a content token. You get the token from Apple Business Manager or Apple School Manager. The token expires annually. To avoid interruption of service, set a calendar reminder to download an updated token and upload it to the Admin console before your current token expires. If you replace your token with one that was associated with a different mobile device management provider, your app license assignments will be cleared.

  1. Open Apple Business Manager or Apple School Manager and sign in with your business Apple ID.
  2. Click Preferencesand thenPayments and Billingsand thenApps and Books.
  3. Under Content Tokens, next to the location token you want to download, click Download
  4. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  5. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenSettingsand theniOS.
  6. Click Apple Volume Purchase Program (VPP).
  7. Choose an option: 
    • To upload a new token, click Upload Apple VPP token.
    • To replace an existing token, click Replace token.
  8. Locate the content token you downloaded earlier and click Upload.
  9. Click Save
  10. To import the apps associated with the token, click Sync VPP.
    Note:
    If you purchase more app licenses later, you need to sync VPP again.

Step 3: Distribute VPP apps to users 

Users can get apps in the Google Device Policy app on their device. If you turn on VPP Mandate Install for an app, users cannot access any work data on their device until they install that app.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Click the name of the app you want to distribute to users. To find VPP apps:
    1. Click Add a filterand thenPlatformand theniOSand thenApply.
    2. Click Add a filterand thenDistribution typeand thenVolume Purchase Program (VPP).
  4. Click User access and distribution.
  5. At the left, click the group or organizational unit you want to set app access for. By default, the top organizational unit is selected and the change applies to your entire organization.
  6. Select Make this app available to users in this organizational unit and Allow this app to be distributed to users via Volume Purchase Program.

    Note: When you turn on app access for a group, the group setting overrides organizational unit settings. However, you can't explicitly turn off app access for a group. When you select Off, users in that group inherit the setting from higher-ranked groups or the user's organizational unit. For example: 

    When you turn off VPP Distribution, existing VPP licenses are revoked. When you turn VPP Distribution back on, the licenses are reassigned on the next device sync.

    If you move a user from an organizational unit with VPP Distribution on for an app to one with VPP Distribution off for the same app, the user’s VPP license is revoked. If the user is then moved to an organizational unit with VPP Distribution on for the app, the license is reassigned on the next device sync. 

    • To hide the app for all users, turn App access off for the top organizational unit.
    • To distribute the app for only some users, turn App access and VPP Distribution off for the top organizational unit and turn them on for child organizational units or groups.
  7. (Optional) To require users to install the app to access Google Workspace on their device, select the required devices:
    • Require users to install this app for User Enrollment
    • Require users to install this app on user-owned devices for Device Enrollment
    • Require users to install this app on company-owned devices

    The app is installed during device setup. For company-owned devices, mandated apps are also installed during device sync. If a required app is already on the device, it becomes managed. 

  8. If you set user access and distribution for multiple groups, review the order of the groups and set their precedence:
    1. At the left, click Groups.
    2. Drag the groups into the order you want their settings to apply to a user who belongs to more than one. Put the group with the highest precedence at the top.
  9. Click Save. If you configured an organizational unit or group, you might be able to either Inherit or Override a parent organizational unit, or Unset a group.

Manage and monitor VPP app distribution

Expand all  |  Collapse all

Remove a content token from the Admin console
If you decide not to use VPP to distribute apps, you can remove the content token. Current users will not lose access to their apps, but new users won’t be assigned app licenses. 
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenSettingsand theniOS.
  3. Click Apple Volume Purchase Program (VPP).
  4. Next to the VPP token name, click .
  5. Click Save
Review how apps are distributed
You can review all the organizational units and groups that have access to a specific app:
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Click the name of the app. To find VPP apps:
    1. Click Add a filterand thenPlatformand theniOSand thenApply.
    2. Click Add a filterand thenDistribution typeand thenVolume Purchase Program (VPP).
  4. To review the organizational units and groups that have app access, for App access, click Org units. A panel opens that lists the groups and organizational units and their app access status.
  5. To review the VPP distribution you've configured for groups and organizational units, for Volume purchase program distribution, click Org units. A panel opens that lists the groups and organizational units and their VPP status. 
See a users’ VPP apps

You can get a list of users that have a specific VPP app license assigned to them:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Directoryand thenUsers.
  3. Click Add a filterand thenVPP purchase program app.
  4. Enter a keyword for the app and click Apply.
See a device’s VPP apps

To see the VPP apps that are have been distributed to a device:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenSettingsand theniOS.
  3. Click the device nameand thenInstalled apps.
  4. See which apps are distributed by VPP in the Distribution column.
Revoke VPP licenses

How you revoke a license depends on whether the device is user-enrolled or device-enrolled. 

Revoke a license from a user-enrolled device

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Directoryand thenUsers.
  3. Click the user’s nameand thenApps. The user’s VPP apps are listed under Volume Purchase Program (VPP) apps.
  4. Click Revoke next to the app name.

The VPP license is removed from the device immediately, but the user can continue to use the app for 30 days.

Revoke a license from a device-enrolled device

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenDevices.
  3. Click Add a filterand thenVPP purchase program (VPP).
  4. Enter a keyword for the app and click Apply.
  5. Click the deviceand thenInstalled apps.
  6. Next to the app, click Revoke VPPand thenRevoke

The VPP license is removed from the device immediately, but the user can continue to use the app for 30 days.

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
1017808588084649726
true
Search Help Center
true
true
true
false
false