Differentiate between a Mac app store app installed via the app store or VPP ?

May
Contributor III

Hi

Just starting to dig into VPP testing, i'd like to replace an application that was installed via the App store with the latest version that's delivered via the JSS/VPP, if i scope the Device Assignable app to a Mac that has an older version that was instaled from the app store it will not update, if i delete the older App Store version then the latest VPP one will install.

I'm looking for a way to tell the difference between an appliaction that was installed via the App store and via JSS/VPP, looking at Mac App Store Apps in History it shows all applications regardless of how they were installed, is there anything that will identify a VPP installed application ?

thanks,
Andy591b9599ef4f4974aa4332d6c3a3ef36

1 ACCEPTED SOLUTION

May
Contributor III

Hi @reon

Found a way to tell if an app was installed via VPP or the App Store.

This Krpted article shows how to pull some application data using the Spotlight command mdls

i ran mdls /Applications/SonicWALL Mobile Connect.app/ on a VPP and App store installed application then compared the output.

There is an item called kMDItemAppStoreReceiptIsVPPLicensed

0 is non VPP
1 is VPP

can use this to get just that detail

mdls /Applications/SonicWALL Mobile Connect.app/ -name kMDItemAppStoreReceiptIsVPPLicensed

it also has kMDItemAppStoreReceiptOrganizationDisplayName which could help differentiate as the VPP one has our VPP registration name.

View solution in original post

12 REPLIES 12

reon
Contributor

Hi Andy,

Please correct me if I got you wrong.

First of all, please understand that an APP must be tied with an Apple ID. No Apple ID = no download.

Mac APP Store will prompt end users to key in, download and install the APP by using users' Apple ID.
Because at current moment, the APP has yet been tied with any Apple ID.
Different users will be using different Apple ID to download the APP in same organization. Let's call this Apple ID as 'A'.

VPP, to bulk buy an APP in volumes by using 1 Apple ID(usually created by organization), scoped users are not required to key in any Apple ID. Because the APP has already tied with organization's Apple ID.
Let's call this Apple ID as 'B'.

Now, an APP downloaded by 'A' is outdated, you can't user 'B' to update 'A' APP right?
and 'B' APP can't be installed on the Mac because 'A' APP is still existing, logically you can't install 2 same APP in 1 Mac.

Under VPP Content, there are informations of quantity of APP purchased and number of in use.
If you purchased 30 contents because you have 30 Macs, but in used only 28, which means remaining 2 are still using 'A' APP.

I hope I answered to your question. Cheers.

May
Contributor III

Thanks @reon

You've described what the scenario i have is.
What i'd like to do is find out whether the current application on the Mac was installed using a unique AppleID 'A' or if it was from the Apple ID associted with our VPP 'B'

I wonder if there's a way to pull which Apple ID was used from the application or receipt, i'll have a look now.

reon
Contributor

Well, you did mentioned 'A' APP is outdated.

Assuming latest version is 5.1
You can make use of computer smart group feature, create a smart group with criteria "application version is not 5.1", then it shall give you a list of Mac with outdated APP.

Hope I helped.

May
Contributor III

@reon

That was my first thought, though ideally i'd like something that we can use to replace any apps that were not installed with the VPP Apple ID but for this particular application i'll use the older version to locate them, thanks for your input

May
Contributor III

Hi @reon

Found a way to tell if an app was installed via VPP or the App Store.

This Krpted article shows how to pull some application data using the Spotlight command mdls

i ran mdls /Applications/SonicWALL Mobile Connect.app/ on a VPP and App store installed application then compared the output.

There is an item called kMDItemAppStoreReceiptIsVPPLicensed

0 is non VPP
1 is VPP

can use this to get just that detail

mdls /Applications/SonicWALL Mobile Connect.app/ -name kMDItemAppStoreReceiptIsVPPLicensed

it also has kMDItemAppStoreReceiptOrganizationDisplayName which could help differentiate as the VPP one has our VPP registration name.

May
Contributor III

Another interesting result is how many times the application has been opened

mdls /Applications/SonicWALL Mobile Connect.app/ -name kMDItemUseCount

erichughes
Contributor II

Anybody better at scripting than me want to turn that into an Extension Attribute? I would be grateful, as would others I'm sure.

msw
Contributor

@May Thanks May, that mdls command just helped me now. Still a valid way to check VPP status

@erichughes you'd want to do something like like

#!/bin/sh
VPPtest=`mdls /Applications/ApplicationName -name kMDItemAppStoreReceiptIsVPPLicensed | cut -d = -f 2 | xargs`

[[ "$VPPtest" == "1" ]] && echo "<result>VPP Licensed</result>" || echo "<result>Not VPP Licensed</result>"

This assumes you just have 1 application you want to check for. Replaced ApplicationName with your app name, the cut step only prints the field after the = sign, xargs drops any spaces, and then the final line tests if VPPtest is 1 — if it is, the extension attribute will print VPP Licensed; if it's anything else, it prints Not VPP licensed. Hope this helps you get something operational

erichughes
Contributor II

Thank you very much for that. It will help a lot in transitioning apps to VPP, without just removing them all.

Hugonaut
Valued Contributor II

This feature request would help with the deployment of your VPP apps to the computers already utilizing the App via an App Store download in one policy - https://www.jamf.com/jamf-nation/feature-requests/8213/add-script-option-to-vpp-deployment-macos

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

msw
Contributor

@erichughes the only thing I would be aware of is that VPP apps don't always receive their license immediately. I found that running the mdls command immediately after an app was installed usually returned (null) because the VPP field doesn't exist at all yet. Within a pretty small amount of time (I didn't test rigorously but let's say 5-10 mins) the license was assigned and I got the expected 1 response.

erichughes
Contributor II

I'm using the mdls to populate a smart group that then is scoped to a policy to remove the non VPP version of the app. The computer then falls into another smart group that is scoped to receive the VPP version. Works pretty well, we have a lot of computer in the population that use personal Apple IDs to download and install AppStore apps that we are moving to VPP. The biggest issue currently is the lag between app removal and new VPP app push. Sometimes super fast some times not so much.