MAS apps installed with captured package requiring update

etippett
Contributor II

Yesterday I was experimenting with capturing the packages for Mac App Store apps (iWork and iLife) using tools like PKGKeeper, AppStoreExtract, or Rich's method outlined here. After installing the captured packages on a fresh 10.11.5 machine, some of them are showing as needing to be updated, even though they are the latest version. Based on poking around here, it looks like some other folks have seen similar issues; has anyone determined a cause/solution?

Thanks,
Eric

7 REPLIES

jcarr
Release Candidate Programs Tester

OK, I know this isn't an answer to your question, but I'm curious as to the reason you're not using device-based app assignment. It gets you the same end result (apps installed without end user interaction).

If your devices are on 10.11 and you're licensed to install the apps, that would seem to be the way to go.

cgalik
Contributor

Speaking from my experience, when doing device-based VPP assignment, the apps are never actually installed until a user logs in (which makes about Joe sense if you ask me). They just sit in "Pending". If you have a lab full of students all logging in to freshly imaged machines, they may frown on the fact that the apps won't be ready to roll. May take a little while to get things going, too, as the entire lab will be trying to install all of its VPP apps at the same time. I may end up going that way this year anyway (haven't decided yet), I'm just voicing a possible reason for NOT doing device-based VPP assignment.

etippett
Contributor II

@jcarr To be honest, I just haven't made time to request the apps.

@cgalik That's good to know--thanks!

Eric

michaelhusar
Contributor II

For what it's worth:
1) We do use device-based VPP and DEP. The local account created during setup is automatically MDM enabled. So this triggers the installation of the VPP-apps nicely. All Students have AD-accounts. AD-accounts are also automatically MDM enabled. That works - but as you said - for the first login it is a delay.
We requested that the "managed by account" is automatically MDM enabled - so this would run anyway without having to define a local account creation in the DEP profile: https://jamfnation.jamfsoftware.com/featureRequest.html?id=4823

2) We use autopkg. There is also a repo for AppStore Apps from Nick McSpadden https://github.com/autopkg/nmcspadden-recipes

a) So we have a OS X "build machine" that gets the AppStore apps assigned by VPP - the recipes only work when the apps are actually on the machine!
b) On this machine we install autopkg with the Nick McSpadden recipes.
c) Make a recipe for each AppStore app - e.g. munki or .jss.recipe

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Identifier</key>
    <string>com.uyourcompany.git.department.munki.Keynote</string>
    <key>Input</key>
    <dict>
        <key>MUNKI_REPO_SUBDIR</key>
        <string>apps/apple/%NAME%</string>
        <key>NAME</key>
        <string>Keynote</string>
        <key>description</key>
        <string>Easily create gorgeous presentations.</string>
        <key>PATH</key>
        <string>/Applications/%NAME%.app</string>
        <key>pkginfo</key>
        <dict>
            <key>catalogs</key>
            <array>
                <string>testing</string>
            </array>
            <key>display_name</key>
            <string>%NAME%</string>
            <key>name</key>
            <string>%NAME%</string>
            <key>unattended_install</key>
            <true/>
        </dict>
    </dict>
    <key>ParentRecipe</key>
    <string>com.github.nmcspadden.munki.appstore</string>
</dict>
</plist>

d) autopkg run the recipes - the "Nick McSpadden-magic" downloads the latest version. - Btw.: Many thanks to Nick for the great recipes!

Michael_Meyers
Contributor

If you create a blank receipt package for all of the Apps and include that in your policy, the App Store will not give you notifications that the Apps need to be updated.

You can use this script or install the software on a test Mac and drag the receipt into Composer from this path: /Applications/"App Name"/Contents/_MASReceipt/receipt

I usually create one package each with all of the receipts for iLife and iWork.

Hope that helps!

MM

etippett
Contributor II

@Mike_Meyers: Interesting. Does that only prevent the initial, incorrect update-needed notification I am seeing, or does it also prevent future valid notifications when an update is released?

Thanks,
Eric

plawrence
Contributor II

@Mike_Meyers I am fairly sure that the _MASReceipt solution no longer works on machines running 10.11.5. Are you able to confirm in your environment?

If it doesn't, then our only option to prevent users seeing the updates is to install the apps via device-assigned VPP licenses. I'd be interested to know if someone has a solution to migrate from _MASReceipt-mangled apps to the app store version without having to delete the application from the computers first.
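
An inventory check for the receipt path discussed in this thread, added here as an example and not posted by any participant: it lists each .app bundle in a directory and reports whether Contents/_MASReceipt/receipt is missing, zero-byte, or non-empty. Treating a zero-byte file as a "blank" receipt is an assumption, and the function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Classify every .app bundle in a directory by the state of its
# Contents/_MASReceipt/receipt file.
# Output: one line per bundle, "<state><TAB><bundle name>", where state is
#   none    - no receipt file in the bundle
#   empty   - zero-byte receipt (assumed here to be a "blank" placeholder)
#   present - non-empty receipt file
mas_receipt_status() {
    app_dir=${1:-/Applications}
    for app in "$app_dir"/*.app; do
        [ -d "$app" ] || continue    # unmatched glob or not a bundle directory
        receipt="$app/Contents/_MASReceipt/receipt"
        if [ ! -e "$receipt" ]; then
            state=none
        elif [ -s "$receipt" ]; then
            state=present
        else
            state=empty
        fi
        printf '%s\t%s\n' "$state" "$(basename "$app")"
    done
}

# Constructed sample tree (not real apps or receipts) so the check can be
# exercised on any machine; prints the path of the temporary directory.
make_sample_tree() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/masreceipt.XXXXXX") || return 1
    mkdir -p "$root/Keynote.app/Contents/_MASReceipt" \
             "$root/Pages.app/Contents/_MASReceipt" \
             "$root/Firefox.app/Contents"
    : > "$root/Keynote.app/Contents/_MASReceipt/receipt"
    printf 'constructed-receipt-bytes' \
        > "$root/Pages.app/Contents/_MASReceipt/receipt"
    printf '%s\n' "$root"
}

# Stand-alone run against the constructed tree.
# On a managed Mac, call: mas_receipt_status /Applications
sample=$(make_sample_tree) && {
    mas_receipt_status "$sample"
    rm -rf "$sample"
}
```

The "empty" rows identify the bundles that would need attention before moving to device-assigned VPP installs, which is the migration question raised in the last reply.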