Moving from single Apple ID to VPP

nchan-jn
New Contributor II

My company has been using a single Apple ID to download apps like Xcode for many computers. We're finally on VPP and want to get all of our computers onto the program, but without needing to uninstall the app and re-install it.

Does anyone have insight or have a working process on:
a. Signing out of the App Store for all computers

b. Scoping VPP content to computers without the computer needing to uninstall the original app that was downloaded from the App Store via single Apple ID

Things that I've tried:
a. MAS-CLI (https://github.com/mas-cli/mas). This works in signing out of the App Store when run locally on the computer, but I have not been able to get this to run correctly via Jamf policy. I've tried creating a LaunchAgent to run it, but it doesn't work either. Using launchctl asuser, or sudo -u, isn't working either.

b. Deleting com.apple.appstore files/folders and other folders that I thought were associated with the App Store. I can't get the App Store to sign out.

c. Assigning VPP to a computer with an app that was already installed from an Apple ID. This doesn't change the app automatically to VPP. Running "mdls -name kMDItemAppStoreReceiptIsVPPLicensed /Applications/[app name]" doesn't return with 1.

1 REPLY

joshuasee
Contributor III

Why are you so intent on not reinstalling apps? On macOS, their containers, and thus settings and data, should be preserved even when the app is overwritten, so letting them reinstall would seem the way to go. You didn't note doing anything about the _MASReceipt folders. Have you tried deleting those? It will make the computer forget which AppleID installed an app, but usually triggers a reinstall.

As far as I can tell, MAS-CLI needs to be run by a corporeal user while they are logged into the GUI, and with an unrestricted Mac App Store. It is likely marionetting settings or calling high-level APIs in MAS to do what it does. It has proven immune to any tricks I know to get it to run headlessly. Also, since MAS logins are per user, it makes sense that you can't readily sign out of the store for the computer as a whole.
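To see which apps a migration still has to touch, the `mdls` check from the question and the `_MASReceipt` folders from the reply can be combined into a per-machine inventory. This is an added example, not code from either poster: the function names and the `vpp` / `not-vpp` / `unknown` labels are hypothetical, and it assumes `mdls -raw` prints `1` for a VPP-licensed receipt, `0` otherwise, and `(null)` when Spotlight has no value.

```shell
#!/bin/sh
# Added example (not from the thread): list Mac App Store apps and
# whether each receipt is VPP-licensed. Function names are hypothetical.

# Map the raw mdls value to a label (assumed values: 1, 0, "(null)").
classify_receipt() {
  case "$1" in
    1) echo "vpp" ;;
    0) echo "not-vpp" ;;
    *) echo "unknown" ;;  # "(null)" or empty: attribute not indexed
  esac
}

# Print "<App>.app<TAB><label>" for every App Store app in a directory.
audit_mas_receipts() {
  apps_dir="${1:-/Applications}"
  for app in "$apps_dir"/*.app; do
    # Only App Store installs carry a _MASReceipt/receipt file.
    [ -f "$app/Contents/_MASReceipt/receipt" ] || continue
    value="$(mdls -raw -name kMDItemAppStoreReceiptIsVPPLicensed "$app" 2>/dev/null)" || value=""
    printf '%s\t%s\n' "$(basename "$app")" "$(classify_receipt "$value")"
  done
}

# Count apps whose receipt is not VPP-licensed; a single number like
# this suits a Jamf extension attribute or smart group criterion.
count_non_vpp_apps() {
  audit_mas_receipts "$1" | awk -F'\t' '$2 == "not-vpp" { n++ } END { print n + 0 }'
}

# Run the inventory only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  audit_mas_receipts "${2:-/Applications}"
fi
```

Because this only reads metadata, it does not need a logged-in GUI user, unlike the MAS-CLI sign-out discussed above.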