Jamf Nation Community

You will also need to "purchase" all of your free apps through your AVPP account now if you want to distribute them that way. It is how Apple does the licensing for it. You don't actually pay anything you are buying a free app to add to the catalog, this is the only way they can require you not to use an AppleID though.

We're actually having the issue with our paid apps - it is prompting to be logged in with an iTunes account. We don't have any restrictions set to require a password, so we're not sure where this is coming from. Is there some other setting we're missing?

D'oh...updating iPads to iOS 9 now...

I have an iPad updated to 9 and tested pushing an app out via jamf, it's a free app. I am still getting prompted for an iTunes sign in. There are no restrictions on this iPad.

We're still having this problem with paid apps after updating to iOS 9.0.2. Same issue on four iPads so far.

I read over in this thread that the app must also support device based licensing. Maybe the apps you are trying to assign this way don't support it yet. There in information in that thread on how to check.

Rebooted JSS and database servers, still no luck.

Sadly, it looks like that isn't the answer either. I haven't checked all apps, but Notability says VPP licensing is enabled, as does Minecraft. Thanks for the link to that thread.

I also tried adding a specific device serial number thinking perhaps it was a group issue. No luck there either.

For apps to be installed without an account, is it a requirement that they have been purchased with the MDM method from VPP? And not purchased via the spreadsheet method?

It seems to work for some of our Notability apps (though giving fits on other ipads). For Notability we have 500 licenses for MDM plus another 1000+ previously purchased via spreadsheets. Most of our other apps have previously only been purchased with spreadsheets that have since been uploaded to JSS.

@david.yenzer it's my understanding that in order to use device based assignment of apps, the app must first support it and then you have to purchase the app as a managed license rather than VPP codes. I believe it's possible to convert any VPP codes that have not been redeemed into managed licenses. But if the 1000+ VPP codes you purchased for Notability have been redeemed then you cannot convert them to managed licenses.

Thanks, that helps make sense of the issue. Now to research how to convert redeemable codes into MDM!

Hey David,

Here's the form to submit to Apple to get redemption codes changed to managed distribution licenses: https://www.apple.com/ca/support/itunes/vpp-edu/

Hope this helps!
~Joe

@david.yenzer I am seeing the same issue on my end. So, right out of the gate, I went to VPP and purchased 10 free copies of Evernote. I added the app in JAMF and deployed it to my test iPad (ios 9.0.2) and it worked beautifully. So, I wanted to test a few more apps. The next 2 apps, OneNote and iTunes U, I followed the same method I did with Evernote but when I deployed them to my test iPad, I was prompted with the message, “ Sign in to Itunes to allow “jamf….” To manage and install apps”. It was very similar to App assignment by user instead of device.

I then tested the same method on a different iPad. I was again able to deploy Evernote without needing to login. Onenote and iTunes U prompted me to login to iTunes on this iPad as well.

But, here is the kicker, I tried one more app, Angry Birds Start Wars II. On my iPad I was prompted to login. On the second ipad, the app installed without requiring a user to login.

So, there appears to be some inconsistency with the product.

Interesting...Hope to test this new way of app distribution early next week. Too bad to see it's not consistent yet. How is everyone else experiencing it?

Quick update. My account rep pointed out to me that if a device is assigned to a user, the app deployment by device will not work. After I unassigned the device from a user, I was then able to deploy apps to devices without being prompted to login with an Apple ID. I'll need to make a few changes in my environment to accommodate this requirement. I like to assign those iPads to a user for inventory and so that I also have an extra attribute in the JSS to key off of.

We are also having an issue with Self Service installing. It continually prompts for an itunes account which defeats the purpose of setting up a device without one. The device was not set up with a user. We set up a new prestage enrollment without requiring authentication. There is no way to "install" self service except to have it pushed from the JSS. Otherwise it is not connected to the database properly. Pushing a paid app to the device without the Apple ID worked great though.

We got a response from Apple, and I have a point I'd like clarified if some of you folks might be able to chime in...

• All previously purchased redemption codes that were redeemed with Apple Configurator will be converted to managed distribution.

Does that mean exactly what it says? We had been using the old method of distributing apps, which was redeemable codes via Apple Configurator (and sometimes iTunes). The general usage for a classroom of 30 was that 1 license would be burned for the app and the other 29 were recovered and loaded into the JSS. It sounds like this point is saying that the 1 burned app would be invalidated for use with Apple Configurator? Is that accurate? What happens on the user's end? Does the app just go away or become unusable until the license is reassigned and the app is downloaded again via Self Service?

We do plan on moving all iPads over to this method, but the plan wasn't to do them all right now at once, which would involve a lot of resetting and erasing of user data.

Everything deployed the old way still works - nothing breaks. So you have plenty of time to migrate existing devices over.

Thanks Chris. I also confirmed with our Apple rep, in person, and he explained that while all the codes are invalidated, it will not prohibit continued use of already redeemed licenses. Except that it will not work to push apps to new (previously unassigned) devices, so if you try to push out an app with configurator to a device that previously didn't have that app, it shouldn't work.

I believe that takes care of our concerns and we will proceed with this conversion to MDM licenses.

Thanks everybody!

I, too, am seeing some inconsistencies with pushing managed VPP apps to devices on 9.0.2. All of our shared devices have a unique apple ID for them since they've been out in the wild for a year or two. Here's my workflow:

1) purchase VPP app
2) scope app to vpp assignment for a given set of users
3) scope the app in the app catalog to the user's devices (VPP is NOT checked in the app catalog for this app).

The app gets pushed to the ipads, but they all get stuck at "prompting" and waiting for the apple ID's password. I really need to be able to push apps to devices and NOT need to go around to every ipad I've pushed it to for the password input......

As of today I think we've got it mostly working. We had an issue with our JSS that required support help, but after renewing my hatred for java I think we've got us mostly back up and running.

So we proceeded and had Apple convert our redeemable codes to MDM. Then we went to Global Management > VPP Accounts > and had to Update Purchased Content for each individual app (FUN!)...because apparently it's too difficult to have a seamless integration. (Note: The new app didn't appear in the list for me until after you hit edit/save. You could do multiple apps, probably all of them, but it didn't seem like the app would even appear into the list until you hit edit/save. Maybe it would it you were more patient than me, but I found you could kind of give it a push with the edit/save process.)

Then you get to go back to Mobile Devices > Apps > and update each app to Assign VPP Content (FUN!)

Then you get to figure out that the prior issue with the JSS somehow blew up one of the certificates and none of it works at all! So you go update your cert...or all of them...in that process...

Then try again and you get a message stating you "must login" to download the app. Cancel...and it installs anyway. I then poked the 12 other bears and they all installed. Did not have to enter a user/pw but did see that message pop up a few times. All of these were free apps that we purchased. Will test some paid apps tomorrow, but they worked in the first round so I suspect will work similarly now.

So I think we're mostly rolling now. Probably a few kinks to work out somewhere, either in a JSS update (to get rid of that message when it isn't needed) or something else we need to fix in our settings.

@david.yenzer The issue with VPP MD apps not showing up in the JSS automatically has been a problem for several months now. Last winter, it was working great when we were buying VPP MD apps and assigning to our 1-to-1 users. You'd buy an app in the VPP store and a few minutes later it would be available in the JSS automatically, ready to assign to a user. But sometime last spring, it stopped working and required going in to the JSS and clicking Update Purchased Content on each app as you outlined above. Hopefully this issue will be resolved soon. It is filed with JAMF support under D-009059.

I started deploying shared student carts using AC2 last week. I summarized and posed the workflow here.

~Joe

@smith.kyle I am seeing the same problem and did the exact same steps as you. I got prompted for an id, hit cancel, not the app just says pending in self service.

@mmacpherson You can re-push it for auto install (if you have that selected) with an update inventory/blank push. But I haven't seen that fix the password issue.

If you have an app that is in your JSS and it isn't recognizing the Device-based assignment in the VPP options of the app even through in VPP it shows as device assignable, you may need to force an app refresh

• Go to your JSS Settings> Global Settings > VPP Accounts and click your VPP account
• Select the Content Tab > Find the App > Click refresh next to the app

We had an issue where Self Service iOS in the JSS was not picked up the device-assignable option even through it is there through VPP and refreshing the app pulled in the option.

@rsaeks How has pushing Self Service without an Apple ID been working for you so far? Our tests had a mixed result. 100% of the time, it pushed fine. 100% of the time, it could not connect to the JSS for unknown reasons making the app completely useless.

@McAwesome - It has been OK. I think what it is going to make us to is change our Self Service option down the road so rather than require it on all devices, we will scope it on the device-level.

My System has been working quite flawless just need to make sure your smart groups do not have alot of criteria of 10 or more sometime at 5-6 it causes issues as well. So i changed it all over again and my criteria changed from 10 items down to 1 and it has worked great to enroll and deploy and remove and re-deploy so far no hiccups and I'm so glad in moving toward JSS it has helped greatly -

Thanks
Dr. Dan
D87
iOS 9.1 - 700+ JSS 9.81.1 Hosted
www.iOSGenius.com

This is frustrating beyond belief.

1) DEP --> VPP --> JSS is set up correctly with APNS cert, etc.
2) Apps, free and not-free, are "purchased" via the VPP portal at deploy.apple.com
3) PreStage enrollment is happening for OOB iPads. Names are being assigned properly. Supervision set. Configuration profile being applied successfully.
4) VPP user is set up in JSS without issue.
5) Apps, in JSS, are set to be installed automatically upon enrollment.
6) Some Apps do not support device-assgnement yet. For testing, I'm working only with Apps that I've verified to support this in iOS 9 and above.

Results:

1) Even Self Service Mobile App is asking for AppleID login and password on the enrolled device.
2) One prompt for every App that is asking to be installed.

The goal is to distribute iPads with DEP --> JSS --> VPP-purchased Apps but without an AppleID. This is supposed to be possible. Apple's documentation says it's possible. JAMF's documentation says it's possible. My reality is that it doesn't work.

If I put in any AppleID on the iPad, the apps then install, but that defeats what I'm trying to do. I don't want to distribute iPads with an institutional AppleID on them.

JSS is at 9.81

Do you see the apps listed under vpp accounts>content? Also, in the app configuration do you have the vpp information set?

Yes, I see the non-free apps in Global Management --> VPP Accounts --> Content. The free ones do not show up there.

On Free App Store apps, In Mobile Devices --> Apps --> Select the App --> VPP Tab, I see a "button" for "Device Assignments" but when I click on it, nothing happens. Yes, the Edit button is checked in bottom right.

On Purchased VPP App Store apps, I see the same "button" for "Device Assignments" and when I click on it, it gives me options for assigning to a mobile device. However, on the iOS side, it's still prompting for an Apple ID.

For the "google classroom" app which is free, I had to go into apple's vpp and basically purchase it again with the amount of licenses I wanted. The content it supposed to refresh in jamf, but doesn't always so I had to manually add it with update purchased content. It was very tedious to have go back and do this for all the free apps already setup in jamf.

The steps I did to ultimately get this to work were as follows:
1. Purchase an app through vpp, didn't matter if it was free or not.
2. Go into jamf>global management>vpp>ensure the app is listed in content. If it isn't then update purchased content.
3. Ipads have to be iOS 9
4. I have had better success if they are enrolled through DEP pre-stage enrollment
5. Assign the app as you have for "Coach's Eye" with the vpp account.

PS: I was able to have all my redeemable codes transfered to managed distribution licenses.

Ah ha! I think it's because I didn't actually "purchase" the free Apps in the VPP portal. Doh! That would explain why the one app shows up as device-assignable but the free ones don't. I'll test this and report back. Thanks for the walkthrough and steps.

@damienbarrett

I noticed in your screenshot for Coach's Eye that you also have VPP Codes available for that app. I ran into an issue when testing Device Assignments, if there were any VPP Codes assigned to the app I was attempting to deploy, then the device would prompt for Apple ID credentials. As soon as I deleted the VPP codes from the app, then the Device Assignment worked correctly. So keep an eye out for that too!

This is a long shot but it has worked for me ....
In Section Global Management / VPP Accounts / Contents if the REPORTED amount of free apps ordered was in RED writing therefore not equal to TOTAL the pushed apps would ask to log into the iTunes store. I hit refresh couple of times and when both were equal and push the app all went through correctly ....

Now ALL my apps PAID and FREE are opening without asking a iTunes login

Daniel Potvin, CS des Navigateurs
CCT in April -- Toronto Canada

Well the issue has now returned .... we had a major JSS server crash .... we reinstalled all including new JAVA and now on deploying the apps ALL devices ask for an AppleID ... this is getting a little frustrating ... and why doesn't JAMF put a GLOBAL APPS sync refresh to VPP server ?? an alphabetical listing would also be logical !!! Seems JAMF aren't reading this forum anymore....

Daniel Potvin

So, what we figured out is this:

• if the app is assigned to users, and you assign it to devices, it will ask for Apple ID and password if the app tries to install on device directly over device-based assignment
• if the app is not assigned to any user, and you assign it to a device, it will not ask for Apple ID and password and will install automatically

So the solution is, to unassign the app from users and assign it ONLY to devices. Works like a charm for us. Good luck :)

-J

@St0rMl0rD That sounds like a bug to me, did you contact your TAM? I haven't tested that yet but will add it to my list.