Using our VPP Token in two different MDMs.

Hackert
New Contributor III

We are using two MDMs (JSS and Apple Profile Manager): the first to manage the high school's 1:1 program, the second to manage a few mobile labs in the grade school. We are also using the same VPP token in both systems. At first we thought it was working well; any changes in VPP would immediately be reflected in both MDMs. But JSS is having a rough time getting the VPP invitations to connect to a user. I am getting 'user is retired' or 'user is already associated with this invitation' messages in the logs, but the invitation never registers over 0%.

Any ideas? Does anyone else use a VPP token in multiple spots? Has anyone heard if that should not be done?

Thanks,

Hackert

21 REPLIES

daniel_behan
Contributor III

We started using one VPP token for both Macs in Casper and iOS Devices in Airwatch. So far it's been fine, but we're still testing.

-Dan

cdenesha
Valued Contributor III

The 9.4 Admin Guide on page 79 says

Note: Each service token should only exist in one location at a time. If the service token you want to upload already exists in Apple's Profile Manager, delete the service token from Apple's Profile Manager before uploading it to the JSS.

However, I have some students in my 1:1 program that had managed distribution apps purchased by another Program Administrator (Facilitator) for special education... I am wondering if it will work.

chris

yellow
Contributor

Curious if anyone had thoughts on this 2 years into the future? Can I use 1 VPP token for different MDM solutions?

mlepich
New Contributor

I am also wondering about this. We currently use AirWatch for our iOS devices and will be starting to use JAMF for Mac devices within the next month. Any insight would be appreciated.

rdwhitt
Contributor II

The recommendation is that a single VPP token should not be used by multiple MDM servers. So if you have AirWatch and Casper you would have separate VPP tokens for each. Or, if you are moving from one to another, you would revoke your apps in the current one before adding it to the new server.

At some point Jamf added some kind of detection so that when you are adding a VPP token that was previously associated with a different MDM server, you will get this message:

[screenshot]

Then you'll see the reclaim button:

[screenshot]

StaciW
New Contributor II

Hey Everyone,

I'd like to pop in here and just verify some information. We definitely NEVER want to have a VPP token in more than one MDM server at a time. If you do, it causes the MDM providers to constantly fight over licenses. The reclaim button simply just looks at the client context of the token and alerts you if it doesn't match your JSS client context. As of this writing, hitting the reclaim button does not make the JSS 'own' the token, like Profile Manager does.

The proper way to move VPP tokens from one MDM provider to another would be to remove the assignments from the current MDM, then remove the token. At that point, you can upload the VPP token to the new MDM provider. From there, you'll want to make sure that all licenses, minus eBooks, have an In Use count of 0. If they do not, you'll want to revoke all apps before proceeding with assigning them out in the JSS. This ensures that you have pulled back all licenses from any other MDM you previously had the VPP token in. Again, this will not make the JSS 'own' the token, so if you didn't take the token out of other MDMs you will continue to have issues with your VPP licensing.

rdwhitt
Contributor II

I was wondering if that button actually did anything other than make me feel good. Thanks for the clarification Staci!

Munkeee
New Contributor III

Hi everyone. Did anyone ever find a way to do this? I use Casper for our Macs, with VPP managing some apps. Now we are looking to use VPP on the iOS side (different MDM). I don't see a way to create two tokens in an account, which would be an issue for assignments anyway. Is it possible to create a second VPP account with the same DUNS number?

ericjboyd
Contributor

First step is to create a new email alias and make sure it is not already in use as an Apple ID.
Second, in your deploy.apple.com console, select the Admins tab from the left nav bar.
Now click on the Add Admin Account link and fill out the email address and name fields. (I use an email address that describes where I will be using the token.)
Be sure to select the Allow Access to: Volume Purchase Program option.
That email address will get an email inviting them (whoever you pointed the alias to) to create an Apple ID.
Once this is done, you can purchase apps, download this account's token and add it to your MDM server.

jsalisb
New Contributor

When following the method mentioned by ejboyd, by adding a second VPP administrator via deploy.apple.com, does this user get a unique sToken? Basically, if the second (new) admin downloads an sToken while they are logged in and imports it into a different MDM server, will it impact the functionality of the main account's sToken and associated purchases?

AVmcclint
Honored Contributor

I learned the hard way that if you set up 2 VPP tokens to go to 2 different MDMs, they cannot share the same $ balance on the account. You'd have to add money to them separately. It royally f'd up our plans for moving forward. We're having to rethink this whole process.

james_espinoza
New Contributor

@AVmcclint

How did you set yours up? I created two content managers (one for each MDM). Do they need to be assigned to different Locations within Apple Business Manager?

AVmcclint
Honored Contributor

We haven't moved to Apple Business Manager yet. When we set up all our Apple IDs for all the various services, no one ever gave us warning that every single account would be segregated. As it is, I'm not sure that we will be able to migrate to ABM and still maintain all our current services. I'm planning on taking inventory of all our Apple IDs and the services they go to, then I'm going to call Apple to help us unify them.

pmonegas
New Contributor

Use the same VPP account but need separate VPP agent for JAMF and VMware Airwatch

  1. Log into your DEP account. In our case, https://business.apple.com
  2. Click on Accounts
  3. Click on the Add new account icon
  4. For the 'Managed Apple ID' and 'email address field' be sure to use the same email address. Make sure that it's not currently an email address that's tied to an Apple ID. This process will create an Apple ID. It won't accept an email address that's already an Apple ID.
  5. Choose the Administrator role. This will allow this Apple ID to sign into our existing VPP account as a separate agent using the same DUNS number. We can then download a separate token for our JAMF environment.
  6. Click Save.
  7. Click on Accounts. You should see the newly created account. Click on it.
  8. Click on "Create Sign-In". Walk through the steps.
  9. At this point the Apple ID is created. You can go to https://appleid.apple.com to edit account settings.
  10. Now go to https://vpp.itunes.apple.com and sign in with your newly created Apple ID to download your token.

Use the same DEP account used for both JAMF and VMware Airwatch.

  1. Sign into https://business.apple.com
  2. Click on Settings > Device Management Settings
  3. Click on Add MDM Server

pmonegas
New Contributor

I hope the below helps. We're in the process of implementing JAMF in our environment.

Use the same VPP account but need separate VPP agent for JAMF and VMware Airwatch

  1. Log into your DEP account. In our case, https://business.apple.com
  2. Click on Accounts
  3. Click on the Add new account icon
  4. For the 'Managed Apple ID' and 'email address field' be sure to use the same email address. Make sure that it's not currently an email address that's tied to an Apple ID. This process will create an Apple ID. It won't accept an email address that's already an Apple ID.
  5. Choose the Administrator role. This will allow this Apple ID to sign into our existing VPP account as a separate agent using the same DUNS number. We can then download a separate token for our JAMF environment.
  6. Click Save.
  7. Click on Accounts. You should see the newly created account. Click on it.
  8. Click on "Create Sign-In". Walk through the steps.
  9. At this point the Apple ID is created. You can go to https://appleid.apple.com to edit account settings.
  10. Now go to https://vpp.itunes.apple.com and sign in with your newly created Apple ID to download your token.

Use the same DEP account for both JAMF and VMware Airwatch. Two separate MDM servers are required.

  1. Sign into https://business.apple.com
  2. Click on Settings > Device Management Settings
  3. Click on Add MDM Server

jcarr
Release Candidate Programs Tester

@pmonegas it's actually quite a bit easier than that. Each location in Apple Business Manager or Apple School Manager will have its own VPP token. This is the file that is uploaded to Jamf or AirWatch. You can simply create a location for Jamf and a location for AirWatch. Download the appropriate token from Settings -> Apps & Books -> My Server Tokens, and upload to the appropriate MDM.

You can then purchase Apps & Books and select the location where that purchase should be sent. You can also transfer purchases from one location to another as needs change.

Any admin, site manager, or content manager can purchase Apps & Books for locations to which they have rights.

evaldes
New Contributor III

With ASM, you can use the same email address account. The difference is you just need to create a new location and assign the account as a Content Manager to that new location. Each location can represent an MDM server. We currently have 3 MDM servers and they all have their own token using the same Apple ID.

swapple
Contributor III

What's the best practice for VPP in Prod and Sandbox Jamf Servers? We are wanting to test some free app deployments in the sandbox that will eventually replicate the steps in Prod.

Tribruin
Valued Contributor II

Create separate locations in ABM for your Prod and Sandbox environments and assign an individual Apps & Books token to each. You can move purchases between locations (as long as you are an Admin or are Content Manager in both locations).

Having the same token in two MDMs is very bad.

dmcarter
New Contributor

I am getting this message under VPP: "The service token may be in use by another server. The service token can be reclaimed below for this Jamf Pro server." I clicked reclaim a couple of times. I also tried to renew my token. I'm still getting the same error. I have just one MDM server. I'm just trying to see how to fix this.

alimbundu
New Contributor

Hi @dmcarter, I'm also experiencing this same issue. Were you able to find a fix?

We've set up two locations, however both VPP token certificates appear to be the same.
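
Added example, not part of any post in this thread: a Python check that flags when the same VPP service token has been uploaded to more than one MDM server, the condition the replies above warn against, and reports expired tokens. It assumes the legacy sToken layout (Base64 of a JSON object with `token`, `expDate` and `orgName`); the server names and token bodies are constructed samples.

```python
import base64
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timezone

def decode_stoken(blob: str) -> dict:
    """Decode an sToken file body (assumed: Base64 of a JSON object)."""
    data = json.loads(base64.b64decode(blob.strip(), validate=True))
    missing = {"token", "expDate", "orgName"} - data.keys()
    if missing:
        raise ValueError(f"not an sToken, missing: {sorted(missing)}")
    return data

def fingerprint(stoken: dict) -> str:
    """Truncated SHA-256 of the secret, so the secret itself is never logged."""
    return hashlib.sha256(stoken["token"].encode()).hexdigest()[:16]

def shared_tokens(by_server: dict) -> list:
    """Return groups of server names that hold the same token secret."""
    groups = defaultdict(list)
    for server, blob in by_server.items():
        groups[fingerprint(decode_stoken(blob))].append(server)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def is_expired(stoken: dict, now: datetime) -> bool:
    """expDate is assumed to be ISO 8601 with a numeric UTC offset."""
    return datetime.strptime(stoken["expDate"], "%Y-%m-%dT%H:%M:%S%z") <= now

def make_sample(secret: str, exp: str = "2030-01-01T00:00:00+0000") -> str:
    """Build a constructed sToken body for the demo inventory."""
    body = {"token": secret, "expDate": exp, "orgName": "Example School"}
    return base64.b64encode(json.dumps(body).encode()).decode()

# Constructed inventory: hypothetical server name -> uploaded token body.
SAMPLES = {
    "jss-highschool": make_sample("constructed-secret-A"),
    "profile-manager": make_sample("constructed-secret-A"),
    "airwatch-ios": make_sample("constructed-secret-B", "2020-01-01T00:00:00+0000"),
}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("shared:", shared_tokens(SAMPLES))
    print("expired:", [s for s, b in SAMPLES.items() if is_expired(decode_stoken(b), now)])
```

To use it on a real inventory, read each server's uploaded token file into the dictionary in place of the constructed samples.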