Citrix Endpoint Management

Apple Volume Purchase

You can manage iOS and macOS app licensing by using Apple volume purchase. The volume purchase solution simplifies the process to find, buy, and distribute apps and other data in bulk for an organization.

With volume purchase, you can use Endpoint Management to distribute public app store apps.

  • Volume purchase is not supported for MAM enrollment. You must enroll volume purchase devices in MDM or MDM+MAM.
  • Volume purchase is not supported for Citrix mobile productivity apps.
  • Although you can distribute the Endpoint Management public store apps with volume purchase, the deployment is not optimal. Enhancements to Endpoint Management and the Secure Hub store are required to address the limitations.
  • For a list of known issues with distributing the Endpoint Management public store apps through volume purchase, see this article in the Citrix knowledge center.

With volume purchase, you can distribute the applicable apps directly to your devices. Or, you assign content to your users by using redeemable codes. You configure settings specific to the Apple volume purchase in Endpoint Management.

Endpoint Management periodically reimports volume purchase licenses from Apple to ensure that the licenses reflect all changes. Such changes include when you manually delete an imported app from the volume purchase. By default, Endpoint Management refreshes the volume purchase license baseline a minimum of every 1440 minutes (24 hours). You can change the volume purchase baseline interval through the server property, VPP.baseline. For more information about the VPP.baseline server property, see Server properties.

The App auto update setting also relies in the VPP.baseline server property, and apps update on the same schedule set in that property.

This article focuses on using volume purchase with managed licenses, which enables you to use Endpoint Management to distribute apps. If you currently use redemption codes and want to change to managed distribution, see this Apple Support document: Migrate from redemption codes to managed distribution with the Volume Purchase.

For information about the Apple volume purchase, see To enroll in volume purchase, go to To access your volume purchase store in your Apple App Store account, go to

After you save these Apple volume purchase settings in the Endpoint Management console, the purchased apps appear on the Configure > Apps page.

Add an Apple volume purchase account

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Click Volume purchase. The Volume purchase configuration page appears.

    Volume purchase configuration screen

  3. Configure these settings:

    • Store user password in Secure Hub: Select whether to store a user name and password in Secure Hub for Endpoint Management authentication. The default is to store the information by using this secure method.
    • User property for Volume purchase country mapping: Type a code to allow users to download apps from country-specific app stores.

    Endpoint Management uses this mapping to choose the property pool of the volume purchase. For example, if the user property is United States, that user cannot download apps if the volume purchase code is for the United Kingdom. Contact your volume purchase plan administrator for more information about the country mapping code.

  4. For each volume purchase account you want to add, click Add. The Add a Volume purchase account dialog box appears.

    Volume purchase configuration screen

  5. Configure these settings for each account you add:


    If you use Apple Configurator 1, upload a license file: Go to Configure > Apps, go to a platform page, and then expand Volume purchase.

    • Name: Type the volume purchase account name.
    • Suffix: Type the suffix to appear with the app names obtained through the volume purchase account. For example, if you enter VP, the Secure Mail app appears in the apps list as Secure Mail - VP.
    • Company Token: Copy and paste the volume purchase service token obtained from Apple. To obtain the token: In the Account Summary page of the Apple volume purchase portal, click the Download button to generate and download the volume purchase file. The file contains the service token and other information, like the country code and expiry. Save the file in a secure location.
    • User Login: Type an optional authorized volume purchase account administrator name used to import custom B2B apps.
    • User Password: Type the volume purchase account administrator password.
    • App Auto Update: If On, volume purchase apps automatically update when an update exists on the Apple store. Default is Off.
  6. Click Save to close the dialog box.

  7. Click Save to save the Volume purchase configuration.

    A message notes that Endpoint Management adds the apps to the list on the Configure > Apps page. On that page, notice that the app names from your volume purchase account include the suffix you provided in the preceding configuration.

Configure the volume purchase apps

You can now configure the volume purchase app settings, tune your delivery group, and adjust device policy settings for iOS and macOS devices. After you complete those configurations, users can enroll their devices. The following notes provide considerations for those processes.

When configuring the volume purchase app settings for iOS devices (Configure > Apps), enable Force license association to device. Forcing the association allows Endpoint Management to assign the app to a device rather than to a user. As a result, users don’t have to use their Apple ID and can download the apps without signing into their Apple App Store account. Also, users don’t receive an invitation to join the volume purchase program.

For macOS, you assign the app at the user level. If you want to manage an unmanaged app that is already installed, use the Force app to be managed setting. Turn on the setting for that app and then deploy the app to the devices. The app automatically installs as a managed app. Users don’t receive any prompts. If you deploy an app to devices where the app doesn’t exist, the app is installed as a managed app regardless of the state of the setting. The setting is available on macOS 11.0 and later.

Apps configuration screen

To view the volume purchase info for that app, expand Volume purchase. Notice in the Volume purchase License Keys table, the license is associated with a device. If the user removes the token and then imports it again, the word Hidden appears instead of the serial number, due to Apple privacy restrictions.

Apps configuration screen

To disassociate a license, click the row for the license and then click Disassociate.

Apps configuration screen

If you associate volume purchase licenses with users, Endpoint Management integrates users into your volume purchase account. Endpoint Management also associates the Apple App Store IDs of users with the volume purchase account. The Apple App Store ID of users is never visible to your company or to the Endpoint Management server. Apple transparently creates the association to retain user privacy. You can retire a user from the volume purchase program, to disassociate all licenses from the user account. To retire a user, go to Manage > Devices.

Devices configuration screen

Sync a volume purchase account

Endpoint Management periodically reimports volume purchase licenses from Apple to ensure that the licenses reflect all changes. To force a sync with your volume purchase account, go to Settings > Volume Purchase and click Force synchronization.

After you click to confirm the action, Endpoint Management imports the volume purchase information. The import might take several minutes, depending on the number of volume purchase licenses. After the sync completes, Endpoint Management refreshes the Volume Purchase page and updates the sync date and time in the new Last Sync Date column.

Volume purchase configuration screen

  • When you assign an app to a delivery group, by default Endpoint Management identifies the app as an optional app. To ensure that Endpoint Management deploys an app to devices, go to Configure > Delivery Groups. On the Apps page, move the app to the Required Apps list.
  • When an update for a public app store app is available: When volume purchase pushes the app, the app automatically updates on devices. To push an update for Secure Hub, when assigned to a device and not to a user, do the following. In Configure > Apps, on a platform page, click Check for Updates and apply the update.

    Apps configuration screen

    Endpoint Management displays a License Expiration Warning when Apple volume purchase has expired.

    License Expiration Warning screen

Upload new tokens for your Apple volume purchase account

To update your volume purchase account on Endpoint Management:

  1. From the Apple Business Manager or Apple School Manager portal, download an updated token.

  2. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  3. Click Volume Purchase. The Volume Purchase configuration page appears.

  4. Edit your volume purchase account with the updated token info for that location.

Apple Volume Purchase