iOS Volume Purchase Program

You can manage iOS app licensing by using the Apple iOS Volume Purchase Program (VPP). The VPP solution simplifies the process to find, buy, and distribute apps and other data in bulk for an organization. With VPP, you can use Endpoint Management to distribute public app store apps. VPP is not supported for Citrix mobile productivity apps or for apps wrapped by using the MDX Toolkit. Although you can distribute the Endpoint Management public store apps with VPP, the deployment is not optimal. Further enhancements to Endpoint Management and the Secure Hub store are required to address the limitations. For a list of known issues with deploying the Endpoint Management public store apps via VPP and potential workarounds, see this article in the Citrix knowledge center.

With VPP, you can distribute the applicable apps directly to your devices. Or, you assign content to your users by using redeemable codes. You configure settings specific to the iOS VPP in Endpoint Management.

Endpoint Management periodically reimports VPP licenses from Apple to ensure that the licenses reflect all changes. Such changes include when you manually delete an imported app from VPP. By default, Endpoint Management refreshes the VPP license baseline a minimum of every 720 minutes. You can change the baseline interval through the server property, VPP baseline interval (vpp.baseline). For information, see Server properties.

This article focuses on using VPP with managed licenses, which enables you to use Endpoint Management to distribute apps. If you currently use redemption codes and want to change to managed distribution, see this Apple Support document: Migrate from redemption codes to managed distribution with the Volume Purchase Program.

For information about the iOS VPP, see To enroll in VPP, go to To access your VPP store in iTunes, go to

After you save these iOS VPP settings in Endpoint Management, the purchased apps appear on the Configure > Apps page in the Endpoint Management console.

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Click iOS Settings. The iOS Settings configuration page appears.

    iOS Settings configuration screen

  3. Configure these settings:

    • Store user password in Secure Hub: Select whether to store a user name and password in Secure Hub for Endpoint Management authentication. The default is to store the information by using this secure method.
    • User property for VPP country mapping: Type a code to allow users to download apps from country-specific app stores.

    Endpoint Management uses this mapping to choose the property pool of the VPP. For example, if the user property is United States, that user cannot download apps if the VPP code for the app is for the United Kingdom. Contact your VPP plan administrator for more information about the country mapping code.

  4. For each VPP account you want to add, click Add. The Add VPP account dialog box appears.

    iOS Settings configuration screen

  5. Configure these settings for each account you add:


    If you use Apple Configurator 1, upload a license file: Go to Configure > Apps, go to a platform page, and then expand Volume Purchase Program.

    • Name: Type the VPP account name.
    • Suffix: Type the suffix to appear with the names of apps obtained through the VPP account. For example, if you enter VPP, the Secure Mail app appears in the apps list as Secure Mail - VPP.
    • Company Token: Copy and paste the VPP service token obtained from Apple. To obtain the token: In the Account Summary page of the Apple VPP portal, click the Download button to generate and download the VPP file. The file contains the service token and other information, like the country code and expiry. Save the file in a secure location.
    • User Login: Type an optional authorized VPP account administrator name used to import custom B2B apps.
    • User Password: Type the VPP account administrator password.
    • App Auto Update: If On, VPP apps automatically update when an update exists on the Apple store. Default is Off.
  6. Click Save to close the dialog box.

  7. Click Save to save the iOS settings.

    A message appears stating that Endpoint Management adds the apps to the list on the Configure > Apps page. On that page, notice that the app names from your VPP account include the suffix you provided in the preceding configuration.

You can now configure the VPP app settings and then tune your delivery group and device policy settings for VPP apps. After you complete those configurations, users can enroll their devices. The following notes provide considerations for those processes.

  • When configuring VPP app settings (Configure > Apps), enable Force license association to device. An advantage of using Apple VPP and DEP with supervised devices: The ability to use Endpoint Management to assign the app at the device (rather than user) level. As a result, you don’t have to use an Apple ID device. Also, users don’t receive an invitation to join the VPP program. Users can also download the apps without signing into their iTunes account.

    Apps configuration screen

    To view the VPP info for that app, expand Volume Purchase Program. Notice in the VPP ID Assignment table, the license is associated with a device. If the user removes the token and then imports it again, the word Hidden appears instead of the serial number, due to Apple privacy restrictions.

    Apps configuration screen

    To disassociate a license, click the row for the license and then click Disassociate.

    Apps configuration screen

    If you associate VPP licenses with users, Endpoint Management integrates users into your VPP account and associates their iTunes ID with the VPP account. The iTunes ID of users is never visible to your company or to the Endpoint Management server. Apple transparently creates the association to retain user privacy. You can retire a user from the VPP program, to disassociate all licenses from the user account. To retire a user, go to Manage > Devices.

    Devices configuration screen

    Endpoint Management periodically reimports VPP licenses from Apple to ensure that the licenses reflect all changes. To force a sync with your VPP account, go to Settings > iOS Settings and click Force synchronization.

    After you click to confirm the action, Endpoint Management imports the VPP information. The import might take several minutes, depending on the number of VPP licenses. After the sync completes, Endpoint Management refreshes the iOS Settings page and updates the sync date and time in the new Last Sync Date column.

    iOS Settings configuration screen

  • When you assign an app to a delivery group, by default Endpoint Management identifies the app as an optional app. To ensure that Endpoint Management deploys an app to devices, go to Configure > Delivery Groups. On the Apps page, move the app to the Required Apps list.
  • When an update for a public app store app is available: When VPP pushes the app, the app automatically updates on devices. To push an update for Secure Hub, when assigned to device and not to a user, do the following. In Configure > Apps, on a platform page, click Check for Updates and apply the update.

    Apps configuration screen

    Endpoint Management displays a License Expiration Warning when Apple VPP or DEP tokens are nearing expiration or have expired.

    License Expiration Warning screen

    License Expiration screen

iOS Volume Purchase Program