iOS Volume Purchase Program

You can manage iOS app licensing by using the Apple iOS Volume Purchase Program (VPP). The VPP solution simplifies the process to find, buy, and distribute apps and other data in bulk for an organization.

With VPP, you can use XenMobile to distribute public app store apps. VPP is not supported for mobile productivity apps or for apps wrapped by using the MDX Toolkit. Although you can distribute the XenMobile public store apps with VPP, the deployment is not optimal. Further enhancements to the XenMobile Server and the Secure Hub store are required to address the limitations. For a list of known issues with deploying the XenMobile public store apps via VPP and potential workarounds, see this article in the Citrix knowledge center.

With VPP, you can distribute the applicable apps directly to your devices. Or, you assign content to your users by using redeemable codes. You configure settings specific to the iOS VPP in XenMobile.

XenMobile periodically reimports VPP licenses from Apple to ensure that the licenses reflect all changes. Such changes include when you manually delete an imported app from VPP. By default, XenMobile refreshes the VPP license baseline a minimum of every 720 minutes. You can change the baseline interval through the server property, VPP baseline interval (vpp.baseline). For information, see Server properties.

This article focuses on using VPP with managed licenses, which enables you to use XenMobile to distribute apps. If you use redemption codes and want to change to managed distribution, see this Apple Support document: Migrate from redemption codes to managed distribution with the Volume Purchase Program.

For information about the iOS VPP, see To enroll in VPP, go to To access your VPP store in iTunes, go to

After you save these iOS VPP settings in XenMobile, the purchased apps appear on the Configure > Apps page in the XenMobile console.

  1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Under Platform, click iOS Settings. The iOS Settings configuration page appears.

    Image of iOS Settings configuration screen

  3. Configure these settings:

    • Store user password in Secure Hub: Select whether to store a user name and password in Secure Hub for XenMobile authentication. The default is to store the information by using this secure method.
    • User property for VPP country mapping: Type a code to allow users to download apps from country-specific app stores.

    XenMobile uses this mapping to choose the property pool of the VPP. For example, if the user property is United States, that user cannot download apps if the VPP code for the app is for the United Kingdom. Contact your VPP plan administrator for more information about the country mapping code.

  4. For each VPP account you want to add, click Add. The Add VPP account dialog box appears.

    Image of iOS Settings configuration screen

  5. Configure these settings for each account you add:


    If you use Apple Configurator 1, upload a license file: Go to Configure > Apps, go to a platform page, and then expand Volume Purchase Program.

    • Name: Type the VPP account name.
    • Suffix: Type the suffix to appear with the names of apps obtained through the VPP account. For example, if you enter VPP, the Secure Mail app appears in the apps list as Secure Mail - VPP.
    • Company Token: Copy and paste the VPP service token obtained from Apple. To obtain the token: In the Account Summary page of the Apple VPP portal, click the Download button to generate and download the VPP file. The file contains the service token and other information, like the country code and expiry. Save the file in a secure location.
    • User Login: Type an optional authorized VPP account administrator name used to import custom B2B apps.
    • User Password: Type the VPP account administrator password.
  6. Click Save to close the dialog box.

  7. Click Save to save the iOS settings.

    A message appears stating that XenMobile adds the apps to the list on the Configure > Apps page. On that page, notice that the app names from your VPP account include the suffix you provided in the preceding configuration.

You can now configure the VPP app settings and then tune your delivery group and device policy settings for VPP apps. After you complete those configurations, users can enroll their devices. The following notes provide considerations for those processes.

  • When configuring VPP app settings (Configure > Apps), enable Force license association to device. An advantage of using Apple VPP and DEP with supervised devices: The ability to use XenMobile to assign the app at the device (rather than user) level. As a result, you don’t have to use an Apple ID device. Also, users don’t receive an invitation to join the VPP program. Users can also download the apps without signing into their iTunes account.

    Image of Apps configuration screen

    To view the VPP info for that app, expand Volume Purchase Program. Notice in the VPP ID Assignment table, the license is associated with a device. The device serial number appears in the Associated Device column. If the user removes the token and then imports it again, the word Hidden appears instead of the serial number, due to Apple privacy restrictions.

    Image of Apps configuration screen

    To disassociate a license, click the row for the license and then click Disassociate.

    Image of Apps configuration screen

    If you associate VPP licenses with users, XenMobile integrates users into your VPP account and associates their iTunes ID with the VPP account. The iTunes ID of users is never visible to your company or to the XenMobile Server. Apple transparently creates the association to retain user privacy. You can retire a user from the VPP program, to disassociate all licenses from the user account. To retire a user, go to Manage > Devices.

    Image of Devices configuration screen

  • When you assign an app to a delivery group, by default XenMobile identifies the app as an optional app. To ensure that XenMobile deploys an app to devices, go to Configure > Delivery Groups. On the Apps page, move the app to the Required Apps list.
  • When an update for a public app store app is available: When VPP pushes the app, the app doesn’t automatically update on devices until you check for updates and apply them. To push an update for Secure Hub, when assigned to device and not to a user, do the following. In Configure > Apps, on a platform page, click Check for Updates and apply the update.

    Image of Apps configuration screen

    XenMobile displays a License Expiration Warning when Apple VPP tokens are nearing expiration or have expired.

    Image of License Expiration Warning screen

iOS Volume Purchase Program