How to Create a VPP Token
In iOS 7 and later or OS X 10.9 and later, VPP App Assignment allows an organization to assign apps to users. Later, if a user no longer needs an app, you can reclaim the app license and assign it to a different user. On iOS 9 and later or OS X 10.11 and later, VPP can assign a license to the device serial number, so no Apple ID is required to download the app.
A secure token has to be added into Asset Vision to manage licenses. You can obtain a token by logging into https://vpp.itunes.apple.com/ and in the Account Summary page, clicking on the Download button to generate and download a text file containing the new token. The secure token blob itself is a JSON object in Base64 encoding. When decoded, the resulting JSON object contains three fields: token, expDate, and orgName.
Navigate to VPP Token Menu and Click New
Navigate to Setup > App Administration > Client Manager > VPP Token and click New.
- Enter the token in the Token Source field.
- Click Test to decode the value from Token Source field so you can review the token’s expiration date and organization name.
- Click Save.
Note: At any given time only 1 VPP token can exist. Adding a new token will always result in updating the existing one.
Security
Security around VPP service is designed in a way that if you have read access to the VPP Tokens table (mdm_vpp_token) then you can manage licenses using Managed Distribution. By default, only admins have such access. This behavior can be changed in Role Management.
All tables engaged in VPP functionality are read-only with restricted access. Entities are added and deleted after synchronization by VPP service only.
Sync and Token Expiration Notifications
During its initial installation, VPP Managed Distribution service creates a new sync job (VPP sync) and notification job (VPP notification job) to monitor the expiration date of the VPP token and it should serve as a reminder that it is time to get a new secure token blob in order to avoid any service disruption.
The VPP sync job runs every 12 hours and synchronizes local data with VPP servers.
If the provided VPP token is within the expiration warning period (currently 15 days before the expiration date), then the VPP Notification Job starts sending warning messages to users specified in Expiration Address field. If Expiration Address is empty then the job sends notification to all users with a role of either admin or cmadmin. Such notifications are sent every day and can be easily turned off by setting Expiration Warning to false.