By Jon Xavier
If there’s one thing you learn quickly in the world of Apple IT, it’s that it’s full of acronyms. Virtually every Apple project or program for enterprise has a long name that quickly gets shorthanded to a different set of initials in day-to-day conversation.
Confusingly, it even seems like there are sometimes multiple acronyms to refer to the same thing. One such program is Apple Business Manager. It’s commonly referred to as ABM, but depending on the context you’ll also hear admins throw around terms like VPP and DEP when discussing its functionality. We’re going to cut through some of the noise here and give you an overview of ABM and its components, and explain why it’s something Apple admins will probably want in their toolkit.
About Apple Business Manager (ABM)
Apple Business Manager (ABM) is Apple’s latest foray into meeting the needs of enterprise IT. It gives companies some important tools for managing Apple devices, as well as greater convenience and control around ordering, inventory and licenses.
The important thing to note about ABM is that much of it wasn’t really new when it was released in 2018. At its core are two popular pre-existing enterprise management programs, the Device Enrollment Program and the Volume Purchase Program. So it’s probably more accurate to call ABM a reimagining of Apple’s existing device management offerings than an entirely new thing. It puts everything in one place to give admins better flexibility and convenience, and it also adds role-based access control (RBAC), making it appropriate for larger companies with more complicated security needs.
To get the best possible device management experience, all Apple admins will eventually want to set up Apple Business Manager. It’s free, and it provides a lot of things that most companies won’t want to be without:
- A nearly “zero-touch” deployment experience for new devices.
- The ability to customize the setup assistant which new hires run through the first time they get on their computer.
- Management through Apple Mobile Device Management (MDM) which cannot be removed or circumvented by end users.
- Centralized license management for apps purchased through the App Store.
- The ability to push apps to iOS and tvOS.
One thing that’s important to note, however, is that ABM is not a complete device management solution on its own. It’s intended to supplement and extend device management through mobileconfig profiles—either those installed manually through Apple Configurator or pushed remotely through the Apple MDM protocol. So you’ll need to integrate ABM with an MDM provider like Fleetsmith to get the most out of it.
What’s the difference between Apple Business Manager and Apple School Manager?
ABM isn’t the only management program offered by Apple. There’s also Apple School Manager (ASM), a parallel program intended for IT managers at schools and universities, rather than companies. So what’s the difference between the two?
At the core, not a lot. Both programs implement both DEP and VPP, and the high-level value prop is the same: important tools for managing device and app inventory in a single easy-to-use package.
Yet while school IT has a lot of the same challenges that confront most IT admins, there are also a number of unique ones that arise from having to support both a stable population of employee devices and a class of devices used by a large, varied, and always-changing student body.
So ASM includes a few other features that are very specific to schools:
- Integration with Student Information Systems.
- Additional role-based access management options for teachers and students.
- Functionality related to tracking which classes devices are assigned to.
- Federated access management through Microsoft Azure.
- Integration with iTunes U, Apple’s school-focused app store, and Classroom, an app that helps teachers digitally augment their lessons with iPads.
Device Enrollment Program (DEP) Overview
Apple’s Device Enrollment Program, or DEP, is the Apple program that allows for nearly zero-touch deployment of management on new Apple devices.
Device deployment is often one of the biggest time sucks for IT administrators. Every time a new employee starts or a new device arrives, there’s a whole process of creating new accounts, installing necessary software, drivers, and WiFi credentials; enabling encryption and storing the keys; and configuring the device to meet security and compliance guidelines. Done manually, this can easily add up to a couple of hours of work per device. It’s not uncommon for admins to spend their entire Sunday setting up devices if a large group of new hires is starting on Monday.
DEP is intended to largely eliminate that workload. Once it’s set up, any devices purchased from Apple or an authorized retailer will come “pre-enrolled” in MDM, before they’re even unboxed. This allows admins to define the set-up steps ahead of time in their device management system and have them executed automatically on setup.
This all works through a step the OS takes automatically once it boots up for the first time. Upon powering on and connecting to WiFi, it will poll Apple’s servers to see if it is supposed to be managed by an MDM server. Apple will respond with a mobileconfig that will enroll the device, allowing the MDM to take over from there.
What’s more, MDM enrollment that happens through DEP is special in a few ways:
- macOS devices enrolled through DEP are automatically considered to have User Approved MDM (UAMDM) without requiring any additional approval steps from the user.
- iOS devices enrolled through DEP are automatically considered supervised devices.
- The MDM enrollment cannot be removed or circumvented by the user if the admin chooses to enforce this option in Apple Business Manager.
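The enrollment properties above are something an admin will want to verify on the Mac itself rather than trust. The following is an added example (not Fleetsmith’s or Apple’s code) that parses the two-line report printed by `profiles status -type enrollment` on macOS 10.13.4 and later and turns it into findings: is the device DEP-enrolled, is an MDM profile present, and is that MDM User Approved. The three sample reports are constructed; on a real Mac the script runs the command and parses the live output.

```python
"""Check a Mac's DEP / User Approved MDM enrollment state (added example).

Parses the report printed by `profiles status -type enrollment`, e.g.

    Enrolled via DEP: Yes
    MDM enrollment: Yes (User Approved)

The SAMPLE_* strings are constructed for offline use.
"""
import platform
import subprocess

# Constructed sample reports in the format `profiles status -type enrollment` uses.
SAMPLE_DEP_UAMDM = "Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)\n"
SAMPLE_MANUAL_UNAPPROVED = "Enrolled via DEP: No\nMDM enrollment: Yes\n"
SAMPLE_UNMANAGED = "Enrolled via DEP: No\nMDM enrollment: No\n"


def parse_enrollment(text):
    """Turn the report into a dict of booleans.

    Keys: dep (enrolled via DEP), mdm (an MDM profile is installed),
    user_approved (MDM is User Approved; DEP enrollment implies it).
    """
    status = {"dep": False, "mdm": False, "user_approved": False}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Enrolled via DEP":
            status["dep"] = value.startswith("Yes")
        elif key == "MDM enrollment":
            status["mdm"] = value.startswith("Yes")
            status["user_approved"] = "User Approved" in value
    # A DEP-enrolled Mac gets UAMDM without any approval step from the user.
    if status["dep"] and status["mdm"]:
        status["user_approved"] = True
    return status


def enrollment_findings(status):
    """Return the findings a fleet check would flag; an empty list means compliant."""
    findings = []
    if not status["mdm"]:
        findings.append("no MDM enrollment: device is unmanaged")
    elif not status["user_approved"]:
        findings.append("MDM not User Approved: payloads that require UAMDM will not apply")
    if not status["dep"]:
        findings.append("not enrolled via DEP: the MDM profile can be removed by the user")
    return findings


def enrollment_report():
    """Run the real command on macOS; elsewhere fall back to a constructed sample."""
    if platform.system() == "Darwin":
        out = subprocess.run(["profiles", "status", "-type", "enrollment"],
                             capture_output=True, text=True, check=False).stdout
    else:
        out = SAMPLE_MANUAL_UNAPPROVED
    status = parse_enrollment(out)
    return status, enrollment_findings(status)


if __name__ == "__main__":
    status, findings = enrollment_report()
    print(status)
    for finding in findings:
        print("FINDING:", finding)
```

Run it from your MDM’s script facility or over SSH and collect the findings per device; a Mac that reports anything other than an empty list is one where the DEP enrollment guarantees above do not hold.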
DEP is really nice compared to the ways that admins used to have to deploy new devices. So why doesn’t Fleetsmith consider it to be a “true” zero touch deployment? Because there are still usually a few extra touches needed with MDM+DEP before a device is completely set up: user accounts, apps, and app configuration. There are also some limitations to management through MDM which mean it might not be enough to meet your needs on its own.
In our case, Fleetsmith installs the Fleetsmith Agent as its first order of business once enrollment through DEP is complete. That lets us complete any extra deployment steps seamlessly with no additional work from the admin. We call this True Zero Touch Deployment.
Volume Purchase Program (VPP) Overview
The Volume Purchase Program, or VPP, is the other major component of Apple Business Manager. VPP simplifies the process of buying apps and ebooks through Apple and provides tools for centrally managing software licenses.
Without VPP, any app that is bought through the app store is the property of the user who buys it, not the company itself. That makes it difficult or impossible to reclaim that license and redeploy it in the event the user leaves, creating extra costs and extra headaches for IT.
VPP allows admins to purchase licenses in bulk ahead of time, assign them to devices, and then reclaim them when the devices are decommissioned or re-deployed. Although ebooks can also be purchased through VPP, they work a little differently—they can be bought in bulk ahead of time, but once they’re deployed to a device, they can’t be recovered. Another nice thing about VPP is it gives you the option of doing app purchases through purchase orders, rather than credit cards, which is more in line with purchasing practices at larger companies.
In addition to purchasing licenses, VPP can also be used to deploy apps to devices. There are two models for this: redeemable codes, and managed distribution.
Redeemable codes are just what they sound like: VPP generates a redemption code that the user enters when purchasing an app through the App Store, which results in one of the company’s licenses being assigned to them when they check out. Licenses assigned this way are permanent and can’t be revoked, however, so you should probably not use this as your primary solution for distribution.
Managed distribution requires a connected MDM provider, and works differently depending on which OS the device is running:
- For devices running macOS 10.9 or later or iOS 7.0 or later, there’s the option to assign apps to a user. This requires the user to enroll their personal Apple ID in the company’s VPP program, which doesn’t give the company any access to their ID but does allow apps to be assigned to that user, which will cause them to be downloaded onto the device the user is logged in to. This can happen immediately or take a few hours, depending on when the device next checks in. These app licenses can be revoked as usual, but revoking a license does not remove the app from a user’s device. Instead, they’ll be prompted to buy their own license the next time they try to open the app.
- Starting in macOS 10.10 and iOS 9.0, there’s the option to assign the app to the device instead. This does away with the separate Apple ID enrollment step, and also allows the app to be pushed directly to the device through MDM. It also gives admins the option to remove the app and its data from the device entirely when they revoke a license.
On Mac, deployment through VPP is not ideal, because the MDM protocol is less feature-rich than other device management options—in particular, it can be a pain to keep software up-to-date without more robust package management functionality. VPP is the only centrally-managed way to get apps onto iOS devices, however. If you need to manage a lot of iPads or iPhones, it’s going to be especially important to you.
There are a few other caveats to keep in mind with VPP:
- Licenses sit in a big pot that MDM grabs from when an app is deployed. It’s usually not possible to deploy a specific license to a specific device or user, and you must keep an eye on your supply when deploying to avoid errors.
- VPP is designed to handle everything through an app license, which is not ideal in the case of apps that are free. You still need to “buy” free licenses for these apps through VPP, and you must have sufficient licenses on hand to deploy these apps.
- VPP can be used to deploy internally-developed or custom applications, but this requires an extra submission process through Apple.
- For iOS, there’s a distinction in how VPP deployment operates between devices that are supervised and those that are unsupervised. For unsupervised devices, the user will have to approve each download before it can be installed. For supervised devices, the apps will just appear on the device.
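The managed-distribution rules and the caveats above add up to a small set of accounting rules that are easy to get wrong when planning a rollout. The following is an added example (not Fleetsmith’s or Apple’s code) that models a VPP license pool for one app as the post describes it: device-based and user-based assignments draw from the same pool, revoking a user assignment returns the license but leaves the app on the device, revoking a device assignment can remove the app, free apps still consume licenses, and a deployment that would exceed the pool is reported before it starts. App names, device IDs and user IDs are constructed placeholders.

```python
"""Model of a VPP managed-distribution license pool (added example).

Encodes the behaviour described in the post; all identifiers are constructed.
"""


class VppApp:
    """One app's license pool and where it is currently assigned and installed."""

    def __init__(self, name, purchased):
        self.name = name
        self.purchased = purchased        # licenses "bought" through VPP, even for free apps
        self.device_licenses = set()      # device ids holding a device-based license
        self.user_licenses = {}           # user id -> device the app was downloaded to
        self.installed_on = set()         # devices where the app is actually present

    def available(self):
        """Licenses left in the shared pool (device and user assignments both count)."""
        return self.purchased - len(self.device_licenses) - len(self.user_licenses)

    def _take_one(self):
        if self.available() <= 0:
            raise RuntimeError(f"{self.name}: license pool exhausted")

    def assign_to_device(self, device_id):
        """Device-based assignment (macOS 10.10 / iOS 9 and later): MDM pushes the app."""
        self._take_one()
        self.device_licenses.add(device_id)
        self.installed_on.add(device_id)

    def assign_to_user(self, user_id, device_id):
        """User-based assignment: the app downloads to the device the user is signed in to."""
        self._take_one()
        self.user_licenses[user_id] = device_id
        self.installed_on.add(device_id)

    def revoke_device(self, device_id, remove_app=True):
        """Device licenses can be revoked with the app (and its data) removed."""
        self.device_licenses.discard(device_id)
        if remove_app:
            self.installed_on.discard(device_id)

    def revoke_user(self, user_id):
        """The license returns to the pool, but the app stays on the device;
        the user is prompted to buy their own copy the next time they open it."""
        self.user_licenses.pop(user_id, None)


def plan_deployment(apps, device_ids):
    """Per-app shortfall for pushing every app to every listed device (0 means fine).

    Devices that already hold a device-based license need nothing; the rest each
    need one license from the pool, which is checked before anything is deployed.
    """
    shortfall = {}
    for app in apps:
        needed = len([d for d in device_ids if d not in app.device_licenses])
        shortfall[app.name] = max(0, needed - app.available())
    return shortfall


def demo():
    """Walk through the assign / revoke cases and return the final pool state."""
    app = VppApp("ExampleApp", purchased=3)            # constructed
    app.assign_to_device("ipad-001")
    app.assign_to_user("user-a", "ipad-002")
    plan = plan_deployment([app], ["ipad-001", "ipad-002", "ipad-003", "ipad-004"])
    app.revoke_user("user-a")                          # license back, app still on ipad-002
    app.revoke_device("ipad-001")                      # license back, app removed
    return {"plan": plan, "available": app.available(), "installed": sorted(app.installed_on)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two behaviours that surprise people most: the pool reports a shortfall before the larger rollout (three devices need licenses, one is left), and after the user-based revoke the app is still present on `ipad-002` even though its license is back in the pool.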
How to sign up for Apple Business Manager
To get started with Apple Business Manager, you’ll need to register as a licensed agent of your business with Apple by completing a short sign-up process.
Signing up for ABM isn’t difficult, but it does require you to have a couple of things which may trip you up. The first is the D-U-N-S Number (pronounced “dunz number”) for your business. The D-U-N-S Number is a unique identifier assigned to companies by Dun & Bradstreet, a private research firm that tracks corporate data. Your business probably already has a D-U-N-S Number (you can look it up here), but in case you don’t, it’s easy and free to sign up for one.
Once you’ve got a D-U-N-S Number, the other thing you’ll need is a corporate email address associated with the same domain as your business website. A normal consumer Gmail account won’t work. If you’re using a separate domain for corporate email, it can still work, but it will probably delay your application.
It will take a little while for Apple to complete your ABM sign-up. You should factor a few days to a couple of weeks of waiting into your launch plans, longer if you also have to go through a sign-up process with Dun & Bradstreet.