Solution

  • Workspace ONE

Type

  • Document

Level

  • Intermediate

Category

  • Operational Tutorial

Product

  • Workspace ONE UEM

OS/Platform

  • iOS

Phase

  • Manage

Managing iOS Custom Apps: VMware Workspace ONE Operational Tutorial

Workspace ONE 2003 and later; iOS 13 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment.

With Apple Business Manager or Apple School Manager, Workspace ONE administrators can privately and securely distribute applications to specific partners, clients, and franchisees. Administrators can also distribute proprietary apps to their internal employees. These business-to-business and business-to-self apps, known as custom apps, work similarly to public App Store apps but with tightly controlled distribution. This tutorial explains how to procure, sync, and manage custom apps with Workspace ONE.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with Apple technologies is assumed, including Apple Business Manager, iOS, and Mobile Device Management. Knowledge of additional technologies such as VMware Workspace ONE UEM is also helpful.

Prerequisites

This operational tutorial covers topics specific to iOS device management. You must have the following components installed and configured:

  • Apple Business Manager or Apple School Manager
  • Custom app published to your Apple Business Manager (or Apple School Manager) Organization ID
  • Workspace ONE UEM 2003 and later
  • iOS 13 and later
  • Optionally, an iOS app to publish as a custom app

Note: Some of these steps apply to earlier versions of Workspace ONE UEM and iOS. Workspace ONE UEM 2003+ and iOS 13+ are listed as prerequisites because they are required for all sections of this tutorial to apply.

Publish iOS Apps as Custom Apps

Introduction

A key feature of custom apps for iOS is the ability to leverage the Apple App Store without making your application available to the public. Because the app is not made public, a Custom App developer needs a method of identifying businesses that should have access to the application. To control access, Apple leverages Apple Business Manager (or Apple School Manager). When a Custom App is uploaded through App Store Connect, the developer must list the Organization IDs to which the Custom App should be made available.

In this section, you enable Apple Business Manager for custom apps and ensure that distribution is configured correctly.

Developer Notes About Custom Apps

If you are publishing a custom application for your own organization (business-to-self) or for another organization (business-to-business), note the following features that differ from traditional "Enterprise Signed" iOS software:

  1. Custom apps must go through App Store approval.  
  2. If your custom app requires login information or backing data, you must provide Apple sanitized logins and data to illustrate the app's functionality during App Store Approval.
  3. Custom apps can be beta tested with TestFlight, in a similar fashion to a public App Store application.

Prerequisites

In this activity, you perform the following prerequisite tasks for custom apps:

  • Obtain the organization ID for distribution back to your organization (business-to-self) or a customer organization (business-to-business).
  • Enable Apple Business Manager (or Apple School Manager) for custom apps functionality.

1. Browse to Enrollment Information

Within Apple Business Manager or Apple School Manager:

  1. Click Settings.
  2. Click Enrollment Information.
  3. Note the Organization ID. You enter this number in App Store Connect when configuring an app for Custom App Distribution.

2. Enable Custom Apps

  1. Check that Custom Apps are Enabled.
  2. If not Enabled, click the Enable button.

Configuring Distribution for Custom Apps

If your development team wants to distribute custom apps, it is critical to publish the app correctly in App Store Connect. The two key focus areas of this activity illustrate how to set the distribution appropriately and where to enter the Organization ID for each customer who should have access to license and distribute the app.

1. Configure Your App for Custom App Distribution

Custom Apps and App Store Connect

Within App Store Connect, make the appropriate configurations for your application as follows:

  1. Ensure the App Store pane is selected.
  2. Click Pricing and Availability.
  3. Click Available Privately as a custom B2B app.

2. Enter Organization IDs to Authorize Private Distribution

In App Store Connect:

  1. Select DEP ID for Type.
  2. Paste the Organization ID from Apple Business Manager or Apple School Manager into the ID text box. This is the organization ID you obtained from the previous exercise.
  3. Enter the Organization Name.

You can continue to add additional DEP ID information to your Distribution settings as necessary.

License Custom Apps in Apple Business Manager

Introduction

Custom apps are volume-licensed through Apple Business Manager and Apple School Manager in a similar way to public store apps. Like public apps, managed distribution licenses for custom apps are associated with Apple Business Manager locations. When you export a location token and import it to Workspace ONE, custom apps are managed and assigned in the Workspace ONE UEM console together with all other volume purchased applications.

However, unlike public store apps, custom apps appear in Apple Business Manager (and Apple School Manager) in a separate content search container. This specific section shows how to purchase managed distribution licenses for custom apps in Apple Business Manager.

Volume Licensing Custom Apps

In this activity, you get licenses from Apple Business Manager (or Apple School Manager) for your custom app.

Get Managed Licenses for a Custom App

Custom Apps and Managed licenses in Workspace ONE UEM

Within Apple Business Manager (or Apple School Manager):

  1. Click Custom Apps.
  2. Select the Custom App which has been assigned to your Organization ID.
  3. Select the Managed license type.
  4. Choose the Location to assign the licenses.
  5. Enter a Quantity of licenses to purchase.
  6. Click Get.

Sync Custom Apps to Workspace ONE

Introduction

In this section, you sync your custom app to Workspace ONE. The exercises include adding a location token to Workspace ONE UEM, syncing volume purchase licenses, and bulk-enabling device based licensing.

Adding Location Token to Workspace ONE UEM

An Apple Business Manager (or Apple School Manager) location is a container that ties a set of books and apps to one or more content managers. Each location has a token that can be uploaded to Workspace ONE to allow App and Book management within the Workspace ONE UEM organization group. The token provides the credentials by which Workspace ONE authenticates to Apple Business Manager to sync assets and manage license assignment.

1. Download Token from Apple Business Manager

App and Books in Apple Business Manager

Within Apple Business Manager (or Apple School Manager):

  1. Click Settings.
  2. Click Apps and Books.
  3. Click Download for the Server Token next to your Location.
  4. For macOS Catalina, click Allow to allow the download from Apple Business Manager.

2. Select VPP Managed Distribution

In Workspace ONE UEM:

  1. Click Groups & Settings.
  2. Click Configurations.
  3. Scroll the list of Configurations.
  4. Select VPP Managed Distribution.

3. Upload Location Token

  1. Ensure the Current Setting is set to Override.
  2. Enter a friendly name for the Location.
  3. Click Upload.
  4. In the dialog box, click Choose File. Browse to and select the vpptoken file that you downloaded in "Download Token from Apple Business Manager", and select Choose.
  5. Click Save.
  6. Click Save.

4. Cancel Warning About License Usage in Other Environments

If you unexpectedly receive a message about the sToken being used in another environment, click Cancel. An Apple Business Manager (or Apple School Manager) location can be managed by only one (1) MDM or UEM system at a time. You should resolve the reason for this message before attempting to upload the Token. Alternatively, create a new location in Apple Business Manager.

Note: Instead of uploading the same Token in both your Testing and Production Workspace ONE UEM instance, you should create a second location in Apple Business Manager. Within Apple Business Manager, you can allocate unused licenses between locations allowing you to purchase additional licenses (or move a subset) into your second Location for testing.

For questions regarding Apple Business Manager, refer to Apple Support.
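
A pre-upload check for the location token, as an added example that is not part of the original tutorial and is not VMware or Apple code: it reports the organization name and expiry, and fingerprints the credential so you can confirm that Testing and Production do not share one token. It assumes the downloaded file is base64-encoded JSON with token, expDate and orgName fields, which this page does not document; the function names and sample tokens are constructed.

```python
import base64
import hashlib
import json
from datetime import datetime, timezone

# Assumption (not documented on this page): the downloaded file is
# base64-encoded JSON carrying "token", "expDate" and "orgName".
REQUIRED_FIELDS = ("token", "expDate", "orgName")


def inspect_location_token(raw: bytes, now: datetime, warn_days: int = 30) -> dict:
    """Summarise a token file without returning the secret; `now` must be tz-aware."""
    try:
        doc = json.loads(base64.b64decode(raw.strip(), validate=True))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("not a base64-encoded JSON token file") from exc
    if not isinstance(doc, dict) or any(f not in doc for f in REQUIRED_FIELDS):
        raise ValueError("token file lacks one of: " + ", ".join(REQUIRED_FIELDS))
    expires = datetime.strptime(doc["expDate"], "%Y-%m-%dT%H:%M:%S%z")
    days_left = (expires - now).days
    if expires <= now:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {
        "org_name": doc["orgName"],
        "expires": expires.isoformat(),
        "days_left": days_left,
        "status": status,
        # A truncated digest identifies the credential without exposing it.
        "fingerprint": hashlib.sha256(str(doc["token"]).encode()).hexdigest()[:16],
    }


def shared_between(tokens: dict, now: datetime) -> list:
    """Return groups of environment names whose files hold the same credential."""
    groups = {}
    for env, raw in tokens.items():
        groups.setdefault(inspect_location_token(raw, now)["fingerprint"], []).append(env)
    return [envs for envs in groups.values() if len(envs) > 1]


def constructed_token(org: str, secret: str, exp: str) -> bytes:
    """Build a constructed sample file; these are not real credentials."""
    body = {"token": secret, "expDate": exp, "orgName": org}
    return base64.b64encode(json.dumps(body).encode())


PROD = constructed_token("Example Org - Production", "CONSTRUCTED-SECRET-A", "2031-05-01T10:00:00-0700")
TEST = constructed_token("Example Org - Testing", "CONSTRUCTED-SECRET-B", "2030-01-10T10:00:00-0700")

if __name__ == "__main__":
    now = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for name, raw in {"production": PROD, "testing": TEST}.items():
        print(name, inspect_location_token(raw, now))
    print("shared:", shared_between({"production": PROD, "testing": TEST}, now))
```

To check a real download, pass the file's bytes (for example `open(path, "rb").read()`) together with `datetime.now(timezone.utc)`.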

Syncing Volume Purchase Licenses

By default, Workspace ONE syncs managed distribution licenses for custom apps and volume-licensed public apps daily. The sync is scheduled automatically, allowing Workspace ONE to reconcile newly purchased licenses and updated metadata (descriptions and images). When you upload a location token, you can speed up this process by manually initiating a license sync.

Sync Licenses from Apple Business Manager

Custom Apps in Workspace ONE UEM

In the Workspace ONE console:

  1. Click Apps & Books.
  2. Click Native.
  3. Click Purchased.
  4. Click Sync Assets.

Tip: For license and metadata sync to work for on-premises Workspace ONE customers, admins must allow access to *.itunes.apple.com over TCP ports 80 and 443. Refer to Use Apple Products on Enterprise Networks for the full list of hosts and ports required to manage and use Apple products on enterprise networks.

Bulk-Enabling Device-Based Licensing

Managed distribution licenses can be assigned on a per-user or per-device basis. In the per-user licensing model, the end user of the device is prompted to enter their Apple ID credentials on the device to assign the license. In other words, per-user license distribution requires that all users have an Apple ID. In the per-device licensing model, managed distribution licenses are assigned directly to the device regardless of whether the user has entered Apple ID information. The end user is not required to have an Apple ID in order for the app to be assigned to the device and installed from the App Store.

For more information, refer to Managed Distribution by Device Serial Number.

Note: If a device is supervised, the user does not get prompted to participate in volume-purchased app management.

Warning: If you convert an application to device-based licensing, you cannot revert it back to user-based licensing.

Bulk-Enable Device-Based Licensing

Custom Apps in Workspace ONE UEM

In the Workspace ONE UEM Console:

  1. Click Apps & Books.
  2. Click Native.
  3. Select Purchased.
  4. Select one or more Public and/or Custom Apps.
  5. Click Enable Device Assignment.
  6. Click Ok to enable device-based licensing for the selected apps.

Assign and Manage Custom Apps

Introduction

In this section, you assign custom apps to a device and learn how to update custom apps.

Assigning Custom Apps to Devices

Custom apps are assigned to devices in the same way as a volume-licensed public app. In this activity, you assign a custom app to one or more groups of iOS devices.

1. Select a Custom App

Custom Apps in Workspace ONE UEM

In the Workspace ONE UEM Console:

  1. Click Apps & Books.
  2. Click Native.
  3. Select Purchased.
  4. Select a Custom App.

2. Modify Categories

  1. Select Details.
  2. Click and select one or more Categories.
  3. If necessary, remove a category by clicking the [X].

Note: Categories are used to group applications in the user's app catalog in the Workspace ONE Intelligent Hub.

3. [Optional] Configure SDK Profile

If the Custom App has the Workspace ONE SDK embedded, configure the SDK profile. If the app does not use the Workspace ONE SDK, you can skip this step.

  1. Select the SDK tab.
  2. Select an SDK Profile.
  3. If a certificate is required, select the appropriate Application Profile.

4. Save and Assign Application

Click Save & Assign.

5. Configure Distribution Options

  1. Enter a descriptive Name for the distribution.
  2. Click into the Assignments Groups text box and select an existing assignment group.
  3. Enter the number of managed distribution licenses to allocate to that assignment group.
  4. If necessary, click Add to include additional assignment groups and allocate licenses.
  5. Select the Delivery method.  

Note: Regarding the delivery method, Auto is delivered immediately upon membership to the assignment. On-Demand holds the application delivery until the user selects the install from their application catalog.

6. Configure Restrictions

  1. Click Restrictions.
  2. Enable Remove on Unenroll.
  3. [Optional] Enable Prevent Application Backup.

7. [Optional] Configure Tunnel and Other Attributes

  1. Click Tunnel & Other Attributes.
  2. Select the Per-App Tunnel profile the Custom App should use.
  3. If the application requires any Apple-defined Application Attributes, enable Other Attributes.
  4. If an XML document is provided by the Custom App developer, click Upload XML, browse, and select the XML file to populate the list of app attribute key-value pairs.
  5. Enter or modify the attribute configuration key.
  6. Select the value type.
  7. Enter the value, or select the plus sign [+] to insert a lookup value.
  8. Click Add if additional attribute key-value pairs are required.

Note: Unlike Application Configuration (or AppConfig) key-value pairs which are defined by the app developer, app attribute key-value pairs are defined by Apple. Custom App developers might provide an XML document or listing of the key-value pairs to simplify your configuration task, but the keys are defined by Apple. As of the initial publishing of this document, only two keys are supported by Apple:

  • VPNUUID: This is already covered by the "Per-App VPN Profile" select list in step 2 of this heading.
  • AssociatedDomains: Allows you to specify which domains are owned by the app owner's organization, which is typically used for SSO Extensions created by Identity Providers.

8. [Optional] Configure Application Configuration (AppConfig)

  1. Select Application Configuration.
  2. If Application Configuration (AppConfig) values are required, enable them by clicking the slider.
  3. If the Custom App vendor has provided an XML document defining all the AppConfig values, click Upload XML, select the XML document, and click Choose. This pre-populates the list of key-value pairs.
  4. If required, enter a Configuration Key Name.
  5. Select the Value Type.
  6. Enter the value or click the plus sign [+] to insert a lookup value.
  7. If additional Key-Value pairs are required, click Add.

For more information about Application Configuration (AppConfig) values, see the AppConfig Community.

9. Create Assignment

When the Assignment is configured, click Create.

10. [Optional] Add Assignment and Modify Priority

  1. If Additional Assignments are required, click Add Assignment and repeat from Configure Distribution Options.
  2. To modify assignment priority, select a new priority value for the particular assignment.

11. Save Assignment(s)

Click Save.

12. Publish Assignment(s)

Click Publish.

Updating Custom Apps

Custom apps are updated similarly to volume-purchased applications within Workspace ONE. When you view the Purchased app list, the Update Status column shows when an app update is available. Note that as of Workspace ONE UEM 2003 and later, both custom apps and volume-licensed apps distributed via device-based licensing can be updated by Workspace ONE. App updates are performed manually, or can be set to automatic. When an administrator elects to update a custom app, Workspace ONE delivers a command to all devices that have the app installed but are running an outdated version. Apps can only be updated to the most recently released version.

Update a Custom App

Custom Apps in Workspace ONE UEM
  1. Click Apps & Books.
  2. Click Native.
  3. Select Purchased.
  4. Select a Custom App by clicking the checkbox.
  5. Update any assigned devices with the Custom App installed to the most recent version by clicking Update App.
  6. Optionally, click More Actions > Enable Auto Updates to have Workspace ONE issue commands to update the app on installed devices whenever the version changes.

Summary and Additional Resources

Conclusion

This operational tutorial provided exercises to help you publish iOS apps as custom apps.

Procedures included licensing custom apps in Apple Business Manager, syncing custom apps to Workspace ONE, and assigning and managing your custom apps.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

  • application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
  • auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
  • catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
  • cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
  • device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).
  • identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
  • mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
  • one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
  • service provider (SP): A host that offers resources, tools, and applications to users and devices.
  • virtual desktop: The user interface of a virtual machine that is made available to an end user.
  • virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 

 

About the Author

This tutorial was written by:

  • Robert Terakedis, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Feedback

Your feedback is valuable. 

To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
