Managing iOS Custom Apps: Workspace ONE Operational TutorialWorkspace ONE 2003 and later
iOS 13 and later
VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment.
With Apple Business Manager or Apple School Manager, Workspace ONE administrators can privately and securely distribute applications to specific partners, clients, and franchisees. Administrators can also distribute proprietary apps to their internal employees. These business-to-business and business-to-self apps, known as custom apps, work similar to public App Store apps but with a tightly controlled distribution. This tutorial aims to provide knowledge on how to procure, sync, and manage custom apps with Workspace ONE.
This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with Apple technologies is assumed, including Apple Business Manager, iOS, and Mobile Device Management.
This operational tutorial covers topics specific to iOS device management. You must have the following components installed and configured:
- Apple Business Manager or Apple School Manager
- Custom app published to your Apple Business Manager (or Apple School Manager) Organization ID
- Workspace ONE UEM 2003 and later
- iOS 13 and later
- Optionally, an iOS app to publish as a custom app
Note: Some of these steps apply to earlier versions of Workspace ONE UEM and iOS. Workspace ONE UEM 2003+ and iOS 13+ are specified as prerequisites for all sections of this tutorial to apply.
Publish iOS Apps as Custom Apps
A key feature of custom apps for iOS is the ability to leverage the Apple App Store without making your application available to the public. Because the app is not made public, a Custom App developer needs a method of identifying businesses that should have access to the application. To control access, Apple leverages Apple Business Manager (or Apple School Manager). When a Custom App is uploaded through App Connect, the developer must list the Organization ID's to which the Custom App should be made available.
In this section, you enable Apple Business Manager for custom apps and ensure that distribution is configured correctly.
Developer Notes About Custom Apps
If you are publishing a custom application for yourself (business-to-self) or another organization (business-to-business), developers should note the following features that differ from traditional "Enterprise Signed" iOS software:
- Custom apps must go through App Store approval.
- If your custom app requires login information or backing data, you must provide Apple sanitized logins and data to illustrate the app's functionality during App Store Approval.
- Custom apps can be beta tested with TestFlight, in a similar fashion to a public App Store application.
In this activity, you perform the following prerequisite tasks for custom apps:
- Obtain the organization ID for distribution back to your organization (business-to-self) or a customer organization (business-to-business).
- Enable Apple Business Manager (or Apple School Manager) for custom apps functionality.
1. Browse to Enrollment Information
Within Apple Business Manager or Apple School Manager:
- Click Settings.
- Click Enrollment Information.
- Note the Organization ID. You enter this number in App Store Connect when configuring an app for Custom App Distribution.
2. Enable Custom Apps
- Check that Custom Apps are Enabled.
- If not Enabled, click the Enable button.
Configuring Distribution for Custom Apps
If your development team wants to distribute custom apps, it is critical to publish the app correctly in App Store Connect. The two key focus areas of this activity illustrate how to set the distribution appropriately and where to enter the Organization ID for each customer who should have access to license and distribute the app.
1. Configure Your App for Custom App Distribution
Within App Store Connect, make the appropriate configurations for your application as follows:
- Ensure the App Store pane is selected.
- Click Pricing and Availability.
- Click Available Privately as a custom B2B app.
License Custom Apps in Apple Business Manager
Custom apps are volume-licensed through Apple Business Manager and Apple School Manager in a similar way to public store apps. Like public apps, managed distribution licenses for custom apps are associated with Apple Business Manager locations. When you export a location token and import it to Workspace ONE, custom apps are managed and assigned in the Workspace ONE UEM console together with all other volume purchased applications.
However, unlike public store apps, custom apps appear in Apple Business Manager (and Apple School Manager) in a separate content search container. This specific section shows how to purchase managed distribution licenses for custom apps in Apple Business Manager.
Volume Licensing Custom Apps
In this activity, you get licenses from Apple Business Manager (or Apple School Manager) for your custom app.
Get Managed Licenses for a Custom App
Within Apple Business Manager (or Apple School Manager):
- Click Custom Apps.
- Select the Custom App which has been assigned to your Organization ID.
- Select the Managed license type.
- Choose the Location to assign the licenses.
- Enter a Quantity of licenses to purchase.
- Click Get.
Sync Purchased Apps to Workspace ONE
In this section, you sync your custom app to Workspace ONE. The exercises include adding a location token to Workspace ONE UEM, syncing volume purchase licenses, and bulk-enabling device based licensing.
Adding Location Token to Workspace ONE UEM
An Apple Business Manager (or Apple School Manager) location is a container that ties a set of books and apps to one or more content managers. Each location has a token that can be uploaded to Workspace ONE to allow App and Book management within the Workspace ONE UEM organization group. The token provides the credentials by which Workspace ONE authenticates to Apple Business Manager to sync assets and manage license assignment.
1. Download Token from Apple Business Manager
Within Apple Business Manager (or Apple School Manager):
- Click Settings.
- Click Apps and Books.
- Click Download for the Server Token next to your Location.
- For macOS Catalina and later, click Allow to allow the download from Apple Business Manager.
2. Select VPP Managed Distribution
In Workspace ONE UEM:
- Click Groups & Settings.
- Click Configurations.
- Scroll down through the list of Configurations.
- Select VPP Managed Distribution.
3. Upload Location Token
- Ensure the Current Setting is set to Override.
- Enter a friendly name for the Location.
- Click Upload.
- In the dialog box, click Choose File. Browse to and select the vpptoken file downloaded in Download Token from Apple Business Manager, and select Choose.
- Click Save.
- Click Save.
4. Cancel Warning About License Usage in Other Environments
If you unexpectedly receive a message about the sToken being used in another environment, click Cancel. An Apple Business Manager (or Apple School Manager) location can be managed by only one (1) MDM or UEM system at a time. You should resolve the reason for this message before attempting to upload the Token. Alternatively, create a new location in Apple Business Manager.
Note: Instead of uploading the same Token in both your Testing and Production Workspace ONE UEM instance, you should create a second location in Apple Business Manager. Within Apple Business Manager, you can allocate unused licenses between locations allowing you to purchase additional licenses (or move a subset) into your second Location for testing.
For questions regarding Apple Business Manager, refer to Apple Support.
Syncing Volume Purchase Licenses
By default, Workspace ONE syncs managed distribution licenses for custom apps and volume-licensed public apps daily. The sync is scheduled automatically, allowing Workspace ONE to reconcile newly purchased licenses and updated metadata (descriptions and images). When you upload a location token, you can speed up this process by manually initiating a license sync.
Sync Licenses from Apple Business Manager
In the Workspace ONE console:
- Click Resources.
- Expand Apps and click Native.
- Click Purchased.
- Click Sync Assets.
- Click Refresh to view assets that have been updated from the sync.
Tip: For license and metadata sync to work for on-premises Workspace ONE customers, admins must allow access to *.itunes.apple.com over TCP port 80 and 443. Refer to Use Apple Products on Enterprise Networks for the full list of hosts and ports required to manage and use Apple products on enterprise networks.
Bulk-Enabling Device-Based Licensing
Managed distribution licenses can be assigned on a per-user, or per-device basis. For the per-user licensing model, the end-user of the device is prompted to enter their Apple ID credentials into the device to assign the license. In other words, per-user license distribution requires that all users have an Apple ID. In the per-device licensing model, managed distribution licenses are assigned directly to the device regardless of whether the user has entered Apple ID information. The end-user is not required to have an Apple ID in order for the app to be assigned to the device and installed from the App Store.
For more information, refer to Managed Distribution by Device Serial Number.
Note: If a device is supervised, the user does not get prompted to participate in volume-purchased app management.
Warning: If you convert an application to device-based licensing, you cannot revert it back to user-based licensing.
Assign and Manage Custom Apps
In this section, you assign custom apps to a device and learn how to update custom apps.
Assigning Custom Apps to Devices
Custom apps are assigned to devices in the same way as a volume-licensed public app. In this activity, you assign a custom app to one or more groups of iOS devices.
1. Select a Custom App
In the Workspace ONE UEM Console:
- Click Apps & Books.
- Click Native.
- Select Purchased.
- Select a Custom App.
2. Modify Categories
- Select Details.
- Click and select one or more Categories.
- If necessary, remove a category by clicking the [X].
Note: Categories are used to group applications in the user's app catalog in the Workspace ONE Intelligent Hub.
3. [Optional] Configure SDK Profile
If the Custom App has the Workspace ONE SDK embedded, configure the SDK profile. If the app does not use the Workspace ONE SDK, you can skip this step.
- Select the SDK tab.
- Select an SDK Profile.
- If a certificate is required, select the appropriate Application Profile.
4. Save and Assign Application
Click Save & Assign.
5. Configure Distribution Options
- Enter a descriptive Name for the distribution.
- Click into the Assignments Groups text box and select an existing assignment group.
- Enter the number of managed distribution licenses to allocate that assignment group.
- If necessary, click Add to include additional assignment groups and allocate licenses.
- Select the Delivery method.
Note: Regarding the delivery method, Auto is delivered immediately upon membership to the assignment. On-Demand holds the application delivery until the user selects the install from their application catalog.
6. Configure Restrictions
- Click Restrictions.
- Enable Remove on Unenroll.
- [Optional] Enable Prevent Application Backup.
7. [Optional] Configure Tunnel and Other Attributes
- Click Tunnel & Other Attributes.
- Select the Per-App Tunnel profile the Custom App should use.
- If the application requires any Apple-defined Application Attributes, enable Other Attributes.
- If an XML document is provided by the Custom App developer, click Upload XML, browse, and select the XML file to populate the list of app attribute key-value pairs.
- Enter or modify the attribute configuration key.
- Select the value type.
- Enter the value, or select the plus sign [+] to insert a lookup value.
- Click Add if additional attribute key-value pairs are required.
Note: Unlike Application Configuration (or AppConfig) key-value pairs which are defined by the app developer, app attribute key-value pairs are defined by Apple. Custom App developers might provide an XML document or listing of the key-value pairs to simplify your configuration task, but the keys are defined by Apple. As of the initial publishing of this document, only two keys are supported by Apple:
- VPNUUID: This is already covered by the "Per-App VPN Profile" select list in step 2 of this heading.
- AssociatedDomains: Allows you to specify which domains are owned by the app owner's organization, which is typically used for SSO Extensions created by Identity Providers.
8. [Optional] Configure Application Configuration (AppConfig)
- Select Application Configuration.
- If Application Configuration (AppConfig) values are required, enable them by clicking the slider.
- If the Custom Apps vendor has provided an XML document defining all the AppConfig values, click Upload XML, select the XML document and click Choose. This will pre-populate the list of key-value pairs.
- If required, enter a Configuration Key Name.
- Select the Value Type.
- Enter the value or click the plus sign [+] to insert a lookup value.
- If additional Key-Value pairs are required, click Add.
For more information about Application Configuration (AppConfig) values, see the AppConfig Community.
9. Create Assignment
When the Assignment is configured, click Create.
10. [Optional] Add Assignment and Modify Priority
- If Additional Assignments are required, click Add Assignment and repeat from Configure Distribution Options.
- To modify assignment priority, select a new priority value for the particular assignment.
11. Save Assignment(s)
12. Publish Assignment(s)
Updating Custom Apps
Custom apps are updated similar to volume-purchased applications within Workspace ONE. When you view the Purchased app list, the Update Status column shows when an app update is available. Note that as of Workspace ONE UEM 2003 and later, both custom apps and volume licensed apps distributed via device-based licensing can be updated by Workspace ONE. App updates are performed manually, or can be set to automatic. When an administrator elects to update a custom app, Workspace ONE delivers a command to all devices with the app installed but that currently have an outdated version of the app. Apps can only be updated to the most recently released version.
Update a Custom App
- Click Apps & Books.
- Click Native.
- Select Purchased.
- Select a Custom App by clicking the checkbox.
- Update any assigned devices with the Custom App installed to the most recent version by clicking Update App.
- Optionally, click More Actions > Enable Auto Updates to have Workspace ONE issue commands to update the app on installed devices whenever the version changes.
Notes about Custom App Updates
When you are notified about an update to a Custom App by a Custom App developer, the following guidance should apply prior to updating:
- Once an update is uploaded through App Store Connect, it may not be immediately available due to the app approval process.
- Once approval is granted, there may be a slight delay from when the app is updated to when it is available across the entire App Store content delivery network.
- While the App Store publishing process is running, an update may not immediately display as an available update in the Workspace ONE console.
- Once the app update is available in the Custom App Store listings, there may be a slight delay until the update is discovered by the scheduled process within Workspace ONE that syncs Apple Business Manager licensed content metadata (versioning, images, icons, and text).
Summary and Additional Resources
This operational tutorial provided exercises to help you publish iOS apps as custom apps.
Procedures included how to license custom apps in Apple Business Manager, syncing custom apps to Workspace ONE, and assigning and managing your custom apps.
For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.
Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.
For more information on Managing Windows 10 Devices with Workspace ONE, see the Understanding Windows 10 Management Activity Path .
The content in this section helps you establish a basic understanding of Windows 10 management in the following categories:
- Getting Started
- Adoption & Migration
- Device Onboarding
- Configuring Policies & Baselines
- Deploying Applications
- Updates & Patches
- Scripting & Sensors
- OEM Integrations
- Troubleshooting & Tools
- Case-Studies & Communities
Managing Windows 10 can be complicated. Let us demystify it, and make you a hero!
About the Author
This tutorial was written by:
- Robert Terakedis, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
Your feedback is valuable.
To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at firstname.lastname@example.org.