Deploying Enterprise Apps
When deploying apps within a company there’s the good, the bad ad the ugly way of doing it.
- The ugly: buy the app once and allow all users to install it with a shared Apple ID. Or, in other words, welcome to 2010.
- The bad: have users buy and install apps with their own AppleID, refund via iTunes Credits or use Vouchers from Apple’s Volume Purchase Program do deploy the apps.
- The good: buy apps via the Volume Purchase Program and distribute them via device based assignment with an Mobile Device Management tool.
Why is the good, the good? Mobile Device Management platforms like Jamf allow you to assign apps to devices without the use of an AppleID. This way you control who has which apps, users can install and update the apps without passwords and, as a company, you retain control of your licenses making it both easier to revoke access when someone leaves the company, and easier to proof that all software used in the office is legally purchased.
You can buy licenses to distribute App Store apps to devices via Apple’s Volume Purchase Program. This portal is linked to your company, you buy x amount of apps via a central AppleID/Credit card, and the apps show up in your management system of choice.
Once the license shows up in your MDM system you can assign the app to a device or group of devices (e.g. the new OmniOutliner 3 to all IT Support engineers) and they can immediately use the app.
Recently a couple of big Productivity apps made the switch from pay up front to get the app for free and unlock it completely via IAP. One of the bigger examples is The Omni Group, who made all their apps free, and allow you to unlock e.g. OmniGraffle fully via an In App Purchase. (They even allow you to get a discount if you’ve got a prior version installed).
Similarly, apps like Ferrite or Notability allow you to unlock extra features like new paper types or longer track duration via an IAP. There’s also apps like Ulysses, that are only useable when you have a subscription.
But currently there is no way to distribute these IAP to users. You can install Notability, or OmniGraffle but you can’t unlock the app for your users. Worse, when users try to unlock the IAP themselves, they can’t, since there is no AppleID involved.
Regular users face a similar issue when sharing apps via Family Sharing. If one family member unlocks all levels of Civilization, no one else can get that level unless they unlock, and pay, for the level themselves. It’s understable since most IAP are consumables for games and you can’t spend the same item twice. But when IAP are feature unlocks, or worse, ways to get the full app, the lack of IAP sharing across family members is a limiting, and often frustrating fact.
At least, within a family you can pay up twice (or trice) and get your IAP. But for enterprise users this is not possible. If you want someone in your company to use an app that unlocks via IAP you have to resort to the bad and ugly installation methods.
A Terrible solution or two
- Developers could create specific enterprise SKUs in the App Store that allow you to pay fully up front. But this results in duplicate apps, user confusion and a lot of support tickets from users buying the wrong SKU. Plus it means they need to maintain two different versions of the same app.
- Some developers allow you to buy the Mac app directly from their own store with seperate licenses. They can easily be installed via JAMF Pro but lacks the convenience of VPP distribution + it’s yet another serial key to track. Plus, you can’t use this on iOS.
- You could go the way of Office365, 1Password, Dropbox,… and link the apps’ features to a user account that’s licensed. Downside of this approach: it’s yet another username and password for your users to remember, it’s yet another thing to manage seperately for your IT department. And not every app has need for a username.
A Better solution
With the launch of the new App Store, Apple also launched a better way to Promoting in-app purchases within the store. You can sometimes even buy an IAP directly from the App Store. Why can’t they expose that IAP within the IAP portal and allow us to distribute both the app and the IAP via the known VPP distribution methods within an MDM server?
You buy an app via the VPP Portal, and also buy the related IAP. On your MDM server you then assign both the app and the IAP to your user and voila, problem solved.
With macOS server focused more heavily on Device Management, and Apple promoting IAP and subscriptions as a way to provide upgrades for apps and give developers a means to get money for their work, it’s time for Apple to take these features to an Enterprise level.
So put this on my WWDC 2018 wishlist: Apple, please allow us to distribute IAP via VPP.
If you want this too, please create a radar and reference #37531416, which contains a copy of this post.