Tag Archives: mdm

Mac Security Mass Deployment MobileMe Network Infrastructure

Network Port Testing With Netcat

You can do some pretty simple testing of ports and network communications using strategies I’ve outlined in the past with tcpdump, trace route, telnet, curl, stroke and of course ping. However, netcat has a few interesting things you can do with it; namely actually run a port super-quickly to test traffic between subnets, forcing scans of ipv6 traffic, debugging sockets, keeping connections alive, parodying through SOCKS 4 and 5 and just checking for daemons that are listening rather than actually sending data to them.

In this first example, we’re going to just check that Apple’s web server is accessible (adding -v for verbose output):

/usr/bin/nc -v www.apple.com 80

The result would be pretty verbose

found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif en0
src 10.10.20.176 port 50575
dst 23.78.138.214 port 80
rank info not available
TCP aux info available

Connection to www.apple.com port 80 [tcp/http] succeeded!
HTTP/1.0 408 Request Time-out
Server: AkamaiGHost
Mime-Version: 1.0
Date: Tue, 29 Jul 2014 15:41:34 GMT
Content-Type: text/html
Content-Length: 218
Expires: Tue, 29 Jul 2014 15:41:34 GMT

<HTML><HEAD>
<TITLE>Request Timeout</TITLE>
</HEAD><BODY>
<H1>Request Timeout</H1>
The server timed out while waiting for the browser’s request.<P>
Reference&#32;&#35;2&#46;48cf4d17&#46;1406648494&#46;0
</BODY></HTML>

If we added a -w to timeout we’ll cut out all the cruft (but wouldn’t know that the server’s at Akamai). Next, we’ll get a little more specific and fire up a test to check Apple’s push gateway at, using port 2195:

/usr/bin/nc -v -w 15 gateway.push.apple.com 2195

But, I want the cruft for the purposes of this article. Next, we can add a -4 to force connections over IPv4 and check the Apple feedback server and port 2196, also required for APNs functionality:

/usr/bin/nc -v -4 feedback.push.apple.com 2196

Right about now, something is probably happening at Apple where they’re getting sick of me sending all this data their direction, so let’s add a -z option, to just scan for daemons, without actually sending any data their way:

/usr/bin/nc -vz -4 feedback.push.apple.com 2196

Because of how NAT works, you might notice that the src port keeps changing (incrementing actually). Here’s the thing, we’re gonna’ go ahead and force our source port to stay the same as our destination port using the -p option:

/usr/bin/nc -vz -4 -p 2196 feedback.push.apple.com 2196

Now, what if this is failing? Well, let’s spin up a listener. I like to start on my own subnet, then move to another subnet on the same network and ultimately to another network so I’m checking zone-by-zone so-to-speak, for such a failure. So, we can spin up a listener with netcat in a few seconds using the -l option on another host:

/usr/bin/nc -l 2196

Then I can scan myself:

/usr/bin/nc 127.0.0.1 2196

I could also do this as a range if I forgot which port I used per host:

/usr/bin/nc 127.0.0.1 2195-2196

Now, as is often the case, if our connection problem is because data isn’t parodying, we can also use nc to check that using the -x operator followed by an IP and then : and a port. For example:

/usr/bin/nc -vz -4 -w 10 -p 2196 -x 10.0.0.2:8080 feedback.push.apple.com 2195-2196

Fun times with push notifications. Enjoy.

Mac OS X Mac OS X Server Mac Security Mass Deployment public speaking

MacAdmins 2015

I was super-bummed that I missed the MacAdmins conference at Penn State University. But, all is not lost as MacAdmins will be held July 8-10 in 2015 at the Penn Stater Conference Center and I’ll be able to see all those awesome people there next year!

In the meantime, something fun and new is the 2014 MacAdmins Playlist to maybe get exposed to some new stuff: http://spoti.fi/VTdxLX.

As an aside, here’s a fun pic of @derflounder and I (and others) doing a round table from a few years ago on the Penn State site:

Screen Shot 2014-07-15 at 1.25.10 PM

 

iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment Minneapolis

Come One, Come All: To The JAMF Nation User Conference

If you do deployments of Apple products, there are a few conferences to look at. Based on where you are and what industry you are in, some of these are better than others. But if you use the Casper Suite or are considering doing so, it would be really hard to beat JNUC, the JAMF Nation User Conference.

jamf-nation-user-conference-2014_1140_464_84_1399405603

And yes, I’d of said all this and posted this even if I hadn’t of come to work here a week and a half ago! So come one, come all to Minneapolis. And if you’re really nice, we’ll hook you up with some good old fashioned Minnesota lutefisk!

iPhone

Apple Configurator 1.4.1 Now Available

About Apple Configurator 1.4.1 is now out, to complement iOS 7.0.3 and OS X 10.9 Mavericks. Configurator 1.4.1 is available from the Updates tab of the Mac App Store and requires OS X Mountain Lion or later, as well as iTunes 11.1 or later.

Per http://support.apple.com/kb/HT5995?viewlocale=en_US&locale=en_US

What’s new in Configurator 1.4.1

• Options to configure which Setup Assistant steps display during device setup
• Fixes an application quitting issue that could occur when saving a profile with invalid options
• No longer removes Mobile device management (MDM) enrollment profile from a supervised device when refreshing it
• Fixes creation of Font profiles for iOS 7
• Renames the Supervision Profile which appears on devices to Configurator Trust Certificate. For more information, see this article.

iPhone Mac OS X Mac OS X Server

Using Profile Manager 3 In Mavericks Server

Profile Manager first appeared in OS X Lion Server as the Apple-provided tool for managing Apple devices, including Mobile Device Management (MDM) for iOS based devices as well as Profile management for OS X based computers, including MacBooks, MacBook Airs, Mac Minis, Mac Pros and iMacs running Mac OS X 10.7 and up. In OS X Mountain Lion, Apple added a number of new features to Profile Manager and revved the software to Profile Manager 2.0, most notably adding the ability to push certain types of apps to mobile devices. In Mavericks Server (Server 3), Apple provides new options and streamlines a bunch of things, most notably App Store and VPP integration. But we can talk about this stuff all day long, instead let’s just show ya’!

Preparing For Profile Manager

Before we get started, let’s prep the system for the service. This starts with configuring a static IP address and properly configuring a host name for the server. In this example, the IP address will be 192.168.210.135 and the hostname will be mlserver3.pretendco.com. We’ll also be using a self-signed certificate, although it’s easy enough to generate a CSR and install it ahead of time. For the purposes of this example, we have installed Server from the App Store (and done nothing else with Server except open it the first time so it downloads all of its components from the web) and configured the static IP address using the Network System Preferences. Next, we’ll set the hostname using scutil.

sudo scutil --set HostName mavserver.pretendco.lan

Then the ComputerName:

sudo scutil --set ComputerName mavserver.pretendco.lan

And finally, the LocalHostName:

sudo scutil --set LocalHostName mdm

Now check changeip:

sudo changeip -checkhostname

The changeip command should output something similar to the following:

Primary address = 192.168.210.201
Current HostName = mavserver.pretendco.lan
DNS HostName = mavserver.pretendco.lan
The names match. There is nothing to change.
dirserv:success = "success"

f you don’t see the success and that the names match, you might have some DNS work to do next, according to whether you will be hosting DNS on this server as well. If you will be hosting your own DNS on the Profile Manager server, then the server’s DNS setting should be set to the IP address of the Server. To manage DNS, start the DNS service and configure as shown in the DNS article I did previously:

Screen Shot 2013-10-07 at 3.04.48 PMProvided your DNS is configured properly then changeip should work. If you’re hosting DNS on an Active Directory integrated DNS server or some other box then just make sure you have a forward and reverse record for the hostname/IP in question.

Profile Manager is built atop the web service, APNS and Open Directory. Next, click on the Web service and just hit start. While not required for Profile Manager to function, it can be helpful. We’re not going to configure anything else with this service in this article so as not to accidentally break Profile Manager. Do not click on anything while waiting for the service to start. While the indicator light can go away early, note that the Web service isn’t fully started until the path to the default websites is shown (the correct entry, as seen here, should be /Library/Server/Web/Data/Sites/Default) and a View Server Website link is shown at the bottom of the screen. If you touch anything too early then you’re gonna’ mess something up, so while I know it’s difficult to do so, be patient (honestly, it takes less than a minute, wait for it, wait for it, there!).

Screen Shot 2013-10-07 at 3.10.32 PMOnce the Web service is started and good, click on the View Server Web Site link at the bottom and verify that the Welcome to OS X Server page loads.

Screen Shot 2013-10-07 at 3.11.42 PM

Setting Up Profile Manager

Provided the Welcome to OS X Server page loads, click on the Profile Manager service. Here, click on the Configure button.

Screen Shot 2013-10-07 at 3.12.53 PMAt the first screen of the Configure Device Management assistant, click on Next.

Screen Shot 2013-10-07 at 3.14.39 PMAssuming the computer is not yet an Open Directory master or Replica, and assuming you wish to setup a new Open Directory Master, click on Create a new Open Directory domain at the Configure Network Users and Groups screen.

Screen Shot 2013-10-07 at 3.22.00 PMThen click on Next. At the Directory Administrator screen, provide the username and password you’d like the Open Directory administrative account to have (note, this is going to be an Open Directory Master, so this example diradmin account will be used to authenticate to Workgroup Manager if we want to make changes to the Open Directory users, groups, computers or computer groups from there). Once you’re done entering the correct information, click Next.Screen Shot 2013-10-07 at 3.22.27 PMAt the Organization Information screen, enter your information (e.g. name of Organization and administrator’s email address). Keep in mind that this information will be in your certificate (and your CSR if you submit that for a non-self-signed certificate) that is used to protect both Profile Manager and Open Directory communications. Click Next.

Screen Shot 2013-10-07 at 3.23.13 PMAt the Confirm Settings screen, make sure the information that will be used to configure Open Directory is setup correctly. Then click Set Up (as I’ve put a nifty red circle next to – although it probably doesn’t help you find it if it’s the only button, right?).

Screen Shot 2013-10-07 at 3.23.40 PMThe Open Directory master is then created. At the Organization Information screen, enter the name of the contact information for an administrator and click on the Next button.

Screen Shot 2013-10-07 at 3.23.40 PMEven if you’re tying this thing into something like Active Directory, this is going to be a necessary step. Once Open Directory is setup you will be prompted to provide an SSL Certificate.

Screen Shot 2013-10-07 at 3.26.04 PMThis can be the certificate provided when Open Directory is initially configured, which is self-signed, or you can select a certificate that you have installed using a CSR from a 3rd party provider. At this point, if you’re using a 3rd party Code Signing certificate you will want to have installed it as well. Choose a certificate from the Certificate: drop-down list and then click on Next.

Screen Shot 2013-10-07 at 3.26.42 PM

If using a self-signed certificate you will be prompted that the certificate isn’t signed by a 3rd party. Click Next if this is satisfactory.

Screen Shot 2013-10-07 at 3.27.39 PM

You will then be prompted to enter the credentials for an Apple Push Notification Service (APNS) certificate. This can be any valid AppleID. It is best to use an institutional AppleID (e.g. push@krypted.com) rather than a private one (e.g. charles@krypted.com). Once you have entered a valid AppleID username and password, click Next.

Screen Shot 2013-10-07 at 3.39.01 PMProvided everything is working, you’ll then be prompted that the system meets the Profile Manager requirements. Click on the Finish button to complete the assistant.

Screen Shot 2013-10-07 at 3.40.05 PMWhen the assistant closes, you will be back at the Profile Manager screen in the Server application. Here, check the box for Sign Configuration Profiles.

Screen Shot 2013-10-07 at 3.40.35 PMThe Code Signing Certificate screen then appears. Here, choose the certificate from the Certificate field.

Screen Shot 2013-10-07 at 3.41.07 PMUnless you’re using a 3rd party certificate there should only be one certificate in the list. Choose it and then click on OK. If you are using a 3rd party certificate then you can import it here, using the Import… selection.

Screen Shot 2013-10-07 at 3.41.33 PMIf you host all of your services on the one server (Mail, Calendars, VPN, etc) then leave the box checked for Include configuration for services; otherwise uncheck it.

One of the upgrades in Profile Manager 2.2 is the ability to distribute objects from the App Store Volume Purchase Program through Profile Manager. To use this option, first sign up on the VPP site. Once done, you will receive a token file. Using the token file, check the box for “Distribute apps and books from the Volume Purchase Program” and then use the Choose button to select the token file.

Screen Shot 2013-10-07 at 3.43.22 PMNow that everything you need is in place, click on the ON button to start the service and wait for it to finish starting (happens pretty quickly).

Screen Shot 2013-10-07 at 3.44.27 PMOnce started, click on the Open Profile Manager link and the login page opens. Administrators can login to Profile Manager to setup profiles and manage devices.Screen Shot 2013-10-07 at 3.45.29 PMThe URL for this (for mavserver.pretendco.lan) is https://mavserver.pretendco.lan/profilemanager. Use the Everyone profile to automatically configure profiles for services installed on the server if you want them deployed to all users. Use custom created profiles for everything else.Screen Shot 2013-10-07 at 3.46.12 PM

Enrolling Into Profile Manager

To enroll devices for management, use the URL https://mavserver.pretendco.lan/MyDevices (replacing the hostname with your own). Click on the Profiles tab to bring up a list of profiles that can be installed manually.

Screen Shot 2013-10-07 at 3.48.18 PMFrom Profiles, click or tap the Enroll button. The profile is downloaded and when prompted to install the profile, click Continue.

Screen Shot 2013-10-07 at 3.50.16 PMThen click Install if installing using a certificate not already trusted.

Screen Shot 2013-10-07 at 3.50.40 PMOnce enrolled, click on the Profile in the Profiles System Preference pane to see the settings being deployed.

Screen Shot 2013-10-07 at 3.51.12 PMYou can then wipe or lock the device from the My Devices portal. Management profiles from the MDM server are then used. Devices can opt out from management at any time. If you’re looking for more information on moving Managed Preferences (MCX) from Open Directory to a profile-based policy management environment, review this article and note that there are new options in dscl for removing all managed preferences and working with profiles in Mavericks (10.9).

If there are any problems when you’re first getting started, an option is always to run the wipeDB.sh script that resets the Profile Manager (aka, devicemgr) database. This can be done by running the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh

Automating Enrollment & Random Management Tips

The two profiles needed to setup a client on the server are accessible from the web interface of the Server app. Saving these two profiles to a Mac OS X computer then allows you to automatically enroll devices into Profile Manager using Apple Configurator, as shown in this previous article.

When setting up profiles, note that the username and other objects that are dynamically populated can be replaced through a form of variable expansion using payload variables in Profile Manager. For more on doing so, see this article.

Note: As the database hasn’t really changed, see this article for more information on backing up and reindexing the Profile Manager database.

Device Management

Once you’ve got devices enrolled, those devices can easily be managed from a central location. The first thing we’re going to do is force a passcode on a device. Click on Devices in the Profile Manager sidebar.

Screen Shot 2013-10-07 at 3.56.32 PMClick on a device in Profile Manager’s admin portal, located at https://<SERVERNAME>/profilemanager (in this case https://mavserver.pretendco.lan/profilemanager).

Screen Shot 2013-10-07 at 3.58.09 PMThe device screen is where much of the management of each device is handled.

Screen Shot 2013-10-07 at 3.58.09 PMFrom the device (or user, group, user group or device group objects), click on the Settings tab and then click on the Edit button.

Screen Shot 2013-10-07 at 4.00.22 PMHere, you can configure a number of settings on devices. There are sections for iOS specific devices, OS X specific settings and those applicable to both platforms. Let’s configure a passcode requirement for an iPad.

Screen Shot 2013-10-07 at 4.01.05 PMClick on Passcode, then click on Configure.

Screen Shot 2013-10-07 at 4.01.22 PMAt the Passcode settings, let’s check the box for Allow simple value and then set the Minimum Passcode Length to 4. I find that with iOS, 4 characters is usually enough as it’ll wipe far before someone can brute force that. Click OK to commit the changes.

Screen Shot 2013-10-07 at 4.01.22 PM

Once configured, click Save. At the “Save Changes?” screen, click Save. The device then prompts you to set a passcode a few moments later (screens look the same in iOS 7 pretty much).

The next thing we’re going to do is push an app. To do so, first find an app in your library that you want to push out. Right-click (or control-click) on the app and click on Show in Finder. You can install an Enterprise App from your library or browse to it using the VPP program if the app is on the store. Before you start configuring apps, click on the Apps entry in the Profile Manager sidebar.

Screen Shot 2013-10-07 at 4.08.32 PM

At the Apps screen, use the Enterprise App entry to select an app or use the Volume Purchase Program button to open the VPP and purchase an app. Then, from the https://<SERVERNAME>/profilemanager portal, click on an object to manage (in this case it’s a group called Replicants) and click on the Apps tab.

Screen Shot 2013-10-07 at 4.03.42 PMFrom the Apps tab, click on the plus sign icon (“+”).Screen Shot 2013-10-07 at 4.04.49 PMAt the Add Apps screen, choose the app added earlier and then authenticate if needed, ultimately selecting the app. The app is then uploaded and displayed in the list. Click Add to add to the selected group. Then, click on Done. Then click on Save… and an App Installation dialog will appear on the iOS device you’re pushing the app to.

At the App Installation screen on the iPad, click on the Install button and the app will instantly be copied to the last screen of apps on the device. Tap on the app to open it and verify it works. Assuming it does open then it’s safe to assume that you’ve run the App Store app logged in as a user who happens to own the app. You can sign out of the App Store and the app will still open. However, you won’t be able to update the app as can be seen here.

Note: If you push an app to a device and the user taps on the app and the screen goes black then make sure the app is owned by the AppleID signed into the device. If it is, have the user open App Store and update any other app and see if the app then opens.

Finally, let’s wipe a device. From the Profile Manager web interface, click on a device and then from the cog wheel icon at the bottom of the screen, select wipe.

At the Wipe screen, click on the device and then click Wipe. When prompted, click on the Wipe button again, entering a passcode to be used to unlock the device if possible. The iPad then says Resetting iPad and just like that, the technical walkthrough is over.

Screen Shot 2013-10-07 at 4.11.13 PM

Note: For fun, you can use the MyDevices portal to wipe your iPad from the iPad itself.

Conclusion

So where are all these new features that justify a new version number? To quote Apple’s Profile Manager 2 page:

Profile Manager simplifies deploying, configuring, and managing them all. It’s one place where you control everything: You can create profiles to set up user accounts for mail, calendar, contacts, and messages; configure system settings; enforce restrictions; set PIN and password policies; and more. Because it’s integrated with the Apple Push Notification service, Profile Manager can send out updated configurations over the air, automatically. And it includes web-based administration, so you can manage your server from any modern web browser. Profile Manager even gives users access to a self-service web portal where they can download and install new configuration profiles, as well as clear passcodes and remotely lock or wipe their Mac, iPhone, or iPad if it’s lost or stolen.

Wait, it did that before… Which isn’t to say that for the money, Profile Manager isn’t an awesome tool. Apps such as Casper MDM, AirWatch, Zenprise, MaaS360, etc all have far more options, but aren’t as easy to install and nor do they come at such a low price point. Profile Manager is a great option if all of the tasks you need to perform are available within the tool. If not, then it’s worth a look, if only as a means to learn more about the third party tools you’ll ultimately end up using. One thing I can say for it is that Profile Manager is a little faster and seems much more stable (in fact, Apple has now published scalability numbers, which they have rarely done in the past). You can also implement newer features with it, including Gatekeeper and Messages.

iPhone

SimpleMDM Now With Apps

SimpleMDM has updated their Mobile Device Management solution (my original writeup is here) to now include the ability to manage apps. The apps functionality really comes in two flavors. The first is the ability to load up an app. This is handled handed by clicking on Settings in the right hand navigation bar and then at the Settings pop-over, clicking on Apps. Here, you can load up an internal, enterprise app or an App Store app.

Once you’ve loaded an app you can deploy it to devices by clicking on a group and then using the contextual menu to “Assign Apps.” Simple, as the name implies.

The second aspect of SimpleMDM is to white and blacklist apps. Doing so is done by clicking on the contextual menu and then clicking on Rules. Here, you can Allow or Disallow any app that has been loaded into the app catalog.

 

certifications iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment public speaking

Penn State MacAdmins Back for 2013

Last year, I had a great time at the Penn State MacAdmins conference. There were tons of smart people to mingle with and everyone had plenty to discuss when it came to managing the Mac. There were a lot of people from education but also plenty from companies. The talks were well run and the conference location, the Penn Stater, was awesome. I love how it’s like a big winding maze.

Having gone to school in a town like State College (Athens, GA), I’ve always had a warm spot for cute college towns. And State College is clearly a special place. I’d recommend a trip there to anyone that loves places like Ann Arbor, Norman, Stillwater, Opelika, Corvallis, Blacksburg, Madison, Manhattan (Kansas), Ithaca, Iowa City, Ames, Morgantown, Lafayette (Indiana), Lawrence, Champaign, Logan, College Station and of course, Oxford Mississippi (Ole Miss is a truly special place).

So you’re lucky then, ’cause the Penn State MacAdmins Conference is back for 2013, being held in beautiful State College, PA at Penn State University. The Conference is May 22nd through 24th with a new introductory Boot Camp being held the day before (May 21st) to prep admins for the rest of the conference. And May is one of the best times to visit a place like this. Spring is in the air, kids are getting ready to graduate, the flowers are in bloom and of course, there’s no more snow to be shoveled. A month later and the school would practically be shut down, the town a ghost town.

But in late May, college towns are electric. So don’t just stay at the Penn Stater the whole time, go explore downtown and that Nittany Lion thing – and the spot where Joe Pa’s statue used to be. Take a carriage ride, swing by the Governor’s Pub, have some red meat at Otto’s and of course, perform the underclassmen ritual of throwing up on College Ave! And yes, there’s a College Ave, as there should be. Anyway, the social element of a conference like this is great. Meet those people you tell to RTFM on the ‘ole Enterprise List, the people whose feeds you read and the people whose feeds you deleted  ’cause they talk about college football too much…

The Call for Proposals is now open, so to submit a talk, use http://macadmins.psu.edu/conference/submit-proposals.

This year, there will also be sponsors. To sponsor, see http://macadmins.psu.edu/conference/sponsorships.

Or to attend, see http://macadmins.psu.edu/conference/registration.

To sign up for the conference newsletter, see http://psu.us4.list-manage.com/subscribe?u=acd8b6acc541596a7bdf8e517&id=d37a7e26fd.

And for an example of what you are in store for:

PS – There are 12 teams in the Big 10. While at State College, make sure to remind everyone wearing blue of this fact.

Mac OS X Mac OS X Server Mass Deployment

Keynote From JAMF Nation

In case you were there and would like a copy, here’s the slides from the presentation I did this week at the JAMF Nation User Conference 2012. If you weren’t there, then perhaps they will help you in some way.

JNUC2012

The session was recorded so I’ll try and post when it becomes available for download.

iPhone

Restricting Access To Sites On iOS Devices

One of the more common requests we get for iOS devices is to restrict what sites on the web that a device can access. This can be done in a number of ways. The best, in my experience, has been using a proxy.

In Apple Configurator 1.2 there’s an option for a Global HTTP Proxy for Supervised devices. This allows you to have a proxy for HTTP traffic that is persistent across apps.

Each Wi-Fi network that you push to devices also has the ability to have a proxy associated as well. This is supported by pretty much every MDM solution, with screens similar to the following, which is how you do it in Apple Configurator.

The above has I am all about layered defense, though. Or if a proxy is not an option then having an alternative. Another way to disable access to certain sites is to outright disable Safari and use another browser. This can be done with most MDM solutions as well as using a profile. To see what this would look like using Apple Configurator, see the below profile.

Now, once Safari has been disabled, you then need to provide a different browser. There are a number of third party browsers available on the App Store. Some provide enhanced features such as Flash integration while others remove features or restrict site access.

In this example we’re using the K9 Web Protection Browser. This browser is going to just block sites based on what the K9 folks deem appropriate. Other browsers of this type include X3watch, Mobicip (which can be centrally managed and has a ton of pretty awesome features), bSecure (which ties in with their online offerings for reporting, etc) and others.

While this type of thing isn’t likely to be implemented at a lot of companies, it is common in education environments and even on kiosk types of devices. There are a number of reasons I’m a strong proponent of a layered approach to policy management for iOS. By leveraging proxies, application restrictions, reporting and when possible Mobile Device Management, it becomes very possible to control the user experience to an iOS device in such a way that you can limit access to web sites matching a certain criteria.

iPhone

Volume Purchasing Program Now Available In More Countries

The Volume Purchasing Program is a program from Apple that allows you to buy gift codes en masse for distribution to users, either by mail merging them and sending them out or using a special tool for distribution, such as Apple Configurator or an MDM solution. If you’re in the United States and work with iOS, you’ve likely been using the Volume Purchasing Program for awhile. But for users in Australia, Canada, France, Germany, Italy, Japan, New Zealand, Spain and the United Kingdom, the Volume Purchasing Program is new and probably being well received.

The Volume Purchasing Program allows users to receive the codes and install/purchase software without being gifted money to do so, although in most cases the users will need Apple IDs. This is because the Volume Purchasing Program still requires codes to be redeemed, although if you’re using Apple Configurator you can deploy apps without tying them to unique AppleIDs.

Overall, the Volume Purchasing Program is a great way to be able to control and manage app expenditures, and for users in the newly added countries, will help with deployments large and small. To access the Volume Purchasing Program site, see http://www.apple.com/business/vpp. To quote Apple:

Deliver essential business apps to your employees with the Volume Purchase Program, now available in Australia, Canada, France, Italy, Germany, Japan, New Zealand, Spain, the UK, and the US. VPP makes it easy to purchase iOS apps in any quantity and distribute them to your users. You can also have custom apps built for your company’s unique needs. Search thousands of useful apps, specify any quantity, and use a corporate credit card to complete your purchase. Download the updated VPP Guide for details.