Modified: 05/10/19 with additional info regarding Apps and Books migration for the legacy account.
Until Apple Business Manager (ABM) was released, managing Apple DEP and VPP require accessing through two different web portals. Also, it wasn’t possible to have more than one agent set up for both portals. I was overjoyed when I found out both web portals now fall under a single pane of glass.
There are also changes when it comes to account naming. Specifically:
- Agent in DEP is now called Administrator in ABM
- You can now have up to five administrators in ABM
- Admin in DEP is now called Device Manager in ABM
- Admin in VPP is now called Content Manager in ABM
- Admin who can create/edit other admin is called People Manager in ABM
Also, the existing Apple ID of these admins will be converted into Managed Apple ID once they sign into ABM for the first time.
While the entire process may take as little as five minutes, I suggest reviewing the URLs below before upgrading. Also, keep in mind you will lose access to Apple DEP portal once the upgrade is completed.
- Upgrade your organization to Apple Business Manager
- VMware Supports Apple Business Manager
- Migrating VPP Accounts to Locations Best Practices
- VPP Location Tokens for Apple Business Manager
- Invite Volume Purchase Program (VPP) Purchasers to Apple School Manager or Apple Business Manager
- Migrate to Apps and Books in Apple School Manager and in Apple Business Manager
- Apple Business Manager Help
I also suggest reviewing this PDF from Apple. If you are not familiar with Apple DEP or VPP at all, this PDF is definitely for you.
From reading through the articles above, you will want to pay close attention to VPP before upgrading. Pay particular attention to the texts in red.
- “For DEP accounts migrating, there is no expected change to these accounts. However, for VPP accounts, they will need to be associated to a location. A location is a new feature that allows licenses to freely move from one location to another. This means stale licenses that aren’t being used by a specific purchaser can be moved to another purchaser who can use the licenses.”
- “It is recommended to migrate a single VPP purchaser account to a single location in Apple Business Manager. Migrating multiple VPP accounts to a single location is not recommended.“
- “The recommended method for migrating VPP accounts into Apple Business Manager (ABM) or Apple School Manager (ASM) is to create a new, unique location for every VPP purchaser account in your organization. This prevents orphaning licenses on old VPP accounts and ensures you will be able to renew the corresponding tokens configured in the Workspace ONE UEM console.”
- “When should I renew my tokens in AirWatch? It is best to renew all your tokens before associating your purchaser accounts to locations. This will provide the maximum time of one year if any issues arise when renewing a legacy purchaser token with a new location token.”
Apple DEP to Apple ABM
Once you are ready to upgrade, proceed to the Apple DEP portal and log in with your existing account.
Clicking Learn more within the pop-up will take you to the link below:
Clicking Upgrade Now within the same pop-up, or Get Started in the smaller window on the bottom left-hand corner will take you to the link below:
Check off the box next to each agreement and click Agree.
Once you choose a Time Zone and click Save, you are ready to manage Apple DEP within the new portal! More on Apple VPP migration in just a moment.
Note the warning message at the top about lack of additional administrator for the company. Make sure you set up at least one additional administrator just in case by following the steps outlined after clicking Learn More.
Separately, existing Apple DEP admins will receive an email from Apple Business Manager to upgrade their Apple IDs to Managed Apple IDs.
When they click Get Started, it will open a web page to continue with the setup. If Internet Explorer 11 and below is set as the default browser, admins will need to access the site at https://business.apple.com/#upgrade via the browsers shown below:
Your Apple ID should already have two-factor authentication set up to access Apple Business Manager. While the Apple document states that two-factor authentication is required, you can only set up two-step verification within Apple ID portal.
The choice to the next question is totally up to you. Personally, I would not trust it to ensure the utmost security.
As a reminder, you can no longer sign onto Apple DEP portal once you upgrade to Apple Business Manager.
In the past, multiple admins can manage Apple DEP devices within the portal. However, only the administrator will receive an email notification when new devices are assigned to the portal. With Apple Business Manager, any admin with Device Manager role will receive the notification as well.
Apple VPP to Apple ABM
The above basically takes care of transitioning from Apple DEP to Apple Business Manager. What about Apple VPP? Let’s take a look at the steps involved.
A word of caution is to take your time to research and ask questions before proceeding. If this is not done properly, you could end up spending countless hours re-purchasing all the apps and re-assigning them back to your devices. More importantly, during the process apps that were already assigned/installed on existing devices might be revoked/lost due to change with the sToken!
Check out the posts below from the AirWatch community forum to learn more.
- Apple Business Manager
- Re-Download Apps after Apple Business Manager Upgrade?
- Apple Business Manager VPP issue
Asides from the links I mentioned at the beginning of this blog post, the link from Apple below will provide additional insight also.
If your account also has Content Manager role, you may continue to access the legacy VPP portal as well. Or click Apps and Books and Get Started to begin the migration.
Pay attention to the next step as there’s no rollback once you proceed.
- If BOTH of your Apple DEP and Apple VPP account are the same, then select the default location click OK.
- If BOTH of your Apple DEP and Apple VPP account are NOT the same, STOP and read on before proceeding further.
Once it’s set up, you should see the apps that were previously purchased within the same portal. No more visiting Apple VPP portal separately to purchase apps!
A nice change with this is that multiple admins with the Content Manager role will now have access to the same content as the VPP account within the location/company. This avoids confusion with app purchase or possible corruption of the server token (also known as sToken) linked to the same MDM server.
*source: Location-based licenses
In my set up, I have a single account for managing both Apple DEP and VPP for my production environment. I have a separate account for managing Apple VPP only for my QA environment. To migrate this standalone VPP account to ABM, I would first need to invite my VPP-only account to be added to my organization. The instruction can be found via this link.
You may also hold off on moving the standalone account from Legacy VPP to Apple Business Manager because doing so requires the VPP only account to be set up with two-factor authentication. Migrating to ABM, however, does offer you the flexibility to transfer any unassigned licenses from one location to another (i.e. from QA to production). The choice is totally up to you.
If you wish to proceed, go ahead and create a new location for any additional environment such as QA.
Fill in the information and click Save.
Next, go to Settings -> Enrollment Information and click on Invite VPP Program Facilitator under Legacy VPP Accounts.
The standalone VPP account will receive an email similar to the one below.
When you click Join Apple Business Manager, it will open a web page to continue with the setup. If Internet Explorer 11 and below is set as the default browser, admins will need to access the site at https://business.apple.com/#upgrade via the browsers shown below:
Another reminder is that any account that needs access to Apple Business Manager must already have two-factor authentication configured whether it’s for managing DEP devices and/or VPP apps.
Also, if you forget the answers to your security questions, you will have to wait 72 hours (3 days) before you can enable two-factor verification for your Apple ID.
Once the migration completes for this standalone/legacy VPP account, an additional account with the Content Manager role will be created and assigned accordingly. However, we are not done yet!
Up until now, we only finish migrating the legacy VPP account over to Apple Business Manager. Apps and Books, on the other hand, requires a separate migration process similar to the above.
I consulted with both VMware AirWatch and Apple Enterprise Support to understand this process at a deeper level. After all, I only want to do this once.
To migrate from user-based license (legacy) to location-based license (ABM), there are two steps you should take:
- Create a unique location before migrating Apps and Books for the standalone VPP account (unless BOTH of your Apple DEP and VPP accounts are the same which means you would have finished the migration by now.)
- To ensure a successful migration for Apps and Books, I couldn’t empathize enough the importance of creating a new location first to ensure both unassigned and assigned licenses are transferred over from legacy-based to location-based tokens properly.
- Make sure the same legacy account migrated above has access to the new location with at least the Content Manager role.
- Also, it’s best to limit the VPP account from accessing any location other than the new location to avoid transferring licenses to the wrong location which is a big NO NO.
After taking the necessary steps mentioned above, the remaining steps are the same as before (click Get Started, etc.)
If you see the below after clicking Get Started, STOP and consult with Apple support before proceeding further.
If you do NOT wish to proceed, you can certainly continue to use the legacy VPP portal at vpp.itunes.apple.com (at least until Apple retires this portal.)
Here are some additional comments from Apple support which you may find useful.
- YES the same phone number can be used by more than one Apple managed ID for 2-factor authentication.
- Mapping Content Managers to locations isn’t so important during the ABM migration, it’s during the Apps & Books migration that this becomes significant. Each time you migrate licenses to Apps & Books you should do so to a location that has a unique Content Manager assigned to it but which has not been used previously as the destination for a prior license migration. If you only have two content managers, they each are associated with one of your first two locations then you don’t necessarily need the (new, and third) UAT location as a migration destination because you can migrate all the Apps & Books into the first two. If you intend to create the UAT location so that you can assign licenses to it separately then you could create it before the Apps & Book migration, assign it a unique Content Manager, and then do the Apps & Books migration into it – but if you waited until after all the licenses were migrated to create the UAT location, you could skip the step of assigning that location a unique Content Manager. Again, these location-based silos are only required for the Apps & Books migration, once that is complete everything is free to move where ever you like.
- Once the ABM migration and the Apps & Books migration are complete, the Content Managers can be associated or re-associated with the first (top-most) location, and by doing so granting management access to any of the newer and therefore underlying locations, or to one of those other locations (only) as you please. Similarly, unassigned licenses will be able to be transferred laterally between locations by Content Managers with the appropriate authority to do so. Just to clarify the full flexibility you will have at this point, you would even be able to consolidate all existing licenses into the single original location (created during the ABM migration), delete the other locations, make new locations, and redistribute everything among the new ones. In other words, once the Apps & Books migration is complete you have free rein to reorganize things to your preference in terms of Content Managers, locations, and licenses.
As always, stay mobile!