Scoping of VPP iOS apps

Simmo
Contributor II

When first setting up VPP, I created assignments for user groups and assigned multiple apps to them, however I have been told by JAMF support this isn't best practice, and I should be creating one assignment for each app.

Now when I have come to do the swap over and re-do all of my assignments, I have run into issues with scoping only being able to do EITHER Users/(Smart/Static) User groups OR LDAP groups.
I'm in a school environment and I am wanting to scope many of the ~100 apps to, say, a year level + certain staff members, but I have no way to do that without an LDAP group for these assortments of staff members.

Am I missing something here? It feels really limiting being able to scope to an LDAP group only but not single LDAP users as well. I don't really want to have to create two assignments for each app, one for an LDAP group and one for all other specific users.

It was much easier being able to set up the group I wanted to scope apps to and then just select all of the apps that group needed. Scoping to devices isn't viable for us due to the inability for users to save any data to iCloud.


bumbletech
Contributor III

With device-based assignment that makes sense, because that's all you can do, but for AppleID/user-based assignment? Seems a bit excessive. I suppose for the sake of organization, clarity, and generally making down-the-road changes easier on yourself—or if there are multiple VPP tokens involved—but I'm not coming up with any "catastrophic" reasons to avoid it from my experience.

I would say it does make it easier to revoke a certain app to a few users/groups in a larger scope when they're all separate, or at least broken down into groups of apps that are always distributed together. For example, we needed to take the iLife apps away from a particular cart since they were rarely used on it and there was demand for them elsewhere. Moving that around took a little finesse, and now we have an assignment just for the iLife apps for that district so we can make those changes a bit more quickly. So, I suppose the basic idea (possibly) behind JAMF's suggestion is, "Set your assignments up in a way that makes it easier to move things around down the road without affecting the users/groups who don't need those changes."

dmillertds
Contributor

I'm in the same boat. I may be able to go to device-based deployment, but not until this summer at the earliest. Like you, I have 200+ apps, and have grouped them logistically, with as many as 15-20 apps per user group (mostly LDAP, but some JSS). I was also told that I should break these up into one app per group, but to do so would be a major planning and execution effort. And frankly, the whole VPP deployment process has been so difficult and unreliable, I'm afraid to "touch" anything that's already working.

FWIW, the hint I got when I asked why one-to-one was "best practice" was simply that the JSS could handle it better, avoiding some of the problems I've had, but from experience, it's just as likely to fail to deploy with a single app as with multiple.

Sorry - not much help. I too would like to see a more flexible/robust (and hopefully bulletproof) way to assign and deploy VPP, especially since both Apple and JAMF are pushing it so hard.