Working with VPP and DEP Apple IDs
These are notes about getting the Apple IDs and their two-step verification ready for Apple’s Volume Purchasing Program (VPP) and Device Enrollment Program (DEP). Worst case, give yourself two weeks to complete all the items listed below, but realistically it can be done within three business days.
You will be creating a LOT of Apple IDs. Do yourself a favor and get a password manager, or have some other secure method of recording what/how each new Apple ID is being used. There are two levels of Apple IDs.
[VPP | DEP] Program Agent
This is the individual with purchasing power and/or signature authority.
[VPP | DEP] Program Admin
This is the technical individual that needs to do the work.
Even if you are the same person, still create multiple accounts: tokens are necessary to make VPP and DEP work, and they will expire every year, OR if the password is changed on that account.
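One way to keep the record suggested above, as an added example that is not part of the original notes: a metadata-only inventory that flags tokens made invalid by a password change or approaching the one-year expiry. The field names, the 30-day warning window, the dates and the dep-admin address are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TOKEN_LIFETIME = timedelta(days=365)  # "expire every year", per the notes above

@dataclass
class AppleID:
    address: str
    program: str                            # "VPP" or "DEP"
    role: str                               # "agent" or "admin"
    token_issued: Optional[date] = None     # None: no token recorded for this ID
    password_changed: Optional[date] = None

def token_status(acct: AppleID, today: date, warn_days: int = 30) -> str:
    """Return 'no-token', 'invalid', 'expired', 'renew-soon' or 'ok'."""
    if acct.token_issued is None:
        return "no-token"
    # A password change after the token was issued invalidates the token.
    if acct.password_changed and acct.password_changed > acct.token_issued:
        return "invalid"
    expires = acct.token_issued + TOKEN_LIFETIME
    if today >= expires:
        return "expired"
    if expires - today <= timedelta(days=warn_days):
        return "renew-soon"
    return "ok"

def needs_attention(inventory, today):
    """(status, address) pairs whose token must be re-issued, worst first."""
    order = {"invalid": 0, "expired": 1, "renew-soon": 2}
    flagged = [(token_status(a, today), a.address) for a in inventory]
    return sorted((f for f in flagged if f[0] in order), key=lambda f: order[f[0]])

# Constructed inventory: metadata only, passwords stay in the password manager.
INVENTORY = [
    AppleID("vppmd@domain.tld", "VPP", "agent"),
    AppleID("pm01@domain.tld", "VPP", "admin", date(2014, 6, 2)),
    AppleID("pm02@domain.tld", "VPP", "admin", date(2014, 6, 2), date(2015, 1, 10)),
    AppleID("dep-admin@domain.tld", "DEP", "admin", date(2014, 5, 5)),
]

if __name__ == "__main__":
    for status, address in needs_attention(INVENTORY, date(2015, 4, 20)):
        print(f"{status:10} {address}")
```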
Day 1 “Monday”
The assumption is that you do not have an existing VPP account, and since DEP is new, you don’t have an account for that program either.
You will need to create two NEW Apple IDs at https://deploy.apple.com: one for VPP and one for DEP. Both of these may take five days, because Apple validates that the individual named in the request (whether they made it themselves or someone on their staff did) is the responsible person of the organization. The person identified for these accounts MUST be someone within your institution or company that has “signature authority”. In terms of the Job Title, be sure that any public-facing website or social media listing of the person who will be the Program Agent matches what you submit to Apple (Owner, Vice President, Director, etc). Apple has staff validating the information you submit, not an automated system. Apple will call you and verify that the information submitted is accurate, so be sure to enter a cell number as the primary way to contact the individual who needs to approve the account.
- vppmd@domain.tld
- dep@domain.tld
Day 8 “Monday”
After five business days, you should now have two new Apple IDs. Begin enabling two-step verification as described at: https://support.apple.com/kb/HT5570. Just because you created a VPP or DEP account does not mean that two-step verification has been enabled. You must do this after you log in to the new Apple ID accounts. Two-step verification is required for VPP and DEP, so get it started immediately once you log in. If you happen to be using an old VPP account because you still have money available, your account will need to be converted to allow two-step verification, and it may take 72 hours for Apple to perform some background routines.
When you enable two-step verification DO NOT CHANGE ANYTHING ELSE. If you change an address, phone number, or security questions it may raise red flags to Apple, thus causing you delays. [1] [2]
Day 11 “Thursday”
We can now invite Admin accounts for VPP and DEP. VPP Admins should be for specific Profile Manager servers OR for specific departments (who have their own Profile Manager) [3] that need to control expenses on what apps are purchased. So think of it as:
- pm01@domain.tld
- pm02@domain.tld
- pm03@domain.tld
We can also now invite our DEP Admin. DEP Admin invites should go to the individual’s work email account, as it identifies the individual who can add devices to your MDM server. However, if that account already exists just create “DEP” accounts as needed. [4]
Footnotes
1. DEP cannot use iCloud, therefore you MUST be able to accept SMS messages on your phone. Remember, two-step verification is for login and purchases. The cell phone with SMS must be the “Admin’s” phone, because as soon as you begin to purchase apps (Free or Paid), you will get a request for the SMS four digit code each time, as you must authenticate with two-step verification whenever items are purchased!
2. If iPhones are issued by a School or a Government agency, sometimes cellular providers impose a block on SMS to prevent unnecessary charges (such as the ability to vote for your favorite singer on American Idol). This restriction may stop any Apple SMS messages; call your provider to get the block removed.
3. If you are using another MDM besides Profile Manager, you only need one token per department or sub-organization that wants to control what apps are being purchased. See your MDM Provider for details.
4. At this point it reminds me that Google Accounts automatically have an alias feature where you can add a plus sign and something else between the username and the “@” symbol. For example, with the email address myaccount@gmail.com, an alias address would be myaccount+dep1@gmail.com. Mail to both addresses is delivered to the same Gmail account, but the addresses are still unique and different, so this trick could be used to create additional Apple ID accounts based off your work address.
Comments
Doreen
Hi Justin,
Thanks for these steps. Do you know if it’s possible to change the Apple ID for DEP and VPP? We want to use a technical user for this who can be used by more users than one - is it possible to do this, or does it always have to be a real person? Also the two-step verification: is it always needed or can I disable it? For me it’s hard to understand how Apple thinks this will work in a Company with a group of administrators for the Business Apple Environment…
Justin
Hello Doreen,
It has been a while since I’ve worked with DEP and VPP (almost two years now). When I used to do this for other people, we definitely had a unique ID whose purpose was to do Administration vs. Purchasing vs. a User. If you are coming from a Business Environment, I would suggest getting to know your local Apple Store’s Business representative. They are there to help answer questions from that perspective vs. the “general user”. You may also be referred to an Apple Consultant that the store frequently works with to assist businesses that need guidance in helping to understand how Apple “thinks”. ;)
As for 2FA, I would guess that is still required as in Apple’s eyes this is sensitive information which requires that level of security.