This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to update IOS apps installed with Configurator2 VPP

We started with Sophos MDM, but i can't find where i'm going wrong. How i work: We have Apple Configurator2, connected with an Apple VPP account. In a blueprint I push some apps like SMC and the iPad is showing up connected and managed in SMC (cloud version). From there I can run further tasks eand profiles. It seems all OK.

The users can make there own iTunes account in de the iPad to install apps of there own liking. But now some of the apps i installed with Configurator (also the SMC app itself) asking for updates on the iPad. I can klik "update" but then an pop-up appears to log in at iTunes.

But the app is installed via Configurator under VPP licence! So how to update these apps over the air? Asking them to come back to the office and update thru configurator is not an option. 

This thread was automatically locked due to age.
  • the apps thats installed via the vpp account on configurator2 will be associated with the vpp apple account so will require updating using that account, however i have not tested this but i would suggest you add the VPP account into SMC, import the vpp apps into SMC and then push out the apps to the devices from SMC, SMC should take over management of the app and update to the latest version.

  • I guess you are rigth. It makes however the concept of VPP less interesting. Why on earth would an (large) orginisation use VPP in Configurator2  when its not capable to update the apps on the iPad over the air.

    Two Questions remain:

     To pre-enroll the iPad for the user i want to install SMC and prepaire the iPad with Configurator2 to be visible and managed in Sophos MDM. So updating SMC on the iPad in the future keeps an problem (was the chicken or the egg first kind of thing if you ask me).


    I have VPP installed in my Sophos manager, does SMC take (automatic) care of the updates of apps when they are available? Or does My apps on the iPad do that?     

  • we use configuator2 to add config that SMC cant but we dont link configuartor2 to our VPP, configuator2 is good only in my opinion to build devices for a specific need as it is not over the air.

    why not use DEP to auto enrol all apple devices? it installs SMC app via the VPP account, when you take the device out of the box and boot it it goes through your config options and install apps via the VPP account, installs your configurations profiles etc etc etc, you can automate everything. devices can in essence be delivered direct to the end users and have zero touch from IT, you can also ensure that replaceddevices stay within your organisation (not handed to an employee son for games) as they device can only be setup when via a valid employee user account.


    smc does not auto update no which is good and bad, good because you can ensure app are on the same version but bad as if you have no patch management apps can become outdated.

  • Thank you for the fast response. So you never install the Control app with Configurator2?  How can you enforce the installation of Sophos Control on (new) ipads without DEP? If I want to install this before handing over the device, it seems my only other option is to create an iTunes account on the iPad on behalf of the user.   We are also working with DEP (first steps)  But we stil have couple 100 "old" iPads too.

  • nope we dont. historically our IT have setup the device for users so they created an applie ID for the users using our corporate email address.

    since putting dep into action this is done no more, everything is automated. DEP makes everything very easy, we have about 2500 devices, all new devices are auto enrolled and have automated setup when taken out of the box. all old devices currently on smc are also added to DEP so as soon as they are hard reset the device will boot into DEP setup and cannot be bypassed.

    if DEP is setup correctly an end user account bypass the setup, they cannot remove management and if they hard rest the device it will reboot back into the DEP setup and force them to enroll again within SMC.

  • Looks like our history/methods where the same in the past. Only one things triggers me: "all old devices currently on smc are also added to DEP "

    As far as I know this can be done with devices from the last few years, only with help from your DEP device supplier. But in our case our supplier and not all of his suppliers are Apple authorised DEP dealers. So i.m.h.o. then its bad luck for my ipads and they can't become DEP afterwards.

  • yeah you need to use approved re-seller, 2011 for us is the oldest device added to DEP.

Reply Children
No Data