Inquiry: Inconsistent VPP UpdateBehavior with DDM (auto-update timing + manual-update gating)

Hi there,

We’re testing Declarative Device Management (DDM) for VPP app management and followed the latest declaration template here: https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/app.managed.yaml

Our goal is to enable VPP auto-updates via the declaration. The payload we’re using looks like this:

{
  "AppStoreID": "1231325957",
  "InstallBehavior": "{\"Install\": \"Required\", \"License\": {\"Assignment\": \"Device\"}}",
  "UpdateBehavior": "{\"AutomaticAppUpdates\": \"AlwaysOn\"}"
}

What we’re seeing

Device A (no Apple ID signed into App Store): User can manually update the VPP app with the above declaration in place. (The same user cannot update the app if UpdateBehavior is not in the declaration payload.)

Device B (Apple ID signed into App Store, and the same Apple ID doesn't have the above app purchased): User cannot manually update the same VPP app. The App Store shows the error seen when UpdateBehavior is absent:

“<App Name> cannot be updated because it was refunded or purchased with a different Apple Account.”

Also, in this case, the user has no way to purchase the (free) app on their own, as the app shows as owned/managed by the MDM server. We have to remove the declaration, let the user purchase the same app, then re-deploy the declaration to allow the user to click that "Update" button when a new version for that app is available.

Additionally, we’re unsure about the criteria/timing for automatic VPP app updates under DDM. After a new version became available, we waited several hours but the app did not auto-update.

Repro summary

App: VPP, device-assigned license

Declaration: AutomaticAppUpdates = AlwaysOn, install required

Device A: not signed into App Store → manual update allowed

Device B: signed into App Store → manual update blocked with “refunded/different account” error

Auto-update did not occur after waiting several hours post-release

Any guidance, confirmation of expected behavior, or tips on additional logging we should collect (e.g., specific App Store / MDM / DDM logs and subsystems) would be greatly appreciated. If this is a known issue or requires a Feedback Assistant report, we’re happy to file one.

Thanks,

Once an app is managed, all operations on that app should be performed using MDM. The user should never use App Store to update the app.

Organizations are expected to purchase licenses for all apps they assign to users or devices, even if the app is free. The user should never have to purchase an app to get a license. The MDM server should assign a license to the device or user before sending the DDM configuration.

DDM app updates happen automatically, but it may be more than 24 hours before a given device notices the update, and then the device will wait for a good time to install the update. App configurations that specify a Version are installed immediately; these are not considered to be updates.
