Applications and books management
Applications and Books Management is a license management capability for applications and eBooks installed on Apple mobile devices. If your organization purchases a large volume of applications and electronic books for employees, this functionality helps you to license and distribute those assets on Apple devices. You retain ownership of the assets, so digital licenses can later be reclaimed and associated with other devices. Note that eBook license management is slightly different: eBook licenses can only be assigned to users and cannot be reclaimed afterwards. BMC Client Management supports the management of applications and eBooks applied to mobile devices.
Managed locations
Applications and Books management requires one or more Apple Business Manager locations. These locations are virtual groups with which customers can associate purchased assets, such as applications and eBooks. They must be created and configured in the customer's Apple Business Manager account and imported into BMC Client Management. To import a new location, first download the associated location token from the Apple web-based portal. Each location token is a small base64-encoded JSON document from which BMC Client Management extracts the organization name, expiration date and authentication token. Because the authentication token is critical, it is encrypted before being imported into the solution.
To import a location token:
- Select the Application and Book Management node in the Mobile Device Management Apple Configuration area and select Add a location in the contextual menu.
You can also perform the operation from the main menu.
Note
- You must configure one or more mobile device managers to use this feature. Otherwise, the system informs you that no manager is available, either because none has been selected or because they were not properly configured.
- You must register the Apple Push Certificate to use this feature. The Apple Push Certificate is a preliminary requirement prior to any management operation applied to Apple mobile devices.
- Enter the name of the location in the Add a location pop up.
- Provide a unique name for the new location in the location configuration popup and the token downloaded from the Apple web-based portal. Once imported, the system displays the new location in the panel view. You can import multiple locations if you need to manage the assets using different logical groups, such as locations that match the geographical criteria.
The system automatically synchronizes the location assets using the configured delay. If the location tokens expire, they are automatically disabled.
By default, BMC Client Management synchronizes all the locations once a day. You can change this from the Application and Book Management panel view in the Mobile Device Management > Configuration > Apple tree node.
- Update the Location Synchronization Interval to match the desired frequency, in seconds. To disable the automatic synchronization of locations, set the interval to the special value zero. In this case, you can still synchronize the locations manually, if required.
- To renew a location, download a new token for that location from the Apple web-based portal, select the location in the user interface, and select the appropriate operation in the contextual menu.
- You can also perform the operation from the main menu after you select the location.
The renew operation only refreshes the location authentication token, so the location name cannot be modified.
- Select the new token that you downloaded from the Apple web-based portal and click OK. If the operation succeeds, the system updates the location token and synchronizes the expired location after a few seconds.
Note
The token does not include any reference to the location for which it authenticates the web service calls. For this reason, it is possible to refresh a location using a token extracted from a different location. In this case, the next synchronization replaces the referenced objects with those from the new location, which may not be the desired behavior. To mitigate this risk, it is recommended that you match the location name in BMC Client Management with the real location in the Apple web-based portal. If required, you can use the location notes in BMC Client Management for this purpose.
Note
You can renew the tokens any time and don't have to wait for a location to expire. To avoid errors, it is recommended that you refresh tokens when they are about to expire.
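The token structure described under Managed locations and the renewal advice above can be checked before a token file is imported. The following is an added example, not code from BMC Client Management: the field names `orgName`, `expDate` and `token`, the timestamp layout, and the 30-day renewal threshold are assumptions, and the sample token is constructed.

```python
import base64
import json
from datetime import datetime, timezone

# Assumed field names; the page only lists what the token carries.
REQUIRED_FIELDS = ("orgName", "expDate", "token")
# Assumed timestamp layout, for example 2026-01-01T00:00:00+0000.
EXP_FORMAT = "%Y-%m-%dT%H:%M:%S%z"


class TokenError(ValueError):
    """The file is not a usable location token."""


def inspect_location_token(raw, now, renew_within_days=30):
    """Decode a location token (bytes) and return non-secret metadata only.

    `now` must be timezone-aware. The authentication token itself is never
    returned, so the result is safe to log or paste into a ticket.
    """
    try:
        compact = b"".join(raw.split())  # tolerate trailing newlines
        decoded = base64.b64decode(compact, validate=True)
        fields = json.loads(decoded.decode("utf-8"))
    except ValueError as exc:  # base64, Unicode and JSON errors
        raise TokenError("not base64-encoded JSON") from exc
    if not isinstance(fields, dict):
        raise TokenError("JSON payload is not an object")
    for name in REQUIRED_FIELDS:
        if not isinstance(fields.get(name), str) or not fields[name]:
            raise TokenError(f"missing or empty field: {name}")
    try:
        expires = datetime.strptime(fields["expDate"], EXP_FORMAT)
    except ValueError as exc:
        raise TokenError("unreadable expiration date") from exc
    days_left = (expires - now).days
    expired = expires <= now
    return {
        "organization": fields["orgName"],
        "expires": expires.astimezone(timezone.utc).isoformat(),
        "days_left": days_left,
        "expired": expired,
        "renew_now": expired or days_left <= renew_within_days,
    }


def constructed_token(exp_date):
    """Build a sample token for the demo; the values are constructed."""
    payload = {
        "orgName": "Example Org",
        "expDate": exp_date,
        "token": "CONSTRUCTED-NOT-A-REAL-SECRET",
    }
    return base64.b64encode(json.dumps(payload).encode("utf-8"))


if __name__ == "__main__":
    sample = constructed_token("2025-01-21T00:00:00+0000")
    report = inspect_location_token(sample, datetime.now(timezone.utc))
    print(json.dumps(report, indent=2))
```

The decoded file contains the authentication token in clear text, so handle downloaded token files as credentials until they are imported.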
The synchronization process lists all the applications and books that belong to the locations, along with the digital licenses assigned to devices and Apple users. Each location can be selected in the tree panel, which then displays its basic information. The child nodes in the tree view provide access to the different referenced objects, which you can manage from the contextual menu.
In case of a location synchronization failure, the synchronization error count is incremented. After five consecutive errors, the system disables the automatic synchronization. However, manual synchronization is still possible. This reduces the problem if errors are caused by a temporary external event, such as a network outage. The system resets the error counter to zero after each successful synchronization.
Managed applications
Apple Business Manager is designed to purchase mobile applications in volume so that they can be assigned to devices and users. This operation is performed on the Apple web-based portal. In other words, it is not possible to execute the purchase operations through the mobile device management solution. Instead, the mobile device solution can synchronize the purchased applications for each location. The synchronization process automatically creates Apple managed applications, available in the Managed Mobile Applications tree node.
Each synchronized application includes the following attributes:
Attribute | Description |
---|---|
Name | Defines the Apple application unique identifier. |
Application name | Defines the name under which this application was published. |
Total count | Defines the total count of purchased applications for this location. |
Available count | Defines the count of purchased applications that can still be assigned to devices and users. |
Configuration status | Defines the application status at the BMC Client Management level. For more information, see Managed Applications Configuration. |
Last status update | Defines the last day and time the application status was updated. For more information, see Managed Applications Configuration. |
Managed Applications Configuration
The synchronized managed applications available in this view are simply references to the assets purchased via the Apple Business Manager program. To make those elements usable in BMC Client Management, they must be turned into real mobile application objects. For instance, the application installation command requires real mobile applications, not simple references. The Configuration Status and Last Status Update attributes are used to implement the creation of mobile applications, based on the managed mobile application references. When a new managed mobile application reference is created, BMC Client Management tries to get additional information from the Apple store using the asset identifier. Then, a new mobile application is created, unless it already exists. The Configuration Status reflects the status of this operation. Once created, the mobile applications are available in the Mobile Applications tree view.
By default, BMC Client Management creates the mobile applications using the English language. You can change this by using the options from the Application and Book Management panel view available in the Mobile Device Management > Configuration > Apple tree node.
You must configure the Asset Creation Language to select the preferred language from the available values. This preferred language is used to automatically create the mobile applications to match the synchronized managed assets.
Applications from the Mobile Applications node and reference applications from the Managed Mobile Applications node are linked. However, it is possible to delete elements from these nodes. If a reference application is deleted from Managed Mobile Applications, then it is created again during the next location synchronization operation. For this reason, any associated application from Mobile Applications will not be automatically deleted. To delete a synchronized application from a location, use the standard Delete option from the context menu.
The Delete command is also available from the menu buttons. It is possible to delete multiple applications at once.
If a mobile application is deleted from Mobile Applications, then its associated reference application from Managed Mobile Applications is marked as not configured. This last remark is applicable for all the locations in which the removed application may be referenced, because a single application may be purchased in multiple locations.
Applications are not automatically re-configured. Instead, they are moved to the configuration paused state. To activate the re-configuration of synchronized applications, select the Configure Mobile Application option.
This option re-creates the application in Mobile Applications, using the current preferred language. Deleting applications from Mobile Applications, updating the preferred language, and re-configuring the synchronized assets are the preferred steps to change the applications language. The Configure Mobile Application option is also available from the menu buttons.
Managed users
Managed applications are associated to devices and users whereas managed books are only associated to users. To associate assets to users, you need to create a relationship between two different entities:
- The user known and managed by the MDM application.
- The user known and managed by Apple.
Users from the mobile device application are different than users managed by Apple. BMC Client Management users are managed at the application level and enroll mobile devices in the solution whereas Apple users are identified using their iTunes identifier and authenticate to the mobile device services, such as the Apple Store. In other words, Apple does not have information about the end users to whom managed books are associated and deployed.
An intermediate entity, the managed user, is needed to link the mobile device management users and the Apple users. Managed users are part of the location synchronized elements. Each synchronized user includes the following attributes:
Attribute | Description |
---|---|
Name | Defines the managed username. This name, also known as client user identifier, is generated by BMC Client Management using a fixed value user_ followed by the user email address MD5 digest. |
Username | Defines the BMC Client Management username if a link is found between the Apple managed user email and a BMC Client Management user email. If no match is found, then this attribute is empty. |
Email address | The user email ID used to create the Apple managed user. If a matching user email address is found in the list of BMC Client Management users, then the managed user is automatically linked with it, displaying the BMC Client Management username in the username column. |
Invitation status | Apple managed users are used to link MDM users to Apple users. However, Apple also needs to link these managed users to iTunes identifiers. Once done, it is possible to create a complete chain from the MDM user to an iTunes identifier to which asset licenses can be granted. The invitation status defines whether a managed user is associated with an iTunes identifier (associated) or not (registered). |
Configuration status | Defines the user status at the BMC Client Management level. For more information, see Managed Users Configuration. |
Last status update | Defines the last day and time the user status is updated. For more information, see Managed Users Configuration. |
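The Name attribute above is derived from the email address, so it can be recomputed to check which synchronized managed users follow that scheme. The following is an added example, not code from BMC Client Management: it assumes a lowercase hexadecimal digest over the UTF-8 email address, and the rows are constructed.

```python
import hashlib

PREFIX = "user_"


def client_user_id(email):
    """Return user_ followed by the MD5 digest of the email address.

    Assumptions: UTF-8 input and lowercase hex output. MD5 only labels the
    user here; it is not a security control.
    """
    digest = hashlib.md5(email.encode("utf-8"), usedforsecurity=False)
    return PREFIX + digest.hexdigest()


def audit_managed_users(rows):
    """Classify (name, email) rows taken from the managed users view.

    derived                      name matches the email exactly as stored
    derived-after-normalization  name matches the trimmed, lowercased email
    foreign                      name was not produced by this scheme
    """
    verdicts = {}
    for name, email in rows:
        if name == client_user_id(email):
            verdicts[name] = "derived"
        elif name.lower() == client_user_id(email.strip().lower()):
            verdicts[name] = "derived-after-normalization"
        else:
            verdicts[name] = "foreign"
    return verdicts


if __name__ == "__main__":
    # Constructed sample rows: (Name, Email address).
    rows = [
        (client_user_id("alice@example.com"), "alice@example.com"),
        (client_user_id("bob@example.com"), "Bob@Example.com "),
        ("legacy-account-17", "carol@example.com"),
    ]
    for name, verdict in audit_managed_users(rows).items():
        print(f"{name:40} {verdict}")
```

Because the name is a deterministic function of the email address, exported managed user names should be handled as personal data rather than as anonymous identifiers.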
Managed Users Configuration
Managed users are part of the synchronized location entities. Automatic connection with existing BMC Client Management users is performed at the location inventory integration, based on the managed user email address. For this reason, you need to wait for the next location synchronization (or to execute a new synchronization manually) to trigger the automatic connection of users for which you have modified the email.
If required, you can also link managed users to BMC Client Management users manually. For instance, the Apple managed user and the BMC Client Management user may not share the email address. In this case, the automatic connection between the two cannot be established.
- To manually link a BMC Client Management user with an Apple managed user, select the relevant row and click the Link User option from the contextual menu, or from the similar button in the menu bar.
- The Select a user popup displays. Search or select the BMC Client Management user to link and then click OK.
If the selected BMC Client Management user is already connected to another Apple managed user for the same location, then the system rejects the link. This additional verification is required because the relationship must be unique. If an asset is associated with an application user, you need to identify the relevant Apple managed user to which the digital license is assigned. Once the managed user is associated with the desired user, the users view panel displays the change.
You can manually link a managed user, even if this managed user is already linked. In this case, the new BMC Client Management user replaces the previous one and the two users will no longer share their email IDs. For example, we can relink the managed user with email mdmuser@bmc.com to match a different BMC Client Management user, using the Link User option.
The location inventory integration does not automatically relink users based on their email IDs. If a managed user is already linked, it is not modified. Managed users can also be unlinked.
To unlink managed users, select the relevant rows, right-click, and then select the Unlink User option.
Note
You can also select the Unlink User option from the main menu.
Once you unlink the managed users, they are automatically linked to BMC Client Management users during the next location inventory integration, if the user email IDs match.
You can also remove or retire managed users from their location. By using the Delete option, you can remove the managed user object from the BMC Client Management application, but it still exists in the Apple location. Therefore, the next location synchronization creates that managed user object again. By using the Retire option, you can remove the managed user object both from the BMC Client Management application and Apple location.
To retire Apple managed users, select the relevant rows, right-click, and then select the Retire User option.
Note
You can also select the Retire User option from the main menu.
Because the managed user must also be removed from the Apple location, additional tasks are performed in the mobile device manager, which maintains a configuration status and last status update information for them.
This deletion process requires multiple web service calls. The system then removes the managed user from the application and does not create it again after a successful location inventory integration.
Note
Digital licenses are automatically claimed if the removed user is associated to applications. For managed books, the digital licenses are not claimed and cannot be associated with other managed users.
Managed users creation
To assign managed applications and books to BMC Client Management users, you need to have a linked Apple managed user for each application user. Also, you need to associate these managed users to an iTunes account. If these prerequisites are not fulfilled, the digital licenses association is not established, and the assets installation cannot be performed.
Managed users may already exist in the location, and you can automatically or manually link them to the BMC Client Management users. If not, you need to create new managed users in the Apple locations. This process requires multiple operations to ensure that the users are created, verified, associated, and validated. The managed users configuration status and last status update information is used to perform this process.
Managed users can be created automatically if managed applications or books are associated with BMC Client Management users and no managed users are currently linked to them. You can prevent managed users from being automatically created by using the Enable User Creation option in the Application and Book Management panel from the Mobile Device Management > Configuration > Apple tree node.
Note
An asset installation fails if a managed user is required and cannot be automatically created. Preventing this automatic creation allows you to fully control the association between BMC Client Management users and Apple managed users, through the manual linking process.
The process to create managed users involves multiple steps. Most of them are web service calls to create the managed user in the desired location. However, the association of the newly created managed user with an iTunes account cannot be done automatically. The end user needs to accept the terms and conditions, and manually login to the iTunes account if the user is not connected to the service yet. This process is implemented through a mobile device management notification sent to one mobile device. After getting the notification, the end user needs to read and accept the terms. Then the managed user is moved to the Associated status, and the creation process continues likewise with digital license processing.
The above process is also known as the invitation process, because the system invites the end user to join the program. It makes the whole operation complex because it is asynchronous. The system pauses the asset installation steps until the end user receives the invitation notification and processes it. There is a connection between the BMC Client Management user to whom the asset was assigned and the physical device to which the system sends the invitation: the device needs to be enrolled by the same application user.
The process is time consuming, and the invitation can be lost or retried several times. You can use the User Invitation Count option in the Application and Book Management configuration to configure the number of times the system can send the invitation notification to end users. If you set it to the special value zero, then the system disables the notifications, and the asset installation commands fail. You can also monitor how long notifications have been pending, so that they are marked as lost if they take too long. You configure this delay with the LostAssignmentDelay parameter in the CommandThread section of the Vision64Database.ini configuration file.
When the end user receives and accepts the notification, BMC Client Management synchronizes the managed user again to verify the status. If the status of the managed user is moved to Associated, then the system resumes the asset installation process after the managed user is ready.
Managed asset assignments
You need to perform the digital license assignment before you install the asset on a mobile device. When a managed application or book is associated to a device or user, then a license for this asset is assigned to the device or user before the asset delivery. For managed applications, the assignment is performed at the device or at the user level whereas for managed books, the assignment is done at the user level.
The installation process reaches the asset assignment step only after all the preliminary operations and prerequisites are completed. For example, an asset associated with a managed user needs to follow all the steps that ensure the managed user is ready, including the user association with an iTunes account through a successful 'invite to program' command execution.
The managed asset assignment process creates an association between a device and an asset or between a managed user and an asset. If the association already exists, the process ignores this step as a digital license is already assigned to the recipient. The list of existing asset assignments is part of the synchronized information for each location.
Each synchronized asset assignment includes the following attributes:
- Name: Defines the managed asset unique identifier.
- Pricing Param: Defines the product quality in the iTunes Store. Possible values are STDQ for standard quality and PLUS for high quality.
- Application Name: Defines the name of the application if the asset is a managed application. This value can be empty if no managed application exists in BMC Client Management for this asset identifier.
- Book Name: Defines the name of the book if the asset is a managed book. This value can be empty if no managed book exists in BMC Client Management for this asset identifier.
- Apple User ID: Defines the user unique identifier if the asset is assigned to a managed user.
- Username: Defines the BMC Client Management username if the asset is assigned to a managed user, and if a relationship exists between the managed user and a BMC Client Management user.
- Serial Number: Defines the device unique identifier if the asset is assigned to a managed device.
- Device Name: Defines the BMC Client Management mobile device name if the asset is assigned to a managed device, and if a relationship exists between the managed device and a BMC Client Management mobile device.
- Configuration Status: Defines the asset assignment status at the BMC Client Management level (see Managed Asset Assignments Configuration).
- Last Status Update: Defines the last day and time the asset assignment status was updated (see Managed Asset Assignments Configuration).
Managed asset assignments configuration
You can automatically create asset assignments for managed users and managed mobile devices. If an asset is installed by using the install application for managed applications or install media for managed books, then the system verifies and creates the asset digital license assignment. This process involves multiple web service calls to create, verify and validate the assignment. The system updates the Configuration Status and Last Status Update asset attributes, based on the assignment process.
You can use these attributes when asset allocations are decoupled from the managed user or managed mobile device, as digital licenses can be reclaimed.
- Select the asset assignments and select Disassociate.
This process removes the assignment between a recipient and an asset. As a result, a new digital license becomes available for this asset in the location for which the asset assignment is disassociated. The disassociation process also involves multiple web service calls to remove the asset assignment and validate the operation.
After you validate the disassociation process, the system deletes the asset assignment row, and a new digital license is available.
Note
You cannot disassociate asset assignments between a managed user and a managed book. Digital licenses assigned to managed users are constant and cannot be reclaimed.
Asset assignments can also be deleted from BMC Client Management. In this case, the system removes only the objects from the application. The asset assignments are still referenced in the Apple location and will be created again during the next location synchronization.