The New Challenge for Institutions with Purchasing Apple Software: Apple IDs and the App Store

INTRODUCTION

Whitman College Technology Services has problems with Apple IDs and the Apple App Store.  In this post, I’ll describe those problems and explain the strategies we are employing to address them.

DEFINING THE APPLE ID

Apple has decided that all new or upgraded software (I’ll call them “apps”) for Mac OS X and iOS will be distributed almost exclusively through its App Store.  To buy from the App Store, the purchaser needs an Apple ID.  The Apple ID is a system of authentication (a username and password) which individuals can create for use with a variety of Apple products and resources, in this case the App Store.  The Apple ID username is tied to an email address, such as johndoe@institutionname.edu.  (Wikipedia has more specifics on Apple IDs.)  Once an app is purchased, it is tied to the Apple ID under which it was purchased.  This means that if the app is damaged or lost, it can be downloaded again for free, and that updates to the app can be downloaded only by authenticating with that Apple ID.

BUT THE PROBLEM IS…

As noted above, Apple IDs are used by “a person” or “individuals.”  This creates two main complications for institutions, enterprises, companies, and groups (henceforth “institutions”) who seek to centrally control software purchase and management:

  1. When an app is purchased, by Apple’s terms of use, that software becomes the property of the Apple ID, regardless of whether institutional funds were used in the original purchase, and cannot be transferred to another person.  Unregulated, this has the potential to drive up software costs for the institution, since control of software ownership can be legally lost.
    — If the end user purchases an app with institutional funds using a non-institutional Apple ID username, e.g. johndoe@gmail.com, then the end user will own the app outright, even if they leave the institution.
    — If the end user purchases an app using an Apple ID username associated with the institution, e.g. johndoe@institutionname.edu, and leaves the institution and/or wishes to transfer ownership of the app, too bad:  this is not possible.
  2. Site or volume licensed apps purchased by central IT can be distributed around the institution.  However, since the original app must be downloaded from the App Store with a single Apple ID, the only way for end users to update their apps is to know the original purchaser’s Apple ID credentials.  In essence, this would mean that everyone at the institution who uses the app(s) would share the same Apple ID, which is an untenable solution for institutions.

WHITMAN COLLEGE’S STRATEGIES IN RESPONSE

According to our research, Apple does not currently have enterprise-level tools or solutions for institutions to manage Apple IDs or purchasing through the App Store.  However, in consultation with Apple, Whitman College Technology Services (WCTS) has developed the following strategies for purchase and management.  None of the strategies is without drawbacks or limitations, and all are subject to change as circumstances change.

For iOS devices (iPhone, iPad, iPod Touch):  the email alias

In order to retain ownership of apps, WCTS has begun creating email aliases for individuals who wish to purchase apps using institutional funds.  The alias is directed to the email account of the individual who will purchase the app.  The email alias can be used to create an Apple ID.  If the individual leaves the institution or transfer of the app to another individual is desired, the email alias can be directed to a new individual by WCTS.

Generic example:  Professor John Doe in the Zoology Department wants to purchase Final Cut Pro.  The IT department assigns him the email alias zoology01@institutionname.edu (which routes to his email, johndoe@institutionname.edu), and this alias becomes his Apple ID username.  He sets his own password for the Apple ID, and IT creates the security question and answer.  Time passes and Professor Doe leaves the institution.  IT reassigns zoology01@institutionname.edu to a new faculty member, enabling that person to “own” and update Final Cut Pro.  In the process, IT accesses the Apple ID account using the security question and answer to reset the password.

The greatest drawback WCTS has discovered with the email alias system is scalability.  Currently, we have fewer than 25 email aliases on campus created for this purpose, but as time passes and the number of aliases grows dramatically, management of this system may become quite difficult.
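One way to keep the alias scheme manageable as it grows is to audit a registry of Apple IDs against the staff directory. The script below is an added example, not WCTS's own tooling; the record layout, the finding names and every address other than those used in this post are assumptions made for illustration.

```python
from dataclasses import dataclass, field

INSTITUTION_DOMAIN = "institutionname.edu"  # placeholder domain from the post

@dataclass
class AppleIdRecord:
    apple_id: str      # address used as the Apple ID username
    routes_to: list    # mailboxes the alias delivers to (empty if not an alias)
    apps: list = field(default_factory=list)

def audit(records, active_staff):
    """Return {apple_id: [finding, ...]} for every record that needs attention."""
    active = {m.lower() for m in active_staff}
    findings = {}
    for rec in records:
        issues = []
        domain = rec.apple_id.rsplit("@", 1)[-1].lower()
        if domain != INSTITUTION_DOMAIN:
            # Apps bought under a personal Apple ID leave with the employee.
            issues.append("personal-id")
        else:
            live = [m for m in rec.routes_to if m.lower() in active]
            if not live:
                # Nobody on staff receives mail for this Apple ID: reassign it.
                issues.append("orphaned")
            elif len(live) < len(rec.routes_to):
                # A departed person still receives mail sent to this Apple ID.
                issues.append("stale-recipient")
            if len(live) > 1:
                # Several people behind one alias means one shared Apple ID.
                issues.append("shared")
        if issues:
            findings[rec.apple_id] = issues
    return findings

# Constructed sample data (hypothetical names and addresses).
ACTIVE_STAFF = ["johndoe@institutionname.edu", "jane@institutionname.edu",
                "bob@institutionname.edu"]
RECORDS = [
    AppleIdRecord("zoology01@institutionname.edu", ["johndoe@institutionname.edu"], ["Final Cut Pro"]),
    AppleIdRecord("zoology02@institutionname.edu", ["gone@institutionname.edu"], ["Aperture"]),
    AppleIdRecord("chem01@institutionname.edu",
                  ["jane@institutionname.edu", "bob@institutionname.edu", "gone@institutionname.edu"]),
    AppleIdRecord("johndoe@gmail.com", [], ["Keynote"]),
]

if __name__ == "__main__":
    for apple_id, issues in audit(RECORDS, ACTIVE_STAFF).items():
        print(apple_id, issues)
```

Run against an export of the mail system's alias table and the HR directory, the "orphaned" and "stale-recipient" findings mark the Apple IDs whose alias routing and password should be reset before anything else.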

A different possible solution is to use the Casper Suite for iOS for management.  WCTS is beginning to explore this option.

Mac OS X devices (desktops, notebooks) in faculty/staff offices

As of OS 10.7 Lion, Mac OS X devices (I’ll call them “computers”) have begun to require an Apple ID for updating all non-core OS Apple software (e.g. iPhoto, Keynote, Final Cut Pro, etc).  This means that when an image is created and then distributed, end users can run Apple apps, but cannot update them without the Apple ID credentials used by WCTS staff during the image creation process.

Rather than follow the same procedures outlined above for iOS devices, at Apple’s suggestion, we are looking for ways to distribute (push?) updates to Apple apps from on campus.  According to Apple, when an update is available for an Apple app, what is available for download via the App Store is not an update package for an existing app.  Rather, it is a brand new application that replaces the existing application on the end user’s computer.  Thus, it is possible for an IT organization to use its own Apple ID credentials (the same ones used during the image creation process) to download the update (i.e. the “new” app), then distribute that app to its end users.  (Naturally, IT must have the appropriate number of licenses to do this.)  Apple recommended that this distribution be done via a software management technology, such as Casper Suite for OS X.  WCTS is beginning to explore this option.

Only one final element remains.  For apps meant for widespread campus distribution, it is likely that an IT organization will purchase licenses through the Apple Education Licensing Program or Apple Volume Licensing.  In such a purchase, Apple will provide download codes, 1 per seat.  For example, 500 seats of iPhoto will result in 500 download codes.  In creating an image for distribution on campus, only one download code needs redemption.  The remaining codes need only be securely stored.

Mac OS X devices (desktops, notebooks) in Labs

In labs maintained by WCTS, the WCTS Apple ID will be used exclusively to create and update lab images.  Since end users do not administer lab computers, control for WCTS is relatively simple.  Apple suggested that we consider creating different Apple IDs for our different labs, but at present we will not pursue this.  Our strategy for labs will probably not scale for medium and large size institutions.  For them, the strategy described above for “Mac OS X devices in faculty/staff offices” might be more appropriate.

*****

An alternative method:  “consumable cost”

To avoid all Apple ID management issues, an alternative strategy to the ones above is for the institution to relinquish ownership of apps, discontinuing the system of app management.  In this strategy, apps are treated as a consumable supply.  Money is spent, and the app becomes the personal property of the individual employee.  The drawback to this method is that it could over time dramatically increase overall software costs for the institution.  WCTS is currently not employing this method, though it has recognized that, due to the ease of creating Apple IDs and purchasing apps, individuals on campus may already be employing this method (not knowing about the complications described in this document) regardless of any of WCTS’s strategies.

FINALLY…

If you’ve read through this article, I suspect your institution is having the same challenges as Whitman with Apple IDs and the App Store.  Apple claims to be aware of the challenges for institutions, but in typical Apple style, is tight-lipped about the future solutions they might or might not offer. We have consulted with Apple in creating our strategies.  Nonetheless, in reading all of this, are we missing something?  Have you discovered different strategies than ours at your institution?  I welcome your comments and ideas!

9 Responses

  1. Adam Nielsen says:

    In your section on iOS devices (using email aliases) how would you handle a user having 2 or more apps assigned to their alias but only wanting to “give up” one of them, or wanting to “split up” who gets what apps when that person leaves. For example, if Joe Blow has Final Cut Pro and Aperture assigned to zoology01@institutionname.edu and Joe leaves the institution and you want to give Jane Blow Final Cut Pro and Bob Jones Aperture, you couldn’t do that with the solution described, could you? I suspect with Apple’s model of requiring an Apple ID for all of their App Store purchases users will soon have dozens of apps “assigned” to their Apple ID (alias or not).

    • David says:

      Adam, you’re absolutely right. I was thinking about this very issue when I was editing my post. There’s no real pretty solution for the scenario you’re describing. One nice thing about email aliases is that you can have multiple people assigned to them. One solution would be to have Jane and Bob using the same email alias, and therefore the same Apple ID. That solution is just barely above “better than nothing.” Another solution, that might be better– if the two faculty/staff were in the same department, which would be a likely scenario at Whitman– would be to reassign the Apple ID to IT. Then with IT help, give App #1 to Jane, and App #2 to Bob. They can use them, but can’t update them. IT does the updates at their request (perhaps by employing Casper Suite or something else). This second solution is probably ok if it’s done on a case by case basis, and there aren’t a lot of cases… but I can’t imagine this scaling well for medium and large sized institutions.

      Bottom line is this is a mess! What’s going to happen if in future OSs, Apple *requires* an Apple ID just to have an account on the computer? What’s going to happen if Apple brings its “walled garden of apps” approach from iOS to OS X? Seems to me Apple will have to make a more firm choice sooner or later: “shall we pursue the individual customer exclusively, or do we do also sell to institutions?” Right now, I’m not that convinced that in the long run they’re that interested in the latter…

  2. Ryan Ingersoll says:

    Hi David, It sounds like you are in the thick of it. These are the questions I’ve been asking myself and Apple. Thanks for your extensive outline of the process you’ve gone through.

    One suggestion Apple gave me was to make an Apple ID for each device/machine. This could work in theory, but could be a lot to manage. Maybe the English department has 10 computers. Apple ID could be [school].[dept].[xxx]@apple.com or in my case, spu.eng.001@apple.com. The user of the computer could change the billing information to their own or the purchase card issued to them. Then when the person leaves the account still exists and you don’t have to worry about someone’s name attached to it. Change the billing information and give it back to the new employee.

    If spu.eng.001 doesn’t want Final Cut Pro then maybe they could switch with spu.theo.030. I am pretty sure you can change the Apple ID login pretty easily as with the email address attached to it. But, I have not actually done this.

    I currently have one Apple ID I use for purchases, but I am working with library computers only. For software that I need more than one copy I purchased the boxed version (they still have iLife 2011!) and for Lion I paid for the volume license.

    I do hope Apple decides, commits, and offers an easy solution for educational institutions.

    I think your point about software becoming a consumable is very interesting. I never really thought of that, but it can make sense. Apps seem to be updated and are cheaper than they used to be. Maybe as paper use goes down (at least we try!) money could be increased for “consumable” software…

    Thanks for your post!
    Ryan

    • David says:

      Thanks for your thoughtful response, Ryan. Yes, I suppose the method Apple suggested to you would be another way to approach this, although with more and more Apple devices showing up, this could get kind of hairy. The element that I find most challenging is Apple essentially telling us “hey, you get to take care of managing all of this.” Also, I find it daunting that Apple would tell us one thing and you another…

      As far as consumable costs– this becomes very appealing when you’re talking about $10 apps (or cheaper or more expensive). It’s the ones that cost several hundred dollars that really give me pause.

      • Ryan Ingersoll says:

        “Also, I find it daunting that Apple would tell us one thing and you another…” I really don’t think Apple fully understands the ramifications of an Apple ID/App Store only method. Or, they don’t care. Probably the latter.

      • Ryan Ingersoll says:

        Hi again, I just found Apple’s Volume Purchase Program (http://www.apple.com/education/volume-purchase-program/).

        In the FAQ it says “Who owns the content purchased by an institution through the Volume Purchase Program?
        In the case of apps, your institution has the option of retaining ownership of the app. When a student moves on, your institution can make the app available to another student. In the case of books, the student as the end user must redeem the book using his or her own Apple ID, and the student owns the book.”

        I wonder if this could work?

  3. All of this speaks to a layered ownership model. Cart based iOS devices can be managed for Apps with VPP codes using configurator. The device comes back to configurator, gets wiped and VPP codes returned. But, that only works in COMPLETE institutional ownership. If there are user apps on the machine when it comes back to configurator, they are wiped along with the data.

    It is my understanding that all of the iOS MDM solutions do the same thing: Push a link to the end client to download the app. They do push with the link the VPP redemption code so the app is pre-purchased so to speak. There ends the institutional ownership of the app. Thus the need for an Apple ID per device. Then comes the fun of creating those. Someone actually built an app to do this, but it only saves time once you get into the range of 25 IDs.

    Remember, to create >3 IDs from one machine, you need to get the IP (internal and external) whitelisted by EDU support. I am working with VPP on that now.

    Oh.. this does not need to be this difficult… volume licensing, apps call home, check volume number, done. But now that Apple is BIG time consumer, there is less reason ($) to jump on the EDU volume process. Soon come as they say down here…

    Gil Anspacher, Technology Coordinator
    Virgin Islands Montessori School & Peter Gruber International Academy

  4. Betsy Kelly says:

    Hi, now that several months have passed since you posted this, can you tell us which method you chose for managing Mac OS X devices? With just a few installations of Final Cut we are able to keep control over the updates with an Apple ID account for our IT department to use, but we are still trying to figure out the best method for managing IDs. We have yet to create separate Apple IDs for each device, and it’s possible we would use our department Apple ID for expensive software, and purchase iTunes gift cards so that staff could buy cheaper apps and consider them consumables. Putting that in writing just now made me like that idea even more. We are in the process of buying Casper Suite, but that’s a ways off and I’m still unclear how we will be managing app store updates. Any thoughts you would like to share would be greatly appreciated.

  1. March 8, 2012

    […] a follow up to my post several weeks ago on managing Apple software, here’s some interesting news from Apple (completely overshadowed by everything else […]
