Updates for managing iOS devices: user enrollment is now supported; purchase and distribute apps using the Apple Volume Purchase program

What’s changing 

We’re expanding mobile device enrollment options for iOS devices to include user enrollment. User enrollment separates work and personal data on iOS devices, giving admins control over Workspace data on the device while users retain privacy over their personal data. 


Additionally, admins can use the Apple Volume Purchase Program (VPP) to purchase and disturbed apps in bulk to user-enrolled iOS devices in their organization. 


Who’s impacted 

Admins and end users 


Why you’d use it 

Managing how Workspace data is accessed is a cornerstone of security. The new user enrollment option ensures end users can keep their personal data separate from their work data, while admins can ensure their users are using and accessing apps appropriately. 


Using the VPP, admins can efficiently curate a suite of work-related apps—both free and paid—for their team. This streamlined process not only simplifies the deployment of essential business apps but also ensures that employees have access to the right apps they need to be productive and efficient, all within the secure perimeter of our MDM platform.


Getting started

Admins: 
  • Volume Purchasing Program:
    • To begin, admins need to access Apple’s volume purchasing program with their Business Manager credentials. Through the VPP, admins can purchase app licenses that can be distributed to their employee’s devices in bulk. 

From the Apple Business Manager, you can purchase app licenses in bulk.


Once purchased, admins will need to download the content token, which needs to be uploaded into the Admin console.


VPP tokens can be uploaded in the Admin console at Devices > Mobile and endpoints > iOS settings > Apple Volume Purchase Program (VPP).


For complete instructions, use this Help Center about distributing iOS apps with Apple VPP and applying settings for iOS devices.

  • End users:

The user enrollment process starts when a user signs-in to an app for the first time or re-signs into an app. They’ll be prompted to begin downloading the configuration profile, which will open in an internet browser with more instructions and information. Once the profile has been downloaded, the user will be directed to their devices settings to complete user enrollment.




Rollout pace


Availability

  • Available to Google Workspace Enterprise Plus, Enterprise Standard, Enterprise Essentials, Enterprise Essentials Plus, Frontline Standard, Frontline Starter, Business Plus, Cloud Identity Premium, Education Standard, Education Plus and Nonprofits customers

Resources




Store Sales Direct Uploads Not Supported in the Google Ads API

As of early October 2023, Google no longer supports Store Sales Direct (SSD) as a standalone product, and therefore SSD conversion upload requests to the Google Ads API are also no longer supported.

Users who were previously allowlisted for this feature will now receive a NOT_ON_ALLOWLIST_FOR_STORE_SALES_DIRECT error when attempting to upload SSD conversions. Existing SSD conversions will continue to be available in reports.

The removal of SSD is part of a simplification of the overall Store Sales product. Users who previously relied on SSD should review the Store Sales onboarding guide to understand if they are eligible for ongoing store sales measurement. If eligible, work with your Google Ads account team to update the feature. Please reference our Upload Store Sales Conversions guide, which has been updated to reflect these changes.

If you have any questions about this change, please feel free to contact us through the forum or at [email protected] for additional help.

- Ben Karl, on behalf of the Google Ads API Team

Two years later: a baseline that drives up security for the industry

Royal Hansen, Vice President of Privacy, Safety and Security Engineering, Google

Nearly half of third-parties fail to meet two or more of the Minimum Viable Secure Product controls. Why is this a problem? Because "98% of organizations have a relationship with at least one third-party that has experienced a breach in the last 2 years."

In this post, we're excited to share the latest improvements to the Minimum Viable Secure Product (MVSP) controls. We'll also shed light on how adoption of MVSP has helped Google improve its security processes, and hope this example will help motivate third-parties to increase their adoption of MVSP controls and thus improve product security across the industry.

About MVSP

In October 2021, Google publicly launched MVSP alongside launch partners. Our original goal remains unchanged: to provide a vendor-neutral application security baseline, designed to eliminate overhead, complexity, and confusion in the end-to-end process of onboarding third-party products and services. It covers themes such as procurement, security assessment, and contract negotiation.




Improvements since launch

As part of MVSP’s annual control review, and our core philosophy of evolution over revolution, the working group sought input from the broader security community to ensure MVSP maintains a balance between security and achievability.

As a result of these discussions, we launched updated controls. Key changes include: expanded guidance around external vulnerability reporting to protect bug hunters, and discouraging additional costs for access to basic security features – inline with CISA’s "Secure-by-Design" principles.

In 2022, we developed guidance on build process security based on SLSA, to reflect the importance of supply chain security and integrity.

From an organizational perspective, in the two years since launching, we've seen the community around MVSP continue to expand. The working group has grown to over 20 global members, helping to diversify voices and broaden expertise. We've also had the opportunity to present and discuss the program with a number of key groups, including an invitation to present at the United Nations International Computing Centre – Common Secure Conference.

Google at the UNICC conference in Valencia, Spain

How Google uses MVSP

Since its inception, Google has looked to integrate improvements to our own processes using MVSP as a template. Two years later, we can clearly see the impact through faster procurement processes, streamlined contract negotiations, and improved data-driven decision making.

Highlights

  • After implementing MVSP into key areas of Google's third-party life-cycle, we've observed a 68% reduction in the time required for third-parties to complete assessment process.

  • By embedding MVSP into select procurement processes, Google has increased data-driven decision making in earlier phases of the cycle.

  • Aligning our Information Protection Addendum’s safeguards with MVSP has significantly improved our third-party privacy and security risk management processes.

You use MVSP to enhance your software or procurement processes by reviewing some common use-cases and adopting them into your third-party risk management and/or contracting workflows .

What's next?

We're invested in helping the industry manage risk posture through continuous improvement, while increasing the minimum bar for product security across the industry.

By making MVSP available to the wider industry, we are helping to create a solid foundation for growing the maturity level of products and services. Google has benefited from driving security and safety improvements through the use of leveled sets of requirements. We expect the same to be true across the wider industry.


We've seen success, but there is still work to be done. Based on initial observations, as mentioned above, 48% of third-parties fail to meet two or more of the Minimum Viable Secure Product controls.


As an industry, we can't stand still when it comes to product security. Help us raise the minimum bar for application security by adopting MVSP and ensuring we as an industry don’t accept anything less than a strong security baseline that works for the wider industry.

Acknowledgements

Google and the MVSP working group would like to thank those who have supported and contributed since its inception. If you'd like to get involved or provide feedback, please reach out.



Thank you to Chris John Riley, Gabor Acs-Kurucz, Michele Chubirka, Anna Hupa, Dirk Göhmann and Kaan Kivilcim from the Google MVSP Group for their contributions to this post.