Forum Discussion

PatrickF11
Steel Contributor
Oct 14, 2022

VPP Licensing Issues

Hi there,

I'm currently getting frustrated by the following problem:

First, the outline:

  • We want users to choose: Do you want to use a personal device? If so you can enroll in MDM with type "User Enrollment".
  • If the user "qualifies" to receive a corporate iOS device, we're using Automated Device Enrollment via ABM

Now on to the issue:

  • App Assignment for the App MS Teams
    • Required:
      • All devices, with an include filter (All ADE Devices), Device based licensing
        • Idea: this should only happen when using corporate devices
    • Available:
      • All Users, with an exclude filter (All ADE devices), User based licensing
        • Idea: All devices which are not corporate should apply this one.
  • App Assignment for the App MS Whiteboard
    • No Required Assignment
    • Available:
      • All Users, with an exclude filter (All ADE devices), User based licensing
        • Idea: All devices which are not corporate should apply this one.
      • Azure AD Security Group with all Users using corporate ios devices, Device based licensing
        • Idea: All devices which ARE corporate should apply this one.

What is the result?

  1. The Whiteboard App is working perfectly:
    1. When using an ADE device, the device-based license is used (therefore a silent installation happens after the user chooses "Install app" from Company Portal).
    2. When using a User Enrolled device, the user-based license is used. Great!
  2. As soon as an app additionally has a required assignment, the whole thing breaks:
    1. When the user on the user enrolled device tries to install the app from Company Portal, nothing happens.
    2. Intune shows the totally misleading error: "Device VPP licensing is only applicable for iOS 9.0+ devices. (0x87D13B69)"
      1. The device is way above 9.0 AND the device shouldn't use device licensing. (Of course User Enrollment doesn't support device licensing.)

I'm totally aware of the fact that we have to use "user based licensing" for User Enrolled devices AND we have to use device based licensing when using ADE and want to install silently or the user doesn't have an Apple ID.

How can we achieve this scenario?

We totally don't want to have to choose between either ADE or User Enrollment.

Any help, as always is highly appreciated. 🙂

Cheers,

Patrick!

19 Replies

  • foigus
    Copper Contributor

    PatrickF11

    I ran into this same issue (Microsoft support case 2409110040011573, opening case submission at the end of this message).  Through a lengthy discussion with Microsoft Support (and discussions in the #microsoft-intune channel in MacAdmins Slack:

    https://macadmins.slack.com/archives/C31HJUSRJ

    ), the best conclusion I could come up with is that Intune doesn't handle multiple app assignments well when those assignments:

    • Use the same Intent ("Required", "Available", etc)
    • Use different "License Types" ("Device" vs. "User")
    • Utilize Filters to target unique devices

    Simplified, if you create the following assignments for an app:

    1. "Required", Group A, "Include" Filter for ADE devices, Device License Type
    2. "Required", Group B, "Include" Filter for ADUE devices, User License Type

    Matching either of these group+Filter assignments and being a member of both Group A & Group B causes Intune to ignore the Filter when picking the particular assignment to deliver the app to the device.  IOW, if you match #2 above (User Group B, "Include" Filter for ADUE devices), Intune then evaluates the assignments as follows to determine which assignment (and thus the particular License Type) to deliver:

    1. "Required", Group A, Device License Type
    2. "Required", Group B, User License Type

    And if the user or device is part of both Group A & Group B, Intune might pick the wrong assignment resulting in the wrong License Type being delivered.

    The solution I found was to:

    • Create a separate "Location" in Apple Business Manager (call it, say, "ADUE Location")
    • Assign/purchase licenses of the app in question to that Location
    • Add the Location's VPP token to Intune (thus having two VPP tokens pointing back to the same Apple Business Manager)

    This creates a second listing of the App in Intune's App list, and Intune appears to treat the two App entries as separately as it would two absolutely unique apps (e.g. Outlook & Teams).  Make the following assignments utilizing the apps listed in Intune for each VPP token:

    • Regular Location VPP Token, "Required", User Group, "Include" Filter for ADE devices, Device License Type
    • ADUE Location VPP Token, "Required", User Group, "Include" Filter for ADUE devices, User License Type

    And everything works as expected--silent installations in all cases.  A couple notes:

    • This issue & solution also applies to apps with multiple "Available" Intent assignments
    • This solution neatly gets around the issue that you can only make one assignment to the "All Users" group, so this combination of assignments for a single app isn't possible:
      • "Available", "All Users", "Include" Filter for ADE devices, Device License Type
      • "Available", "All Users", "Include" Filter for ADUE devices, User License Type
    • But with two Locations (and thus two apps), this is possible:
      • Regular Location VPP Token, "Available", "All Users", "Include" Filter for ADE devices, Device License Type
      • ADUE Location VPP Token, "Available", "All Users", "Include" Filter for ADUE devices, User License Type

    Case 2409110040011573 Opening Submission

    ----

    I'm attempting to silently distribute Microsoft Authenticator for iOS in two different scenarios on an iPad running iPadOS 17.6.1:

    • For devices that have enrolled through Account Driven User Enrollment (ADUE), per "Set up account driven Apple User Enrollment" which in the "Step 1: Set up just in time registration and assign Microsoft Authenticator" section:

    https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-account-driven-user-enrollment#step-1-set-up-just-in-time-registration-and-assign-microsoft-authenticator

    points to this article:

    https://learn.microsoft.com/en-us/mem/intune/enrollment/set-up-just-in-time-registration#set-up-jit-registration

    which says in step 11 to "assign Microsoft Authenticator to groups as a required app."

    • For devices that enroll into Intune through a particular Automated Device Enrollment (ADE) enrollment profile--one that is set up with User Affinity

    Steps taken:

    • With the Microsoft Authenticator VPP app in Intune
      • Added a "Required" assignment to an "Included" Group of Users with an "Include" filter for devices enrolled through an ADUE enrollment with a "User" license type. NOTE my account is a member of this Group of Users
      • Added a "Required" assignment to an "Included" Dynamic Group of supervised ADE Devices using a "Device" license type
    • Enrolled an iPad into Intune via ADE in the desired Enrollment Profile, including signing in via Modern Authentication with my account--triggering User Affinity

    Expected Result:

    • Microsoft Authenticator is silently installed on the ADE-enrolled iPad, per scenario 6 of the "End-User Prompts for VPP":

    https://learn.microsoft.com/en-us/mem/intune/apps/vpp-apps-ios#end-user-prompts-for-vpp

    Actual Result:

    The supervised ADE device displays the following prompt when trying to install Microsoft Authenticator: "Allow App and Book Assignment? [organization] would like to assign apps and books to you."

    Comments:

    • The ADUE-enrolled iPad successfully silently installs Microsoft Authenticator
    • If I remove the Microsoft Authenticator ADUE enrollment app assignment Microsoft Authenticator successfully installs on the ADE-enrolled iPad
    • Other apps assigned to the ADE-enrolled iPads install successfully
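The assignment layouts discussed above (Patrick's Teams setup with device licensing on the Required assignment and user licensing on the Available one, and the same-intent mixed-license case plus the two-Location workaround from foigus's post) can be checked mechanically instead of by reading the portal. The script below is an added example, not code from the thread or from Microsoft: it audits assignment data shaped like Microsoft Graph's `mobileAppAssignment` objects for `iosVppApp` (the `useDeviceLicensing`, `deviceAndAppManagementAssignmentFilterId/Type` and `vppTokenId` property names are Graph's as far as I know them, but every app, id, token and filter below is constructed for illustration), flags any app that mixes license types, treats mixing under one intent as the worse case, and reports which bundle ids are already split across two VPP tokens.

```python
"""Audit iOS VPP app assignments for the mixed-license-type pattern this thread
describes (device-based and user-based licensing assigned to one app).

Input is shaped like Microsoft Graph's
GET /deviceAppManagement/mobileApps?$filter=isof('microsoft.graph.iosVppApp')&$expand=assignments
but every app, id, token and filter below is constructed for this example.
"""
from collections import defaultdict

# Constructed filter catalogue (id -> displayName); a real tenant would read
# these from GET /deviceManagement/assignmentFilters.
FILTERS = {"f-ade": "All ADE Devices", "f-adue": "All ADUE Devices"}


def vpp_assignment(intent, target_type, license_type, filter_id=None, filter_type="none"):
    """Build one mobileAppAssignment carrying iosVppAppAssignmentSettings."""
    return {
        "intent": intent,
        "target": {
            "@odata.type": f"#microsoft.graph.{target_type}",
            "deviceAndAppManagementAssignmentFilterId": filter_id,
            "deviceAndAppManagementAssignmentFilterType": filter_type,
        },
        "settings": {
            "@odata.type": "#microsoft.graph.iosVppAppAssignmentSettings",
            "useDeviceLicensing": license_type == "device",
        },
    }


def vpp_app(app_id, name, bundle_id, token_id, assignments):
    """Minimal iosVppApp record with its expanded assignments (constructed)."""
    return {"@odata.type": "#microsoft.graph.iosVppApp", "id": app_id,
            "displayName": name, "bundleId": bundle_id, "vppTokenId": token_id,
            "assignments": assignments}


# Patrick's Teams layout: different intents, different license types.
TEAMS = vpp_app("app-teams", "Microsoft Teams", "com.microsoft.skype.teams", "token-main", [
    vpp_assignment("required", "allDevicesAssignmentTarget", "device", "f-ade", "include"),
    vpp_assignment("available", "allLicensedUsersAssignmentTarget", "user", "f-ade", "exclude"),
])

# foigus's case before the workaround: same intent, different license types.
AUTH_BEFORE = [vpp_app("app-auth", "Microsoft Authenticator", "com.microsoft.azureauthenticator", "token-main", [
    vpp_assignment("required", "groupAssignmentTarget", "user", "f-adue", "include"),
    vpp_assignment("required", "groupAssignmentTarget", "device", "f-ade", "include"),
])]

# foigus's workaround: one bundle id behind two VPP tokens, one license type each.
AUTH_AFTER = [
    vpp_app("app-auth-main", "Microsoft Authenticator", "com.microsoft.azureauthenticator", "token-main", [
        vpp_assignment("required", "groupAssignmentTarget", "device", "f-ade", "include")]),
    vpp_app("app-auth-adue", "Microsoft Authenticator", "com.microsoft.azureauthenticator", "token-adue", [
        vpp_assignment("required", "groupAssignmentTarget", "user", "f-adue", "include")]),
]


def license_of(assignment):
    """'device' when useDeviceLicensing is set, otherwise 'user'."""
    return "device" if (assignment.get("settings") or {}).get("useDeviceLicensing") else "user"


def describe(assignment):
    """Human-readable 'intent/license -> target (filter)' line for reports."""
    t = assignment["target"]
    kind = t["@odata.type"].rsplit(".", 1)[-1]
    ftype = t.get("deviceAndAppManagementAssignmentFilterType", "none")
    fid = t.get("deviceAndAppManagementAssignmentFilterId")
    where = kind if ftype == "none" or not fid else f"{kind} ({ftype} filter '{FILTERS.get(fid, fid)}')"
    return f"{assignment['intent']}/{license_of(assignment)} -> {where}"


def audit_app(app):
    """Findings for one app. 'warning' = license types mixed anywhere on the app
    (Patrick's breakage); 'error' = mixed under the same intent (foigus's case,
    where the wrong license type may be delivered)."""
    findings = []
    by_intent = defaultdict(list)
    for a in app.get("assignments", []):
        by_intent[a["intent"]].append(a)
    if len({license_of(a) for grp in by_intent.values() for a in grp}) > 1:
        findings.append({"app": app["id"], "severity": "warning",
                         "reason": "device- and user-based licensing mixed on one app",
                         "assignments": [describe(a) for grp in by_intent.values() for a in grp]})
    for intent, grp in by_intent.items():
        if len({license_of(a) for a in grp}) > 1:
            findings.append({"app": app["id"], "severity": "error",
                             "reason": f"'{intent}' assignments use both license types",
                             "assignments": [describe(a) for a in grp]})
    return findings


def audit_tenant(apps):
    """Findings for all apps, plus the bundle ids already split across VPP
    tokens (the per-Location workaround from the thread)."""
    findings = [f for app in apps for f in audit_app(app)]
    tokens = defaultdict(set)
    for app in apps:
        tokens[app["bundleId"]].add(app["vppTokenId"])
    split = {b: sorted(t) for b, t in tokens.items() if len(t) > 1}
    return {"findings": findings, "split_across_tokens": split}


if __name__ == "__main__":
    for label, apps in (("Teams", [TEAMS]), ("Auth before", AUTH_BEFORE), ("Auth after", AUTH_AFTER)):
        print(label, audit_tenant(apps))
```

Against the constructed data the Teams app produces a warning only (license types differ, but each intent is consistent), the pre-workaround Authenticator app produces an error for its two Required assignments, and the two-token layout produces no findings while showing the bundle id split across `token-main` and `token-adue`. To run it against a real tenant, replace the constructed lists with the `$expand=assignments` response and the `assignmentFilters` list; the checks themselves do not change.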
  • JutManGraham
    Copper Contributor
    Regardless of User or Device enrollment, I only use Device licenses. I never mix and match; it causes issues.
    Switch all your software deployments to Device and test. I think you will see you now have 0 issues.
      • JutManGraham
        Copper Contributor

        PatrickF11 

        The problem seems to occur when you publish everything at User License then throw a single Device based license into the mix.  It seems to break down the entire licensing on the device.

        I have published everything as Device License (see attached) regardless of whether it is a user group based install through Company Portal OR publishing as Required to a device based on serial number directly or dynamic group.  We do NOT use the Apple store in any way shape or form.

        We do NOT use the Managed Apple IDs which tie ABM to our internal domain, for multiple reasons.  Mostly these are around not trusting Apple and their data use scenarios.  

        Also, we do not want or allow our colleagues to use the Apple Store, since we regulate what they can install due to security concerns. 

  • I still had this issue for a handful of apps. I did not change the assignment because it should still be fast ("All devices" with filter). What helped was purchasing additional licenses of affected apps in ABM (even if there were enough left) and a quick sync of the token.
  • DBerry2
    Copper Contributor
    Hey Patrick,

    I have a setup a lot like this and haven't run into this issue; we have BYOD (MDM enrolled) and ADE iOS devices with VPP licenses set to device based for both and haven't seen any issues.

    Both kinds of devices get a push from Intune to install the apps using VPP and do.

    Maybe try device based licensing for both device types and see how you go?

    Hope that helps
    Danny
    • PatrickF11
      Steel Contributor

      DBerry2 

      Thank you for your reply.

      Based on my knowledge (learned through MS docs and trial and error on myself) device based licensing shouldn't work at all for the "user enrollment" method, only for ADE devices.

      The only supported licensing method for user enrollment MDM should be VPP user based licensing.

      (by the way: device based shouldn’t bring up a pop up message at all, that is one of the key benefits of this license method). 

      Anyway: you are using app assignments with only "all users -> device based licensing" for both? ADE & User Enrollment? Are you using this for required AND available app assignments?

      • DBerry2
        Copper Contributor

        Hey PatrickF11 

        Yeah, we are using device based licensing for both BYOD and ADE devices within our deployment and haven't seen any issues. When a BYOD user enrolls they do get pop-ups for app installs, but it is using VPP for the licensing and not the user's iCloud account, as the user doesn't have to be logged in to an iCloud account to set up and never has to use one if they don't want to. 

        I used to also use the same kind of setup on a MobileIron deployment and never had any issues using device based licensing. I've also attached a screenshot of one of our app assignments just so you can see what it looks like.

        Hope that helps out.

        Thanks

        Danny
