Forum Discussion
VPP Licensing Issues
- Jun 13, 2025
I ran into this same issue (Microsoft support case 2409110040011573, opening case submission at the end of this message). Through a lengthy discussion with Microsoft Support (and discussions in the #microsoft-intune channel in MacAdmins Slack: https://macadmins.slack.com/archives/C31HJUSRJ), the best conclusion I could come up with is that Intune doesn't handle multiple app assignments well when those assignments:
- Use the same Intent ("Required", "Available", etc)
- Use different "License Types" ("Device" vs. "User")
- Utilize Filters to target unique devices
Simplified, if you create the following assignments for an app:
- "Required", Group A, "Include" Filter for ADE devices, Device License Type
- "Required", Group B, "Include" Filter for ADUE devices, User License Type
Matching either of these group+Filter assignments and being a member of both Group A & Group B causes Intune to ignore the Filter when picking the particular assignment to deliver the app to the device. IOW, if you match #2 above (User Group B, "Include" Filter for ADUE devices), Intune then evaluates the assignments as follows to determine which assignment (and thus the particular License Type) to deliver:
- "Required", Group A, Device License Type
- "Required", Group B, User License Type
And if the user or device is part of both Group A & Group B, Intune might pick the wrong assignment resulting in the wrong License Type being delivered.
The solution I found was to:
- Create a separate "Location" in Apple Business Manager (call it, say, "ADUE Location")
- Assign/purchase licenses of the app in question to that Location
- Add the Location's VPP token to Intune (thus having two VPP tokens pointing back to the same Apple Business Manager)
This creates a second listing of the App in Intune's App list, and Intune appears to treat the two App entries as separately as it would two absolutely unique apps (e.g. Outlook & Teams). Making the following assignments utilizing the apps listed in Intune for each VPP token:
- Regular Location VPP Token, "Required", User Group, "Include" Filter for ADE devices, Device License Type
- ADUE Location VPP Token, "Required", User Group, "Include" Filter for ADUE devices, User License Type
And everything works as expected--silent installations in all cases. A couple notes:
- This issue & solution also applies to apps with multiple "Available" Intent assignments
- This solution neatly gets around the issue that you can only make one assignment to the "All Users" group, so this combination of assignments for a single app isn't possible:
  - "Available", "All Users", "Include" Filter for ADE devices, Device License Type
  - "Available", "All Users", "Include" Filter for ADUE devices, User License Type
- But with two Locations (and thus two apps), this is possible:
  - Regular Location VPP Token, "Available", "All Users", "Include" Filter for ADE devices, Device License Type
  - ADUE Location VPP Token, "Available", "All Users", "Include" Filter for ADUE devices, User License Type
Case 2409110040011573 Opening Submission
----
I'm attempting to silently distribute Microsoft Authenticator for iOS in two different scenarios on an iPad running iPadOS 17.6.1:
- For devices that have enrolled through Account Driven User Enrollment (ADUE), per "Set up account driven Apple User Enrollment" which in the "Step 1: Set up just in time registration and assign Microsoft Authenticator" section (https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-account-driven-user-enrollment#step-1-set-up-just-in-time-registration-and-assign-microsoft-authenticator) points to this article: https://learn.microsoft.com/en-us/mem/intune/enrollment/set-up-just-in-time-registration#set-up-jit-registration which says in step 11 to "assign Microsoft Authenticator to groups as a required app."
- For devices that enroll into Intune through a particular Automated Device Enrollment (ADE) enrollment profile--one that is set up with User Affinity
Steps taken:
- With the Microsoft Authenticator VPP app in Intune:
  - Added a "Required" assignment to an "Included" Group of Users with an "Include" filter for devices enrolled through an ADUE enrollment with a "User" license type. NOTE: my account is a member of this Group of Users
  - Added a "Required" assignment to an "Included" Dynamic Group of supervised ADE Devices using a "Device" license type
- Enrolled an iPad into Intune via ADE in the desired Enrollment Profile, including signing in via Modern Authentication with my account--triggering User Affinity
Expected Result:
- Microsoft Authenticator is silently installed on the ADE-enrolled iPad, per scenario 6 of the "End-User Prompts for VPP": https://learn.microsoft.com/en-us/mem/intune/apps/vpp-apps-ios#end-user-prompts-for-vpp
Actual Result:
The supervised ADE device displays the following prompt when trying to install Microsoft Authenticator: "Allow App and Book Assignment? [organization] would like to assign apps and books to you."
Comments:
- The ADUE-enrolled iPad successfully silently installs Microsoft Authenticator
- If I remove the Microsoft Authenticator ADUE enrollment app assignment Microsoft Authenticator successfully installs on the ADE-enrolled iPad
- Other apps assigned to the ADE-enrolled iPads install successfully
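The assignment pattern described in the post above can be checked for before deployment. The following is an added example, not part of the original post and not Intune's own evaluation logic: it flags pairs of assignments on the same app entry that share an Intent, differ in License Type, rely on a Filter, and target groups with common members. The field names, group memberships and sample assignments are constructed for illustration.

```python
from itertools import combinations

# Constructed sample data. Field names are hypothetical, not Intune or Graph properties.
GROUPS = {"Group A": {"alice", "bob"}, "Group B": {"bob", "carol"},
          "User Group": {"alice", "bob", "carol"}}

def row(token, group, flt, lic, intent="Required", app="Microsoft Authenticator"):
    return {"app": app, "token": token, "intent": intent,
            "group": group, "filter": flt, "license": lic}

# One VPP token: both assignments sit on the same app entry.
SINGLE_TOKEN = [
    row("Regular Location", "Group A", "ADE devices", "Device"),
    row("Regular Location", "Group B", "ADUE devices", "User"),
]
# Two Locations/tokens: each assignment sits on its own app entry.
TWO_TOKENS = [
    row("Regular Location", "User Group", "ADE devices", "Device"),
    row("ADUE Location", "User Group", "ADUE devices", "User"),
]

def find_license_conflicts(assignments, group_members):
    """Return one finding per risky assignment pair on the same app entry."""
    by_entry = {}
    for a in assignments:
        # An app entry is identified by app name plus the VPP token it came from.
        by_entry.setdefault((a["app"], a["token"]), []).append(a)
    findings = []
    for (app, token), rows in by_entry.items():
        for x, y in combinations(rows, 2):
            if x["intent"] != y["intent"] or x["license"] == y["license"]:
                continue  # different Intent or same License Type: not this pattern
            if not (x["filter"] or y["filter"]):
                continue  # no Filter involved, outside the pattern described
            shared = group_members[x["group"]] & group_members[y["group"]]
            if shared:
                findings.append({"app": app, "token": token,
                                 "intent": x["intent"], "members": sorted(shared)})
    return findings

if __name__ == "__main__":
    print(find_license_conflicts(SINGLE_TOKEN, GROUPS))  # one finding, for bob
    print(find_license_conflicts(TWO_TOKENS, GROUPS))    # no findings
```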
I have a setup a lot like this and haven't run into this issue. We have BYOD (MDM enrolled) and ADE iOS devices with VPP licenses set to device based for both and haven't seen any issues.
Both kinds of devices get a push from Intune to install the apps using VPP and do.
Maybe try device based licensing for both device types and see how you go?
Hope that helps
Danny
Thank you for your reply.
Based on my knowledge (learned through MS docs and trial and error on myself) device based licensing shouldn't work at all for the "user enrollment" method, only for ADE devices.
The only supported licensing method for user enrollment MDM should be VPP user based licensing.
(By the way: device based shouldn't bring up a pop up message at all, that is one of the key benefits of this license method.)
Anyway: You are using app assignments with only "all user -> device based licensing" for both? ADE & User enrollment? Are you using this for required AND available app assignments?
- DBerry2, Oct 17, 2022, Copper Contributor
Hey PatrickF11
Yeah, we are using device based licensing for both BYOD and ADE devices within our deployment and haven't seen any issues. When a BYOD user enrolls they do get pop ups for app installs, but it is using VPP for the licensing and not the user's iCloud account, as the user doesn't have to be logged in to an iCloud account to set up and never has to use one if they don't want to.
I used to also use the same kind of setup on a MobileIron deployment and never had any issues using device based licensing. I've also attached a screen shot of one of our app assignments just so you can see what it looks like.
Hope that helps out.
Thanks
Danny
- Markus Güntner, Jan 18, 2023, Copper Contributor
Hi, you are using the "legacy" device enrolment, not user enrolment. For user enrolment, device licensing is not supported, following the MS docs.
User enrolment mode makes absolute sense, because Apple is partitioning iOS devices into two APFS partitions, but that is only the case for user enrolment. You would have to set up "enrolment types" to enable that.
- PatrickF11, Jan 24, 2023, MCT
Thanks for your reply.
That's what I thought too, he isn't using the user enrollment mode. (Any other mode isn't applicable in my opinion for "real BYOD" scenarios.)
And you're right: As per MS Docs, User licensing is the only thing that should work. (That's why I mentioned in my initial post that I'm already using this as licensing mode.)
Anyway:
Are there any new thoughts on this one?
Is there anyone out there with the same issues? (Or with the same scenario without issues? 😉)
I'm sure it's not that unusual to provide two enrollments:
- BYOD ► User can choose between "App Protection only" (automatically applied to all) or they can enroll in MDM with "user enrollment mode".
- Corporate owned (whether COPE, COBO or COSU) ► The device will get ADE enrolled with an appropriate configuration set.
- PatrickF11, Oct 20, 2022, MCT
DBerry2 Thank you very much for your answer. I'm going to try this next week.
Just for clarification: When you're talking about BYOD you mean the enrollment type "User Enrollment", right? (so not Device Enrollment)
- ABUOBAID, Oct 28, 2022, Copper Contributor
I have the same exact issue ..
user enrolment
unable to apply any App configuration policy to the device since the outlook is not VPP.. I am getting "not applicable"
while I can't install VPP apps to user enrolled device