Forum Discussion
VPP Licensing Issues
- Jun 13, 2025
I ran into this same issue (Microsoft support case 2409110040011573, opening case submission at the end of this message). Through a lengthy discussion with Microsoft Support (and discussions in the #microsoft-intune channel in MacAdmins Slack: https://macadmins.slack.com/archives/C31HJUSRJ), the best conclusion I could come up with is that Intune doesn't handle multiple app assignments well when those assignments:
- Use the same Intent ("Required", "Available", etc)
- Use different "License Types" ("Device" vs. "User")
- Utilize Filters to target unique devices
Simplified, if you create the following assignments for an app:
1. "Required", Group A, "Include" Filter for ADE devices, Device License Type
2. "Required", Group B, "Include" Filter for ADUE devices, User License Type
Matching either of these group+Filter assignments and being a member of both Group A & Group B causes Intune to ignore the Filter when picking the particular assignment to deliver the app to the device. IOW, if you match #2 above (User Group B, "Include" Filter for ADUE devices), Intune then evaluates the assignments as follows to determine which assignment (and thus the particular License Type) to deliver:
- "Required", Group A, Device License Type
- "Required", Group B, User License Type
And if the user or device is part of both Group A & Group B, Intune might pick the wrong assignment resulting in the wrong License Type being delivered.
The solution I found was to:
- Create a separate "Location" in Apple Business Manager (call it, say, "ADUE Location")
- Assign/purchase licenses of the app in question to that Location
- Add the Location's VPP token to Intune (thus having two VPP tokens pointing back to the same Apple Business Manager)
This creates a second listing of the App in Intune's App list, and Intune appears to treat the two App entries as separately as it would two absolutely unique apps (e.g. Outlook & Teams). Making the following assignments utilizing the apps listed in Intune for each VPP token:
- Regular Location VPP Token, "Required", User Group, "Include" Filter for ADE devices, Device License Type
- ADUE Location VPP Token, "Required", User Group, "Include" Filter for ADUE devices, User License Type
And everything works as expected--silent installations in all cases. A couple notes:
- This issue & solution also applies to apps with multiple "Available" Intent assignments
- This solution neatly gets around the issue that you can only make one assignment to the "All Users" group, so this combination of assignments for a single app isn't possible:
  - "Available", "All Users", "Include" Filter for ADE devices, Device License Type
  - "Available", "All Users", "Include" Filter for ADUE devices, User License Type
- But with two Locations (and thus two apps), this is possible:
  - Regular Location VPP Token, "Available", "All Users", "Include" Filter for ADE devices, Device License Type
  - ADUE Location VPP Token, "Available", "All Users", "Include" Filter for ADUE devices, User License Type
Case 2409110040011573 Opening Submission
----
I'm attempting to silently distribute Microsoft Authenticator for iOS in two different scenarios on an iPad running iPadOS 17.6.1:
- For devices that have enrolled through Account Driven User Enrollment (ADUE), per "Set up account driven Apple User Enrollment" which in the "Step 1: Set up just in time registration and assign Microsoft Authenticator" section: https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-account-driven-user-enrollment#step-1-set-up-just-in-time-registration-and-assign-microsoft-authenticator points to this article: https://learn.microsoft.com/en-us/mem/intune/enrollment/set-up-just-in-time-registration#set-up-jit-registration which says in step 11 to "assign Microsoft Authenticator to groups as a required app."
- For devices that enroll into Intune through a particular Automated Device Enrollment (ADE) enrollment profile--one that is set up with User Affinity
Steps taken:
- With the Microsoft Authenticator VPP app in Intune
  - Added a "Required" assignment to an "Included" Group of Users with an "Include" filter for devices enrolled through an ADUE enrollment with a "User" license type. NOTE my account is a member of this Group of Users
  - Added a "Required" assignment to an "Included" Dynamic Group of supervised ADE Devices using a "Device" license type
- Enrolled an iPad into Intune via ADE in the desired Enrollment Profile, including signing in via Modern Authentication with my account--triggering User Affinity
Expected Result:
- Microsoft Authenticator is silently installed on the ADE-enrolled iPad, per scenario 6 of the "End-User Prompts for VPP": https://learn.microsoft.com/en-us/mem/intune/apps/vpp-apps-ios#end-user-prompts-for-vpp
Actual Result:
The supervised ADE device displays the following prompt when trying to install Microsoft Authenticator: "Allow App and Book Assignment? [organization] would like to assign apps and books to you."
Comments:
- The ADUE-enrolled iPad successfully silently installs Microsoft Authenticator
- If I remove the Microsoft Authenticator ADUE enrollment app assignment, Microsoft Authenticator successfully installs on the ADE-enrolled iPad
- Other apps assigned to the ADE-enrolled iPads install successfully
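
The following is an added example, not part of the original post and not Microsoft's code: a check for the assignment pattern the post describes (one Intune app entry, same Intent, mixed License Types, split by Filters), run against the single-token layout and against the two-Location workaround. The record fields and sample data are constructed for illustration and are not an Intune export format.

```python
from collections import defaultdict

# Constructed sample records; field names are hypothetical, not an Intune export format.
SINGLE_TOKEN = [
    {"app": "Microsoft Authenticator", "token": "Regular Location", "intent": "Required",
     "group": "Group A", "filter": "ADE devices", "license": "Device"},
    {"app": "Microsoft Authenticator", "token": "Regular Location", "intent": "Required",
     "group": "Group B", "filter": "ADUE devices", "license": "User"},
]

# The post's workaround: the User-licensed assignment is made on the app entry
# that belongs to a second VPP token ("ADUE Location").
TWO_TOKENS = [
    dict(SINGLE_TOKEN[0]),
    dict(SINGLE_TOKEN[1], token="ADUE Location"),
]


def risky_assignments(assignments):
    """Return sorted (app, token, intent) keys that match the pattern from the post:
    one app entry, same intent, more than one license type, at least one filter."""
    buckets = defaultdict(list)
    for a in assignments:
        # Each VPP token produces its own app entry, so the token is part of the key.
        buckets[(a["app"], a["token"], a["intent"])].append(a)

    flagged = []
    for key, rows in sorted(buckets.items()):
        license_types = {r["license"] for r in rows}
        uses_filter = any(r.get("filter") for r in rows)
        if len(rows) > 1 and len(license_types) > 1 and uses_filter:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for name, data in (("single token", SINGLE_TOKEN), ("two tokens", TWO_TOKENS)):
        result = risky_assignments(data)
        print(f"{name}: {result if result else 'no mixed-license assignments'}")
```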