Forum Discussion
VPP Licensing Issues
- Jun 13, 2025
I ran into this same issue (Microsoft support case 2409110040011573, opening case submission at the end of this message). Through a lengthy discussion with Microsoft Support (and discussions in the #microsoft-intune channel in MacAdmins Slack: https://macadmins.slack.com/archives/C31HJUSRJ), the best conclusion I could come up with is that Intune doesn't handle multiple app assignments well when those assignments:
- Use the same Intent ("Required", "Available", etc)
- Use different "License Types" ("Device" vs. "User")
- Utilize Filters to target unique devices
Simplified, if you create the following assignments for an app:
- "Required", Group A, "Include" Filter for ADE devices, Device License Type
- "Required", Group B, "Include" Filter for ADUE devices, User License Type
Matching either of these group+Filter assignments and being a member of both Group A & Group B causes Intune to ignore the Filter when picking the particular assignment to deliver the app to the device. IOW, if you match #2 above (User Group B, "Include" Filter for ADUE devices), Intune then evaluates the assignments as follows to determine which assignment (and thus the particular License Type) to deliver:
- "Required", Group A, Device License Type
- "Required", Group B, User License Type
And if the user or device is part of both Group A & Group B, Intune might pick the wrong assignment resulting in the wrong License Type being delivered.
The solution I found was to:
- Create a separate "Location" in Apple Business Manager (call it, say, "ADUE Location")
- Assign/purchase licenses of the app in question to that Location
- Add the Location's VPP token to Intune (thus having two VPP tokens pointing back to the same Apple Business Manager)
This creates a second listing of the App in Intune's App list, and Intune appears to treat the two App entries as separately as it would two absolutely unique apps (e.g. Outlook & Teams). Making the following assignments utilizing the apps listed in Intune for each VPP token:
- Regular Location VPP Token, "Required", User Group, "Include" Filter for ADE devices, Device License Type
- ADUE Location VPP Token, "Required", User Group, "Include" Filter for ADUE devices, User License Type
And everything works as expected--silent installations in all cases. A couple notes:
- This issue & solution also applies to apps with multiple "Available" Intent assignments
- This solution neatly gets around the issue that you can only make one assignment to the "All Users" group, so this combination of assignments for a single app isn't possible:
  - "Available", "All Users", "Include" Filter for ADE devices, Device License Type
  - "Available", "All Users", "Include" Filter for ADUE devices, User License Type
- But with two Locations (and thus two apps), this is possible:
  - Regular Location VPP Token, "Available", "All Users", "Include" Filter for ADE devices, Device License Type
  - ADUE Location VPP Token, "Available", "All Users", "Include" Filter for ADUE devices, User License Type
Case 2409110040011573 Opening Submission
----
I'm attempting to silently distribute Microsoft Authenticator for iOS in two different scenarios on an iPad running iPadOS 17.6.1:
- For devices that have enrolled through Account Driven User Enrollment (ADUE), per "Set up account driven Apple User Enrollment" which in the "Step 1: Set up just in time registration and assign Microsoft Authenticator" section (https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-account-driven-user-enrollment#step-1-set-up-just-in-time-registration-and-assign-microsoft-authenticator) points to this article (https://learn.microsoft.com/en-us/mem/intune/enrollment/set-up-just-in-time-registration#set-up-jit-registration), which says in step 11 to "assign Microsoft Authenticator to groups as a required app."
- For devices that enroll into Intune through a particular Automated Device Enrollment (ADE) enrollment profile--one that is set up with User Affinity
Steps taken:
- With the Microsoft Authenticator VPP app in Intune:
  - Added a "Required" assignment to an "Included" Group of Users with an "Include" filter for devices enrolled through an ADUE enrollment with a "User" license type. NOTE: my account is a member of this Group of Users
  - Added a "Required" assignment to an "Included" Dynamic Group of supervised ADE Devices using a "Device" license type
- Enrolled an iPad into Intune via ADE in the desired Enrollment Profile, including signing in via Modern Authentication with my account--triggering User Affinity
Expected Result:
- Microsoft Authenticator is silently installed on the ADE-enrolled iPad, per scenario 6 of the "End-User Prompts for VPP":
https://learn.microsoft.com/en-us/mem/intune/apps/vpp-apps-ios#end-user-prompts-for-vpp
Actual Result:
The supervised ADE device displays the following prompt when trying to install Microsoft Authenticator: "Allow App and Book Assignment? [organization] would like to assign apps and books to you."
Comments:
- The ADUE-enrolled iPad successfully silently installs Microsoft Authenticator
- If I remove the Microsoft Authenticator ADUE enrollment app assignment Microsoft Authenticator successfully installs on the ADE-enrolled iPad
- Other apps assigned to the ADE-enrolled iPads install successfully
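An audit check for the assignment pattern described in the post above, as an added example that is not part of the original post or of any Microsoft tooling: it flags app entries whose assignments share an Intent but mix Device and User license types. The `target` and `settings` fields follow the shape of Microsoft Graph `mobileAppAssignment` objects; the `appEntry` key, the helper names, and all group and filter IDs are constructed for illustration.

```python
from collections import defaultdict

def license_type(assignment):
    """Map iosVppAppAssignmentSettings.useDeviceLicensing to the portal label."""
    return "Device" if assignment["settings"]["useDeviceLicensing"] else "User"

def find_mixed_license_assignments(assignments):
    """Return {(app_entry, intent): [assignments]} for every app entry whose
    assignments share an intent but mix Device and User license types."""
    buckets = defaultdict(list)
    for a in assignments:
        buckets[(a["appEntry"], a["intent"])].append(a)
    return {key: group for key, group in buckets.items()
            if len({license_type(a) for a in group}) > 1}

def report(assignments):
    """One line per risky (app entry, intent) pair, listing group/filter=license."""
    lines = []
    for (app, intent), group in sorted(find_mixed_license_assignments(assignments).items()):
        detail = ", ".join(
            f'{a["target"]["groupId"]}/'
            f'{a["target"]["deviceAndAppManagementAssignmentFilterId"]}={license_type(a)}'
            for a in group)
        lines.append(f"{app} [{intent}]: {detail}")
    return lines

def _assign(app_entry, intent, group, flt, device):
    # Constructed record; "appEntry" is a hypothetical key naming the app
    # listing (one listing per VPP token), not a Graph property.
    return {"appEntry": app_entry, "intent": intent,
            "target": {"groupId": group,
                       "deviceAndAppManagementAssignmentFilterId": flt,
                       "deviceAndAppManagementAssignmentFilterType": "include"},
            "settings": {"useDeviceLicensing": device}}

# Constructed sample 1: one VPP token, one app entry, both license types.
SINGLE_TOKEN = [
    _assign("Authenticator (Regular Location)", "required", "group-a", "filter-ade", True),
    _assign("Authenticator (Regular Location)", "required", "group-b", "filter-adue", False),
]
# Constructed sample 2: the two-Location layout, one license type per app entry.
TWO_TOKENS = [
    _assign("Authenticator (Regular Location)", "required", "users", "filter-ade", True),
    _assign("Authenticator (ADUE Location)", "required", "users", "filter-adue", False),
]

if __name__ == "__main__":
    print(report(SINGLE_TOKEN))   # one flagged entry
    print(report(TWO_TOKENS))     # nothing flagged
```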
Switch all your software deployments to Device and test. I think you will see you now have 0 issues.
- PatrickF11, Dec 04, 2023, MCT
Even though I currently don't have any issues left: It is not possible to use device based licensing for every device, because user enrolled devices in fact NEED user based licensing.
(because device-based licensing isn't supported on user enrolled devices. This is outlined here:
Manage Apple volume-purchased apps - Microsoft Intune | Microsoft Learn)
- JutManGraham, Dec 05, 2023, Brass Contributor
The problem seems to occur when you publish everything at User License then throw a single Device based license into the mix. It seems to break down the entire licensing on the device.
I have published everything as Device License (see attached) regardless of if it is a user group based install through Company Portal OR publishing as Required to a device based on serial number directly or dynamic group. We do NOT use the Apple store in any way shape or form.
We do NOT use the Managed Apple IDs which tie ABM to our internal domain for multiple reasons. Mostly which are around not trusting Apple and their data use scenarios.
Also, we do not want or allow our colleagues to the Apple Store since we regulate what they can install due to security concerns.
- PatrickF11, Dec 05, 2023, MCT
Thank you for your reply.
I understand what you are saying but based on your screenshot I can’t see what type of devices you are using. Just in case we’re talking of different things:
When I say “user enrolled devices” I’m talking of personal devices using the deployment method called “user enrollment”. This isn’t the same thing as a corporate device enrolled via ADE as “enrolled with user affinity”. These are two totally different types of device management and app management. And for my understanding these types need different vpp app assignment. Regarding your screenshot: it doesn’t matter whether you’re using required assignment or available assignment in case of speaking of device based or user based licensing. And I’m not talking of groups containing users or devices.
All my concerns and ideas belong to the different deployment types and the different needs of vpp.
I hope I can express this right?
I already talked a lot to Microsoft’s support and the basics are totally clear to me (and to Microsoft :-D).