Forum Discussion
VPP Licensing Issues
- Jun 13, 2025
I ran into this same issue (Microsoft support case 2409110040011573, opening case submission at the end of this message). Through a lengthy discussion with Microsoft Support (and discussions in the #microsoft-intune channel in MacAdmins Slack: https://macadmins.slack.com/archives/C31HJUSRJ), the best conclusion I could come up with is that Intune doesn't handle multiple app assignments well when those assignments:
- Use the same Intent ("Required", "Available", etc)
- Use different "License Types" ("Device" vs. "User")
- Utilize Filters to target unique devices
Simplified, if you create the following assignments for an app:
- "Required", Group A, "Include" Filter for ADE devices, Device License Type
- "Required", Group B, "Include" Filter for ADUE devices, User License Type
Matching either of these group+Filter assignments and being a member of both Group A & Group B causes Intune to ignore the Filter when picking the particular assignment to deliver the app to the device. IOW, if you match #2 above (User Group B, "Include" Filter for ADUE devices), Intune then evaluates the assignments as follows to determine which assignment (and thus the particular License Type) to deliver:
- "Required", Group A, Device License Type
- "Required", Group B, User License Type
And if the user or device is part of both Group A & Group B, Intune might pick the wrong assignment resulting in the wrong License Type being delivered.
The solution I found was to:
- Create a separate "Location" in Apple Business Manager (call it, say, "ADUE Location")
- Assign/purchase licenses of the app in question to that Location
- Add the Location's VPP token to Intune (thus having two VPP tokens pointing back to the same Apple Business Manager)
This creates a second listing of the App in Intune's App list, and Intune appears to treat the two App entries as separately as it would two absolutely unique apps (e.g. Outlook & Teams). Making the following assignments utilizing the apps listed in Intune for each VPP token:
- Regular Location VPP Token, "Required", User Group, "Include" Filter for ADE devices, Device License Type
- ADUE Location VPP Token, "Required", User Group, "Include" Filter for ADUE devices, User License Type
And everything works as expected--silent installations in all cases. A couple notes:
- This issue & solution also applies to apps with multiple "Available" Intent assignments
- This solution neatly gets around the issue that you can only make one assignment to the "All Users" group, so this combination of assignments for a single app isn't possible:
  - "Available", "All Users", "Include" Filter for ADE devices, Device License Type
  - "Available", "All Users", "Include" Filter for ADUE devices, User License Type
- But with two Locations (and thus two apps), this is possible:
  - Regular Location VPP Token, "Available", "All Users", "Include" Filter for ADE devices, Device License Type
  - ADUE Location VPP Token, "Available", "All Users", "Include" Filter for ADUE devices, User License Type
Case 2409110040011573 Opening Submission
----
I'm attempting to silently distribute Microsoft Authenticator for iOS in two different scenarios on an iPad running iPadOS 17.6.1:
- For devices that have enrolled through Account Driven User Enrollment (ADUE), per "Set up account driven Apple User Enrollment" which in the "Step 1: Set up just in time registration and assign Microsoft Authenticator" section (https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-account-driven-user-enrollment#step-1-set-up-just-in-time-registration-and-assign-microsoft-authenticator) points to this article: https://learn.microsoft.com/en-us/mem/intune/enrollment/set-up-just-in-time-registration#set-up-jit-registration which says in step 11 to "assign Microsoft Authenticator to groups as a required app."
- For devices that enroll into Intune through a particular Automated Device Enrollment (ADE) enrollment profile--one that is set up with User Affinity
Steps taken:
- With the Microsoft Authenticator VPP app in Intune
  - Added a "Required" assignment to an "Included" Group of Users with an "Include" filter for devices enrolled through an ADUE enrollment with a "User" license type. NOTE my account is a member of this Group of Users
  - Added a "Required" assignment to an "Included" Dynamic Group of supervised ADE Devices using a "Device" license type
- Enrolled an iPad into Intune via ADE in the desired Enrollment Profile, including signing in via Modern Authentication with my account--triggering User Affinity
Expected Result:
- Microsoft Authenticator is silently installed on the ADE-enrolled iPad, per scenario 6 of the "End-User Prompts for VPP": https://learn.microsoft.com/en-us/mem/intune/apps/vpp-apps-ios#end-user-prompts-for-vpp
Actual Result:
The supervised ADE device displays the following prompt when trying to install Microsoft Authenticator: "Allow App and Book Assignment? [organization] would like to assign apps and books to you."
Comments:
- The ADUE-enrolled iPad successfully silently installs Microsoft Authenticator
- If I remove the Microsoft Authenticator ADUE enrollment app assignment Microsoft Authenticator successfully installs on the ADE-enrolled iPad
- Other apps assigned to the ADE-enrolled iPads install successfully
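An offline check for the assignment pattern described in the post above, added here as an example and not part of the original post or of any Microsoft tooling. It assumes each app entry's assignments have been exported as dicts whose field names follow Microsoft Graph's mobileAppAssignment objects; the app entry labels, group IDs and filter IDs are constructed placeholders.

```python
from collections import defaultdict

def vpp_assignment(intent, group_id, filter_id, use_device_licensing):
    """Build one assignment dict (field names follow Graph's mobileAppAssignment)."""
    return {
        "intent": intent,
        "target": {
            "groupId": group_id,
            "deviceAndAppManagementAssignmentFilterId": filter_id,
            "deviceAndAppManagementAssignmentFilterType": "include" if filter_id else "none",
        },
        "settings": {"useDeviceLicensing": use_device_licensing},
    }

def find_license_conflicts(apps):
    """Flag app entries whose assignments share an Intent, mix Device and User
    license types, and depend on a filter to tell the devices apart."""
    findings = []
    for app_entry, assignments in apps.items():
        by_intent = defaultdict(list)
        for a in assignments:
            by_intent[a["intent"]].append(a)
        for intent, same_intent in by_intent.items():
            license_types = sorted(
                {"Device" if a["settings"]["useDeviceLicensing"] else "User"
                 for a in same_intent})
            filtered = any(
                a["target"]["deviceAndAppManagementAssignmentFilterType"] != "none"
                for a in same_intent)
            if len(license_types) > 1 and filtered:
                findings.append((app_entry, intent, license_types))
    return findings

# Constructed sample data; labels, group IDs and filter IDs are placeholders.
ONE_TOKEN = {  # one app entry carrying both assignments (the failing setup)
    "Microsoft Authenticator (Regular Location)": [
        vpp_assignment("required", "group-a", "filter-ade", True),
        vpp_assignment("required", "group-b", "filter-adue", False),
    ],
}
TWO_TOKENS = {  # one app entry per VPP token / Location (the workaround)
    "Microsoft Authenticator (Regular Location)": [
        vpp_assignment("required", "user-group", "filter-ade", True)],
    "Microsoft Authenticator (ADUE Location)": [
        vpp_assignment("required", "user-group", "filter-adue", False)],
}

if __name__ == "__main__":
    print(find_license_conflicts(ONE_TOKEN))
    print(find_license_conflicts(TWO_TOKENS))
```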
foigus Thank you very much for being part of this discussion / problem solving. 🥳 (And sorry for my really late reply, my inbox is currently exploding.)
I'm torn between these two: On one hand I really like your idea of setting up two separate VPP tokens (as you (and Apple as well) called them "locations") in one ABM instance, because this seems to work as you outlined in detail. Thank you!
On the other hand I think this is "way too heavy" as a neat solution to this issue. I would be really interested if Microsoft gets in touch with you with a "better" answer, but I guess not.. :D
And by the way: didn't you write a private message to me? The tech community shows some unread messages, but when clicking on the messages icon there are zero items loading :/
- foigus, Jul 15, 2025, Copper Contributor
PatrickF11 It turns out Microsoft Support liked my solution enough to record it in their knowledgebase. But yes, it doesn't scale very nicely since it doubles the number of apps to wrangle in Intune and increases the chance of error when assigning apps.
And yep--I did send a DM via the forum since I didn't know how "loudly" a forum post's "mention" would be delivered. That plus I'm apparently still new enough in the Tech Community forum to require a moderator/admin approval to post.