Forum Discussion
PatrickF11 (Steel Contributor)
Oct 14, 2022
VPP Licensing Issues
Hi there,
I'm currently getting frustrated with the following problem:
First, the outline:
- We want users to choose: Do you want to use a personal device? If so you can enroll in MDM with type "User Enrollment".
- If the user "qualifies" to receive a corporate iOS device, we're using Automated Device Enrollment via ABM
Now on to the issue:
- App Assignment for the App MS Teams
  - Required:
    - All devices, with an include filter (All ADE Devices), Device based licensing
      - Idea: this should only happen when using corporate devices
  - Available:
    - All Users, with an exclude filter (All ADE devices), User based licensing
      - Idea: All devices which are not corporate should apply this one.
- App Assignment for the App MS Whiteboard
  - No Required Assignment
  - Available:
    - All Users, with an exclude filter (All ADE devices), User based licensing
      - Idea: All devices which are not corporate should apply this one.
    - Azure AD Security Group with all Users using corporate iOS devices, Device based licensing
      - Idea: All devices which ARE corporate should apply this one.
What is the result?
- The Whiteboard App is working perfectly:
  - When using an ADE device, the device based license is used. (Therefore a silent installation happens after the user chooses "Install app" from Company Portal.)
  - When using a User Enrolled device, the user based license is used. Great!
- As soon as an App additionally has a required assignment, the whole thing breaks down:
  - When the user on the user enrolled device tries to install the app from Company Portal, nothing happens.
  - Intune shows the totally misleading error: "Device VPP licensing is only applicable for iOS 9.0+ devices. (0x87D13B69)"
  - The device is way above 9.0 AND the device shouldn't use device licensing. (Of course User Enrollment doesn't support device licensing.)
I'm totally aware of the fact that we have to use "user based licensing" for User Enrolled devices AND we have to use Device Based licensing when using ADE and want to install silently or the user doesn't have an Apple ID.
How can we achieve this scenario?
We totally don't want to have to choose between either ADE or User Enrollment.
Any help, as always, is highly appreciated. 🙂
Cheers,
Patrick!
- JutManGraham (Brass Contributor)
Regardless of User or Device enrollment, I only use Device licenses. I never mix and match; it causes issues.
Switch all your software deployments to Device and test. I think you will see you now have 0 issues.
- PatrickF11 (Steel Contributor)
Even though I currently don't have any issues left: It is not possible to use device based licensing for every device, because user enrolled devices in fact NEED user based licensing
(because device-based licensing isn't supported on user enrolled devices. This is outlined here:
Manage Apple volume-purchased apps - Microsoft Intune | Microsoft Learn)
- JutManGraham (Brass Contributor)
The problem seems to occur when you publish everything at User License then throw a single Device based license into the mix. It seems to break down the entire licensing on the device.
I have published everything as Device License (see attached) regardless of if it is a user group based install through Company Portal OR publishing as Required to a device based on serial number directly or dynamic group. We do NOT use the Apple store in any way shape or form.
We do NOT use the Managed Apple IDs which tie ABM to our internal domain, for multiple reasons, most of which are around not trusting Apple and their data use scenarios.
Also, we do not want or allow our colleagues to the Apple Store since we regulate what they can install due to security concerns.
- SteffenSchwerdtfeger (Copper Contributor)
I still had this issue for a handful of apps. I did not change the assignment because it should still be fast ("All devices" with filter). What helped was purchasing additional licenses of affected apps in ABM (even if there were enough left) and a quick sync of the token.
- DBerry2 (Copper Contributor)
Hey Patrick,
I have a setup a lot like this and haven't run into this issue. We have BYOD (MDM enrolled) and ADE iOS devices with VPP licenses set to device based for both and haven't seen any issues.
Both kinds of devices get a push from Intune to install the apps using VPP and do.
Maybe try device based licensing for both device types and see how you go?
Hope that helps
Danny
- PatrickF11 (Steel Contributor)
Thank you for your reply.
Based on my knowledge (learned through MS docs and trial and error myself) device based licensing shouldn’t work at all for the „user enrollment“ method, only for ADE devices.
The only supported licensing method for user enrollment MDM should be VPP user based licensing.
(by the way: device based shouldn’t bring up a pop up message at all, that is one of the key benefits of this license method).
Anyway: You are using app assignments with only „all user -> device based licensing“ for both? ADE & User enrollment? Are you using this for required AND available app assignments?
- DBerry2 (Copper Contributor)
Hey PatrickF11
Yeah, we are using device based licensing for both BYOD and ADE devices within our deployment and haven't seen any issues. When a BYOD user enrolls they do get pop ups for app installs, but it is using VPP for the licensing and not the user's iCloud account, as the user doesn't have to be logged in to an iCloud account to set up and never has to use one if they don't want to.
I used to also use the same kind of setup on a MobileIron deployment and never had any issues using device based licensing. I've also attached a screenshot of one of our app assignments just so you can see what it looks like.
Hope that helps out.
Thanks
Danny