PatrickF11
Steel Contributor
Oct 14, 2022

VPP Licensing Issues

Hi there,

I'm currently getting frustrated by the following problem:

First, the outline:

  • We want users to choose: Do you want to use a personal device? If so you can enroll in MDM with type "User Enrollment".
  • If the user "qualifies" to receive a corporate iOS device, we're using Automated Device Enrollment via ABM

Now on to the issue:

  • App Assignment for the App MS Teams
    • Required:
      • All devices, with an include filter (All ADE Devices), Device based licensing
        • Idea: this should only happen when using corporate devices
    • Available:
      • All Users, with an exclude filter (All ADE devices), User based licensing
        • Idea: All devices which are not corporate should apply this one.
  • App Assignment for the App MS Whiteboard
    • No Required Assignment
    • Available:
      • All Users, with an exclude filter (All ADE devices), User based licensing
        • Idea: All devices which are not corporate should apply this one.
      • Azure AD Security Group with all Users using corporate ios devices, Device based licensing
        • Idea: All devices which ARE corporate should apply this one.

What is the result?

  1. The Whiteboard App is working perfectly:
    1. When using an ADE device, the device based license is used (therefore a silent installation happens after the user chooses "Install app" from Company Portal).
    2. When using a User Enrolled device, the user based license is used. Great!
  2. As soon as an app additionally has a required assignment, the whole thing breaks:
    1. When the user on the User Enrolled device tries to install the app from Company Portal, nothing happens.
    2. Intune shows the totally misleading error: "Device VPP licensing is only applicable for iOS 9.0+ devices. (0x87D13B69)"
      1. The device is way above 9.0 AND the device shouldn't use device licensing. (Of course User Enrollment doesn't support device licensing)

I'm totally aware of the fact that we have to use "user based licensing" for User Enrolled devices AND we have to use device based licensing when using ADE and want to install silently or the user doesn't have an Apple ID.

How can we achieve this scenario?

We totally don't want to have to choose between either ADE or User Enrollment.

Any help, as always, is highly appreciated. 🙂

Cheers,

Patrick!

  • JutManGraham
    Brass Contributor
    Regardless of User or Device enrollment, I only use Device licenses. I never mix and match; it causes issues.
    Switch all your software deployments to Device and test. I think you will see you now have 0 issues.
      • JutManGraham
        Brass Contributor

        PatrickF11

        The problem seems to occur when you publish everything at User License then throw a single Device based license into the mix.  It seems to break down the entire licensing on the device.

        I have published everything as Device License (see attached) regardless of if it is a user group based install through Company Portal OR publishing as Required to a device based on serial number directly or dynamic group. We do NOT use the Apple store in any way, shape or form.

        We do NOT use the Managed Apple IDs which tie ABM to our internal domain, for multiple reasons. Most of these are around not trusting Apple and their data use scenarios.

        Also, we do not want or allow our colleagues to use the Apple Store since we regulate what they can install due to security concerns.

  • I still had this issue for a handful of apps. I did not change the assignment because it should still be fast ("All devices" with filter). What helped was purchasing additional licenses of affected apps in ABM (even if there were enough left) and a quick sync of the token.
  • DBerry2
    Copper Contributor
    Hey Patrick,

    I have a setup a lot like this and haven't run into this issue. We have BYOD (MDM enrolled) and ADE iOS devices with VPP licenses set to device based for both and haven't seen any issues.

    Both kinds of devices get a push from Intune to install the apps using VPP and do.

    Maybe try device based licensing for both device types and see how you go?

    Hope that helps
    Danny
    • PatrickF11
      Steel Contributor

      DBerry2 

      Thank you for your reply.

      Based on my knowledge (learned through MS docs and my own trial and error), device based licensing shouldn't work at all for the "user enrollment" method, only for ADE devices.

      The only supported licensing method for user enrollment MDM should be VPP user based licensing.

      (By the way: device based shouldn't bring up a pop-up message at all; that is one of the key benefits of this license method.)

      Anyway: You are using app assignments with only "all user -> device based licensing" for both? ADE & User enrollment? Are you using this for required AND available app assignments?

      • DBerry2
        Copper Contributor

        Hey PatrickF11

        Yeah, we are using device based licensing for both BYOD and ADE devices within our deployment and haven't seen any issues. When a BYOD user enrolls they do get pop-ups for app installs, but it is using VPP for the licensing and not the user's iCloud account, as the user doesn't have to be logged in to an iCloud account to set up and never has to use one if they don't want to.

        I used to also use the same kind of setup on a MobileIron deployment and never had any issues using device based licensing. I've also attached a screenshot of one of our app assignments just so you can see what it looks like.

        Hope that helps out.

        Thanks

        Danny

         
