Deploying iOS VPP Apps to Users?

Bronze Contributor

Hi,

 

We have just received our first batch auf DEP enrolled iOS devices. Until now we had to let the user manually enroll the company issued iOS devices and also create their own AppleID is with the business email.

 

What we wanted to achieve is that make the enrollment process as easy as possible and also eliminate the need for an AppleID. 

 

I've configured the Enrollment Profile with a VPP Token and can confirm that all this works. 

What I'm having trouble is deploying specific apps to specific subset of users. Previously I just targeted a user group. 

From what I understand is, that I could do this again, but then the user would have to provide an Apple ID again - at least I get that prompt in my test scenario.

I therefore created a Azure AD Device Groups for targeting my app deployments. This seems to work, but I have a couple of issues or questions about that:

 

  • When I don't want any Apple ID prompts, I have to use device licensing when I assigning VPP apps, correct?
  • I have noticed, that when I assign an app with device licensing to a user security group, that the app does not get deployed to the device. Is this expected behavior?
  • I have noticed that I can deploy apps with device licensing as "available" but the app does not appear in the iOS company portal. Users therefore cannot install them. Is this expected behavior?

  • Biggest question right now: How do I assign a specific app, to multiple specific users (more specifically their devices)?
    • The documentation mentions Azure AD Dynamic Device Groups based on the Device Category
      • those users don't share a device category
    • deploying to user groups doesn't work (see question above)
    • I would create an Assigned AAD Group with devices, but this leads to another problem:
      • all DEP enrolled iPhones are named "iPhone". When you try to add devices as members to a group, I cannot differentiate between any iPhone (i would need the username/serialnumber columns for that).
      • There is also no reverse way, by going to Intune > Devices and searching for it and then adding to a group, as there is no Action "Add to group" or something similar
      • I'm currently trying to rename the Intune Devices by adding our inventory label, but this process is manual, and sometimes fails with errors and I have no idea why.

 

Also some minor issue I have is, that I added my device manually to a device group after creating the device group but an AAD dynamic group based on this category is not picking up my device and I have no idea why.

 

Any help is appreciated

3 Replies
  • When I don't want any Apple ID prompts, I have to use device licensing when I assigning VPP apps, correct?
    •  Correct, since targeting a license to a user requires an Apple ID
  • I have noticed, that when I assign an app with device licensing to a user security group, that the app does not get deployed to the device. Is this expected behavior?
    • No, the app should get pushed to the device when targeting a user group with type Security.
  • I have noticed that I can deploy apps with device licensing as "available" but the app does not appear in the iOS company portal. Users therefore cannot install them. Is this expected behavior?
    • No, the app should be listed in the company portal application for the user. Sometimes it can take time before the app appears, how long have you waited?
  • Biggest question right now: How do I assign a specific app, to multiple specific users (more specifically their devices)?
    The documentation mentions Azure AD Dynamic Device Groups based on the Device Category
    those users don't share a device category
    deploying to user groups doesn't work (see question above)
    • Assigning to a user group instead of device is easier and something I would reccomend. It seems like you have config issues in your environment.
      Is your APNs certificate active?
      Is the device compliant?
    • Are you able to send any other commands to the device, remote lock etc? If the device is not supervised you will get a notification to which the user has to respond for the application to be installed. If supervised, it should be installed silently.
    • How have you setup the groups to which you are assigning apps?

 

@almennn Hi, I think you possibly crossed over to user licensing after question number 1?

We've previously used personal Apple IDs with User Licensing. But now that we have DEP-enabled devices the goal is that the user does not require an Apple ID at all.

 

Please verify:

  • DEP (or Apple Configurator) enrolled iOS Device
  • Security Group has Users, not Devices in them
  • App is assigned as available to that User Security Group
  • User can install the available app manually from the Company Portal

 

Right now I don't see any app at all in the Company Portal App. It say "no apps available" and there is a "Company Portal App" Text button below. When I click that link and log in, funnily enough, I see the app as "available". When I want to install it from the company portal website, I have to confirm that the iOS device is company managed, even though it already is listed as Corporate Owned. After that I can click Install and the app even installs in the background. It is still not listed within the Company Portal App though, even after it has installed successfully. 

 

See those screenshots.

 

Image.jpgImage-1.jpgImage-2.jpgImage-3.jpg

 

So I've done some further testing, and it seems that "available" (device licensed) apps do show on on the company portal website, but not directly in the app. Any idea why?