%3CLINGO-SUB%20id%3D%22lingo-sub-280173%22%20slang%3D%22en-US%22%3ESupport%20tip%3A%20Navigating%20the%20new%20Single%20App%20mode%20for%20Company%20Portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-280173%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EFirst%20published%20on%20TechNet%20on%20Sep%2021%2C%202018%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%20With%20Intune%20support%20for%20Multi-token%20DEP%2C%20admins%20are%20given%20the%20option%20of%20authenticating%20with%20Company%20Portal%20when%20enrolling%20devices%20with%20user%20affinity%20as%20we%E2%80%99ve%20shared%20previously%20in%20our%20%3CA%20href%3D%22https%3A%2F%2Fna01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fblogs.technet.microsoft.com%252Fintunesupport%252F2018%252F02%252F08%252Fsupport-for-multi-token-dep-and-authentication-with-company-portal%252F%26amp%3Bdata%3D04%257C01%257C%257C19820981635148e916a608d61ff8f717%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C636731551485863495%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%253D%253D%257C-1%26amp%3Bsdata%3DQ%252BD0%252Fi1HamsEXHJMKicus%252FvRixbQ9mGV6LmbTMRZ8IY%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20blog%20post%20%3C%2FA%3E%20.%20After%20a%20recent%20Intune%20release%2C%20admins%20have%20the%20ability%20to%20lock%20Company%20Portal%20in%20Single%20App%20mode%20so%20users%20have%20to%20sign%20in%20to%20the%20Company%20Portal%20before%20getting%20access%20to%20a%20device.%20In%20this%20post%2C%20we%E2%80%99re%20sharing%20some%20tips%20and%20troubleshooting%20about%20the%20experience%20that%20you%20may%20find%20useful.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20Consider%20a%20case%20where%20you%20have%20enrollment%20settings%20configured%20as%20shown%20in%20the%20screenshot.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20351px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F58707i546E07070BD3BEEA%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20The%20Company%20Portal%20provisioned%20through%20Apple%E2%80%99s%20Volume%20Purchase%20Program%20(VPP)%20can%20fail%20to%20install%20in%20case%20VPP%20tokens%20expire%2C%20run%20out%20of%20Company%20Portal%20licenses%2C%20get%20deleted%2C%20get%20assigned%20to%20another%20Intune%20tenant%20or%20get%20assigned%20to%20another%20MDM%20vendor.%20This%20could%20also%20happen%20due%20to%20a%20temporary%20outage%20in%20Apple%20services.%20In%20this%20situation%2C%20users%20on%20blocked%20devices%20can%20get%20stuck%20in%20the%20installation%20process%20for%20more%20than%20%3CSTRONG%3E%2010%20minutes%20%3C%2FSTRONG%3E%20and%20see%20screens%20similar%20to%20what%20is%20shown%20below.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CSTRONG%3E%20%3CI%3E%20Note%20that%20in%20normal%20cases%2C%20end%20users%20will%20see%20this%20screen%20for%20about%2045-60%20seconds%20while%20the%20Company%20Portal%20is%20installing%20in%20the%20background%20and%20launches%20in%20Single%20App%20mode.%20This%20is%20an%20OS%20limitation%20and%20we%20have%20a%20request%20in%20with%20Apple%20to%20be%20able%20to%20customize%20this%20message.%20%3C%2FI%3E%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CSTRONG%3E%20%3CEM%3E%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20627px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F58708i7C63351AEEEFE5F9%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%20%3C%2FEM%3E%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CSTRONG%3ETroubleshooting%20VPP%20token%20issues%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20Admins%20will%20need%20to%20figure%20out%20any%20issues%20with%20the%20VPP%20token%20to%20ensure%20that%20users%20do%20not%20get%20their%20devices%20in%20a%20blocked%20state.%20Any%20issues%20with%20the%20VPP%20token%20can%20be%20found%20by%20going%20to%20the%20Device%20enrollment%20blade%20in%20Intune%20and%20navigating%20to%20Apple%20enrollment%20%26gt%3B%20Enrollment%20program%20tokens%20%26gt%3B%20(token%20name)%20%26gt%3B%20Profiles%20%26gt%3B%20(profile%20name)%20%26gt%3B%20Manage%20%26gt%3B%20Properties.%20You%20should%20see%20a%20message%20with%20a%20reason%20for%20the%20block%20as%20in%20the%20sample%20screenshot%20below.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20369px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F58709i66704CAF616BA423%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CSTRONG%3EIssuing%20a%20remote%20wipe%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20After%20any%20VPP%20token%20issues%20have%20been%20resolved%2C%20devices%20should%20be%20wiped%2C%20and%20the%20enrollment%20process%20will%20have%20to%20be%20started%20from%20the%20beginning.%20Users%20can%20wipe%20a%20device%20by%20going%20to%20portal.manage.microsoft.com%20or%20ask%20an%20admin%20to%20issue%20a%20remote%20wipe.%20An%20admin%20can%20get%20a%20list%20of%20devices%20by%20going%20to%20Apple%20Enrollment%26gt%3B%20Enrollment%20program%20tokens%20%26gt%3B%20(token%20name)%20%26gt%3B%20Devices%20and%20filter%20for%20devices%20in%20%E2%80%9CBlocked%E2%80%9D%20state.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F58710iD68BC6E1A1390DC9%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20Blocked%20devices%20can%20also%20be%20found%20at%20Enrollment%20program%20tokens%20%26gt%3B%20(token%20name)%20%26gt%3B%20Profiles%20%26gt%3B%20(profile%20name)%20%26gt%3B%20Monitor%20%26gt%3B%20Assigned%20devices.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20You%20can%20reach%20out%20to%20us%20if%20you%20have%20any%20questions%20or%20feedback%20on%20the%20experience!%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20Post%20updates%3A%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%209%2F21%2F18%3A%20Updated%20to%20note%20that%20we%20have%20made%20a%20feature%20request%20to%20Apple.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-280173%22%20slang%3D%22en-US%22%3E%3CP%3EFirst%20published%20on%20TechNet%20on%20Sep%2021%2C%202018%20With%20Intune%20support%20for%20Multi-token%20DEP%2C%20admins%20are%20given%20the%20option%20of%20authenticating%20with%20Company%20Portal%20when%20enrolling%20devices%20with%20user%20affinity%20as%20we%E2%80%99ve%20shared%20previously%20in%20our%20blog%20post.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-280173%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Eapple%20dep%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eend%20user%20guidance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eintune%20on%20azure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EiOS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Esingle%20app%20mode%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Etroubleshooting%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-721800%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20tip%3A%20Navigating%20the%20new%20Single%20App%20mode%20for%20Company%20Portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-721800%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20changed%20my%20MDM%20Authority%20to%20Intune%20from%20SCCM%20this%20week%20and%20i%20am%20looking%20at%20this%20new%20method%20now%20and%20i%20am%20having%20a%20problem.%20I%20have%20stopped%20deploying%20Company%20Portal%20and%20now%20allowing%20DEP%20to%20install%20it%20from%20the%20profile%2C%20that%20seems%20to%20work%20now.%20But%20when%20i%20enable%20Single%20App%20mode%20I%20just%20get%20stuck%20after%20successful%20enrollment.%20I%20have%20let%20it%20sit%20for%208%20hours%20and%20i%20cant%20get%20out%20of%20Company%20Portal%20and%20i%20am%20forced%20to%20Wipe%20it.%20If%20i%20turn%20off%20single%20app%20mode%20everything%20works%20as%20expected%2C%20and%20after%20enrollment%20the%20user%20can%20use%20the%20device.%20Is%20there%20anything%20i%20should%20check%20for%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1085497%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20tip%3A%20Navigating%20the%20new%20Single%20App%20mode%20for%20Company%20Portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1085497%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20most%20likely%20have%20to%20make%20the%20VPP%20app%20of%20the%20Company%20Portal%20a%20required%20app%20with%20device%20license%20to%20make%20your%20scenario%20work.%3C%2FP%3E%3C%2FLINGO-BODY%3E

First published on TechNet on Sep 21, 2018
With Intune support for Multi-token DEP, admins are given the option of authenticating with Company Portal when enrolling devices with user affinity as we’ve shared previously in our blog post . After a recent Intune release, admins have the ability to lock Company Portal in Single App mode so users have to sign in to the Company Portal before getting access to a device. In this post, we’re sharing some tips and troubleshooting about the experience that you may find useful.

Consider a case where you have enrollment settings configured as shown in the screenshot.



The Company Portal provisioned through Apple’s Volume Purchase Program (VPP) can fail to install in case VPP tokens expire, run out of Company Portal licenses, get deleted, get assigned to another Intune tenant or get assigned to another MDM vendor. This could also happen due to a temporary outage in Apple services. In this situation, users on blocked devices can get stuck in the installation process for more than 10 minutes and see screens similar to what is shown below.

Note that in normal cases, end users will see this screen for about 45-60 seconds while the Company Portal is installing in the background and launches in Single App mode. This is an OS limitation and we have a request in with Apple to be able to customize this message.



Troubleshooting VPP token issues

Admins will need to figure out any issues with the VPP token to ensure that users do not get their devices in a blocked state. Any issues with the VPP token can be found by going to the Device enrollment blade in Intune and navigating to Apple enrollment > Enrollment program tokens > (token name) > Profiles > (profile name) > Manage > Properties. You should see a message with a reason for the block as in the sample screenshot below.





Issuing a remote wipe

After any VPP token issues have been resolved, devices should be wiped, and the enrollment process will have to be started from the beginning. Users can wipe a device by going to portal.manage.microsoft.com or ask an admin to issue a remote wipe. An admin can get a list of devices by going to Apple Enrollment> Enrollment program tokens > (token name) > Devices and filter for devices in “Blocked” state.



Blocked devices can also be found at Enrollment program tokens > (token name) > Profiles > (profile name) > Monitor > Assigned devices.

You can reach out to us if you have any questions or feedback on the experience!

Post updates:

9/21/18: Updated to note that we have made a feature request to Apple.

2 Comments
Occasional Contributor

Just changed my MDM Authority to Intune from SCCM this week and i am looking at this new method now and i am having a problem. I have stopped deploying Company Portal and now allowing DEP to install it from the profile, that seems to work now. But when i enable Single App mode I just get stuck after successful enrollment. I have let it sit for 8 hours and i cant get out of Company Portal and i am forced to Wipe it. If i turn off single app mode everything works as expected, and after enrollment the user can use the device. Is there anything i should check for this?

Occasional Contributor

You most likely have to make the VPP app of the Company Portal a required app with device license to make your scenario work.