cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Support tip: Navigating the new Single App mode for Company Portal
By
Intune_Support_Team
Published Oct 30 2018 11:41 AM 5,771 Views
Intune_Support_Team
Microsoft
‎Oct 30 2018 11:41 AM

Support tip: Navigating the new Single App mode for Company Portal

‎Oct 30 2018 11:41 AM

First published on TechNet on Sep 21, 2018
With Intune support for Multi-token DEP, admins are given the option of authenticating with Company Portal when enrolling devices with user affinity as we’ve shared previously in our blog post . After a recent Intune release, admins have the ability to lock Company Portal in Single App mode so users have to sign in to the Company Portal before getting access to a device. In this post, we’re sharing some tips and troubleshooting about the experience that you may find useful.

Consider a case where you have enrollment settings configured as shown in the screenshot.



The Company Portal provisioned through Apple’s Volume Purchase Program (VPP) can fail to install in case VPP tokens expire, run out of Company Portal licenses, get deleted, get assigned to another Intune tenant or get assigned to another MDM vendor. This could also happen due to a temporary outage in Apple services. In this situation, users on blocked devices can get stuck in the installation process for more than 10 minutes and see screens similar to what is shown below.

Note that in normal cases, end users will see this screen for about 45-60 seconds while the Company Portal is installing in the background and launches in Single App mode. This is an OS limitation and we have a request in with Apple to be able to customize this message.



Troubleshooting VPP token issues

Admins will need to figure out any issues with the VPP token to ensure that users do not get their devices in a blocked state. Any issues with the VPP token can be found by going to the Device enrollment blade in Intune and navigating to Apple enrollment > Enrollment program tokens > (token name) > Profiles > (profile name) > Manage > Properties. You should see a message with a reason for the block as in the sample screenshot below.





Issuing a remote wipe

After any VPP token issues have been resolved, devices should be wiped, and the enrollment process will have to be started from the beginning. Users can wipe a device by going to portal.manage.microsoft.com or ask an admin to issue a remote wipe. An admin can get a list of devices by going to Apple Enrollment> Enrollment program tokens > (token name) > Devices and filter for devices in “Blocked” state.



Blocked devices can also be found at Enrollment program tokens > (token name) > Profiles > (profile name) > Monitor > Assigned devices.

You can reach out to us if you have any questions or feedback on the experience!

Post updates:

9/21/18: Updated to note that we have made a feature request to Apple.

5 Comments
Andrew Allston
Iron Contributor
‎Jun 26 2019 05:43 AM
‎Jun 26 2019 05:43 AM

Just changed my MDM Authority to Intune from SCCM this week and i am looking at this new method now and i am having a problem. I have stopped deploying Company Portal and now allowing DEP to install it from the profile, that seems to work now. But when i enable Single App mode I just get stuck after successful enrollment. I have let it sit for 8 hours and i cant get out of Company Portal and i am forced to Wipe it. If i turn off single app mode everything works as expected, and after enrollment the user can use the device. Is there anything i should check for this?

0 Likes
Like
Joni_Nieminen
Copper Contributor
‎Jan 02 2020 01:42 AM
‎Jan 02 2020 01:42 AM

You most likely have to make the VPP app of the Company Portal a required app with device license to make your scenario work.

0 Likes
Like
Daniel Flynn
Copper Contributor
‎Jan 20 2021 12:57 PM
‎Jan 20 2021 12:57 PM

It looks like the "Run Company Portal in Single App Mode until authentication" setting has been removed.  I noticed before it was removed on iOS 14 it didn't always work now the Yes/No box is gone from the Intune UI

 

We are on Service release 2011

 

intune-no-singleappmode.PNG

0 Likes
Like
Intune_Support_Team
Microsoft
‎Jan 20 2021 03:50 PM
‎Jan 20 2021 03:50 PM

Hi @Daniel Flynn, thanks for the comment! The "Run Company Portal in Single App Mode until authentication" Yes/No toggle will be shown when a VPP token is selected. If you haven't already configured a VPP token within Intune, see: Upload an Apple VPP or Apple Business Manager location token for more info. Once a VPP token is added and selected, this setting should then appear for you. To learn more on creating an Apple enrollment profile, see: Create an Apple enrollment profile. Hope this helps!

0 Likes
Like
Daniel Flynn
Copper Contributor
‎Jan 20 2021 04:28 PM
‎Jan 20 2021 04:28 PM

We have a VPP token loaded and are using it to install apps with Device License.  That syncs with ASM (Apple School Manager) and updates as expected.  That option used to be there.  I did notice that the "Take control of token from another MDM​" option is not set on the VPP token.  I enabled that and waited a few minutes then went back to the "Management Settings" in the enrollment profile and the VPP token was then in the box to be selected.  When that was selected the Single App Mode appeared again. 

 

Thanks

Version history
Last update:
‎Nov 30 2023 04:51 PM
Updated by: