Apr 21 2022 01:46 AM
We have customers with iOS and Android devices. Now, some apps need to be updated but I cannot find any option to do that in Endpoint Manager. Apps are deployed over app stores.
iOS:
- We blocked the app store
- There is no VPP
Android (fully-managed devices):
- Set option "automatic app-updates (work-profile)" to: WiFi only
I found this article but am not sure if it still applies after the restrictions made:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add#app-types-in-microsoft-intune
Questions:
1. How can we handle automatic updates? e.g. block apps, allow updates NOW
2. Are app-updates made automatically?
Any help would be appreciated. We can even schedule a remote session.
Apr 21 2022 07:16 AM
Apr 21 2022 07:27 AM
@NielsScheffers Thank you for your input. In the iOS article it says "iOS store apps are automatically updated" which is not the case because I could see that there are newer versions of apps in the app store than on the iPad.
I am not sure if it is not working because we disabled the app store:
I have just confirmed that Android updates are working as soon as wi-fi is available.
Apr 21 2022 07:57 AM
Apr 21 2022 08:04 AM
Apr 22 2022 12:05 AM
Apr 22 2022 01:58 AM
Apr 29 2022 06:46 AM - edited Apr 29 2022 06:47 AM
Not sure I agree with you there. It's only the case in your specific setup constraints, being no VPP and a disabled App Store.
In this case Intune did its job, imho, which is to signal the device to install an app from the App Store. Installing and updating it are then the App Store's responsibility. Intune doesn't even know there is an update available without VPP.
You can always implement VPP or unblock (and simply hide) the App Store.
Granted, "available" apps should be able to auto update in VPP as well, but that's not the issue here.
Apr 29 2022 07:14 AM
We do not have VPP because we are not using any purchased apps.
"Granted, 'available' apps should be able to auto update in VPP as well.." - You mean VPP should work if we set it up with non-purchased apps and are able to control app updates? Can we also set it to "manual" or "approve"?
In your opinion, what is the best way to implement iOS devices in Intune for our setup (control app updates)? Currently, we set devices up with Apple Configurator (which is horrible). If we later update some configuration settings in Intune, these are not applied to the devices.
May 01 2022 04:44 AM
Solution
Hi @NielsScheffers, I'm jumping in ;)
@onax_pf Let me see if I understand your question:
Hopefully this will clear things up a bit. I'm only talking about iOS, since I believe your Android devices do update.
VPP/ABM=Apple Business Manager
VPP does not mean you'll have to buy licenses (spend money) for every app you sync through VPP. You can acquire both free and paid apps that are available in the App Store.
When dealing with free apps, it looks like you are buying licenses in VPP, but the costs will be $0.00. I know this can be confusing. Finally, when you assign the apps to users/devices with a device license, the apps (assigned with license type "device licensing") will automatically update.
However, when you select "user licensing" for "license type", the app store should not be blocked. Otherwise, apps will not update. Users need access to the app store to update.
For more info on VPP check out:
https://docs.microsoft.com/en-us/mem/intune/apps/vpp-apps-ios
Have a look at the table "How are purchased apps licensed?" as it also provides info on updates.
App store
Apps that are installed from the store should update automatically (provided the store is available). You can only assign free apps using this method.
Like @NielsScheffers mentioned, you should hide the store app, not block it. When you block the store app, your users have no option to update apps. In this case, you should use VPP.
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add
https://docs.microsoft.com/en-us/mem/intune/apps/store-apps-ios
https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy
Restricting apps
As far as I know, there is no easy way to block apps from being installed to iOS devices when users have access to the app store.
Create a Device configuration profile and configure restricted apps to stay informed about app install status. It's a reporting feature and does not block app installs! You could use "Restricted apps" from within a compliance policy to mark devices non-compliant when a certain app is installed, and block access to M365 using a conditional access policy.
What you could do:
If you ask me, option 1 is the best way to go, but that's just my opinion.
Hope this helps.
May 02 2022 01:17 AM
Well, I can't think of anything more to add to @Oktay Sari's reply. Thanks for the extensive write-up, mate!
May 02 2022 08:03 AM
@Oktay Sari What an incredible reply of yours, I do understand the handling much better now!
Thanks for the help of you and @NielsScheffers!
Cheers
Feb 21 2023 04:46 PM
Dear @Oktay Sari, Dear All,
maybe the answer to my question is written in what you just discussed, but I could not decode it from the threads.
I have a company-supervised iPhone with Office 365 mobile apps installed. Outlook is my key e-mail and calendar client. I am frustrated by automated updates of Outlook and Teams mobile apps, because they start in a very uncompromising fashion without prior notification (e.g. a badge on the App Store icon) and deactivate the app. Sod's law ensures that this always happens at the least convenient time, when I need to use the app (working in automotive, busy job).
Is there a way to control the installation time of the updates?
I asked our company IT and they keep saying they cannot do anything about it, that Apple is doing this and they cannot influence it. I am struggling to believe them, though.
Thank you.
Jul 21 2023 07:18 AM