cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Handling of auto-updates on iOS and Android devices

onax_pf
Copper Contributor

‎Apr 21 2022 01:46 AM

‎Apr 21 2022 01:46 AM

Handling of auto-updates on iOS and Android devices

We have customers with iOS and Android devices. Now, some apps need to be updated but I cannot find any option to do that in Endpoint Manager. Apps are deployed over app stores.

 

iOS:

- We blocked the app store

- There is no VPP

 

Android (fully-managed devices):

- Set option "automatic app-updates (work-profile) to: WiFi only

 

I found this article but am not sure if it still applies after the restrictions made:

https://docs.microsoft.com/en-us/mem/intune/apps/apps-add#app-types-in-microsoft-intune

 

Questions:

1. How can we handle automatic updates? e.g. block apps, allow updates NOW

2. Are app-updates made automatically? 

 

Any help would be appreciated. We can even schedule a remote session.

8,488 Views
0 Likes
14 Replies
Reply
14 Replies
NielsScheffers

‎Apr 21 2022 07:16 AM

‎Apr 21 2022 07:16 AM

Re: Handling of auto-updates on iOS and Android devices

Not sure I'm clear on what it is you're asking... Assuming you've deployed your apps as iOS store or Managed Google Play apps, updates should be done automatically (if conditions like wi-fi et cetera are met).

There's loads of info in the docs, for instance:
https://docs.microsoft.com/en-us/mem/intune/apps/store-apps-ios
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add-android-for-work

Does this help at all?
0 Likes
Reply
onax_pf

‎Apr 21 2022 07:27 AM

‎Apr 21 2022 07:27 AM

Re: Handling of auto-updates on iOS and Android devices

@NielsScheffers Thank you for your input. In the iOS article it says "iOS store apps are automatically updated" which is not the case because I could see that there are newer versions of apps in the app store than on the iPad.

I am not sure if it is not working because we disabled the app store:

onax_pf_0-1650551211246.png

I have just confirmed that Android updates are working as soon as wi-fi is available.

0 Likes
Reply
NielsScheffers

‎Apr 21 2022 07:57 AM

‎Apr 21 2022 07:57 AM

Re: Handling of auto-updates on iOS and Android devices

Are you pushing apps as "required" or "available"? It's been a while but if I remember correctly, only "required" apps are auto-updated. The other apps need to be updated through Company Portal.
0 Likes
Reply
onax_pf

‎Apr 21 2022 08:04 AM

‎Apr 21 2022 08:04 AM

Re: Handling of auto-updates on iOS and Android devices

Apps are set as "required".
I also checked the company portal on the iPad where the app is visible but there is no option such as "update app"
0 Likes
Reply
NielsScheffers

‎Apr 22 2022 12:05 AM

‎Apr 22 2022 12:05 AM

Re: Handling of auto-updates on iOS and Android devices

Apologies, I'm telling you stuff that's relevant if VPP is in place, which you clearly say is not. I'm not even sure you can control app (or system) updates if you don't have that. You might actually have to leave the App Store available. Sorry I couldn't be of more help!
0 Likes
Reply
onax_pf

‎Apr 22 2022 01:58 AM

‎Apr 22 2022 01:58 AM

Re: Handling of auto-updates on iOS and Android devices

It's a pity that you cannot control iOS app updates over Endpoint Manager. In my opinion, that is a requirement for every MDM to enable or install app updates
0 Likes
Reply
NielsScheffers

‎Apr 29 2022 06:46 AM - edited ‎Apr 29 2022 06:47 AM

‎Apr 29 2022 06:46 AM - edited ‎Apr 29 2022 06:47 AM

Re: Handling of auto-updates on iOS and Android devices

Not sure I agree with you there. It's only the case in your specific setup constraints, being no VPP and a disabled App Store.

In this case Intune did it's job, imho, which is to signal the device to install an app from the App Store. Installing and updating it are then the App Store's responsibility. Intune doesn't even know there is an update available without VPP.

You can always implement VPP or unblock (and simply hide) the App Store.

Granted, "available" apps should be able to auto update in VPP as well, but that's not the issue here.

0 Likes
Reply
onax_pf

‎Apr 29 2022 07:14 AM

‎Apr 29 2022 07:14 AM

Re: Handling of auto-updates on iOS and Android devices

We do not have VPP because we are not using any purchased apps.

 

"Granted, 'available' apps should be able to auto update in VPP as well.." - You mean VPP should work if we set it up with non-purchased apps and are able to control app updates? Can we also set it to "manual" or "approve"?

 

In your opinion, what is best way to implement iOS devices in Intune for our setup (control app updates)? Currently, we set devices up with apple configurator (which is horrible). If we later update some configuration settings in Intune, these are not applied onto the devices.

0 Likes
Reply
best response confirmed by onax_pf (Copper Contributor)
Oktay Sari

‎May 01 2022 04:44 AM

‎May 01 2022 04:44 AM

Solution

Re: Handling of auto-updates on iOS and Android devices

Hi @NielsScheffers , I'm jumping in ;)

 

@onax_pf Let me see if I understand your question:

  1. you want to install and update apps automatically on supervised iOS devices
  2. you want to block (certain) apps from installing or from being used.

Hopefully this will clear things up a bit. I'm only talking about iOS, since I believe your Android devices do update.


VPP/ABM=Apple Business Manager

VPP does not mean you'll have to buy licenses (spend money) for every app you sync through VPP. You can acquire both free and paid apps that are available in the App Store.
When dealing with free apps, it looks like you are buying licenses in VPP, but the costs will be $0.00. I know this can be confusing. Finally when you assign the apps to user/devices with a device license. The apps (assigned with license type "device licensing") will automatically update.

 

However, when you select "user licensing" for "license type" the apps store should not be blocked. Otherwise, apps will not update. Users need access to the app store to update.

 

For more info on VPP check out:
https://docs.microsoft.com/en-us/mem/intune/apps/vpp-apps-ios 
Have a look at the table "How are purchased apps licensed?" as it also provides info on updates.


App store
Apps that are installed from the store should update automatically (provided the store is available). You can only assign free apps using this method.
Like @NielsScheffers mentioned, you should hide the store app, not block it. When you block the store app, your users have no option to update apps. In this case, you should use VPP.


https://docs.microsoft.com/en-us/mem/intune/apps/apps-add 
https://docs.microsoft.com/en-us/mem/intune/apps/store-apps-ios 
https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy 

 

Restricting apps
As far as I know, there is no easy way to block apps from being installed to iOS devices when users have access to the app store.
Create a Device configuration profile and configure restricted apps to stay informed about apps install status. It's a reporting feature and does not block app installs! You could use "Restricted apps" from within a compliance policy to mark devices non compliant when a certain app is installed, and block access to M365 using a conditional access policy.

 

What you could do:

  1. Use VPP/ABM and block access to the app store. Assign the apps with a device license to enable automatic updates for apps.
  2. Use VPP/ABM- Setup federation between AAD and ABM and have users sign-in with their business accounts to the app store (this way you don't have to block the app store) 
  3. Continue to deploy apps using the app store, and hide the app store instead of blocking it.

If you ask me, option 1 is the best way to go, but that's just my opinion.

 

Hope this helps.

3 Likes
Reply
NielsScheffers

‎May 02 2022 01:17 AM

‎May 02 2022 01:17 AM

Re: Handling of auto-updates on iOS and Android devices

Well, I can't think of anything more to add to @Oktay Sari's reply. Thanks for the extensive write-up, mate!

1 Like
Reply
onax_pf

‎May 02 2022 08:03 AM

‎May 02 2022 08:03 AM

Re: Handling of auto-updates on iOS and Android devices

@Oktay SariWhat an incredible reply of yours, I do understand the handling much better now!

Thanks for the help of you and @NielsScheffers!

 

Cheers

2 Likes
Reply
Oktay Sari

‎May 02 2022 12:45 PM

‎May 02 2022 12:45 PM

Re: Handling of auto-updates on iOS and Android devices

your welcome @onax_pf
0 Likes
Reply
Vit_Matuska

‎Feb 21 2023 04:46 PM

‎Feb 21 2023 04:46 PM

Re: Handling of auto-updates on iOS and Android devices

Dear @Oktay Sari , Dear All,

maybe the answer to my question is written in what you just discussed, but I could not decode it from the threads.

I have a company-supervised iPhone with Office 365 mobile apps installed. Outlook is my key e-mail and calendar client. I am frustrated by automated updates of Outlook and Teams mobile apps, because they start in a very uncompromising fashion without prior notification (e.g. a badge on the Appstore icon) and deactivate the app. Sod's laws ensure that this happens always at the least convenient time, when I need to use the app (working in automotive, busy job).

Is there a way how to control the installation time of the updates?

I asked our company IT and they keep saying they cannot do anything about it, that Apple is doing this and they cannot influence it. I am struggling to believe them, though.

Thank you.

1 Like
Reply
JakePeters

‎Jul 21 2023 07:18 AM

‎Jul 21 2023 07:18 AM

Re: Handling of auto-updates on iOS and Android devices

Same . . . so what I am gonna try is a separate assignment to restrict app updates for a specific group of people (VIPS). Anyone had success with this approach yet?
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by onax_pf (Copper Contributor)
Oktay Sari

‎May 01 2022 04:44 AM

‎May 01 2022 04:44 AM

Solution

Re: Handling of auto-updates on iOS and Android devices

Hi @NielsScheffers , I'm jumping in ;)

 

@onax_pf Let me see if I understand your question:

  1. you want to install and update apps automatically on supervised iOS devices
  2. you want to block (certain) apps from installing or from being used.

Hopefully this will clear things up a bit. I'm only talking about iOS, since I believe your Android devices do update.


VPP/ABM=Apple Business Manager

VPP does not mean you'll have to buy licenses (spend money) for every app you sync through VPP. You can acquire both free and paid apps that are available in the App Store.
When dealing with free apps, it looks like you are buying licenses in VPP, but the costs will be $0.00. I know this can be confusing. Finally when you assign the apps to user/devices with a device license. The apps (assigned with license type "device licensing") will automatically update.

 

However, when you select "user licensing" for "license type" the apps store should not be blocked. Otherwise, apps will not update. Users need access to the app store to update.

 

For more info on VPP check out:
https://docs.microsoft.com/en-us/mem/intune/apps/vpp-apps-ios 
Have a look at the table "How are purchased apps licensed?" as it also provides info on updates.


App store
Apps that are installed from the store should update automatically (provided the store is available). You can only assign free apps using this method.
Like @NielsScheffers mentioned, you should hide the store app, not block it. When you block the store app, your users have no option to update apps. In this case, you should use VPP.


https://docs.microsoft.com/en-us/mem/intune/apps/apps-add 
https://docs.microsoft.com/en-us/mem/intune/apps/store-apps-ios 
https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy 

 

Restricting apps
As far as I know, there is no easy way to block apps from being installed to iOS devices when users have access to the app store.
Create a Device configuration profile and configure restricted apps to stay informed about apps install status. It's a reporting feature and does not block app installs! You could use "Restricted apps" from within a compliance policy to mark devices non compliant when a certain app is installed, and block access to M365 using a conditional access policy.

 

What you could do:

  1. Use VPP/ABM and block access to the app store. Assign the apps with a device license to enable automatic updates for apps.
  2. Use VPP/ABM- Setup federation between AAD and ABM and have users sign-in with their business accounts to the app store (this way you don't have to block the app store) 
  3. Continue to deploy apps using the app store, and hide the app store instead of blocking it.

If you ask me, option 1 is the best way to go, but that's just my opinion.

 

Hope this helps.

View solution in original post

3 Likes
Reply