Intune and iOS App Deployment

Deleted
Not applicable

Hey all! I'm needing a bit of feedback. We are just getting started with Intune, and we are testing different iPad scenarios.  Right now, I have a group of four ipads -- two which have been Apple DEP enrolled into Intune and two that were enrolled using the Intune Company Portal.  We are looking to see if deploying apps to the two different enrollment type devices makes any difference. So, far it seems it does. 

 

In the classic console, when we add a free app from the App Store and then deploy it (Required; ASAP) the app goes out just fine to either type of device.  Both sets of devices recieve the app in short order as expected, and all is well.  However, when we try and deploy a VPP app only the  the devices with the Intune Company Portal app ever recieve the app.  The Apple DEP enrolled devices never recieve the app.

 

So, is this the expected behavior?  If so, why?  Are their other caveats we need to worry about when choosing our enrollment type?

 

Also, does Intune not support device based app delivery?  Will users have to allow and/or sign-in everytime we push an app to their device?

3 Replies

You cannot deploy vpp apps based on device assignment within the silverlight portal, this has changed in the Azure portal and you can assign vpp apps based on device, it wont even require an Apple ID on the device so minimises user interaction to get a new app.

 

I have found using the silverlight portal when assigning a VPP app I need to have an apple ID set up on the device app store.

- if there isnt an apple id setup it will prompt you to login and accept vpp terms and conditions.

- if the app store is blocked by policy and there is not apple id on the device then the app wont install and you probably wont see any pop ups or prompts.

- if there is an apple id on the device, and the app deployed to a user it will install in the background.

 

I would suggest waiting till you have access to the Azure portal and assign apps based on device or user as it works so seamless and i have set it up and got it working great.

 

I would also suggest having all iOS devices as DEP or supervised even if you dot use any supervisibn permissions, it adds scope and there are some very restriction permissions for supervised devices that come in use.

 

Happy to help out with questions :)

Thanks for the reply, John.   That's pretty much what I had assumed.  I think what was throwing me off is it appears that we have the Azure Intune portal, but looking at things closer it's only in part.  For example:  While, our Intune groups have moved to over to Azure (as expected), the Intune Service Admin can't create any new groups (like he should be able to).  Likewise, the several other features in the Azure Intune Portal (which is still listed as preview) don't appear to be fully functional.

 

Capture.JPGI get this screen when trying to access Apple Enrollment, Device Enrollment Managers,  and on the Mobile Apps blade, iOS VPP Tokens is grayed out so I can't configure it.

 

So, now that I know that I'm still in preview, I get why I'm seeing what I'm seeing with the notable exception of the group creation. I still don't understand why -- once the groups were moved to Azure -- the Intune Service Admin wouldn't be permissioned to be able to create groups like they are supposed to be able to do.   We can work around this, of course, but it's adding a step to the process that doesn't need to be there.

 

Thanks for the input.

 

 

 

 

 

it sounds liek your group service has been migrated and is now managed by teh Azure portal which could be why there are issues creatign groups as they nee to be created in Azure portal and suitable RBAC set up for permissions.