Intune iOS App deployment confusion

%3CLINGO-SUB%20id%3D%22lingo-sub-1776652%22%20slang%3D%22en-US%22%3EIntune%20iOS%20App%20deployment%20confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1776652%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20having%20a%20difficult%20time%20getting%20a%20grasp%20of%20when%2Fwhy%20to%20deploy%20App%20Store%20apps%20or%20VPP%20apps%2C%20and%20when%20to%20use%20device%20or%20user%20licensing%20for%20iOS%20devices.%26nbsp%3B%20I've%20glanced%20and%20gleaned%20from%20different%20sources%2C%20but%20it%20doesn't%20seem%20easy%20to%20get%20succinct%20information%20other%20than%20lots%20and%20lots%20of%20testing%20and%20experience.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20level-set%2C%20here%20are%20the%20things%20that%20I%20understand%20(possibly%20incorrectly)%3A%3C%2FP%3E%3CUL%3E%3CLI%3E'with%20enrollment'%20means%20that%20the%20device%20has%20been%20enrolled%20with%20Intune%2C%20regardless%20of%20ownership.%3CUL%3E%3CLI%3Efor%20iOS%2C%20this%20means%20through%20Apple%20ADE%2FDEP%20for%20corporate-owned%2C%20or%20manual%20install%2Flogin%20to%20Company%20Portal%20on%20BYOD%20(and%20corporate-owned%20that%20aren't%20in%20ADE%2FDEP).%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3CLI%3E'without%20enrollment'%20means%20that%20the%20device%20is%20not%20enrolled%20with%20Intune%2C%20but%20App%20Protection%20Policies%20may%20still%20apply%20to%20some%20apps%3C%2FLI%3E%3CLI%3EIn%20order%20for%20an%20iOS%20device%20to%20be%20'supervised'%2C%20it%20needs%20to%20be%20enrolled%20through%20ADE%2FDEP%2C%20or%20Apple%20Configurator.%26nbsp%3B%20Simply%20installing%20Company%20Portal%20and%20switching%20the%20device%20to%20Company%20owned%20does%20not%20enable%20supervision%3C%2FLI%3E%3CLI%3EiOS%2FiPad%20OS%20apps%20can%20be%20added%20to%20Intune%20either%20as%20App%20Store%20apps%20or%20through%20Apple%20VPP.%3C%2FLI%3E%3CLI%3EApps%20deployed%20with%20'Available'%20intent%20can%20only%20be%20targeted%20to%20user%20groups%3C%2FLI%3E%3CLI%3ETo%20silently%20install%20apps%20(without%20needing%20the%20user%20to%20be%20signed%20in%20to%20the%20App%20Store)%2C%20the%20app%20must%20be%20deployed%20with%20device%20license.%3C%2FLI%3E%3CLI%3EIf%20a%20'Required'%20app%20is%20deployed%20with%20a%20user%20license%2C%20the%20user%20must%20be%20signed%20into%20the%20App%20Store%20with%20an%20account%20(and%20accept%20that%20the%20organization%20can%20grant%20them%20temporary%20licenses%20for%20apps)%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQuestions%3A%3C%2FP%3E%3CUL%3E%3CLI%3EWhen%20the%20term%20'user%20affinity'%20is%20used%20in%20the%20MS%20docs%2C%20does%20this%20simply%20mean%20all%20scenarios%20other%20than%20devices%20used%20as%20kiosks%3F%3C%2FLI%3E%3CLI%3EI've%20experienced%20that%20the%20Company%20Portal%20(deployed%20as%20part%20of%20the%20Apple%20ADE%20enrollment%20process)%20does%20not%20automatically%20get%20updated%3B%20we've%20had%20users%20who%20have%20had%20versions%20several%20months%20(up%20to%20a%20year)%20old.%26nbsp%3B%20Does%20the%20Company%20Portal%20need%20to%20also%20be%20pushed%20as%20Required%20to%20these%20supervised%20devices%3F%26nbsp%3B%20Or%20is%20something%20wrong%20(should%20it%20be%20updating%20automatically%20when%20installed%20during%20automatic%20enrollment)%3F%3C%2FLI%3E%3CLI%3EFor%20'free'%20apps%20such%20as%20Microsoft%20OneDrive%2C%20Outlook%2C%20Office%2C%20etc.%2C%20should%20we%20prefer%20VPP-licensed%20apps%20over%20App%20Store%20ones%3F%3CUL%3E%3CLI%3EAre%20there%20any%20differences%20that%20I%20should%20be%20considering%20(I%20understand%20that%20the%20VPP%20ones%20are%20%22loaned%22%20to%20the%20user%20and%20can%20be%20revoked).%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3CLI%3EWe've%20experienced%20that%20app%20protection%20policies%20(APP)%20apps%20were%20applying%20to%20Microsoft%20apps%20and%20discovered%20that%20(1)%20the%20users%20installed%20the%20apps%20manually%20through%20the%20App%20Store%20and%20(2)%20IntuneMAMUPN%20app%20configuration%20policies%20were%20not%20pushed%20previously.%3CUL%3E%3CLI%3ECan%20these%20app%20configuration%20policies%20be%20pushed%20to%20manually%20installed%20App%20Store%20apps%2C%20or%20must%20the%20be%20deployed%20through%20Intune.%3C%2FLI%3E%3CLI%3EIf%20they%20must%20be%20pushed%2C%20must%20they%20be%20VPP%20apps%20or%20can%20they%20be%20App%20Store%20apps%3F%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3CLI%3EI%20understand%20that%20'Available'%20intent%20apps%20can%20only%20be%20targeted%20at%20user%20groups.%26nbsp%3B%20If%20we%20wanted%20to%20prevent%20certain%20apps%20from%20being%20available%20on%20certain%20devices%20(e.g.%20BYOD)%2C%20how%20could%20that%20be%20accomplished.%26nbsp%3B%20For%20example%2C%20since%20availability%20of%20an%20app%20assigned%20to%20the%26nbsp%3Buser%2C%20and%20the%20user%20has%20both%20a%20corp%20and%20BYOD%20device%2C%20how%20would%20we%20be%20able%20to%20prevent%20the%20user%20from%20seeing%2Fgetting%20the%20app%20from%20the%20Company%20Portal%3F%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance!%3C%2FP%3E%3CP%3EBryan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1776652%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Application%20Management%20(MAM)%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1779325%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20iOS%20App%20deployment%20confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1779325%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F4347%22%20target%3D%22_blank%22%3E%40Bryan%20Hall%3C%2FA%3E%26nbsp%3Byeah%2C%20you're%20pretty%20much%20spot%20on%20there.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUser%20affinity%20is%20where%20the%20device%20is%20allocated%20to%20a%20particular%20user%2C%20shared%20devices%20(no%20user%20affinity)%20do%20not%20need%20to%20be%20set%20to%20kiosk%20(single-app)%20mode%2C%20this%20is%20ideal%20where%20devices%20are%20shared%20between%20multiple%20individuals%2C%20such%20as%20students%2C%20that%20require%20a%20host%20of%20applications.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENo%20idea%2C%20currently%20having%20the%20same%20problem%20with%20Company%20Portal%2C%20assigning%20it%20as%20a%20required%20(VPP)%20app%20appears%20to%20cause%20a%20conflict%2Fissue%20(check%20under%20Device-Managed%20Apps%20or%20Apps-Monitor-App%20Install%20Status)%20it%20does%20actually%20get%20the%20app%20to%20update.%20Still%20trying%20to%20figure%20out%20where%20the%20blame%20lies%20for%20this%20'issue'%20at%20the%20moment.%20Technically%20it's%20a%20VPP%20app%2C%20issued%20from%20a%20token%20that%20is%20set%20to%20automatically%20update%20yet%20seems%20to%20be%20stuck%20at%20the%20version%20that%20was%20installed%20when%20the%20device%20was%20provisioned.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20subjective%2C%20however%20I%20prefer%20to%20assign%20(to%20devices)%20any%20apps%20that%20are%20required%2C%20such%20as%20Teams%20or%20Office%20suite.%20This%20negates%20the%20need%20to%20issue%20a%20managed%20apple%20ID%2C%20and%20removes%20any%20reliance%20on%20the%20end%20user%20to%20operate%20an%20Apple%20ID.%20I%20don't%20believe%20you%20can%20assign%20non-VPP%20(or%20LoB%20apps)%20to%20a%20device...%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EApp%20protection%20policies%20(APP)%20apply%20to%20(Intune-licensed)%20users%2C%20these%20apply%20to%20MAM-aware%20apps%20regardless%20of%20app%20ownership.%20APP%20can%20be%20split%20between%20BYOD%20or%20Managed%20devices%2C%20with%20app%20configuration%20policies%20(containing%20the%20IntuneMAMUPN)%20being%20applied%20to%20managed%20devices.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUnder%20App%20assignment%20use%20Available%20for%20enrolled%20devices%20and%20then%20(separately)%20implement%20device%20restrictions%20that%20would%20prevent%20users%20from%20enrolling%20personal%20devices%20maybe%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHopefully%20these%20help%2C%20please%20feel%20free%20to%20ask%20if%20anything's%20not%20clear%2C%20and%20I'll%20update%20this%20if%20I%20find%20anything%20else%20on%20the%20company%20portal%20issue.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1806887%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20iOS%20App%20deployment%20confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1806887%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F319913%22%20target%3D%22_blank%22%3E%40robunger%3C%2FA%3E%26nbsp%3BThanks%20for%20taking%20the%20time%20to%20respond.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20a%20ticket%20open%20with%20MS%20regarding%20the%20Company%20Portal%20deployed%20during%20ADE-enrollment%20to%20see%20if%20that%20version%20is%20supposed%20to%20update%20itself.%26nbsp%3B%20So%20far%20they%20have%20not%20stated%20whether%20it%20should%20or%20should%20not%20behave%20that%20way.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWithout%20it%20being%20pushed%20as%20a%20VPP%2C%20required%20app%2C%20the%20out-dated%20Company%20Portal%20will%20prompt%20the%20user%20to%20Update%2C%20which%20will%20bring%20them%20to%20the%20regular%20App%20Store%2C%20but%20it%20won't%20let%20them%20install%20that%20one%20and%20will%20provide%20the%20error%20%22Cannot%20Update%20App.%26nbsp%3B%20Intune%20Company%20Portal%20cannot%20be%20updated%20because%20it%20was%20refunded%20or%20purchased%20with%20a%20different%20Apple%20ID%22.%26nbsp%3B%20But%20if%20we%20do%20push%20out%20the%20VPP%20Company%20Portal%20as%20required%2C%20it%20will%20install.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20our%20scenario%2C%20Company%20Portal%20isn't%20used%20regularly%20by%20the%20user%20base%20(some%20may%20have%20never%20even%20opened%20it%20after%20the%20initial%20enrollment).%26nbsp%3B%20So%20we've%20observed%20that%20the%20versions%20of%20the%20Company%20Portal%20appear%20to%20still%20be%20on%20the%20version%20that%20was%20installed%20during%20initially%20enrollment.%26nbsp%3B%20It%20could%20be%20that%20under%20normal%20circumstances%20and%20regular%20usage%2C%20if%20the%20Company%20Portal%20is%20periodically%20opened%2C%20it%20will%20be%20within%20the%20supported%20version%20range%20that%20it%20will%20update%20itself.%26nbsp%3B%20I%20have%20no%20proof%20of%20that%20though%2C%20just%20speculation.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

I'm having a difficult time getting a grasp of when/why to deploy App Store apps or VPP apps, and when to use device or user licensing for iOS devices.  I've glanced and gleaned from different sources, but it doesn't seem easy to get succinct information other than lots and lots of testing and experience.

 

To level-set, here are the things that I understand (possibly incorrectly):

  • 'with enrollment' means that the device has been enrolled with Intune, regardless of ownership.
    • for iOS, this means through Apple ADE/DEP for corporate-owned, or manual install/login to Company Portal on BYOD (and corporate-owned that aren't in ADE/DEP).
  • 'without enrollment' means that the device is not enrolled with Intune, but App Protection Policies may still apply to some apps
  • In order for an iOS device to be 'supervised', it needs to be enrolled through ADE/DEP, or Apple Configurator.  Simply installing Company Portal and switching the device to Company owned does not enable supervision
  • iOS/iPad OS apps can be added to Intune either as App Store apps or through Apple VPP.
  • Apps deployed with 'Available' intent can only be targeted to user groups
  • To silently install apps (without needing the user to be signed in to the App Store), the app must be deployed with device license.
  • If a 'Required' app is deployed with a user license, the user must be signed into the App Store with an account (and accept that the organization can grant them temporary licenses for apps)

 

Questions:

  • When the term 'user affinity' is used in the MS docs, does this simply mean all scenarios other than devices used as kiosks?
  • I've experienced that the Company Portal (deployed as part of the Apple ADE enrollment process) does not automatically get updated; we've had users who have had versions several months (up to a year) old.  Does the Company Portal need to also be pushed as Required to these supervised devices?  Or is something wrong (should it be updating automatically when installed during automatic enrollment)?
  • For 'free' apps such as Microsoft OneDrive, Outlook, Office, etc., should we prefer VPP-licensed apps over App Store ones?
    • Are there any differences that I should be considering (I understand that the VPP ones are "loaned" to the user and can be revoked).
  • We've experienced that app protection policies (APP) apps were applying to Microsoft apps and discovered that (1) the users installed the apps manually through the App Store and (2) IntuneMAMUPN app configuration policies were not pushed previously.
    • Can these app configuration policies be pushed to manually installed App Store apps, or must the be deployed through Intune.
    • If they must be pushed, must they be VPP apps or can they be App Store apps?
  • I understand that 'Available' intent apps can only be targeted at user groups.  If we wanted to prevent certain apps from being available on certain devices (e.g. BYOD), how could that be accomplished.  For example, since availability of an app assigned to the user, and the user has both a corp and BYOD device, how would we be able to prevent the user from seeing/getting the app from the Company Portal?

 

Thanks in advance!

Bryan

3 Replies
Highlighted

@Bryan Hall yeah, you're pretty much spot on there. 

 

User affinity is where the device is allocated to a particular user, shared devices (no user affinity) do not need to be set to kiosk (single-app) mode, this is ideal where devices are shared between multiple individuals, such as students, that require a host of applications.

 

No idea, currently having the same problem with Company Portal, assigning it as a required (VPP) app appears to cause a conflict/issue (check under Device-Managed Apps or Apps-Monitor-App Install Status) it does actually get the app to update. Still trying to figure out where the blame lies for this 'issue' at the moment. Technically it's a VPP app, issued from a token that is set to automatically update yet seems to be stuck at the version that was installed when the device was provisioned.

 

This is subjective, however I prefer to assign (to devices) any apps that are required, such as Teams or Office suite. This negates the need to issue a managed apple ID, and removes any reliance on the end user to operate an Apple ID. I don't believe you can assign non-VPP (or LoB apps) to a device...?

 

App protection policies (APP) apply to (Intune-licensed) users, these apply to MAM-aware apps regardless of app ownership. APP can be split between BYOD or Managed devices, with app configuration policies (containing the IntuneMAMUPN) being applied to managed devices.

 

Under App assignment use Available for enrolled devices and then (separately) implement device restrictions that would prevent users from enrolling personal devices maybe?  

 

Hopefully these help, please feel free to ask if anything's not clear, and I'll update this if I find anything else on the company portal issue.

 

 

 

 

Highlighted

@robunger Thanks for taking the time to respond.

 

I have a ticket open with MS regarding the Company Portal deployed during ADE-enrollment to see if that version is supposed to update itself.  So far they have not stated whether it should or should not behave that way.

 

Without it being pushed as a VPP, required app, the out-dated Company Portal will prompt the user to Update, which will bring them to the regular App Store, but it won't let them install that one and will provide the error "Cannot Update App.  Intune Company Portal cannot be updated because it was refunded or purchased with a different Apple ID".  But if we do push out the VPP Company Portal as required, it will install.

 

In our scenario, Company Portal isn't used regularly by the user base (some may have never even opened it after the initial enrollment).  So we've observed that the versions of the Company Portal appear to still be on the version that was installed during initially enrollment.  It could be that under normal circumstances and regular usage, if the Company Portal is periodically opened, it will be within the supported version range that it will update itself.  I have no proof of that though, just speculation.

Highlighted

Hi @Bryan Hall,

I've since received this response from MS support

The reason that the application is not updating is due to the VPP handling the deployment of the Company Portal application in the profile and not Endpoint/Intune.

To remedy this issue, simply deploy the VPP version of the Company portal to the devices using Device licensing in the assignment.

Doing so allows Endpoint to take over update control and will force the Company portal application to update to the latest version on the devices.

 

The assignment won't deploy the company portal to the device as it will already be deployed by the Enrollment profile/VPP, it will just handle the update.


I hope this helps?

 

Rob