10-13-2020 11:11 AM
I'm having a difficult time getting a grasp of when/why to deploy App Store apps or VPP apps, and when to use device or user licensing for iOS devices. I've glanced and gleaned from different sources, but it doesn't seem easy to get succinct information other than lots and lots of testing and experience.
To level-set, here are the things that I understand (possibly incorrectly):
Thanks in advance!
10-14-2020 06:09 AM
@Bryan Hall yeah, you're pretty much spot on there.
User affinity is where the device is allocated to a particular user. Shared devices (no user affinity) do not need to be set to kiosk (single-app) mode; this is ideal where devices are shared between multiple individuals, such as students, that require a host of applications.
No idea, currently having the same problem with Company Portal, assigning it as a required (VPP) app appears to cause a conflict/issue (check under Device-Managed Apps or Apps-Monitor-App Install Status) it does actually get the app to update. Still trying to figure out where the blame lies for this 'issue' at the moment. Technically it's a VPP app, issued from a token that is set to automatically update yet seems to be stuck at the version that was installed when the device was provisioned.
This is subjective; however, I prefer to assign (to devices) any apps that are required, such as Teams or Office suite. This negates the need to issue a Managed Apple ID, and removes any reliance on the end user to operate an Apple ID. I don't believe you can assign non-VPP (or LoB apps) to a device...?
App protection policies (APP) apply to (Intune-licensed) users; these apply to MAM-aware apps regardless of app ownership. APP can be split between BYOD or Managed devices, with app configuration policies (containing the IntuneMAMUPN) being applied to managed devices.
Under App assignment use Available for enrolled devices and then (separately) implement device restrictions that would prevent users from enrolling personal devices maybe?
Hopefully these help, please feel free to ask if anything's not clear, and I'll update this if I find anything else on the company portal issue.
10-21-2020 09:29 PM
@robunger Thanks for taking the time to respond.
I have a ticket open with MS regarding the Company Portal deployed during ADE-enrollment to see if that version is supposed to update itself. So far they have not stated whether it should or should not behave that way.
Without it being pushed as a VPP, required app, the outdated Company Portal will prompt the user to Update, which will bring them to the regular App Store, but it won't let them install that one and will provide the error "Cannot Update App. Intune Company Portal cannot be updated because it was refunded or purchased with a different Apple ID". But if we do push out the VPP Company Portal as required, it will install.
In our scenario, Company Portal isn't used regularly by the user base (some may have never even opened it after the initial enrollment). So we've observed that the versions of the Company Portal appear to still be on the version that was installed during initial enrollment. It could be that under normal circumstances and regular usage, if the Company Portal is periodically opened, it will be within the supported version range that it will update itself. I have no proof of that though, just speculation.
Hi @Bryan Hall,
I've since received this response from MS support:
The reason that the application is not updating is due to the VPP handling the deployment of the Company Portal application in the profile and not Endpoint/Intune.
To remedy this issue, simply deploy the VPP version of the Company Portal to the devices using Device licensing in the assignment.
Doing so allows Endpoint to take over update control and will force the Company Portal application to update to the latest version on the devices.
The assignment won't deploy the Company Portal to the device as it will already be deployed by the Enrollment profile/VPP; it will just handle the update.
I hope this helps?