Almost 2 years ago I posted athread about dealing with Apple Managed ID on DEP controlled devices via Intune. There weren't any really good answers to those questions then. I am re-visiting it now and it seems it still is a problem. Apple recommends Managed IDs for schools via theirschool.apple.comsite. These accounts have some really nice features for students and teachers like 200 GB of iCloud for free and managed app purchasing. The managed app purchasing relies upon a MDM to manage it. Intune is a MDM that supports IOS devices, however very poorly. One of the (intended) drawbacks of managed ids is that they don't have permissions to install apps via the store, rather the MDM is supposed to push to device. The problem is Intune relies upon the Company Portal app for enrollment in MDM. If you are using a managed ID you can't install the app. You get stuck in a loop and have a useless device.
I have found that if I choose to authenticate with Apple Setup Assistant rather than Company Portal it appears to do some device level install rather than user since the apps get installed. However if you do this you can't use a MFA account since it isn't supported.
Am I missing something or is this still the best Intune has to offer for IOS device management?
Not sure about Apple Managed ID, but to install apps by Intune you can use user license or device license. In last case user won't be asked for Apple ID or anything. To enable that you need to use VPP and set device license type in deployment.
For device licensing you still need to login and enroll device. The only two ways I know to do this is during setup of IOS device via remote management (this method doesn't support MFA accounts) or via the Company Portal app. One will work with Managed ID but not MFA accounts, the other will work with MFA but not managed ID. No way to have both.