Sep 30 2021 08:54 AM
We're in the process of migrating to Intune and we're starting with DEP devices. However, we've noticed that as applications are updated in the App Store, the device itself is not updating the applications automatically but requires human intervention. Today we checked one of the devices and saw that the update failed with error 0x87D13B9F:
Application attempted to install
9/30/2021 6:43:12 AM
App installation failed
9/30/2021 4:13:53 AM
Error code: 0x87D13B9F
An app update is available. Available apps can be updated using Company Portal and required apps will auto-update on device sync.
Suggested remediation
This code is returned when a VPP app is installed but there is a newer version available.
Our Apple VPP token is configured for automatic updates:
The Microsoft documentation confirms that:
Automatic app updates - Choose from Yes or No to enable automatic updates. When enabled, Intune detects the VPP app updates inside the app store and automatically pushes them to the device when the device checks in.
Note: Automatic app updates for Apple VPP apps will automatically update for both Required and Available install intents. For apps deployed with Available install intent, the automatic update generates a status message for the IT admin informing that a new version of the app is available. This status message is viewable by selecting the app, selecting Device Install Status, and checking the Status Details.
All this to say that this configuration should be working, as the application in question is required.
But it's not happening automatically.
Did we miss something somewhere?
Any advice is greatly appreciated.
References:
Troubleshoot app installation issues - Intune | Microsoft Docs
App installation error codes - Intune | Microsoft Docs
Manage Apple volume-purchased apps - Microsoft Intune | Microsoft Docs
0x87D13B9F App Install Error - Microsoft Tech Community
Dec 09 2021 05:57 AM
@GaryHerbstman Check your Apple VPP Token in Endpoint Manager.
Even though ours was showing as active, when we drilled into it, the token state was showing as 'Inactive'.
Turns out our issue was that for some reason, we were using the same VPP token in 2 MDM Solutions, so had to create a secondary token so we had one for each MDM.
As soon as we did that, the apps started to update.
Might not be the same for you, but this solved our issue.
Dec 09 2021 07:26 AM
Hi,
I came across that same issue last week. Somebody already mentioned it here, but it really was the case that the token (under Home > Tenant admin > Connectors and tokens) would show as active, but when you would click on it (Home > Tenant admin > Connectors and tokens > "TokenName") the state of the token would say invalid even though the expiration date was not due yet. The only thing that helped was logging in to ABM, downloading the VPP token, and uploading it again. After a few minutes it would show the state as valid again and the apps would update on the devices affected by this.
Hope this helps.
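As an added example (not part of the thread and not Microsoft's code), the token check that the two replies above describe can be scripted against the Microsoft Graph `vppTokens` resource instead of clicking into each token. The sample response and organization names are constructed; fetching the real list requires an authenticated GET to `/deviceAppManagement/vppTokens`.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the body returned by
# GET https://graph.microsoft.com/v1.0/deviceAppManagement/vppTokens
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"organizationName": "Contoso HQ (constructed)", "state": "valid",
   "lastSyncStatus": "completed", "automaticallyUpdateApps": true,
   "expirationDateTime": "2022-09-01T00:00:00Z"},
  {"organizationName": "Contoso Shared (constructed)", "state": "assignedToExternalMDM",
   "lastSyncStatus": "failed", "automaticallyUpdateApps": true,
   "expirationDateTime": "2022-09-01T00:00:00Z"},
  {"organizationName": "Contoso Lab (constructed)", "state": "invalid",
   "lastSyncStatus": "completed", "automaticallyUpdateApps": false,
   "expirationDateTime": "2021-12-20T00:00:00Z"}
]}
""")

def token_findings(token, now, warn_days=30):
    """Return the reasons this token would keep VPP app updates from flowing."""
    findings = []
    state = token.get("state", "unknown")
    if state == "assignedToExternalMDM":
        findings.append("token is claimed by another MDM; give each MDM its own token")
    elif state != "valid":
        findings.append(f"state is '{state}'; download the token from ABM and upload it again")
    if token.get("lastSyncStatus") == "failed":
        findings.append("last sync with Apple failed")
    if not token.get("automaticallyUpdateApps", False):
        findings.append("automatic app updates are disabled")
    # Keep only the seconds-resolution prefix so fractional-second timestamps also parse.
    expires = datetime.strptime(token["expirationDateTime"][:19],
                                "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if expires - now <= timedelta(days=warn_days):
        findings.append(f"expires {expires:%Y-%m-%d}")
    return findings

def audit(response, now):
    """Map organizationName -> findings, listing only tokens that have a problem."""
    report = {}
    for token in response.get("value", []):
        problems = token_findings(token, now)
        if problems:
            report[token["organizationName"]] = problems
    return report

if __name__ == "__main__":
    when = datetime(2021, 12, 9, tzinfo=timezone.utc)  # fixed date so output is repeatable
    for org, problems in audit(SAMPLE_RESPONSE, when).items():
        print(org, "->", "; ".join(problems))
```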
Dec 09 2021 12:46 PM
@MattisJanos Thanks for following up on this and I appreciate the super hot tip. I did a quick check and everything seems to check out:
Although this is a pretty standard operation, I'm going to submit a request for change (RFC) to re-import the token & see how that goes.
Question: We're transitioning from one MDM solution to Intune and I'm wondering if, since some apps were delivered using the other MDM solution, we need to set 'Take control of token from another MDM' to yes?
Dec 10 2021 01:32 AM
@Julius Perkins, your token looks fine, so that shouldn't be the issue here, you're right.
Regarding your question, this is what the MS documentation says:
"Take control of token from another MDM - Setting this option to yes allows the token to be reassigned to Intune from another MDM solution."
Not sure if I'd set this to yes, since you'll have to create a new MDM Server for Intune as a new solution in ABM anyways, so you'd also get a new token different from the one being used so far. I probably would leave it at no, since that's what I also did when we had a migration project. It was from Intune to Intune, but the ABM tenants were two different ones and the users unenrolled their devices from the old Intune tenant before. Not sure if this information helps.