Forum Discussion
VPP Licensing Issues
I ran into this same issue (Microsoft support case 2409110040011573, opening case submission at the end of this message). Through a lengthy discussion with Microsoft Support (and discussions in the #microsoft-intune channel in MacAdmins Slack:
https://macadmins.slack.com/archives/C31HJUSRJ
), the best conclusion I could come up with is that Intune doesn't handle multiple app assignments well when those assignments:
- Use the same Intent ("Required", "Available", etc)
- Use different "License Types" ("Device" vs. "User")
- Utilize Filters to target unique devices
Simplified, if you create the following assignments for an app:
- "Required", Group A, "Include" Filter for ADE devices, Device License Type
- "Required", Group B, "Include" Filter for ADUE devices, User License Type
Matching either of these group+Filter assignments and being a member of both Group A & Group B causes Intune to ignore the Filter when picking the particular assignment to deliver the app to the device. IOW, if you match #2 above (User Group B, "Include" Filter for ADUE devices), Intune then evaluates the assignments as follows to determine which assignment (and thus the particular License Type) to deliver:
- "Required", Group A, Device License Type
- "Required", Group B, User License Type
And if the user or device is part of both Group A & Group B, Intune might pick the wrong assignment resulting in the wrong License Type being delivered.
The solution I found was to:
- Create a separate "Location" in Apple Business Manager (call it, say, "ADUE Location")
- Assign/purchase licenses of the app in question to that Location
- Add the Location's VPP token to Intune (thus having two VPP tokens pointing back to the same Apple Business Manager)
This creates a second listing of the App in Intune's App list, and Intune appears to treat the two App entries as separately as it would two absolutely unique apps (e.g. Outlook & Teams). Making the following assignments utilizing the apps listed in Intune for each VPP token:
- Regular Location VPP Token, "Required", User Group, "Include" Filter for ADE devices, Device License Type
- ADUE Location VPP Token, "Required", User Group, "Include" Filter for ADUE devices, User License Type
And everything works as expected--silent installations in all cases. A couple notes:
- This issue & solution also applies to apps with multiple "Available" Intent assignments
- This solution neatly gets around the issue that you can only make one assignment to the "All Users" group, so this combination of assignments for a single app isn't possible:
- "Available", "All Users", "Include" Filter for ADE devices, Device License Type
- "Available", "All Users", "Include" Filter for ADUE devices, User License Type
- But with two Locations (and thus two apps), this is possible:
- Regular Location VPP Token, "Available", "All Users", "Include" Filter for ADE devices, Device License Type
- ADUE Location VPP Token, "Available", "All Users", "Include" Filter for ADUE devices, User License Type
Case 2409110040011573 Opening Submission
----
I'm attempting to silently distribute Microsoft Authenticator for iOS in two different scenarios on an iPad running iPadOS 17.6.1:
- For devices that have enrolled through Account Driven User Enrollment (ADUE), per "Set up account driven Apple User Enrollment" which in the "Step 1: Set up just in time registration and assign Microsoft Authenticator" section:
https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-account-driven-user-enrollment#step-1-set-up-just-in-time-registration-and-assign-microsoft-authenticator
points to this article:
https://learn.microsoft.com/en-us/mem/intune/enrollment/set-up-just-in-time-registration#set-up-jit-registration
which says in step 11 to "assign Microsoft Authenticator to groups as a required app."
- For devices that enroll into Intune through a particular Automated Device Enrollment (ADE) enrollment profile--one that is set up with User Affinity
Steps taken:
- With the Microsoft Authenticator VPP app in Intune
- Added a "Required" assignment to an "Included" Group of Users with an "Include" filter for devices enrolled through an ADUE enrollment with a "User" license type. NOTE my account is an member of this Group of Users
- Added a "Required" assignment to an "Included" Dynamic Group of supervised ADE Devices using a "Device" license type
- Enrolled an iPad into Intune via ADE in the desired Enrollment Profile, including signing in via Modern Authentication with my account--triggering User Affinity
Expected Result:
- Microsoft Authenticator is silently installed on the ADE-enrolled iPad, per scenario 6 of the "End-User Prompts for VPP":
https://learn.microsoft.com/en-us/mem/intune/apps/vpp-apps-ios#end-user-prompts-for-vpp
Actual Result:
The supervised ADE device displays the following prompt when trying to install Microsoft Authenticator: "Allow App and Book Assignment? [organization] would like to assign apps and books to you."
Comments:
- The ADUE-enrolled iPad successfully silently installs Microsoft Authenticator
- If I remove the Microsoft Authenticator ADUE enrollment app assignment Microsoft Authenticator successfully installs on the ADE-enrolled iPad
- Other apps assigned to the ADE-enrolled iPads install successfully
Hi PatrickF11
We recently rolled out to Intune and thought of having the same set up as you do and ran into the same issue however the error we receive when we use a user group with user licensing is VPP App licensing in progress. (0x87D13B91).
After 3-4 days this issue automatically resolved, and we got prompts on iOS BYOD user enrolled devices and apps got installed however it's happening again on newly enrolling devices as well.
Did you get any recommendations from MS or best practices to achieve this? Or if you have already figured it out, could you please share the details.
Hi Kalaiarasu_M
Thanks for sharing your thoughts.
My Support Ticket wasn't that successful, yet.
My Issues start getting even stranger. After many many tries all apps were installed. (BYOD and Corporate owned). I've tried revoking the VPP licensing in the intune portal, afterwards >most< Apps installled successful, but only a few ones reflected the successful installation back to intune.
This is so annoying at the moment.
The MS Support adviced me to try using dynamic device groups instead of all users / user groups.
But the issue with that is, that dynamic groups are way slowlier what would result in way longer deployment progess.
Nevertheless i'll try this in the next days and test it again and again and again.. I'm not giving up on this. 😄
- In case anyone else comes across this error I will share my fix. I had assigned the apps to user(s) via a M365 group. Which seems to work but doesn't. Then I created a security group and assigned that instead and it instantly started installing.
- Hi Patrick,
The issue "VPP App licensing in progress. (0x87D13B91" with iOS BYOD (User Enrollment) devices has been resolved in our environment.
Issue:
We had two ABM tenants and our VPP token was added from secondary ABM. Once we created a new VPP token in Primary ABM and synced with Intune. The app deployment was successful.
We are using User groups with Filters for app assignment. For users with ADE devices, its Required intent with Device licensing and for BYOD devices its Available intent with User licensing.
This also fixed our issue with App configuration policies showing as not applicable for BYOD devices reported by ABUOBAID. Just a quick reply after the ongoing tests:
- Dynamic Device Group based Assignments: Partially working well
- COPE iOS, ADE enrolled Device gets the correct required VPP Apps via Device licensing.
- COPE iOS, ADE enrolled Device is not able to install Apps marked as available. (as outlined in MS Docs: Available Assignment is only usable with user groups. So this seems quit legit.)
- BYOD iOS, User Enrollment Device gets the correct required VPP Apps via User licensing.
- BYOD iOS, User Enrollment Device is not able to install Apps marked as available. (same as COPE)
- Dynamic Device Group based Assignments: Partially working well
