VPP Licensing Issues


Hi there,

 

I'm currently getting frustrated with the following problem:

At first the outline:

  • We want users to choose: Do you want to use a personal device? If so you can enroll in MDM with type "User Enrollment".
  • If the user "qualifies" to receive a corporate iOS device, we're using Automated Device Enrollment via ABM

Now on to the issue:

  • App Assignment for the App MS Teams
    • Required:
      • All devices, with an include filter (All ADE Devices), Device based licensing
        • Idea: this should only happen when using corporate devices
    • Available:
      • All Users, with an exclude filter (All ADE devices), User based licensing
        • Idea: All devices which are not corporate should apply this one.
  • App Assignment for the App MS Whiteboard
    • No Required Assignment
    • Available:
      • All Users, with an exclude filter (All ADE devices), User based licensing
        • Idea: All devices which are not corporate should apply this one.
      • Azure AD Security Group with all Users using corporate ios devices, Device based licensing
        • Idea: All devices which ARE corporate should apply this one.

What is the result?

  1. The Whiteboard App is working perfectly:
    1. When using an ADE device, the device based license is used. (Therefore a silent installation happens after the user chooses "Install app" from Company Portal.)
    2. When using a User Enrolled device, the user based license is used. Great!
  2. As soon as an App additionally has a required assignment, the whole thing breaks:
    1. When the user on the user enrolled device tries to install the app from Company Portal, nothing happens.
    2. Intune shows the totally misleading error: "Device VPP licensing is only applicable for iOS 9.0+ devices. (0x87D13B69)"
      1. The device is way above 9.0 AND the device shouldn't use device licensing. (Of course User Enrollment doesn't support device licensing.)

I'm totally aware of the fact that we have to use "user based licensing" for User Enrolled devices AND we have to use Device Based licensing when using ADE and want to install silently or the user doesn't have an Apple ID.

 

How can we achieve this scenario?

We totally don't want to have to choose between either ADE or User Enrollment.

 

Any help, as always is highly appreciated. :)

 

Cheers,

Patrick!

18 Replies

Hey Patrick,

I have a setup a lot like this and haven't run into this issue. We have BYOD (MDM enrolled) and ADE iOS devices with VPP licenses set to device based for both and haven't seen any issues.

Both kinds of devices get a push from Intune to install the apps using VPP and do.

Maybe try device based licensing for both device types and see how you go?

Hope that helps
Danny

@DBerry2 

Thank you for your reply.

Based on my knowledge (learned through MS docs and my own trial and error), device based licensing shouldn't work at all for the "user enrollment" method, only for ADE devices.

The only supported licensing method for user enrollment MDM should be VPP user based licensing.

(By the way: device based shouldn't bring up a pop-up message at all; that is one of the key benefits of this license method.)

Anyway: You are using app assignments with only "all user -> device based licensing" for both? ADE & User enrollment? Are you using this for required AND available app assignments?

Hey @PatrickF11

 

Yeah, we are using device based licensing for both BYOD and ADE devices within our deployment and haven't seen any issues. When a BYOD user enrolls they do get pop-ups for app installs, but it is using VPP for the licensing and not the user's iCloud account, as the user doesn't have to be logged in to an iCloud account to set up and never has to use one if they don't want to.

 

I used to also use the same kind of setup on a MobileIron deployment and never had any issues using device based licensing. I've also attached a screenshot of one of our app assignments just so you can see what it looks like.

 

DBerry2_0-1665988173551.png

 

Hope that helps out.

 

Thanks

Danny

 

@DBerry2 Thank you very much for your answer. I'm going to try this next week.
Just for clarification: When you're talking about BYOD you mean the enrollment type "User Enrollment", right? (so not Device Enrollment)

 

userenrollment.png

@PatrickF11  

 

I have the exact same issue.

User enrolment.

Unable to apply any App configuration policy to the device since Outlook is not VPP. I am getting "not applicable",

while I can't install VPP apps to a user enrolled device.

 

   

@ABUOBAID  That sounds like a completely different topic. ;)
My problem is with licensing of apps, you're talking about the assignment of app configuration policies.

Hi, you are using the "legacy" device enrolment, not user enrolment. For user enrolment, device licensing is not supported, following the MS docs.
User enrolment mode absolutely makes sense, because Apple is partitioning iOS devices into two APFS partitions, but that is only the case for user enrolment. You would have to set up "enrolment types" to enable that.

@Markus Güntner 

Thanks for your reply.

That's what I thought too, he isn't using the user enrollment mode. (Any other mode isn't applicable in my opinion for "real BYOD" scenarios.)

And you're right: As per MS Docs, user licensing is the only thing that should work. (That's why I mentioned in my initial post that I'm already using this as licensing mode.)

 

Anyway:

Are there any new thoughts on this one?

Is there anyone out there with the same issues? (Or with the same scenario without issues? ;)

 

I'm sure it's not that unusual to provide two enrollments:

  1. BYOD ► User can choose between "App Protection only" (automatically applied to all) or they can enroll in MDM with "user enrollment mode".
  2. Corporate owned (whether COPE, COBO or COSU) ► The device will get ADE enrolled with an appropriate configuration set.

Hi @PatrickF11 

We recently rolled out to Intune and thought of having the same setup as you do and ran into the same issue. However, the error we receive when we use a user group with user licensing is "VPP App licensing in progress. (0x87D13B91)".

 

After 3-4 days this issue automatically resolved, and we got prompts on iOS BYOD user enrolled devices and apps got installed. However, it's happening again on newly enrolling devices as well.

Did you get any recommendations from MS or best practices to achieve this? Or if you have already figured it out, could you please share the details?

Hi @Kalaiarasu_M 

Thanks for sharing your thoughts.

My Support Ticket wasn't that successful, yet. 

 

My issues are getting even stranger. After many, many tries all apps were installed (BYOD and corporate owned). I've tried revoking the VPP licensing in the Intune portal; afterwards >most< apps installed successfully, but only a few reflected the successful installation back to Intune.

 

This is so annoying at the moment.

MS Support advised me to try using dynamic device groups instead of all users / user groups.

But the issue with that is that dynamic groups are way slower, which would result in way longer deployment progress.

Nevertheless I'll try this in the next days and test it again and again and again.. I'm not giving up on this. :D

Just a quick reply after the ongoing tests:

 

  1. Dynamic Device Group based Assignments: Partially working well
    1. COPE iOS, ADE enrolled Device gets the correct required VPP Apps via Device licensing.
    2. COPE iOS, ADE enrolled Device is not able to install Apps marked as available. (As outlined in MS Docs: Available Assignment is only usable with user groups. So this seems quite legit.)
    3. BYOD iOS, User Enrollment Device gets the correct required VPP Apps via User licensing.
    4. BYOD iOS, User Enrollment Device is not able to install Apps marked as available. (same as COPE)

Hi @Patrick,
The issue "VPP App licensing in progress. (0x87D13B91)" with iOS BYOD (User Enrollment) devices has been resolved in our environment.
Issue:
We had two ABM tenants and our VPP token was added from the secondary ABM. Once we created a new VPP token in the primary ABM and synced with Intune, the app deployment was successful.

We are using User groups with Filters for app assignment. For users with ADE devices, it's Required intent with Device licensing and for BYOD devices it's Available intent with User licensing.

This also fixed our issue with App configuration policies showing as not applicable for BYOD devices reported by @ABUOBAID.

In case anyone else comes across this error I will share my fix. I had assigned the apps to user(s) via an M365 group, which seems to work but doesn't. Then I created a security group and assigned that instead and it instantly started installing.

I still had this issue for a handful of apps. I did not change the assignment because it should still be fast ("All devices" with filter). What helped was purchasing additional licenses of affected apps in ABM (even if there were enough left) and a quick sync of the token.

Regardless of User or Device enrollment, I only use Device licenses. I never mix and match; it causes issues.
Switch all your software deployments to Device and test. I think you will see you now have 0 issues.

@JutManGraham 

 

Even though I currently don't have any issues left: It is not possible to use device based licensing for every device, because user enrolled devices in fact NEED user based licensing

(because device-based licensing isn't supported on user enrolled devices. This is outlined here:

Manage Apple volume-purchased apps - Microsoft Intune | Microsoft Learn)

@PatrickF11 

The problem seems to occur when you publish everything at User License then throw a single Device based license into the mix.  It seems to break down the entire licensing on the device.

I have published everything as Device License (see attached) regardless of if it is a user group based install through Company Portal OR publishing as Required to a device based on serial number directly or dynamic group.  We do NOT use the Apple store in any way shape or form.

 

We do NOT use the Managed Apple IDs, which tie ABM to our internal domain, for multiple reasons, mostly around not trusting Apple and their data use scenarios.

 

Also, we do not want or allow our colleagues to the Apple Store since we regulate what they can install due to security concerns. 

@JutManGraham 

Thank you for your reply.

I understand what you are saying, but based on your screenshot I can't see what type of devices you are using. Just in case we're talking about different things:

When I say "user enrolled devices" I'm talking about personal devices using the deployment method called "user enrollment". This isn't the same thing as a corporate device enrolled via ADE as "enrolled with user affinity". These are two totally different types of device management and app management. And to my understanding these types need different VPP app assignment.

 

Regarding your screenshot: it doesn't matter whether you're using required assignment or available assignment when speaking of device based or user based licensing. And I'm not talking about groups containing users or devices.

 

All my concerns and ideas relate to the different deployment types and the different needs of VPP.
I hope I can express this right?
I already talked a lot to Microsoft’s support and the basics are totally clear to me (and to Microsoft :-D).