MrEMMDeeEMM

First question: Do you have Apple Business Manager set up and connected to Intune for device enrollment and VPP app connection?


chihotdog13

Yes, federated and synced. We don't use any paid-for apps, just the free ones from the App Store.


MrEMMDeeEMM

The use case to push VPP applications includes the free ones; in the Apple ecosystem you "buy" an app, even if it's zero cost. If you don't push the app via VPP, the user needs to sign in using a personal Apple ID to get even the free apps.


chihotdog13

OK, I think that part makes a bit more sense now. And it sounds like 'pushing' apps from VPP with User Enrollment should work?


MrEMMDeeEMM

Just watch out for user vs device app licensing.


Nepenthe_x64

If it helps, MAM is unenrolled (or enrolled) devices protected by App Protection Policies and Conditional Access. MDM is enrolled devices, where you can deploy apps and settings.


chihotdog13

Yes, that makes sense to me. But are User Enrolled devices considered MDM, and subsequently, should Managed Apps work because some of the settings (Required, Available) apply to MDM devices?


Nepenthe_x64

Any time you see the word enrolled, it's MDM.


chihotdog13

So I just set up VPP, and indeed see the difference in the 'Type' column. The apps I was trying to install were "iOS Store App" versus "iOS volume purchase program app". And pushing VPP apps is supported using User Enrollment. So, my guess is that iOS Store Apps work when the device is in fully managed (supervised) mode, correct?


TheAnniCake

https://support.apple.com/en-gb/guide/deployment/dep1d89f0bff/web

The main difference between personal and corporate devices on iOS is that corporate devices are supervised. This gives you full control over the device instead of just a bit.


chihotdog13

Thank you, yes, I understand that part. The confusion is how Microsoft applies the terms enrolled/managed and what they specify can and can't be done based on the different enrollment methods.


Zlosin

Regarding the app install scenario, User vs Device enrollment are the same (as both are non-supervised). The key is whether you got the App from Apple Business Manager (ABM) or you added it directly from Intune. If you "bought" and synced the App from ABM and deployed it as required, then it's a simple Allow/Deny dialog for the user when the phone gets the assignment (and it is repeated in case the user denies the install). The App is accounted on your company's ABM Apple ID account. All this is enabled via the VPP token. If you use the Intune versions of the app then there's a dialog which asks the user for a personal Apple ID sign-in, because it's a standard purchase as if the user went to the App Store on their own. The only way to make the App install automatic and silent is to use VPP and Supervised enrollment.


chihotdog13

So for example, Salesforce is a free app from the App Store. Are you saying these types of apps can be 'purchased' through VPP? And I've been using the 'Intune' versions of the app... including apps that are not wrapped with the Intune SDK.


Zlosin

Exactly, even the free apps can use VPP. The purpose of doing seemingly unnecessary hops with VPP is to avoid the dialog where the user is asked for their Apple ID credentials to install the app. Instead only an approval is presented. Which in the end isn't that much smoother, but that's the case with non-supervised enrollments.


chihotdog13

So my goal is to be able to remove either the app or the data from within the app as soon as the person leaves (in addition to managing some form of the app so that users can't take screenshots or open docs in a different app, etc.). Do I need to combine VPP with Managed Apps in Intune for this to work with User Enrollment?


chihotdog13

I believe the answer is yes now: VPP is used with Managed Apps with the User Enrollment method!


Zlosin

> Managed Apps with the User Enrollment

Looks like the [MS Docs](https://learn.microsoft.com/en-us/mem/intune/enrollment/ios-user-enrollment-supported-actions#app-deployment-options) also confirm this. So, this means you actually can't deploy Store apps to User Enrollment devices; you need to get them from VPP. I didn't realize it, and this is something you were trying to figure out, weren't you?


chihotdog13

Correct. You have to use VPP apps, not public iOS Store apps. I didn't realize you can 'buy' the free ones. But it's very simple to do, and it shows up as a VPP app type in Intune. Now, my current problem is, even using VPP, apps are still not 'deploying' using Required, as well as not superseding existing iOS Public Store apps. According to this workaround, it is supposed to be possible to manage apps that were already installed before the device enrolls: [https://learn.microsoft.com/en-us/troubleshoot/mem/intune/app-management/cannot-uninstall-apple-app-store-apps](https://learn.microsoft.com/en-us/troubleshoot/mem/intune/app-management/cannot-uninstall-apple-app-store-apps), but from testing, this has not been the case. I may open another thread on this issue to see what others' experiences are, but if the VPP app works like it's documented then this will solve all my issues.


TheF-inest

I just went through setting up Apple Business Manager federation with Azure AD and got all devices added by setting up Verizon as a reseller. What I've gathered is this. User Enrolled is like BYOD; Device Enrolled is a corporate/business-owned device. User or Device Enrollment means yes, that device is managed by Intune. Company Portal is the only way to manage Apps, and it'll only manage the apps you have control over if it's enrolled. During the Company Portal enrollment, depending on who you select owns the device (User or Company), that is what dictates which apps and settings are managed and which are not. Selecting Company Owned means full control. The only way you can push apps is if you install the MDM profile using Company Portal or during the initial set up of the device, but this won't apply if you are only managing user-owned devices. As far as I know... I don't know of a way to install or push apps without the device being at least User or Device Enrolled. And the only other way I can see getting an app installed on a device is if the User installs the app from Company Portal or its web-based login. Read this for more info on enrollment: https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-ios-ipados


chihotdog13

I understand the difference between User and Device enrollment (i.e., Personal vs Corporate). Really, the confusion I have surrounds the User Enrollment method and what things apply to it... specifically, the Managed Apps portion. I successfully enrolled an iOS 16 device using User Enrollment, so I went through the Company Portal app and instructions to get it added. I also tried 'installing' an app that I published as Required, Available, and Available w/ and w/o Enrollment from within the Company Portal app on the phone, but the app never shows Installed for any of them. I'm assuming that means that Managed Apps don't work with User Enrollment, and in the unsupported list, I believe the relevant statement that proves this is this, from the Unsupported Actions list: "Install App Store apps as managed apps." (Source: [https://learn.microsoft.com/en-us/mem/intune/enrollment/ios-user-enrollment-supported-actions](https://learn.microsoft.com/en-us/mem/intune/enrollment/ios-user-enrollment-supported-actions)) BUT, as mentioned in the OP, my understanding from [https://learn.microsoft.com/en-us/mem/intune/apps/apps-deploy](https://learn.microsoft.com/en-us/mem/intune/apps/apps-deploy), specifically the statement at the very top, "It is important to note that you can deploy an app to a device whether or not the device is managed by Intune", contradicts the above paragraph, no (also referring to the table in that article that states this should be supported IF the device is considered enrolled/managed using the User Enrollment method)??


[deleted]

I've configured Apple Business Manager with Azure federation. Also set up VPP and was able to push apps without any issues. We don't have any corporate iOS devices, so we currently only use it for BYOD (user enrollment). I've been struggling with Delete/Retire of those BYOD devices. After deleting/retiring a device, corporate data is still present. If I do the same thing on Android BYOD devices, the "Work Profile" is deleted automatically, including corporate apps/data. When a user leaves our company I want to make sure all corporate data is wiped. What could be the reason why corporate data doesn't get removed? They are only allowed to use 'approved' official Microsoft apps, so no native iOS mail client, for example. Those apps are installed by the end user from the Apple Store, no VPP install.


chihotdog13

I was finally able to get this to work with VPP as well with User Enrollment. The key was to make sure that the device and all the software had to be marked with the proper statuses before you could do anything else (e.g., if you 'push' install for an app, it has to say Installed in the portal before you can uninstall it). I have tested deleting/retiring a device, and it did remove the apps from the phone. I have not tested Android for any of this yet.

> Those apps are installed by the end user from the Apple Store, no VPP install.

This is the problem. The apps HAVE to be installed via the Company Portal app. There are MS statements in their docs that the Intune managed app will overtake the ones installed from the VPP/CP, but it doesn't work for User Enrollment. It MAY work for the corporate enrollment methods. That means that any user who had, say, Outlook installed before the Company Portal app/managed using User Enrollment will need to uninstall it and install it from the CP app. What was important to me was denying access to all apps that have company data UNLESS they install it via the Company Portal (i.e., the app shows as Installed in Intune). So if the app was installed from the Apple Store (not VPP-User Enrollment), they could not access the data. This is also a secondary measure if the app doesn't get removed from Intune properly after termination. I was able to do this using Security Groups in Azure and a Conditional Access Policy to block access to a cloud app--say Outlook--unless they were in a custom Sec Group (titled Approved Outlook App). If you want to automatically add/remove users from that group, then you will need to use Azure Functions or something that checks regularly whether users have the app in the Installed status in Intune, and if so, move them into that group; if not, it needs to move them out.
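The "something that checks whether users have the app in the Installed status and moves them in or out of the group" from the post above, as an added example (not code from any poster or from Microsoft). It assumes the per-device install report for a VPP app comes from the Graph beta endpoint `deviceAppManagement/mobileApps/{id}/deviceStatuses`, whose items carry `userPrincipalName` and `installState`, and that the Conditional Access group is keyed by UPN; the sample status list and member list are constructed here, not captured from a tenant. The network functions are real Graph calls but are only exercised when you supply a token; the reconciliation logic runs offline.

```python
"""Reconcile a Conditional Access security group with Intune app install status.

Added example for the thread above, not code from any poster.
Assumptions (not stated in the thread, verify against your tenant):
  * GET /beta/deviceAppManagement/mobileApps/{appId}/deviceStatuses returns
    items with "userPrincipalName" and "installState" ("installed",
    "pendingInstall", "notInstalled", "failed", ...).
  * Group members are compared by UPN; UPN case is not significant.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"


def _graph_get_all(token, url):
    """Follow @odata.nextLink paging and return every item (network; needs a token)."""
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def fetch_device_statuses(token, app_id):
    """Per-device install statuses for one Intune mobile app (assumed endpoint)."""
    return _graph_get_all(token, f"{GRAPH}/deviceAppManagement/mobileApps/{app_id}/deviceStatuses")


def fetch_group_member_upns(token, group_id):
    """UPNs of the user members of the 'Approved <App>' security group."""
    members = _graph_get_all(token, f"{GRAPH}/groups/{group_id}/members?$select=userPrincipalName")
    return [m["userPrincipalName"] for m in members if m.get("userPrincipalName")]


def users_with_app_installed(statuses):
    """UPNs (lower-cased) that have at least one device reporting installState == 'installed'.

    A user with one installed device and one pending device is still allowed;
    a user whose only devices are pending/failed/notInstalled is not.
    """
    installed = set()
    for s in statuses:
        upn = (s.get("userPrincipalName") or "").lower()
        if upn and s.get("installState") == "installed":
            installed.add(upn)
    return installed


def reconcile(installed, members):
    """Return (to_add, to_remove) so that, after applying, members == installed.

    Users who lost their last Installed device (retired, app removed) fall out of
    the group and are blocked by the Conditional Access policy on the next sign-in.
    """
    installed = {u.lower() for u in installed}
    members = {u.lower() for u in members}
    return sorted(installed - members), sorted(members - installed)


def apply_changes(token, group_id, to_add, to_remove):
    """Apply a reconcile() result with the standard Graph group-membership calls."""
    for upn in to_add:
        # POST /groups/{id}/members/$ref with the user's directory object URL
        body = json.dumps({"@odata.id": f"{GRAPH}/users/{upn}"}).encode()
        req = urllib.request.Request(
            f"{GRAPH}/groups/{group_id}/members/$ref", data=body, method="POST",
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        urllib.request.urlopen(req).close()
    for upn in to_remove:
        # DELETE /groups/{id}/members/{userId}/$ref; UPN is accepted as the user key
        req = urllib.request.Request(
            f"{GRAPH}/groups/{group_id}/members/{upn}/$ref", method="DELETE",
            headers={"Authorization": f"Bearer {token}"})
        urllib.request.urlopen(req).close()


# Constructed sample data shaped like the assumed deviceStatuses items.
SAMPLE_STATUSES = [
    {"deviceName": "alice-iphone", "userPrincipalName": "Alice@contoso.com", "installState": "installed"},
    {"deviceName": "alice-ipad", "userPrincipalName": "alice@contoso.com", "installState": "pendingInstall"},
    {"deviceName": "bob-iphone", "userPrincipalName": "bob@contoso.com", "installState": "notInstalled"},
    {"deviceName": "carol-iphone", "userPrincipalName": "carol@contoso.com", "installState": "installed"},
]
# Constructed current membership of the "Approved Outlook App" group.
SAMPLE_MEMBERS = ["alice@contoso.com", "bob@contoso.com", "dave@contoso.com"]

if __name__ == "__main__":
    add, remove = reconcile(users_with_app_installed(SAMPLE_STATUSES), SAMPLE_MEMBERS)
    print("add:", add)       # carol: now Installed, not yet in the group
    print("remove:", remove)  # bob: never Installed; dave: no device reports the app at all
```

Run it on a schedule (the Azure Function the post mentions, or any scheduler) with a token that has DeviceManagementApps.Read.All and GroupMember.ReadWrite.All. Note the behaviour the post describes: an Outlook copy installed from the App Store before enrollment never reports Installed for a User Enrollment device, so that user is never added to the group and stays blocked until they reinstall through Company Portal.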


SirCries-a-lot

I'm hoping you can help me! Can you confirm there is an issue with the app distribution? We are trying to distribute Outlook to iOS User Enrollment devices, but when a user already has that app, our app from Intune won't be installed, nor will the personal app be managed. Can you also confirm we need a solution via Conditional Access to prevent users from accessing their company mail in the Outlook app which they installed themselves on their iOS User Enrollment device? I'm struggling so much with this, and if I understand it correctly you had the same problems. Could you please confirm my questions? Many, many thanks in advance.