In Intune there are two ways to assign VPP licenses: user licensing and device licensing. Both license types have advantages and disadvantages. In this post I will describe some of the differences and challenges with the VPP licensing types. The main difference between them is quite obvious: with user licensing the licenses are linked to the user, and with device licensing they are linked to the device.
Differences between Licensing types
Most of these differences between VPP Licensing types can be found on the Volume-purchased iOS apps page, but I’ve added some additional differences I could not find on the page. I also tried to describe some things more clearly.
| | User licensing | Device licensing |
|---|---|---|
| App Store sign-in | Required, a unique Apple ID needs to be signed in. | Not required |
| Apple ID required | Yes, the Apple ID of the user will be associated to the MDM account. | No |
| Deployment method | Applications are assigned to the user's associated Apple ID | Applications are pushed by Intune to the device. |
| How are apps licensed | 1 license can be used to install the app on a maximum of 5 devices | 1 license for each device. Anyone using the device has access to the app |
| Migration to different licensing | Yes, when using required assignment, licenses can be silently migrated to device licenses | No |
| Support for Books | Yes | No |
| Support for User Enrolled Devices | Yes (Managed Apple ID only) | No |
| Support for Kiosk Mode | Not recommended | Yes |
| Use on multiple devices with different Apple IDs | Not recommended | Yes |
How to change VPP Licensing type
While assigning an application to a group, you can change the license type by selecting it.
By default, the license type is “User Licensing”. You can modify this by selecting “Device Licensing”.
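The same choice is visible outside the portal: in Microsoft Graph each assignment of a VPP app carries an iosVppAppAssignmentSettings object whose useDeviceLicensing flag records the license type. The script below is an added example, not part of the original post; it audits a set of assignments and applies the rules from the table above. The sample response, its ids and group names are constructed, and fetching the real data from Graph is left out.

```python
import json

VPP_SETTINGS = "#microsoft.graph.iosVppAppAssignmentSettings"

# Constructed sample in the shape returned by
# GET /deviceAppManagement/mobileApps/{appId}/assignments (all values made up).
SAMPLE = json.loads("""
{"value": [
 {"id": "a1", "intent": "required",
  "target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": "grp-sales"},
  "settings": {"@odata.type": "#microsoft.graph.iosVppAppAssignmentSettings", "useDeviceLicensing": false}},
 {"id": "a2", "intent": "available",
  "target": {"@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget"},
  "settings": {"@odata.type": "#microsoft.graph.iosVppAppAssignmentSettings", "useDeviceLicensing": false}},
 {"id": "a3", "intent": "required",
  "target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": "grp-kiosk"},
  "settings": {"@odata.type": "#microsoft.graph.iosVppAppAssignmentSettings", "useDeviceLicensing": true}},
 {"id": "a4", "intent": "required",
  "target": {"@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"},
  "settings": null}
]}
""")

def audit_vpp_assignments(assignments):
    """Return (id, target, license type, note) for every VPP assignment."""
    findings = []
    for a in assignments:
        settings = a.get("settings") or {}
        if settings.get("@odata.type") != VPP_SETTINGS:
            continue  # assignment carries no VPP settings, nothing to report
        target = a.get("target") or {}
        # Group targets carry a groupId; the "all users/devices" targets only a type.
        name = target.get("groupId") or target.get("@odata.type", "?").rsplit(".", 1)[-1]
        if settings.get("useDeviceLicensing"):
            lic, note = "device", "no Apple ID or App Store sign-in needed"
        elif a.get("intent") == "required":
            lic, note = "user", "required assignment: can be silently migrated to device licensing"
        else:
            lic, note = "user", "needs an Apple ID signed in to the App Store"
        findings.append((a["id"], name, lic, note))
    return findings

if __name__ == "__main__":
    for row in audit_vpp_assignments(SAMPLE["value"]):
        print("%-3s %-34s %-6s %s" % row)
```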
Depending on the ownership, license model and whether the device is supervised, the notifications the user receives differ. This is something to keep in mind, because every prompt can cause an error if the user doesn’t accept (see Intune: VPP Error 0x87D13B92). In this overview you can see when which notification applies.
| Invite to Apple VPP program | App install prompt | Prompt for Apple ID |
When using user licensing, the licenses are linked to a user’s associated Apple ID. The user can use one license to deploy an application to a maximum of 5 devices. You can only associate one active Apple ID to each user account. When a user enrolls a device with a different Apple ID logged in, this Apple ID will become active after accepting the user assignment. Because of this, if a user enrolls multiple Apple devices in Intune with different Apple IDs, this will cause issues.
Before you can use user licenses on a device, you need to be logged in to the App Store with a unique Apple ID. This can be either a personal Apple ID or a managed Apple ID. This Apple ID will be associated to the user account in the iTunes database (Picture 3).
To make the association, the Company Portal will use the Apple ID that is used on the device to access the App Store. For this to work, the user needs to allow Apps and Books to be assigned (see Picture 4).
After the user agrees with the App and Book Assignment, the logged in Apple ID is associated with the user account. If no user is logged in to the App Store, the user will be asked to log in (Picture 5).
Depending on the situation, the user must agree to the iTunes terms and conditions to allow your organization to assign applications and books (Picture 6). This will only be displayed the first time your account is associated to the organization.
When the Apple ID is linked to the user’s account and the device is not supervised, the user will receive a notification to allow installation. (Picture 7)
When a user registers multiple devices with different Apple IDs to the same user account in Intune, problems will occur. One of the issues I’ve noticed is:
Error code: 0x87D13895: Can’t find VPP license for app.
Users may also receive App Store notifications that licenses are no longer assigned to them (Picture 9).
In contrast to user licenses, device licenses are assigned to a device. Therefore you need a license for each device. Because the apps are assigned to the device, there is no need for an association with an Apple ID. That is why you should use device-based licenses for multi-user scenarios such as kiosk mode devices.
In contrast to user-based licensing, you do not need an Apple ID to install device-based applications. Once you have installed the Intune Company Portal and enrolled the device in Intune, required applications will be installed. If the device is supervised, you will not even receive a notification before an application is installed. On an unsupervised device you do receive an App Installation notification (Picture 10).
For this blogpost I used several sources including Microsoft and Apple documentation such as:
- Apple VPP Business Guide
- Apple Developer Documentation Device Management
- Apple MDM Protocol Reference
- How to manage iOS and macOS apps purchased through Apple Business Manager with Microsoft Intune
I hope you liked this blog about VPP Licensing. Just leave a reply if you have questions or remarks about this post.