In Intune there are two ways to assign VPP licenses. You can use either user or device VPP licensing. Both license types have advantages and disadvantages. In this post I will describe some of the differences and challenges with VPP licencing types. The main difference between the VPP licensing types is quite obvious, with user licensing the users are linked to the user and with device licensing to the device.
Differences between Licensing types
Most of these differences between VPP Licensing types can be found on the Volume-purchased iOS apps page, but I’ve added some additional differences I could not find on the page. I also tried to describe some things more clearly.
|App Store sign-in||Required, an unique Apple ID needs to be signed in.||Not required|
|Apple ID required||Yes, the Apple ID of the user wil be associated to the MDM account.||No|
|Deployment method||Applications are assigned to users associated Apple ID||Applications are pushed by Intune to the device.|
|How are apps licensed||1 license can be used to install the app on a maximum of 5 devices||1 license for each device. Anyone using the device has access to the App|
|Migration to different Licensing||Yes, when using required assignment licenses can be silently migrated to device licenses||no|
|Support for Books||yes||no|
|Support for User Enrolled Devices||yes (Mananaged Apple ID only)||no|
|Support for Kiosk Mode||not recommended||yes|
|Use on multiple devices with different Apple IDs||not recommended||yes|
How to change VPP Licensing type
While assigning an application to a group, you can change the license type by selecting it.
By default, the license type is “User Licencing”. You can modify this by selecting “Device Licensing”.
Depending on the ownership, license model and whether the device is supervised, the notifications the user receives differ. This is something to keep in mind, because every prompt can cause an error if the user doesn’t accept (see Intune: VPP Error 0x87D13B92). In this overview you can see when which notification applies.
|Invite to Apple VPP program||App install prompt||Prompt for Apple ID|
When using user licensing, the licenses are linked to a user’s associated Apple ID. The user can use one license to deploy an application to a maximum of 5 devices. You can only associate one active Apple ID to each user account. When you a user enrolls a device with a different Apple ID logged in, this Apple ID will become active after accepting the user assignment. Because of this If an user enrolls multiple Apple devices in Intune with different Apple IDs this will cause issues.
Before you can use user licenses on a device, you need be logged in to the App Store with a unique Apple ID. This can be either a personal Apple ID or a managed Apple ID. This Apple ID will be associated to the user account in the Itunes database (Picture 3).
To associate the Apple ID with the Company Portal will use the Apple ID that is used on the device to access the App Store. To allow this the user needs to allow that App and Books are assigned (See picture 4).
After the user agrees with the App and Book Assignment, the logged in Apple ID is associated with the user account. If no user is logged in to the App Store, the user will be asked to log in (Picture 5).
Depending on the situation, the user must agree to the Itunes terms and conditions to allow your organization to assign applications and books (Picture 6). This will only be displayed the first time you’re account is associated to the organization.
When the Apple ID is linked to the user’s account and the device is not supervised, the user will receive a notification to allow installation. (Picture 7)
When a user registers multiple devices with different apple ids to the same user account in Intune, problems will occur. One of the issues I’ve noticed is:
Error code: 0x87D13895: Can’t find VPP license for app.
Users may also recieve App Store notifications that licenses are no longer assigned to them (Picture 9).
In contrast to user licenses, device licenses are assigned to a device. Therefore you need a license for each device. Because the apps are assigned to the device, there is no need for an association with an Apple ID. That is why you should use device-based licenses for multi user scenarios such as kiosk mode devices.
In contrary to User-based you do not need an Apple ID to install Device-based applications. Once you installed the Intune Company Portal and the device in Intune required applications will be installed. If the device is supervised you will not even recieve a notification before an application is installed. On a not supervised device you do recieve an App Installation notification (Picture 10).
For this blogpost I used several sources including Microsoft and Apple documentation such as:
- Apple VPP Business Guide
- Apple Developer Documentation Device Management
- Apple MDM Protocol Reference
- How to manage iOS and macOS apps purchased through Apple Business Manager with Microsoft Intune
I hope you liked this blog about VPP Licensing. Just leave a reply if you have questions or remarks about this post.
Nice Article explaining about VPP User license behavior. Most of the articles you see around about this error ask you to assign app using device license. Which is not real answer and more of like workaround.
I have got a query related to this if you can help me with.
I have installed VPP user license app using my personal Apple ID after accepting Apple VPP Agreement and all. But later i decided to change my Apple ID to Managed Apple ID. After changing my Apple ID, i couldn’t install any user license app again and getting this error (Error code: 0x87D13895) again and again. my queries are:
1. How can i make new Managed Apple ID as active with my MDM user account? it is not happening automatically and not prompting me for Apple VPP agreement again
2. I have also wiped off my CORP Supervised device and enrolled again but still giving me error.
3. I have tried revoking VPP user license in Intune for my user and tried again but still same error.
Intune doesn’t provide us any way to check what Apple ID is active against user’s MDM account. Also it is hard to troubleshoot if they are using different Apple ID on different devices with same MDM user account and it results in same error.
Thanks in advance.
The error “0x87D13895” most of the times occur when a user enrolls multiple apple devices with different Apple IDs. The first thing you need to check does the User (Azure AD) account has registered multiple Apple devices and check if all devices use the same Apple ID. You can prevent this issue by using Device licenses because these license are not linked to the Apple ID on the device.
1. The active Apple iD cannot be manually set, this is something which is managed by the Company Portal. I was able to trigger it by trying to install a available app from the company portal, but this does not always work.
2. The active Apple id is associated with an user account in the iTunes database. A reset of device will not solve the issue because it’s not on the device.
3. That’s correct this will not solve the problem because the “new” Managed Apple ID needs to be associated with the user account. When you reassign a license it will still be associated with the “old” personal Apple ID associated with the user account.
Thanks for this article about VPP licence.
nous avons l’apple ID qui est demandé dans le même scenario ,we are in a scenario where :
– device : Corp supervised device
– enrollment profile: it is configured with VPP
– license type : VPP apps are assigned to Device Licensing
on the other hand the apple ID is always requested.
Do you have any idea what it is about?
Thanks in advance.
In the properties of the enrollment profile you need to check the “Setup Assistant” settings. There is a setting called “Apple ID” which you can hide. Using this setting the user will not be prompted to enter his/her Apple ID during enrollment.
How do you change the user’s apple id association? Had a user that set up their iPad on their own and used their personal Apple ID instead of the managed Apple ID. I wiped the ipad and then tried to download apps with the managed ID and getting the same issue. They aren’t getting the prompt to allow Assignment. They only have one device but it appears their Intune/Office365 account is now associated with their personal email in the itunes Database which you alluded to. Is there a fix?
Error code: 0x87D13895: Can’t find VPP license for app.
I would suggest to switch from user to device licensing to prevent this issue. When a user enrolls a device with a different Apple ID logged in, this Apple ID will become active after accepting the user assignment. Because of this If an user enrolls multiple Apple devices in Intune with different Apple IDs this will cause issues. The only thing which may work is checking if the user has multiple devices enrolled. Remove all devices and re-enroll with the correct Apple ID. The biggest issue is the association process.
Any idea if/how the consent for App and Books assignment can be revoked (user license assignment)?
As far as I know it’s currently not possible to revoke a consent.