VPP Licensing with Intune

      2 Comments on VPP Licensing with Intune

In Intune there are two ways to assign VPP licenses. You can use either user or device VPP licensing. Both license types have advantages and disadvantages. In this post I will describe some of the differences and challenges with VPP licencing types. The main difference between the VPP licensing types is quite obvious, with user licensing the users are linked to the user and with device licensing to the device.

 

Differences between Licensing types

Most of these differences between VPP Licensing types can be found on the Volume-purchased iOS apps page, but I’ve added some additional differences I could not find on the page. I also tried to describe some things more clearly.

UserDevice
App Store sign-inRequired, an unique Apple ID needs to be signed in.Not required
Apple ID requiredYes, the Apple ID of the user wil be associated to the MDM account.No
Deployment methodApplications are assigned to users associated Apple IDApplications are pushed by Intune to the device.
How are apps licensed1 license can be used to install the app on a maximum of 5 devices1 license for each device. Anyone using the device has access to the App
Migration to different LicensingYes, when using required assignment licenses can be silently migrated to device licensesno
Support for Booksyesno
Support for User Enrolled Devicesyes (Mananaged Apple ID only)no
Support for Kiosk Modenot recommendedyes
Use on multiple devices with different Apple IDsnot recommendedyes

 

How to change VPP Licensing type

While assigning an application to a group, you can change the license type by selecting it.

Picture 1

 

By default, the license type is “User Licencing”. You can modify this by selecting “Device Licensing”.

Picture 2

 

User Notifications

Depending on the ownership, license model and whether the device is supervised, the notifications the user receives differ. This is something to keep in mind, because every prompt can cause an error if the user doesn’t accept (see Intune: VPP Error 0x87D13B92). In this overview you can see when which notification applies.

Invite to Apple VPP programApp install promptPrompt for Apple ID
User Licensed
BYODYYY
CORPYYY
CORP SupervisedYNY
Device licensed
BYODNYN
CORPNYN
CORP SupervisedNNN
Kiosk SupervisedNNN

 

User licensing

When using user licensing, the licenses are linked to a user’s associated Apple ID. The user can use one license to deploy an application to a maximum of 5 devices. You can only associate one active Apple ID to each user account. When you a user enrolls a device with a different Apple ID logged in, this Apple ID will become active after accepting the user assignment. Because of this If an user enrolls multiple Apple devices in Intune with different Apple IDs this will cause issues.

 

App assignment

Before you can use user licenses on a device, you need be logged in to the App Store with a unique Apple ID. This can be either a personal Apple ID or a managed Apple ID.  This Apple ID will be associated to the user account in the Itunes database (Picture 3).

Picture 3

 

To associate the Apple ID with the Company Portal will use the Apple ID that is used on the device to access the App Store. To allow this the user needs to allow that App and Books are assigned (See picture 4).

Picture 4

 

After the user agrees with the App and Book Assignment, the logged in Apple ID is associated with the user account. If no user is logged in to the App Store, the user will be asked to log in (Picture 5).

Picture 5

 

Depending on the situation, the user must agree to the Itunes terms and conditions to allow your organization to assign applications and books (Picture 6). This will only be displayed the first time you’re account is associated to the organization.

Picture 6

 

When the Apple ID is linked to the user’s account and the device is not supervised, the user will receive a notification to allow installation. (Picture 7)

Picture 7

 

Errors

When a user registers multiple devices with different apple ids to the same user account in Intune, problems will occur. One of the issues I’ve noticed is:

Error code: 0x87D13895: Can’t find VPP license for app.

Picture 8

 

Users may also recieve App Store notifications that licenses are no longer assigned to them (Picture 9).

Picture 9

 

Device licensing

In contrast to user licenses, device licenses are assigned to a device. Therefore you need a license for each device. Because the apps are assigned to the device, there is no need for an association with an Apple ID. That is why you should use device-based licenses for multi user scenarios such as kiosk mode devices.

 

App assignment

In contrary to User-based you do not need an Apple ID to install Device-based applications. Once you installed the Intune Company Portal and the device in Intune required applications will be installed. If the device is supervised you will not even recieve a notification  before an application is installed. On a not supervised device you do recieve an App Installation notification (Picture 10).

Picture 10

 

Sources

For this blogpost I used several sources including Microsoft and Apple documentation such as:

I hope you liked this blog about VPP Licensing. Just leave a reply if you have questions or remarks about this post.

2 thoughts on “VPP Licensing with Intune

  1. Pawan Kumar

    Hi Aad,
    Nice Article explaining about VPP User license behavior. Most of the articles you see around about this error ask you to assign app using device license. Which is not real answer and more of like workaround.
    I have got a query related to this if you can help me with.
    I have installed VPP user license app using my personal Apple ID after accepting Apple VPP Agreement and all. But later i decided to change my Apple ID to Managed Apple ID. After changing my Apple ID, i couldn’t install any user license app again and getting this error (Error code: 0x87D13895) again and again. my queries are:
    1. How can i make new Managed Apple ID as active with my MDM user account? it is not happening automatically and not prompting me for Apple VPP agreement again
    2. I have also wiped off my CORP Supervised device and enrolled again but still giving me error.
    3. I have tried revoking VPP user license in Intune for my user and tried again but still same error.

    Intune doesn’t provide us any way to check what Apple ID is active against user’s MDM account. Also it is hard to troubleshoot if they are using different Apple ID on different devices with same MDM user account and it results in same error.

    Thanks in advance.

    Reply
  2. Aad Lutgert Post author

    Hi Pawan,

    The error “0x87D13895” most of the times occur when a user enrolls multiple apple devices with different Apple IDs. The first thing you need to check does the User (Azure AD) account has registered multiple Apple devices and check if all devices use the same Apple ID. You can prevent this issue by using Device licenses because these license are not linked to the Apple ID on the device.

    1. The active Apple iD cannot be manually set, this is something which is managed by the Company Portal. I was able to trigger it by trying to install a available app from the company portal, but this does not always work.

    2. The active Apple id is associated with an user account in the iTunes database. A reset of device will not solve the issue because it’s not on the device.

    3. That’s correct this will not solve the problem because the “new” Managed Apple ID needs to be associated with the user account. When you reassign a license it will still be associated with the “old” personal Apple ID associated with the user account.

    regards, Aad

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *