VPP Licensing with Intune

      10 Comments on VPP Licensing with Intune

Buy Me a Coffee

In Intune there are two ways to assign VPP licenses. You can use either user or device VPP licensing. Both license types have advantages and disadvantages. In this post I will describe some of the differences and challenges with VPP licencing types. The main difference between the VPP licensing types is quite obvious, with user licensing the users are linked to the user and with device licensing to the device.

 

Differences between Licensing types

Most of these differences between VPP Licensing types can be found on the Volume-purchased iOS apps page, but I’ve added some additional differences I could not find on the page. I also tried to describe some things more clearly.

User Device
App Store sign-in Required, an unique Apple ID needs to be signed in. Not required
Apple ID required Yes, the Apple ID of the user wil be associated to the MDM account. No
Deployment method Applications are assigned to users associated Apple ID Applications are pushed by Intune to the device.
How are apps licensed 1 license can be used to install the app on a maximum of 5 devices 1 license for each device. Anyone using the device has access to the App
Migration to different Licensing Yes, when using required assignment licenses can be silently migrated to device licenses no
Support for Books yes no
Support for User Enrolled Devices yes (Mananaged Apple ID only) no
Support for Kiosk Mode not recommended yes
Use on multiple devices with different Apple IDs not recommended yes

 

How to change VPP Licensing type

While assigning an application to a group, you can change the license type by selecting it.

Picture 1

 

By default, the license type is “User Licencing”. You can modify this by selecting “Device Licensing”.

Picture 2

 

User Notifications

Depending on the ownership, license model and whether the device is supervised, the notifications the user receives differ. This is something to keep in mind, because every prompt can cause an error if the user doesn’t accept (see Intune: VPP Error 0x87D13B92). In this overview you can see when which notification applies.

Invite to Apple VPP program App install prompt Prompt for Apple ID
User Licensed
BYOD Y Y Y
CORP Y Y Y
CORP Supervised Y N Y
Device licensed
BYOD N Y N
CORP N Y N
CORP Supervised N N N
Kiosk Supervised N N N

 

User licensing

When using user licensing, the licenses are linked to a user’s associated Apple ID. The user can use one license to deploy an application to a maximum of 5 devices. You can only associate one active Apple ID to each user account. When you a user enrolls a device with a different Apple ID logged in, this Apple ID will become active after accepting the user assignment. Because of this If an user enrolls multiple Apple devices in Intune with different Apple IDs this will cause issues.

 

App assignment

Before you can use user licenses on a device, you need be logged in to the App Store with a unique Apple ID. This can be either a personal Apple ID or a managed Apple ID.  This Apple ID will be associated to the user account in the Itunes database (Picture 3).

Picture 3

 

To associate the Apple ID with the Company Portal will use the Apple ID that is used on the device to access the App Store. To allow this the user needs to allow that App and Books are assigned (See picture 4).

Picture 4

 

After the user agrees with the App and Book Assignment, the logged in Apple ID is associated with the user account. If no user is logged in to the App Store, the user will be asked to log in (Picture 5).

Picture 5

 

Depending on the situation, the user must agree to the Itunes terms and conditions to allow your organization to assign applications and books (Picture 6). This will only be displayed the first time you’re account is associated to the organization.

Picture 6

 

When the Apple ID is linked to the user’s account and the device is not supervised, the user will receive a notification to allow installation. (Picture 7)

Picture 7

 

Errors

When a user registers multiple devices with different apple ids to the same user account in Intune, problems will occur. One of the issues I’ve noticed is:

Error code: 0x87D13895: Can’t find VPP license for app.

Picture 8

 

Users may also recieve App Store notifications that licenses are no longer assigned to them (Picture 9).

Picture 9

 

Device licensing

In contrast to user licenses, device licenses are assigned to a device. Therefore you need a license for each device. Because the apps are assigned to the device, there is no need for an association with an Apple ID. That is why you should use device-based licenses for multi user scenarios such as kiosk mode devices.

 

App assignment

In contrary to User-based you do not need an Apple ID to install Device-based applications. Once you installed the Intune Company Portal and the device in Intune required applications will be installed. If the device is supervised you will not even recieve a notification  before an application is installed. On a not supervised device you do recieve an App Installation notification (Picture 10).

Picture 10

 

Sources

For this blogpost I used several sources including Microsoft and Apple documentation such as:

I hope you liked this blog about VPP Licensing. Just leave a reply if you have questions or remarks about this post.

10 thoughts on “VPP Licensing with Intune

  1. Pawan Kumar

    Hi Aad,
    Nice Article explaining about VPP User license behavior. Most of the articles you see around about this error ask you to assign app using device license. Which is not real answer and more of like workaround.
    I have got a query related to this if you can help me with.
    I have installed VPP user license app using my personal Apple ID after accepting Apple VPP Agreement and all. But later i decided to change my Apple ID to Managed Apple ID. After changing my Apple ID, i couldn’t install any user license app again and getting this error (Error code: 0x87D13895) again and again. my queries are:
    1. How can i make new Managed Apple ID as active with my MDM user account? it is not happening automatically and not prompting me for Apple VPP agreement again
    2. I have also wiped off my CORP Supervised device and enrolled again but still giving me error.
    3. I have tried revoking VPP user license in Intune for my user and tried again but still same error.

    Intune doesn’t provide us any way to check what Apple ID is active against user’s MDM account. Also it is hard to troubleshoot if they are using different Apple ID on different devices with same MDM user account and it results in same error.

    Thanks in advance.

    Reply
  2. Aad Lutgert Post author

    Hi Pawan,

    The error “0x87D13895” most of the times occur when a user enrolls multiple apple devices with different Apple IDs. The first thing you need to check does the User (Azure AD) account has registered multiple Apple devices and check if all devices use the same Apple ID. You can prevent this issue by using Device licenses because these license are not linked to the Apple ID on the device.

    1. The active Apple iD cannot be manually set, this is something which is managed by the Company Portal. I was able to trigger it by trying to install a available app from the company portal, but this does not always work.

    2. The active Apple id is associated with an user account in the iTunes database. A reset of device will not solve the issue because it’s not on the device.

    3. That’s correct this will not solve the problem because the “new” Managed Apple ID needs to be associated with the user account. When you reassign a license it will still be associated with the “old” personal Apple ID associated with the user account.

    regards, Aad

    Reply
  3. latreche khaled

    Hello,
    Thanks for this article about VPP licence.
    nous avons l’apple ID qui est demandé dans le même scenario ,we are in a scenario where :
    – device : Corp supervised device
    – enrollment profile: it is configured with VPP
    – license type : VPP apps are assigned to Device Licensing
    on the other hand the apple ID is always requested.
    Do you have any idea what it is about?
    Thanks in advance.

    Reply
    1. Aad Lutgert Post author

      Hi,

      In the properties of the enrollment profile you need to check the “Setup Assistant” settings. There is a setting called “Apple ID” which you can hide. Using this setting the user will not be prompted to enter his/her Apple ID during enrollment.

      best regards,

      Aad Lutgert

      Reply
  4. Jonn

    How do you change the user’s apple id association? Had a user that set up their iPad on their own and used their personal Apple ID instead of the managed Apple ID. I wiped the ipad and then tried to download apps with the managed ID and getting the same issue. They aren’t getting the prompt to allow Assignment. They only have one device but it appears their Intune/Office365 account is now associated with their personal email in the itunes Database which you alluded to. Is there a fix?

    Error code: 0x87D13895: Can’t find VPP license for app.

    Reply
    1. Aad Lutgert Post author

      Hi John,

      I would suggest to switch from user to device licensing to prevent this issue. When a user enrolls a device with a different Apple ID logged in, this Apple ID will become active after accepting the user assignment. Because of this If an user enrolls multiple Apple devices in Intune with different Apple IDs this will cause issues. The only thing which may work is checking if the user has multiple devices enrolled. Remove all devices and re-enroll with the correct Apple ID. The biggest issue is the association process.

      regards, Aad

      Reply
  5. Nick Brown

    Any idea if/how the consent for App and Books assignment can be revoked (user license assignment)?

    Reply
  6. Particle

    Say user licensing was being used from Intune, user logged in with AppleId_1 on the device, app installation was successful. Then user went to AppStore and logged in with some other AppleId_2.
    1) Will the apps currently installed on the device stop working?
    2) New app installation – will that start failing, or require user to sign-in again ; if sign-in again, from which step – Picture 3 or Picture 5?

    Thanks so much.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *