Have you ever configured an Apple VPP token in Intune that is also active on another MDM?
If you have done so, you have probably run into this token status: “Assigned to external MDM”. This will not prevent you from syncing the apps you have purchased through the Apple Volume Purchase Program, but it will not let you push Company Portal on your profile for supervised devices. Continue reading to see what I am talking about! ♥
Working with a customer last week, I realized that we were not able to push the Company Portal app on supervised devices when creating the profile: the token was not present in the “Install Company Portal with VPP” option even though it was previously configured in the tenant.
The only thing we did differently when creating this token is that we didn’t take control from another MDM, since the VPP apps and licenses are still active on the other MDM and, trust me, you don’t want to mess with those in production.
To resolve this, we followed the steps below:
Create a New Location on Apple Business Manager
- In Apple Business Manager, sign in with an account that has the role of Administrator or People Manager.
- Click Locations in the sidebar, then click at the top of the window.
- Enter the new location information, then click Save.
Assign Content Manager Role on new Location
- In Apple Business Manager, sign in with an account that has the role of Administrator
- Go to Accounts and select that admin account
- Grant Content Manager Role to the new Location.
- Click on Save
Assign Apps and Books to the new Location
Add the apps that you will synchronize to Intune, especially the Intune Company Portal app.
Download new Token
- In Apple Business Manager, sign in with an account that has the role of Administrator
- Go to Apps and Books
- In the My Server Tokens section, download the recently created token
Configure the new token in Intune
- Sign in to the Microsoft Endpoint Manager admin center.
- Select Tenant administration > Connectors and tokens > Apple VPP tokens.
- On the list of VPP tokens pane, click Create.
- On the New VPP Token pane, specify the following information:
  - VPP token file
  - Apple ID
  - Type of VPP account
- When you are done, click Create.
Validate Apple VPP Token Status
- Go to Connectors and tokens section and validate that the new token status now is showing as Active.
- Click on Sync
Complete profile for Corporate devices
- Go back to the User Affinity Profile and edit settings
- You will see the Token available on “Install Company Portal with VPP” option
- Select the token and click on Review + Save
Assign the profile to your user and test it!
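To script the “Validate Apple VPP Token Status” check, the added example below (not part of the original post) classifies tokens by the `state` property of the Microsoft Graph `vppToken` resource, where `assignedToExternalMDM` is the status discussed here. The helper name `Get-VppTokenFinding`, the sample tenant data and the 30-day expiry warning are assumptions made for illustration.

```powershell
# Added example (not from the original post). Classifies Intune VPP tokens by
# the "state" property of the Microsoft Graph vppToken resource.
#
# Live data needs the Microsoft.Graph.Authentication module and the
# DeviceManagementApps.Read.All scope:
#   Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All'
#   $tokens = (Invoke-MgGraphRequest -Method GET -Uri `
#       'https://graph.microsoft.com/v1.0/deviceAppManagement/vppTokens').value

# Constructed sample shaped like the Graph response, so the script runs offline.
$sample = @'
{ "value": [
  { "organizationName": "Contoso - original location", "appleId": "vpp-old@contoso.example",
    "state": "assignedToExternalMDM", "expirationDateTime": "2030-01-15T00:00:00Z" },
  { "organizationName": "Contoso - Intune location", "appleId": "vpp-intune@contoso.example",
    "state": "valid", "expirationDateTime": "2030-01-15T00:00:00Z" }
] }
'@
$tokens = ($sample | ConvertFrom-Json).value

function Get-VppTokenFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Token,
        [int] $WarnDays = 30     # assumed renewal-warning window
    )
    # Normalize to UTC whether the value arrived as a string or a DateTime.
    $expires  = ([datetime]$Token.expirationDateTime).ToUniversalTime()
    $daysLeft = [int][math]::Floor(($expires - (Get-Date).ToUniversalTime()).TotalDays)
    $finding = switch ($Token.state) {
        'assignedToExternalMDM' { 'Assigned to external MDM: apps still sync, but the token is not offered under "Install Company Portal with VPP"' }
        'valid'   { if ($daysLeft -lt $WarnDays) { "Active, expires in $daysLeft days" } else { 'Active' } }
        'expired' { 'Expired' }
        'invalid' { 'Invalid' }
        default   { "Other state: $($Token.state)" }
    }
    [pscustomobject]@{
        Organization = $Token.organizationName
        AppleId      = $Token.appleId
        State        = $Token.state
        Expires      = $expires.ToString('yyyy-MM-dd')
        Finding      = $finding
    }
}

$tokens | ForEach-Object { Get-VppTokenFinding -Token $_ } | Format-List
```

Only a token reported as `valid` (shown as Active in the portal) is expected to appear in the enrollment profile's token picker.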
Tip
If you previously created app protection or app configuration policies selecting apps coming from that VPP token, you will need to create those again since now you are using a new token!
If you are getting that warning status and want to configure a supervised profile, give it a try and let me know your comments or results! ♥
Great article Gianelli, best regards!!
Question, can you not go back to the VPP Token and select “YES” under the settings for “Take Control of Token From Another MDM”? What would be the impact of that?
Hi Joel, thank you for your comment. If you select YES but the token is active in another MDM such as Airwatch, the licenses used on those managed devices could be revoked and the users using those apps will lose the functionality of them.
I have a question; can you create a second MDM server under Apple Business Manager, assign apps and a token from it?
Hi Gary, thank you for your comment
It is possible to create multiple MDM servers under ABM. Then you can create the token in Intune as usual.
Here is my 2 cents. I used Joel’s suggestion, but before I changed VPP Token from no to yes, I revoked the licenses and then changed it back from yes to no again.
Hi,
We also got the message “Assigned to external MDM” on the VPP token. We only have Intune as MDM.
The token was in status “Active” some days ago. So I do not understand why/who is also using the token.
We have two locations: the first one uses the token, the second one was created just to move the apps that are no longer in use. It has no token at all.
How can we find out who else is using the token? Any logs?
What would happen if we just renew the token?
Thank you!
Good article. This worked for me. No mention of this specific issue in any MS documentation or other articles. Good deal! Thanks.
Hi R.V., I’m glad it worked for you!