“Assigned to external MDM” Apple token status in Intune

Have you ever configured an Apple VPP token in Intune that it is also active on another MDM?

If you have done so, you have probably run into this token status: “Assigned to external MDM”. This will not prevent you from syncing the apps you have purchased through Apple Volume Purchase Program, although it will not let you push Company Portal on your profile for supervised devices. Continue reading to see what I am talking about! ♥

Working with a customer last week, I realized that we were not able to push Company Portal app on supervised devices when creating the profile, the token was not present on the “Install Company Portal with VPP” option even though it was previously configured in the tenant.

The only thing we did different when creating this token is that we didn’t take control from another MDM, since the vpp apps and licenses are still active on the other MDM and trust me you don’t want to mess with those on production.

To resolve this, we followed the steps below:

Create a New Location on Apple Business Manager

  1. In Apple Business Manager , sign in with an account that has the role of Administrator or People Manager.
  2. Click Locations in the sidebar, then click  at the top of the window.
  3. Enter the new location information, then click Save.

Assign Content Manager Role on new Location

  1. In Apple Business Manager , sign in with an account that has the role of Administrator
  2. Go to Accounts and select that admin account
  3. Grant Content Manager Role to the new Location.
  4. Click on Save

Assign Apps and Books to the new Location

Add the apps that you will syncronized to Intune, specially Intune Company Portal App.

Download new Token

  1. In Apple Business Manager , sign in with an account that has the role of Administrator
  2. Go to Apps and Books
  3. On My Server Tokens section, dowload the token recently created

Configure the new token in Intune

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Tenant administration > Connectors and tokens > Apple VPP tokens.
  3. On the list of VPP tokens pane, click Create.
  4. On the New VPP Token pane, specify the following information:
    • VPP token file 
    • Apple ID 
    • Type of VPP account
  5. When you are done, click Create.

Validate Apple VPP Token Status

  1. Go to Connectors and tokens section and validate that the new token status now is showing as Active.
  2. Click on Sync

Complete profile for Corporate devices

  1. Go back to the User Affinity Profile and edit settings
  2. You will see the Token available on “Install Company Portal with VPP” option
  3. Select the token and click on Review + Save

Assign the profile to your user and test it!

Tip

If you previously created app protection or app configuration policies selecting apps coming from that VPP token, you will need to create those again since now you are using a new token!

If you are getting that warning status and want to configure a supervised profile, give it a try and let me know your comments or results! ♥

References

Configure locations in Apple Business Manager

How to manage iOS/iPadOS eBooks you purchased through a volume-purchase program with Microsoft Intune

One thought on ““Assigned to external MDM” Apple token status in Intune

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s