“Assigned to external MDM” Apple token status in Intune

Have you ever configured an Apple VPP token in Intune that it is also active on another MDM?

If you have done so, you have probably run into this token status: “Assigned to external MDM”. This will not prevent you from syncing the apps you have purchased through Apple Volume Purchase Program, although it will not let you push Company Portal on your profile for supervised devices. Continue reading to see what I am talking about! ♥

Working with a customer last week, I realized that we were not able to push Company Portal app on supervised devices when creating the profile, the token was not present on the “Install Company Portal with VPP” option even though it was previously configured in the tenant.

The only thing we did different when creating this token is that we didn’t take control from another MDM, since the vpp apps and licenses are still active on the other MDM and trust me you don’t want to mess with those on production.

To resolve this, we followed the steps below:

Create a New Location on Apple Business Manager

  1. In Apple Business Manager , sign in with an account that has the role of Administrator or People Manager.
  2. Click Locations in the sidebar, then click  at the top of the window.
  3. Enter the new location information, then click Save.

Assign Content Manager Role on new Location

  1. In Apple Business Manager , sign in with an account that has the role of Administrator
  2. Go to Accounts and select that admin account
  3. Grant Content Manager Role to the new Location.
  4. Click on Save

Assign Apps and Books to the new Location

Add the apps that you will syncronized to Intune, specially Intune Company Portal App.

Download new Token

  1. In Apple Business Manager , sign in with an account that has the role of Administrator
  2. Go to Apps and Books
  3. On My Server Tokens section, dowload the token recently created

Configure the new token in Intune

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Tenant administration > Connectors and tokens > Apple VPP tokens.
  3. On the list of VPP tokens pane, click Create.
  4. On the New VPP Token pane, specify the following information:
    • VPP token file 
    • Apple ID 
    • Type of VPP account
  5. When you are done, click Create.

Validate Apple VPP Token Status

  1. Go to Connectors and tokens section and validate that the new token status now is showing as Active.
  2. Click on Sync

Complete profile for Corporate devices

  1. Go back to the User Affinity Profile and edit settings
  2. You will see the Token available on “Install Company Portal with VPP” option
  3. Select the token and click on Review + Save

Assign the profile to your user and test it!


If you previously created app protection or app configuration policies selecting apps coming from that VPP token, you will need to create those again since now you are using a new token!

If you are getting that warning status and want to configure a supervised profile, give it a try and let me know your comments or results! ♥


Configure locations in Apple Business Manager

How to manage iOS/iPadOS eBooks you purchased through a volume-purchase program with Microsoft Intune

9 thoughts on ““Assigned to external MDM” Apple token status in Intune

  1. EP!! 14 October, 2020 / 4:40 pm

    Great article Gianelli, best regards!!

    Liked by 1 person

  2. JOEL GONZALEZ 22 January, 2021 / 4:38 pm

    Question, can you not go back to the VPP Token and select “YES” under the settings for “Take Control of Token From Another MDM”? What would be the impact of that?


    • Gianelli G 25 January, 2021 / 10:22 pm

      Hi Joel, Thank you for your comment. If you select YES but the token is active in other MDM such as Airwatch, the licenses used on those managed devices, could be revoked and the users using those apps will lose the funciontality of them.


  3. Gary Kruger 16 April, 2021 / 9:59 pm

    I have a question; can you create a second MDM server under Apple Business Manager, assign apps and a token from it?


    • Gianelli G 20 April, 2021 / 1:44 pm

      Hi Gary, thank you for your comment
      It is possible to create multiple MDM servers under ABM. Then you can create the token in Intune as usual.


  4. Danny 1 April, 2022 / 4:36 am

    Here is my 2 cents. I used Joel’s suggestion, but before I changed VPP Token from no to yes, I revoked the licenses and then changed it back from yes to no again.


  5. Veronica 5 May, 2022 / 2:06 pm

    We also got the message “Assigned to external MDM” on the VPP token. We only have Intune as MDM.
    The token was in status “Active” for some days ago. So I do not understand why/who is also using the token.
    We have to locations, the first one uses the token, The second one was created just to move the apps that not longer are in use. It has not token at all.
    How can we find out who else is using the token? Any logs?
    What would happen if we just renew the token?

    Thank you!


  6. R.V. 24 August, 2022 / 10:16 pm

    Good article. This worked for me. No mention of this specific issue in any MS documentation or other articles. Good deal! Thanks.

    Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s