How can I allow my users to install or update their apps on Intune managed devices

Mike Lambert 0 Reputation points
2026-04-08T20:53:48.3766667+00:00

My users are constantly prompted to "Sign in to iTunes to allow 'Company Name' to manage and install apps" but are stopped with "Managed accounts can only be signed in under Settings > General > Device Management & VPN."

Microsoft Security | Intune | Application management

2 answers

  1. Pauline Mbabu 1,830 Reputation points Microsoft Employee
    2026-04-16T07:58:01.7966667+00:00

    Hello Mike,

    This issue occurs because Managed Apple Accounts cannot sign in to the App Store or iTunes directly, so when apps are assigned in a way that expects a user Apple ID sign-in, iOS blocks the action and shows the “Managed accounts can only be signed in under Settings > General > Device Management & VPN” message.

    To allow users to install or update apps smoothly on Intune-managed iOS devices, you should use Apple Business Manager with Intune and assign apps using device-based VPP licensing for fully managed or supervised devices, as device-licensed apps install and update silently through Intune without requiring any Apple ID sign-in, while user-based VPP licensing should only be used for User Enrollment scenarios where Managed Apple Accounts are supported and correctly enrolled through Settings > General > VPN & Device Management. It’s also important to ensure you are not mixing device and user licenses for the same app and that users are not attempting to install apps directly from the App Store outside of Company Portal.

    For full details, see the Microsoft Q&A explanation of this behavior, Apple’s documentation on Managed Apple Account restrictions https://support.apple.com/guide/apple-business-manager/service-access-with-managed-apple-accounts-axm171b3ee95/web, and Microsoft’s guidance on using Apple VPP with Intune https://learn.microsoft.com/en-us/intune/app-management/deployment/manage-vpp-apple


  2. Q&A Assist
    2026-04-08T20:54:02.6866667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The prompts are caused by how Apple VPP licensing and Apple account–driven User Enrollment work together on Intune-managed iOS devices. To let users install or update apps without being blocked by the “Managed accounts can only be signed in under Settings > General > Device Management & VPN” message, adjust how apps and accounts are configured.

    Use these controls:

    1. Prefer device-licensed VPP apps for fully managed/supervised devices
      • In Intune, configure Apple VPP apps to use device licensing instead of user licensing for corporate/supervised devices.
      • Device-licensed VPP apps:
        • Do not require an App Store sign-in.
        • Install and update only via the MDM channel (Intune), not directly from the App Store.
      • This avoids repeated Apple ID prompts and App Store sign-in issues on managed devices.
    2. Use user-licensed VPP apps only where supported and appropriate
      • User-licensed VPP apps:
        • Require each user to sign in with a unique Apple Account when prompted by the App Store.
        • Are supported on User Enrollment devices using Managed Apple Accounts.
      • Do not assign both device and user licenses for the same app to the same user/device, and do not use user licensing for the same Managed Apple Account across account-driven and non–account-driven enrollments. This can cause installation/update issues.
    3. Understand behavior on User Enrollment (BYOD) devices
      • On account-driven User Enrollment devices, users must:
        • Enroll via Settings > General > VPN & Device Management, signing in with their work or school account or organization-provided Apple ID.
        • Approve remote management and wait for the management profile and Microsoft Authenticator to install.
        • Approve additional prompts to install required work apps.
      • Company Portal on User Enrollment devices only shows user-licensed VPP apps. Device-licensed apps are not visible there.
    4. Explain the correct sign-in path to users
      • If users see “Managed accounts can only be signed in under Settings > General > Device Management & VPN”, instruct them to:
        1. Open Settings > General > VPN & Device Management.
        2. Sign in with their work or school account or the Managed Apple ID provided by the organization.
        3. Allow remote management and complete enrollment.
        4. Wait for Microsoft Authenticator and required apps to install, then tap Install on any app prompts.
      • They should not try to sign in with the managed account directly in the App Store; that is blocked by design for Managed Apple Accounts.
    5. Avoid kiosk/user-licensed combinations and Single App Mode update issues
      • Do not assign VPP apps with user licensing to kiosk-mode devices; this is not recommended and causes prompt/update problems.
      • On supervised devices (including kiosk) with device- or user-licensed apps, app updates may still prompt if the app is running. To update:
        • Close the app, initiate a sync, and keep the device unlocked.
        • If the device is in Single App Mode, temporarily exit Single App Mode to allow updates, then reapply restrictions.
    6. Ensure App Store access aligns with licensing choice
      • If App Store access is blocked by configuration:
        • Device-licensed VPP apps can still be installed and updated via Intune/Company Portal.
        • User-licensed VPP apps will not work because the Apple Business Manager invitation and App Store sign-in cannot complete.
      • For environments that must block the App Store, standardize on device licensing for VPP apps on those devices.

    By aligning VPP license type (device vs user) with the enrollment type (fully managed vs User Enrollment) and ensuring users enroll and sign in only through Settings > VPN & Device Management for managed accounts, users can install and update apps without being blocked by the managed-account sign-in restriction.
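
An added example, not part of either answer or of Microsoft's tooling: an offline check of the rule both answers give (match the VPP license type to the enrollment type, and do not mix license types for one app). The app records are constructed sample data shaped like Microsoft Graph `iosVppApp` objects with their assignments; the group IDs and the `GROUP_ENROLLMENT` map are hypothetical.

```python
import json

# Constructed sample shaped like Microsoft Graph iosVppApp objects with their
# assignments expanded; app names and group IDs are made up for illustration.
SAMPLE_APPS = json.loads("""
[
 {"@odata.type": "#microsoft.graph.iosVppApp", "displayName": "Contoso Notes",
  "assignments": [
   {"target": {"groupId": "grp-supervised"}, "settings": {"useDeviceLicensing": true}},
   {"target": {"groupId": "grp-byod"}, "settings": {"useDeviceLicensing": false}}]},
 {"@odata.type": "#microsoft.graph.iosVppApp", "displayName": "Contoso Kiosk",
  "assignments": [
   {"target": {"groupId": "grp-kiosk"}, "settings": {"useDeviceLicensing": false}}]},
 {"@odata.type": "#microsoft.graph.iosVppApp", "displayName": "Contoso Mail",
  "assignments": [
   {"target": {"groupId": "grp-supervised"}, "settings": {"useDeviceLicensing": true}}]}
]
""")

# Hypothetical admin-maintained map: enrollment type of the devices in each group.
GROUP_ENROLLMENT = {"grp-supervised": "supervised", "grp-kiosk": "kiosk",
                    "grp-byod": "user_enrollment"}

def audit_vpp_licensing(apps, group_enrollment):
    """Return (app, group, finding) tuples for license/enrollment mismatches."""
    findings = []
    for app in apps:
        if app.get("@odata.type") != "#microsoft.graph.iosVppApp":
            continue  # only Apple VPP apps carry a device/user license choice
        name, modes = app["displayName"], set()
        for a in app.get("assignments", []):
            group = a["target"].get("groupId", "<all>")
            device = (a.get("settings") or {}).get("useDeviceLicensing")
            if device is None:  # nothing to compare; surface it for review
                findings.append((name, group, "license type not recorded"))
                continue
            modes.add(device)
            enroll = group_enrollment.get(group, "unknown")
            if not device and enroll in ("supervised", "kiosk"):
                findings.append((name, group, "user license on %s group" % enroll))
            elif device and enroll == "user_enrollment":
                findings.append((name, group, "device license on User Enrollment group"))
        if len(modes) == 2:  # same app assigned with both license types
            findings.append((name, "*", "device and user licenses mixed"))
    return findings

if __name__ == "__main__":
    for finding in audit_vpp_licensing(SAMPLE_APPS, GROUP_ENROLLMENT):
        print(" | ".join(finding))
```

The "mixed" finding is a prompt to review the app's assignments, since the two answers word the mixing rule differently (per app versus per user/device).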

