Yes, you can allow users to access the App Store using a personal Apple ID. Please note, this can get a little tricky to manage. Ideally, the organization should be providing all the apps that the user needs through VPP. This falls apart when In-App purchases are required. If you need to support In-App purchases, the only option today is the use of personal Apple IDs.
However, there are some areas of concern when using Personal Apple IDs. Here is the most common concern regarding this:
1. Company buys hardware
2. Hardware is enrolled in MDM using automated device enrollment and it is fully supervised
3. Some apps are delivered via the VPP token
4. The App Store is not restricted by the MDM
5. The user creates a Personal Apple ID - the user owns and controls it - the ID may or may not use your company's domain in the email
6. The user enters a corporate credit card into the Apple ID and purchases Apps from the App Store that for some reason the company is not delivering via VPP
7. The user leaves the company
8. The company cancels the corporate credit card
9. The user continues to maintain the Apple ID and owns the apps
You as the organization have no control over the Personal Apple ID and you may have even paid for the apps. However, the user now owns them and can continue to use them after leaving your organization. Note, subscriptions can be stopped when you cancel the credit card. But any purchased app is owned by the user, not the company, regardless of the card used to complete the transaction.
Also, Managed Apple IDs are not a solution as MAIDs cannot have payment information associated and thus cannot participate in any of the stores from a consumer standpoint.
As for how to achieve this, affinity or no affinity has nothing to do with it. Review your Restrictions payload and make sure you are allowing App Store and Apple IDs. Then the users will be able to log in with an Apple ID and purchase apps.
Hope this is helpful. The use of Personal Apple IDs is a can of worms most companies don't want to open. Try to find a solution that does not involve using PAIDs. Again, if you have In-App purchase requirements, you are stuck. But if these are just apps, volume purchase them and deliver via the MDM. Personal Apple IDs run the risk of crossing the professional/personal boundary and resulting in corporate data leakage. Also, you will not be able to effectively use Managed Open In if you are allowing individuals to add apps that presume to need access to corporate data.
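One way to review a Restrictions payload as the answer above suggests, added here as an example that is not part of the original post. It assumes an unsigned .mobileconfig exported from the MDM, and that the vendor's "App Store" and "Apple ID" settings map to the Apple `com.apple.applicationaccess` keys listed in `KEYS`; the profile is constructed sample data.

```python
import plistlib

# Restriction keys from Apple's com.apple.applicationaccess payload.
# Each one defaults to True (allowed) when it is absent from the payload.
KEYS = {
    "allowAppInstallation": "installing apps at all",
    "allowUIAppInstallation": "App Store app visible (supervised)",
    "allowAccountModification": "signing in to or changing an Apple ID (supervised)",
    "allowInAppPurchases": "In-App purchases",
}

# Constructed sample profile, not taken from any real deployment.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowUIAppInstallation</key><true/>
      <key>allowAccountModification</key><false/>
    </dict>
  </array>
</dict></plist>"""

def audit_restrictions(profile_bytes):
    """Return {key: effective bool} merged across all Restrictions payloads."""
    profile = plistlib.loads(profile_bytes)
    effective = {k: True for k in KEYS}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for k in KEYS:
            # An explicit False in any payload wins: the most restrictive value applies.
            if payload.get(k) is False:
                effective[k] = False
    return effective

def blockers(profile_bytes):
    """Keys that would stop a user signing in and buying from the App Store."""
    return sorted(k for k, v in audit_restrictions(profile_bytes).items() if not v)

if __name__ == "__main__":
    for key in blockers(SAMPLE_PROFILE):
        print(f"blocked: {key} ({KEYS[key]})")
```

An empty result from `blockers` means none of these four keys is restricting App Store or Apple ID use in that profile; other installed profiles on the device still need the same check.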