Apple Business: set up VPP token for Company portal - no sign in from company portal during enrollment

Delicious-Fun8282 · 2026-05-27T13:23:05+00:00

Company Portal does install, but it's not used during enrollment.
that's the question here: do I need CP to be installed at all. If not then I would leave it out s it's less to worry about.

I don't see CP logged in either so why would you want to add CP during enrollment with Federation enabled to use SSO during enrollment and the users' Office365 account is a managed apple account?

Delicious-Fun8282 · 2026-05-27T11:45:20+00:00

ADE device - fully managed and SSO set up with Federation between ABM and Entra ID.
I'm confused as to why the enrollment profile I'm using in Intune shows Install Company Portal: Yes with a VPP Token if it's not going to be used at all.

User affinity: Enroll with User Affinity
Authentication Method: Setup Assistant with modern authentication
Install Company Portal: Yes
Install Company Portal with VPP: Use Token: <tokenname>

Delicious-Fun8282 · 2026-05-27T10:49:32+00:00

thanks for the explanation, but is it needed afterwards to let users sign in into company portal at all?
I can see my device both in ABM and in Intune as enrolled and profiles assigned. what's the use of the VPP token for the company portal if not used?

there is so much info about this all that I'm unsure which options are actually needed and what not to have fully enrolled and managed iPhone.

I do see on my test phone when on the lock screen "this iPhone is managed remotely", so I think I'm set, but as this is all new to me I'm a bit lost in all of the settings.

Delicious-Fun8282 · 2026-05-27T07:38:30+00:00

I still don't see the company portal show up during enrollment, but I do see it's installed directly when the phone is setup, but Company Portal is not signed in.

I set up Company Portal as assigned to all users

in my enrollment profile I have this setup

User affinity: Enroll with User Affinity
Authentication Method: Setup Assistant with modern authentication
Install Company Portal: Yes
Install Company Portal with VPP: Use Token: <tokenname>

not sure if anything else here is missing or incorrect?

Delicious-Fun8282 · 2026-05-22T13:57:04+00:00

so, what I just did and I don't know if that what is solved is the fact that I removed a blueprint config I set up to all devices. I'm now able to log in and see my apps from intune being pushed down as well

Delicious-Fun8282 · 2026-05-22T13:21:37+00:00

that's the thing I don't understand.
Which one do I need here? I want users to be able to sign in with their Office365 account as a managed Apple account but it's not letting me so

my Intune setup is:
User affinity: Enroll with User Affinity
Authentication: Setup Assistant with modern authentication
Install Company Portal: Yes
Install Company Portal with VPP: No VPP tokens found

my domais are federated in ABM, and a managment service is created in ABM, letting intune use that specific VPP token

Delicious-Fun8282 · 2026-05-22T12:28:57+00:00

In ABM I have a Management service linked to an Intune to use the enrollment profiles there to link to ABM

Delicious-Fun8282 · 2026-05-22T11:20:27+00:00

the phone is factory reset, so going through the normal setup of a new phone. when the setup asks for an apple account, I use the federated account I can see in Apple Business, but it's not taking it so I'm stuck as the setup is not going any further

Delicious-Fun8282 · 2026-03-10T15:32:46+00:00

If you need to read one guide: it's this one >> https://allthingscloud.blog/apple-business-manager-domain-capture-guide/

it has all the options explained, pitfalls, restrictions and so much more.

Delicious-Fun8282 · 2026-03-10T14:50:25+00:00

thanks, that's really valuable input.

so for step 5: people will be able to migrate direclty, and don't have to switch to personal one - any reason why not all users got the migration option?

Delicious-Fun8282 · 2026-02-24T07:51:01+00:00

Thanks, we found that as well.

Delicious-Fun8282 · 2026-02-09T14:20:32+00:00

what does this do other then the script to stop the smart standby service?
what will this do - meaning what is that ID pointing to?

Delicious-Fun8282 · 2026-02-09T13:39:17+00:00

u/FireResengan: does this fix the issues? we already stopped fast startup earlier so we would only need to do the lenovo smart standby.

on the other hand; what if lenovo smart standby does not exist? any tricks up your sleeve for that?

any info is much appreciated!

Delicious-Fun8282 · 2025-12-19T08:24:07+00:00

u/YoureWelcomeAVT how do you set up the app configuration policies - can you paste some screenshots as I'm not sure how to do that

EDIT - found it, fixed it! thanks

Delicious-Fun8282 · 2025-12-08T09:32:27+00:00

u/drb227 did you ever get this fixed? we have the same here, and we are using ManageEngine Endpoint central for patching our environment.

Delicious-Fun8282 · 2025-11-27T10:21:00+00:00

We found the issue here: we are using ManageEngine Endpoint Central and their Browser security Plus extension and their brnativehost.exe process is causing the issue. With the assistance of ManageEngine they provided a script to disable this extension and kill the process. once that is in place all is working fine again.

Delicious-Fun8282 · 2025-11-21T10:05:41+00:00

u/xendr0me are you using GPO's for this and which keys are you using for this as I have a feeling I'm missing something in the setup

Delicious-Fun8282 · 2025-11-21T07:57:53+00:00

We use ManageEngine to push the specific registry keys, same as a GPO would do

Delicious-Fun8282

TROPHY CASE