You manage a fleet of corporate iPhones through Microsoft Intune. Enrollment is automated through Apple Business Manager (ABM), apps deploy silently through the Volume Purchase Program (VPP), and users never see an App Store login. Then one day, your service desk starts getting tickets:
“Sign in to iTunes Store. Sign in to allow Contoso A/S to manage and install apps.”
A handful of devices show the prompt at first. A few days later, dozens. Users tap Cancel, the dialog disappears, and a few hours later it reappears. Some users sign in with personal Apple IDs to make it go away, which is exactly what you do not want on a corporate device.
This is one of those issues that looks like an Apple ID, ABM, or enrollment problem – but almost never is. In every case I have worked, the root cause was the same: somewhere in the tenant, an app was added as an iOS Store App when it should have been added as an iOS Volume Purchase Program app. This post walks through why those two app types behave so differently, how to confirm which one is causing the prompt, and how to fix the issue across a large device estate without disrupting users.
Why iOS Devices Ask for an Apple ID in the First Place
Intune offers several iOS app types in the admin center. Two of them install the same app from the same App Store listing, but they have completely different licensing and installation behavior:
- iOS Store App – A direct link to a public App Store listing. The app installs into the user’s iCloud account. The device must be signed in to the App Store with a personal or managed Apple ID for the install to complete. There is no concept of device-based licensing.
- iOS Volume Purchase Program app (VPP) – An app license that your organization owns through Apple Business Manager. With Device licensing, the license is assigned to the device itself – no Apple ID is required on the device for the install. The app simply appears.
The two app types look almost identical in the admin center. Both can point to the same App Store URL. Both can be assigned as Required, Available, or Uninstall. The difference is invisible until a device tries to install the app and discovers it has no Apple ID signed in.
When an iOS Store App is assigned as Required to a supervised device with no Apple ID, iOS does what it is told – it prompts the user to sign in so the install can proceed. That is the prompt your users are seeing.
Why You May Not Have Seen This Before
A fresh ABM enrollment with VPP apps assigned through Device licensing never triggers an Apple ID prompt because no app on the device needs one. The issue surfaces when somebody adds the same app a second time – as an iOS Store App – usually because they pasted the App Store URL into the wrong “Add app” wizard. The VPP version may still be present, but the iOS Store App duplicate is now competing for the same slot on the device, and only one of them can win.
How to Confirm This Is Your Issue
Before you start changing assignments, confirm the diagnosis. Three quick checks usually settle it.
Check 1: List All iOS Apps with Required Assignments
In the Intune admin center, go to Apps > iOS/iPadOS and filter the list. Look at every app where the App type column shows iOS store app. For each one, open the app and check Properties > Assignments.
Any iOS Store App with a Required assignment is a candidate for the prompt. iOS Store Apps assigned only as Available or Uninstall do not trigger the prompt – they sit quietly in the company portal or only act when the user actively removes the app.
Check 2: Cross-Reference with VPP
For each suspect iOS Store App, search for a VPP version of the same app. The naming will be similar but not identical – the VPP version typically shows the publisher and a different icon variant. If both versions exist, the iOS Store App is almost certainly redundant.
Check 3: Look at the Audit Log
Intune’s audit log will tell you exactly when each app was added and by which admin account. Go to Tenant administration > Audit logs and filter on the Mobile App category. Search for the app name and check the Create entries. In one recent case, an admin had bulk-added a dozen iOS Store App duplicates within a 20-minute window – clearly someone working through a list using the wrong wizard.
If checks 1 and 2 confirm the duplication and check 3 confirms when it happened, you have your root cause.
Why You Cannot Just Delete the iOS Store App
The natural reaction is to delete the iOS Store App duplicate and be done with it. Resist that urge until you have a rollout plan, because three things can go wrong:
- Users still see the prompt until iOS finishes its install queue. iOS does not automatically discard a pending install when its source is removed. The user has to Cancel the prompt at least once – sometimes more than once – before the MDM channel processes the change.
- Required and available install intent on a managed device is sticky. If the VPP version is not already assigned and licensed at the device level, removing the iOS Store App leaves users with no app at all.
- Filters and groups can overlap in non-obvious ways. If the iOS Store App is assigned to a broad group and the VPP version is assigned to a different broad group, deleting one may pull the app from devices that should still have it.
The safe sequence is: assign the VPP version with Device licensing first, validate on a single device, then remove the iOS Store App.
The Pilot Approach: Validate on One Device Using Assignment Filters
Before you touch a production assignment, prove the fix on one device. Intune’s Assignment Filters make this clean.
Step 1: Create a Single-Device Filter
In the Intune admin center, go to Tenant administration > Filters > Create.
- Platform: iOS/iPadOS
- Name: Something obvious like
Pilot-iPhone-XYZ123-only - Rule syntax:
(device.deviceName -eq "XYZ123")
Replace XYZ123 with the actual device name from Devices > iOS/iPadOS devices. Use Edit in advanced mode if you prefer to write the rule directly.
Step 2: Exclude the Pilot Device from the iOS Store App Assignment
Open the problematic iOS Store App in Intune. Go to Properties > Assignments > Edit. On the existing Required assignment, click Filter and set:
- Filter mode: Exclude
- Filter:
Pilot-iPhone-XYZ123-only
This tells Intune to apply the iOS Store App’s Required assignment to everyone except the pilot device. The pilot device is now isolated from the prompt – existing prompts may still need to be dismissed once, but no new ones will queue.
Step 3: Assign the VPP Version with Device Licensing to the Pilot Device
Open the VPP version of the same app. If it does not yet have a Required assignment to the same target group, create one:
- Assignment type: Required
- Group: The same group the iOS Store App was assigned to
- License type: Device
- Filter:
Pilot-iPhone-XYZ123-only - Filter mode: Include
This is the inverse of Step 2 – the VPP assignment now applies only to the pilot device. The rest of your estate still gets the (about to be removed) iOS Store App version; the pilot device gets the VPP version with a device-bound license.
Step 4: Have the Pilot User Dismiss the Prompt and Sync
Walk the pilot user through these exact steps:
- When the iTunes sign-in prompt appears, tap Cancel.
- Open Settings > General > VPN & Device Management > the MDM profile.
- Tap Sync to force a check-in.
Within a minute or two, the VPP version of the app installs silently. No Apple ID prompt. The app shows the small organisation marker indicating it was installed by MDM.
If the install fails or the prompt comes back, stop and investigate before going further – usually the cause is a missing VPP license assignment or an expired VPP token (more on tokens below).
Rolling Out the Fix to the Rest of the Estate
Once the pilot is green, the rollout is mechanical. For each affected app:
- On the VPP version, remove the
Pilot-XYZ123-onlyfilter so the Required + Device-licensing assignment applies to the full target group. - On the iOS Store App version, remove the existing Required assignment entirely. Do this before deleting the app to avoid an Intune sync that might re-prompt users.
- Delete the iOS Store App entirely once no devices reference it. This also makes sure nobody re-uses it accidentally later.
If you have several apps to fix, work through them one at a time. iOS handles MDM commands serially, so a batch change can produce more prompts than you would expect.
What Users Should Expect
Communicate clearly to end users before you flip the assignment. A short email along these lines works well:
Over the next 24 hours, you may see a sign-in prompt on your work iPhone asking you to log in to iTunes or the App Store. Please tap Cancel. Do not enter any Apple ID. The app you are missing will install automatically within a few minutes after you cancel the prompt.
The behaviour is non-obvious: iOS only processes the next MDM command after the current prompt is dismissed. Until the user taps Cancel, the device is effectively stuck waiting for the user.
Cleanup: Filters, Duplicates, and Audit Trail
After the rollout is complete, do not leave the scaffolding in place:
- Delete the pilot assignment filter (
Pilot-iPhone-XYZ123-only) so it does not get reused accidentally. - Confirm both iOS Store App duplicates are deleted – keeping them around “just in case” invites the same mistake again next quarter.
- Document what happened in your change log so future admins know the difference between iOS Store App and VPP and which to use.
- Run a tenant-wide review of remaining iOS Store Apps. Any iOS Store App with only Uninstall or Available (without enrollment) assignments is safe. Any iOS Store App with a Required assignment to a device group should be evaluated.
A Quick Reference: iOS Store App vs VPP at a Glance
| Aspect | iOS Store App | iOS VPP App (Device licensing) |
|---|---|---|
| Source | Public App Store URL | Apple Business Manager (purchased) |
| Requires Apple ID on device | Yes | No |
| Required-install on supervised devices | Triggers iTunes sign-in prompt | Installs silently |
| License consumed | None tracked by MDM | One per device |
| Revoke license | Not possible | Yes, from Intune |
| Update behavior | Same as App Store | Same as App Store |
| Cost | Free apps only (in practice) | Free and paid apps |
| Recommended for managed iOS | No | Yes |
The short version: on a corporate-owned iOS device managed through Apple Business Manager, VPP with Device licensing is the only app type that should appear as Required for first-party and approved third-party apps.
How to Prevent This from Happening Again
The root cause is almost always procedural – an admin selected the wrong app type from the Intune wizard. A few controls reduce the chance of recurrence:
- Document the standard. Add a one-line rule to your Intune operations doc: “All Required iOS apps must be added as iOS Volume Purchase Program apps. iOS Store Apps may only be used for Available or Uninstall assignments.”
- Restrict app creation with RBAC. Use scope tags and Intune’s role-based access control to limit app creation to a small group of admins who know the difference. The principle of least privilege applies to MDM tenants too.
- Use audit log alerts. Microsoft Graph + a small Logic App can email you whenever a new iOS Store App is created. Quick to set up, quick to react.
- Check the VPP token expiry. A frequent secondary cause is an expired VPP token. When a token expires, Intune cannot create or renew Device licenses, and admins reach for “iOS Store App” as a workaround that turns into a permanent footgun. Renew the token annually and set a calendar reminder a month in advance.
Healthy VPP Token Practices
A VPP token has a 12-month validity. When it is close to expiry, Intune shows a banner in the Tenant administration > Connectors and tokens > Apple VPP Tokens view. After expiry:
- Existing licensed apps continue to function.
- New licenses cannot be assigned.
- Token renewal requires a new
.vpptokenfile from Apple Business Manager.
If your token has just been renewed and apps are stuck in Failed state, revoke and re-assign licenses one app at a time. Bulk re-assignment occasionally fails for individual apps, and the only way to clear the failed state is a manual revoke + reassign cycle.
Troubleshooting: When the Prompt Will Not Go Away
If you have applied the fix and a specific device is still prompting, work through these in order:
- Has the user tapped Cancel at least once? iOS sometimes queues multiple install commands – the user may need to dismiss two or three prompts before the queue drains.
- Force a sync. From the device: Settings > General > VPN & Device Management > MDM profile > Sync. From Intune: Devices > select device > Sync.
- Confirm the device is licensed for the VPP version. Open the VPP app in Intune > Device install status. The device should be listed with Installed or Pending. If it is Not applicable, the assignment is not reaching the device – check group membership and filters.
- Check the VPP token health. Tenant administration > Connectors and tokens > Apple VPP Tokens. If the token shows any warning, address that first.
- Reboot the device. Last resort, but occasionally clears a stuck MDM channel.
If you have exhausted these, look at the device’s Managed Apps report. An app that should be VPP-licensed but appears under iOS Store App lineage indicates the old assignment is still active somewhere – usually a forgotten filter or a duplicate group assignment.
FAQ
Will users lose any data when I switch from iOS Store App to VPP?
No. The App Store install and the VPP install are the same app binary from the same listing. Local data and settings are preserved across the transition because iOS treats them as the same bundle ID.
Do I need a managed Apple ID for VPP with Device licensing?
No. Device licensing is the entire point – the license is bound to the device hardware identity, not to any Apple ID. The device can have no Apple ID signed in at all, and VPP apps will still install.
Can I keep using iOS Store Apps for some apps?
For apps you want to make optionally available to users through the Company Portal, yes – assign them as Available. For Required deployment to corporate-owned devices, no. Switch them to VPP.
What about iPadOS devices?
The same rules apply. iPadOS uses the same MDM commands and the same VPP licensing model as iOS. If you have iPads in the same affected group, they will exhibit the same prompt behaviour and be fixed by the same approach.
My VPP token was renewed by someone else and now apps are failing – is this related?
It can be. A token renewal sometimes leaves individual app licenses in a Failed state until they are re-assigned. This is a separate issue from the iOS Store App vs VPP problem, but you may encounter both at once if the same admin tried to “work around” the failed VPP state by adding iOS Store App versions. Treat the VPP licensing failures as a separate workstream once the prompt is gone.
Summary
If iOS devices managed by Microsoft Intune are showing an iTunes or App Store sign-in prompt, do not start with Apple ID configuration, ABM enrollment, or DEP profiles. Start with your app inventory. Look for iOS Store Apps with Required assignments that overlap with VPP versions of the same app. Fix one device first using assignment filters, then roll the change out to the rest of the estate, and finish by deleting the iOS Store App duplicates entirely.
The technical fix is simple. The harder part is preventing the next admin from making the same selection in the same wizard – so document the standard, restrict who can add apps, and keep your VPP token healthy. Your users will never see another iTunes prompt, and your service desk will get its mornings back.