Support tip: Navigating the new Single App mode for Company Portal

With Intune support for Multi-token DEP, admins are given the option of authenticating with Company Portal when enrolling devices with user affinity as we’ve shared previously in our blog post. After a recent Intune release, admins have the ability to lock Company Portal in Single App mode so users have to sign in to the Company Portal before getting access to a device. In this post, we’re sharing some tips and troubleshooting about the experience that you may find useful.

Consider a case where you have enrollment settings configured as shown in the screenshot.

single app1

The Company Portal provisioned through Apple’s Volume Purchase Program (VPP) can fail to install in case VPP tokens expire, run out of Company Portal licenses, get deleted, get assigned to another Intune tenant or get assigned to another MDM vendor. This could also happen due to a temporary outage in Apple services. In this situation, users on blocked devices can get stuck in the installation process for more than 10 minutes and see screens similar to what is shown below.

Note that in normal cases, end users will see this screen for about 45-60 seconds while the Company Portal is installing in the background and launches in Single App mode. This is an OS limitation and we have a request in with Apple to be able to customize this message.

singles App 2

Troubleshooting VPP token issues

Admins will need to figure out any issues with the VPP token to ensure that users do not get their devices in a blocked state. Any issues with the VPP token can be found by going to the Device enrollment blade in Intune and navigating to Apple enrollment > Enrollment program tokens > (token name) > Profiles > (profile name) > Manage > Properties. You should see a message with a reason for the block as in the sample screenshot below.

single app 3


Issuing a remote wipe

After any VPP token issues have been resolved, devices should be wiped, and the enrollment process will have to be started from the beginning. Users can wipe a device by going to or ask an admin to issue a remote wipe. An admin can get a list of devices by going to Apple Enrollment> Enrollment program tokens > (token name) > Devices and filter for devices in “Blocked” state.

single app 4

Blocked devices can also be found at Enrollment program tokens > (token name) > Profiles > (profile name) > Monitor > Assigned devices.

You can reach out to us if you have any questions or feedback on the experience!

Post updates:

9/21/18: Updated to note that we have made a feature request to Apple.

Comments (0)

Skip to main content