General Troubleshooting Checklist: Apps Failing to Install/Auto-Update
If app installations or auto-updates do not occur, there are a few items to check first. To start, make sure the device is responding to MDM commands and that all of its audits are up to date. If it is not, there may be an issue with MDM connectivity. A restart of the device may help, or a full re-enrollment may be necessary, depending on the exact issue.
Be sure to verify that the Apple Apps token is valid and up to date. If those items check out, try deploying the app via GoLive to see if it successfully installs the updated version. If the app is still failing to install or update, review the other common resolutions below.
App is Running
Apple Apps updates will only be installed if the target application is closed (not actively running) when the update command is sent.
Oftentimes when a device is not receiving regular updates for a certain application, we find that it is because that app is running at all times the device is in use.
We frequently see this problem with applications end-users must use daily throughout their entire workday (for example, apps in the Microsoft Suite).
Licenses Unavailable
Apple Apps licenses are consumed on a per-device basis. If you do not have enough licenses, you will receive an error on deployment reporting 'no license found'. If you are deploying via a policy, ensure sufficient licenses have been purchased for all devices in the policy.
To confirm which devices are using licenses, navigate to Policy > Integrations & Settings > Apple Apps and review the Apple Apps Assets section.
The Total, Assigned, and Available columns report the total number of licenses, number of devices using licenses, and remaining number of licenses for each app, respectively.
Select the number in the Assigned column for any app to verify which devices are consuming licenses.
More info about releasing app licenses can be found here: Releasing Apple Apps (Apps & Books) Licenses
If needed, additional app licenses can be purchased in Apple Business/School Manager.
Unsupervised Devices
Unsupervised devices will receive the following prompt when an Apple App is deployed:
If the prompt is not accepted, the app will not be installed on the device. Be sure to advise your end-users that these prompts must be accepted if you are working with unsupervised machines. Oftentimes we find that updates or installations are not occurring because this prompt is not being accepted.
For more information about device supervision, see: Overview: Device Supervision
Compatibility
Not all apps are universal. You can verify if an app is compatible with your devices by checking the "Supported Devices" column in the Apple Apps Assets section mentioned above.
Furthermore, the latest version of an Apple App may not be compatible with a device's current OS version. If you notice that a particular application is repeatedly attempting installation on device(s) but is not actually being installed, check the software's release notes/version compatibility to confirm if a later OS/iOS version is required.
Single App Mode
Apple Apps running in Single App Mode will not receive automatic updates. The Single App Mode MDM Profile must be temporarily removed for the app to be updated. After the update is installed, the MDM Profile can be re-deployed to the device. As per Apple, this behavior is expected.
Non-VPP Apps
A common reason an app may fail to install or update on a macOS device is that a non-Apple Apps (VPP) version of the app is already installed (or is simultaneously being deployed to the device via Smart/Public Software, etc.).
To confirm if this is the case, the following command can be run on devices to determine whether an app was installed via VPP (change nameOfApp to the name of the application):
mdls /Applications/nameOfApp.app/ -name kMDItemAppStoreReceiptIsVPPLicensed
Output meaning:
- An output of 1 means the application was installed via Apple Apps.
- An output of 0 means it was not installed via Apple Apps.
If an app was not installed via Apple Apps, it will not be possible to update the app via Apple Apps and/or reinstall the app as an Apple App. The app would need to be uninstalled from the device before the Apple Apps version can be installed successfully.
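To run the check above across every app in a folder instead of one at a time, the following sketch can be used. It is an added example, not Addigy tooling; classify_vpp and report_apps are hypothetical helper names, and anything other than 1 or 0 (for example an absent attribute) is reported as "unknown".

```shell
#!/bin/sh
# Added example: list apps in a folder with their VPP receipt status.
# classify_vpp and report_apps are hypothetical names, not part of Addigy.

# Map one line of mdls output to a verdict.
# mdls prints "<attribute> = <value>"; it prints "(null)" when the
# attribute is absent, e.g. for an app with no App Store receipt.
classify_vpp() {
    value=$(printf '%s\n' "$1" |
        sed -n 's/^kMDItemAppStoreReceiptIsVPPLicensed *= *//p')
    case "$value" in
        1) echo "vpp" ;;       # installed via Apple Apps (VPP)
        0) echo "non-vpp" ;;   # App Store receipt, but not VPP licensed
        *) echo "unknown" ;;   # (null), empty, or mdls failed
    esac
}

# Print "<verdict><TAB><path>" for every .app bundle in a directory.
report_apps() {
    dir=${1:-/Applications}
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        line=$(mdls -name kMDItemAppStoreReceiptIsVPPLicensed "$app" 2>/dev/null)
        printf '%s\t%s\n' "$(classify_vpp "$line")" "$app"
    done
}

# Run the report only where mdls exists (macOS).
if command -v mdls >/dev/null 2>&1; then
    report_apps "${1:-/Applications}"
fi
```

Apps reported as "non-vpp" or "unknown" that are also assigned as Apple Apps are the candidates for the uninstall-then-redeploy step described above.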
Restrictions MDM Profile preventing Installation
If Addigy reports that an app has been successfully installed but it does not actually exist on the device, a Restrictions MDM Profile may be preventing deployment. The Restrictions MDM Profile provides the ability to allow-list certain applications for iOS and tvOS devices (Restrictions MDM Profile > Apps > Allow Listed Apps). If a profile that includes this setting is installed on an affected device, and the affected application is not included in this allow-list, this is what is preventing deployment. You can resolve this by adding the app to the allow list in the MDM Profile.
VPP Token
Tokens should not be used by more than one MDM server. If you have recently migrated your devices over from another MDM solution, or already have a token created for use in another Addigy tenant, those tokens should not be reused. It is necessary to create a new token for each individual MDM environment. Reusing tokens that have previously been used in another MDM solution (or other Addigy tenant) will cause various unexpected behaviors for your Apple Apps deployments (even if the previous token is no longer actively being used).
Network Interference
Oftentimes we see that the installation of Apple Apps is prevented by a firewall or other network protection mechanism. Try placing an affected device on a Personal Hotspot and re-deploying Apple Apps to confirm if network interference is preventing installation. If this is the case, ensure the necessary port(s) are whitelisted for Addigy & Apple Apps to function: Complete Port Usage for Addigy
Common Errors & Resolutions
VPP Tokens
Apps & Books token metadata does not match our current records. Please renew token if you wish to keep using it!
- This error occurs when the metadata of the Apple Apps location token is modified by a third party (used outside of the Addigy tenant).
Renewing or creating a new token should remediate this error. To prevent it from occurring, ensure that the location token is not being used outside of your Addigy tenant.
401 - error while retrieving token assets || 9621 - The token has expired. You need to generate a new token online using your organization's account at either school.apple.com or business.apple.com.
- This error occurs when the VPP token in use for a policy has expired. Addigy's Apple Apps integration requires communication with Apple Business Manager. The Location Token facilitates this communication, so make sure you are using a valid .vpp token that is up to date.
Bad status response[400]: "Error syncing token".
- This error indicates that the token is no longer valid or has been explicitly revoked by the server, which can almost always be resolved by renewing it. We also suggest ensuring the token is not currently in use, and has not previously been used, in another MDM server. If it has, it should be replaced with a brand new token for sole use in Addigy.
Errors on Deployment
Code[506] Domain[ASDErrorDomain]: Duplicate Request
- This error occurs when the system receives multiple identical installation requests for the same app on the same device simultaneously. It blocks any redundant commands if an install request is already in progress or pending. In other words, it means the command to install the app has already been sent, and the error can typically be safely ignored.
Error deploying asset: bad status response[400]: "error associating asset to device: token is not active: 401 - error while retrieving token assets || 9625 - The server has revoked the sToken."
- This error occurs when the VPP Token has expired or is in use in another MDM server. To resolve, first try renewing the token. If the error persists, create a brand new token.
My question isn't here, what do I do?
If you have any further questions, please do not hesitate to reach out to us by contacting support@addigy.com