I was testing some configurations with scope tags and apps.

The setup is straightforward: I have 3 scope tags based upon security groups containing the devices to represent a region.

Prior to starting with the scope tags, there were already apps imported (Managed Google Play & Apple App Store). These are all assigned to the default scope tag.

Now when I’m logged in as a delegated admin who only has permissions to add apps for a region, defined by the scope, I cannot see these apps, which is expected because they’re not shown (assigned) for that scope (region). When I want to add one of these apps that are already imported, I see 2 different scenarios:

  • Import from Apple App Store: The app is imported in this scope and can be assigned. With the Intune Admin I see 2 instances of the app, one for the default scope and one for the regional scope. This is not blocking but confusing…
  • Import from Managed Google Play: As the app is already approved, there is no way to continue. For the regional admin/operator there is nothing available to import the app again, as the interface does not allow you to do anything. This is very confusing (and annoying) as the regional operator does not have any way to set any assignment for the app for the scope of devices.

I’ve been thinking about some workarounds for this:

  • creating a process around this, but that doesn’t resolve the confusing issue for managed Google Play apps
  • creating a delegation app admin which includes all the scopes so that at least the regional admins can see the apps. This isn’t perfect either in my opinion as it would conflict somewhat with the scoped setup.

Has anyone ever come across such a use case or would like to share any thoughts on this?