I was going through the config profiles and I currently have one setup to restrict App Store to software updates only, which has been working fine. Now I see there's an additional option to Restrict App Store to MDM installed apps and software updates. (see screenshot)
My question is, does the 'Restrict App Store to MDM installed apps and software updates' essentially include the 'Restrict App Store to software updates only'? Meaning should I unselect that and use only the MDM installed apps and software updates?
Our environment has been slow to move to newer versions due to the geographic locations of the various machines. So we essentially have 10.8 - 10.13 boxes, but I don't necessarily have access to the older boxes to test against. I don't remember exactly when config profiles came into play, but if the older OS's don't understand the restriction with the software updates and MDM installed apps and therefore not apply either restriction.
I honestly don't see where its helpful. The user can still login with their Apple ID and "GET" an app with the restrict App Store to MDM selected. I want my users to be able to browse the Mac App Store to see if there are any apps they want. However, I don't want them to install applications, thats why we have VPP. The Restrict App Store to software updates works great it does exactly what it says it will do. I like the fact that they receive just software updates, but I would also like for the users to be able to peruse for any apps they may want. I'm moving more and more to self-service at least for Faculty/Staff which is where I get most of my hiccups. For students they don't need the Mac App Store or the iOS App Store so I don't mind being restrictive towards their devices. In all honesty, I don't think I answered your question either. If you have been using the "Restrict App Store to software only," I would continue to use that and would just deselect the App Store MDM option until the glitch has been resolved. Or maybe its just on my end that its hiccuping. I have found out there is a lot of testing that should be completed before an actual deployment of a Configuration Profile to make sure you have what you want.
Have a great day!