After updating a few devices to iOS 10 to test our distribution, we found that we can't install any of our internal applications OTA.
All of our devices are managed. Some are supervised and some are unsupervised. We support from iOS 6 (4th gen iPods) to iOS 10.
The restriction that seems to be cause the problem is for restricting access to the Apple App Store. Previously this meant that the App Store would not show up and you couldn't install apps from the Apple App Store, but could still install our internal applications through either our web portal or an MDM solution. In iOS 10, that restriction is stopping installation OTA through our web portal. Removing the restriction allows OTA installation to work but then the devices have access to the Apple App Store, which is very undesirable for us.
Our OTA installation works using the itms-services:// protocol pointed to a manifest plist. With the restriction in place, it seems to reject this protocol. All previous versions of iOS worked fine. Changing between HTTP and HTTPS for the IPA and manifest plist files, makes no difference.