> Thanks again for your reply. You seem to be confirming the behaviour I found which to my mind can only be a bug somewhere in the Esri technology stack.
No this is not a bug, but by design. The Anonymous access Boolean really only applies to the _website_, It probably shouldn't even have been part of the SDK, since it's not that useful.
There's really two main properties here in your portal configuration that matters:
1. Can users of the portal share items publicly outside the organization.
2. Can users outside the organization perform searches against the org's public maps
Here's the scenario: "City of Foo has a portal that their employees can sign into and use. Citizens aren't able to access this portal. However any employee can create a map, share it publicly, then for instance embed it in their public-facing website for citizens to look at". This means if you already know the Map ID, you can get access o the webmap. If you don't want your employees to do this, disable "CanSharePublic".
The other part "CanSearchPublic" merely sets whether the search endpoint that can search for maps is available for anonymous users. This is really the one custom apps should look at, and not the anonymous access property talked about at first. Without it, it's near-impossible to make a usable portal app without signing in first, unless you ask users to enter map ids directly.
If you can search public, and you use the endpoint anonymously, only publicly shared maps are returned. If you sign in, more maps might be available to that user.