Managed apps for iPhone and iPad
Depending on your organization, you may need to control how apps that are distributed to your users connect to internal resources, and how data security is handled when a user leaves the organization. You can distribute free, paid, and in-house apps wirelessly via your mobile device management (MDM) solution, providing the right balance between organizational security and user personalization.
Apps installed using MDM are called managed apps. They often contain sensitive information, and you have more control over them than you have with apps downloaded by the user. The MDM solution can do the following with managed apps:
Specify whether managed apps and their data remain on the device when the user unenrolls from MDM
Prevent data from managed apps from being backed up to iTunes (in macOS 10.14 or earlier), the Finder (macOS 10.15 or later), or iCloud
Convert unmanaged apps to managed apps without reinstalling the app or losing user data
If the device is supervised, the switch to a managed app from an unmanaged app happens without user interaction. If the device isn’t supervised, the user must formally accept management.
Managed apps can be removed from a device remotely by the MDM solution, or when a user removes a device from MDM. Removing an app also removes the data associated with it. If a managed app is still assigned to the user after it’s removed, the user can download that app from the App Store, but the app will no longer be managed. If an app license is revoked by MDM, it continues to function for a limited time. Eventually the app is disabled, and the user must purchase a copy to continue using it.
App restrictions and capabilities
Managed apps have the following restrictions and capabilities, providing improved security and a better user experience:
Managed Open In: Provides two functions for protecting your organization’s app data:
Allow documents from unmanaged sources in managed destinations. Enforcing this restriction prevents a user’s personal sources and accounts from opening documents in your organization’s managed destinations. For example, this restriction could prevent the user from opening a PDF from a random website in your organization’s PDF app.
Allow documents from managed sources in unmanaged destinations. Enforcing this restriction prevents an organization’s managed sources and accounts from opening documents in a user’s personal destinations. This restriction could prevent a confidential email attachment in your organization’s managed mail account from being opened in any of the user’s personal apps.
App configuration: App developers can identify configuration settings that can be set before or after the app is installed as a managed app.
App feedback: App developers can identify app settings that can be read using MDM. For example, a developer could specify a DidFinishSetup key that an MDM solution could query to determine if the app has been launched and set up.
Prevent backup: This restriction prevents managed apps from backing up data to iTunes (in macOS 10.14 or earlier), the Finder (macOS 10.15 or later), or iCloud. Disallowing backup prevents managed app data from being recovered if the app is removed via an MDM solution but later reinstalled by the user.
Safari downloads from managed domains: Downloads from Safari are considered managed documents if they originate from a managed domain. For example, if a user downloads a PDF from a managed domain, that PDF must comply with all managed document settings.
iCloud document management: This restriction prevents managed apps from storing data in iCloud, but it allows data created by users in unmanaged apps to be stored in iCloud.
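An added example, not part of Apple's documentation: a Python check that reads a configuration profile and reports whether the two Managed Open In restrictions and the iCloud document restriction described above are actually enforced. The key names come from Apple's Restrictions payload (com.apple.applicationaccess) and do not appear on this page; the sample profile and its identifiers are constructed.

```python
import plistlib

# Keys from Apple's Restrictions payload (com.apple.applicationaccess); not named on this page.
# Each defaults to true (allowed) when absent, so a missing key means the restriction is off.
CHECKS = {
    "allowOpenFromUnmanagedToManaged": "documents from unmanaged sources in managed destinations",
    "allowOpenFromManagedToUnmanaged": "documents from managed sources in unmanaged destinations",
    "allowManagedAppsCloudSync": "managed apps storing data in iCloud",
}

def audit_profile(profile_bytes):
    """Map each checked key to 'restricted', 'allowed (explicit)' or 'allowed (key absent)'."""
    profile = plistlib.loads(profile_bytes)
    seen = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # only restriction payloads carry these keys
        for key in CHECKS:
            if key in payload:
                # Assumption of this audit: if several restriction payloads set
                # the same key, the most restrictive value is treated as effective.
                seen[key] = seen.get(key, True) and bool(payload[key])
    report = {}
    for key in CHECKS:
        if key not in seen:
            report[key] = "allowed (key absent)"
        else:
            report[key] = "allowed (explicit)" if seen[key] else "restricted"
    return report

# Constructed sample profile: blocks managed-to-unmanaged, explicitly allows the
# reverse direction, and omits the iCloud key. Identifiers are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess",
         "allowOpenFromManagedToUnmanaged": False,
         "allowOpenFromUnmanagedToManaged": True},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "Example"},
    ],
})

if __name__ == "__main__":
    for key, state in audit_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {state} ({CHECKS[key]})")
```

A key reported as allowed, whether explicit or absent, means that profile is not enforcing the corresponding protection from the list above.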
Restricting third-party keyboards
iOS and iPadOS support Managed Open In rules that apply to third-party keyboard extensions. These rules prevent unmanaged keyboards from appearing over managed apps.