
Deploying managed apps and books
Managed apps
Depending on your organization, you may need to control how apps that are distributed to your users connect to internal resources, and how data security is handled when a user leaves the organization. You can distribute free, paid, and custom apps wirelessly using your mobile device management (MDM) solution, providing the right balance between organizational security and user personalization.
Apps installed using MDM are called managed apps. They often contain sensitive information, and you have more control over them than you have with apps downloaded by the user. The MDM solution can do the following with managed apps:
Specify whether managed apps and their data remain on the device when the user unenrolls from MDM
Prevent data from managed apps from being backed up to the Finder (in macOS 10.15 or later) and iTunes (in macOS 10.14 or earlier) or iCloud
Convert unmanaged apps to managed apps without reinstalling the app or losing user data
If the device is supervised, the switch to a managed app from an unmanaged app happens without user interaction. If the device isn’t supervised, the user must formally accept management. App conversion isn’t supported with User Enrollment into MDM.
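As an added example (not code from this guide or from any MDM product), the sketch below decodes the three settings listed above from an InstallApplication command as an MDM server would send it. The key names ManagementFlags (1 = remove when the MDM profile is removed, 4 = prevent backup) and ChangeManagementState come from Apple's MDM protocol reference rather than from this page; the app identifiers, the UUID and the policy in policy_gaps are constructed assumptions.

```python
import plistlib

# ManagementFlags bits of the MDM InstallApplication command.
REMOVE_ON_UNENROLL = 1  # app and its data are removed when the MDM profile is removed
PREVENT_BACKUP = 4      # app data is excluded from backups

def describe(raw: bytes) -> dict:
    """Decode the management settings carried by one InstallApplication plist."""
    cmd = plistlib.loads(raw)["Command"]
    if cmd.get("RequestType") != "InstallApplication":
        raise ValueError("not an InstallApplication command")
    flags = cmd.get("ManagementFlags", 0)
    return {
        "app": cmd.get("Identifier") or cmd.get("iTunesStoreID"),
        "removed_on_unenroll": bool(flags & REMOVE_ON_UNENROLL),
        "backup_prevented": bool(flags & PREVENT_BACKUP),
        "converts_existing_install": cmd.get("ChangeManagementState") == "Managed",
    }

def policy_gaps(raw: bytes) -> list[str]:
    """Assumed policy: sensitive apps leave with the enrollment and stay out of backups."""
    info = describe(raw)
    gaps = []
    if not info["removed_on_unenroll"]:
        gaps.append(f"{info['app']}: data stays on the device after unenrollment")
    if not info["backup_prevented"]:
        gaps.append(f"{info['app']}: data can be backed up")
    return gaps

def sample(identifier: str, flags: int, convert: bool = False) -> bytes:
    """Constructed sample command; the identifier and UUID are made up."""
    cmd = {"RequestType": "InstallApplication", "Identifier": identifier,
           "ManagementFlags": flags}
    if convert:
        cmd["ChangeManagementState"] = "Managed"
    return plistlib.dumps({"CommandUUID": "00000000-0000-0000-0000-000000000001",
                           "Command": cmd})

if __name__ == "__main__":
    for raw in (sample("com.example.notes", 5, convert=True),
                sample("com.example.wiki", 1)):
        print(describe(raw), policy_gaps(raw))
```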
The MDM solution can periodically check the App Store for new versions of public apps, then send an install app command to the device to update the app. This check also applies to custom apps.
Managed apps can be removed from a device remotely by the MDM solution or when a user removes a device from MDM. Removing an app also removes the data associated with it. If a managed app is still assigned to the user after it’s removed, the user can download that app from the App Store but the app will no longer be managed. If an app license is revoked by MDM, it continues to function for a limited time. Eventually the app is disabled, and the user must purchase a copy to continue using it.
App types | App Store | Custom | Proprietary in-house |
---|---|---|---|
Purchaser | End user | Organization | Own organization |
Audience | General public | Business, education, or internal | Own organization |
Customization | Everyone gets the same app | | |
App Store distribution | | | |
App review | | | |
Managed proprietary in-house apps
Although all volume purchased apps and custom apps can be installed as managed, only certain proprietary in-house apps can be managed. To be manageable, the app package must:
Not contain any nested packages
Contain only a single app
Be installed in /Applications
Managed apps must remain in the /Applications folder to be considered managed.
Managed app restrictions and capabilities
Managed apps have the following restrictions and capabilities, providing improved security and a better user experience:
App configuration: App developers can identify configuration settings that can be set before or after the app is installed as a managed app.
App feedback: App developers can identify app settings that can be read using MDM. For example, a developer could specify a DidFinishSetup key that an MDM solution could query to determine whether the app has been launched and set up.
Prevent backup: This restriction prevents managed apps from backing up data to the Finder (in macOS 10.15 or later) and iTunes (in macOS 10.14 or earlier) or iCloud. Disallowing backup prevents managed app data from being recovered if the app is removed using an MDM solution but later reinstalled by the user.
Safari downloads from managed domains: Downloads from Safari are considered managed documents if they originate from a managed domain. For example, if a user downloads a PDF from a managed domain, that PDF must comply with all managed document settings.
iCloud document management: This restriction prevents managed apps from storing data in iCloud, but it allows data created by users in unmanaged apps to be stored in iCloud.
Managed books
You can use mobile device management (MDM) to distribute managed books, EPUB books, and PDFs that you create or purchase.
EPUB books and PDFs distributed by MDM have the same properties as other managed documents—they can be updated with newer versions as needed, shared only with other managed apps, or emailed using managed accounts. The MDM solution can also prevent in-house books from being backed up. These books are assigned to users; however, they appear only on iPhone and iPad devices assigned to the user with MDM.
Some Apple Books content is not available in certain countries or regions. To learn whether certain Apple Books content is available in your country or region, see the Apple Support article Availability of Apple programs and payment methods for education and business.
Note: Books purchased through Apple School Manager or Apple Business Manager can be distributed through managed book distribution, but they can’t be revoked and reassigned.