Distribute Managed Apps to Apple devices
Depending on your organization, you may need to control how apps that are distributed to your users connect to internal resources, and how data security is handled when a user leaves the organization. You can distribute free, paid, and Custom Apps wirelessly using your mobile device management (MDM) solution, and manage the flow of data, providing the right balance between organizational security and user personalization.
Apps installed using MDM are called Managed Apps. They often contain sensitive information, and you have more control over them than you have with apps downloaded by the user.
Managed Apps can be removed from a device remotely by the MDM solution or when a user removes a device from MDM. On an iPhone or iPad, removing an app also removes its associated data in its data container. If a Managed App is still assigned to the user after it’s removed, the user can download that app from the App Store and the app continues to be managed.
If an app license is revoked through MDM on an iPhone or iPad and not removed, the app remains usable on the device for 30 days. If the app developer implements a receipt check, the app might become disabled earlier. On a Mac, apps remain usable until a receipt check occurs.
After an app is disabled, it can no longer be launched and the user is notified, but the app remains on the device and its data is preserved. After the user has purchased a copy, the app can be used again.
Managed App restrictions and capabilities
Managed Apps can have the following MDM capabilities and restrictions, providing improved security and a better user experience:
Unenrollment from MDM: Specify whether Managed Apps and their data remain on the device when the user unenrolls from MDM.
Convert apps: Convert unmanaged apps to Managed Apps.
If the device is supervised, the switch to a Managed App from an unmanaged app happens without user interaction if requested by the MDM solution. If the device isn’t supervised, the user must formally accept management. App conversion isn’t supported with User Enrollment into MDM.
App version updates: Periodically check the App Store for new versions of apps, then send an install app command to the device to update the app. This check also applies to Custom Apps. Device-assigned apps installed and managed through MDM must be updated by MDM; no app update notifications are shown to users in the App Store.
Allow Tap to Pay (iOS): In iOS 16.4 or later, a payment app running in the foreground can be marked to be used securely during a Tap to Pay transaction. When set, it requires a user to unlock their device with Face ID, Touch ID, or a passcode after every transaction during which the device was handed over to a customer to enter their card PIN.
Use Managed Open In restrictions (iOS and iPadOS): You can choose from three functions to protect your organization’s app data:
Allow documents from unmanaged sources in managed destinations. Enforcing this restriction helps prevent a user’s personal sources and accounts from opening documents in your organization’s managed destinations. For example, this restriction could prevent the user from opening a PDF from a random website in your organization’s PDF app.
Allow documents from managed sources in unmanaged destinations. Enforcing this restriction helps prevent an organization’s managed sources and accounts from opening documents in a user’s personal destinations. This restriction could prevent a confidential email attachment in your organization’s managed mail account from being opened in any of the user’s personal apps.
Managed pasteboard. In iOS 15 and iPadOS 15, or later, this restriction helps control the pasting of content between managed and unmanaged destinations. When the above restrictions are enforced, pasting of content is designed to respect the Managed Open In boundary between third-party or first-party apps like Calendar, Files, Mail, and Notes. Apps also can’t request items from the pasteboard when this restriction is used and the content crosses the managed boundary. In iOS 16 and iPadOS 16.1, or later, this includes managed domains.
Mark apps as nonremovable (iOS and iPadOS): In iOS 14 and iPadOS 14, or later, you can mark Managed Apps as nonremovable. Previously, administrators had to completely lock the Home Screen and prevent the deletion of all apps, which constrained the user’s ability to manage their own apps. Users can continue to rearrange their apps, install new apps, and delete other apps they’ve installed. Administrators can mark their mission-critical Managed App as nonremovable. When users try to delete or offload a Managed App, the procedure is prevented and an alert is displayed. Nonremovable Managed Apps ensure that an organization’s users always have the apps they need on their devices.
Prevent Managed Apps from backing up data (macOS): You can help keep Managed Apps from backing up data to the Finder (macOS 10.15 or later) or iTunes (macOS 10.14 or earlier) or iCloud. Disallowing backup helps prevent Managed App data from being recovered if the app is removed using an MDM solution but later reinstalled by the user.
Use app configuration settings: App developers can identify configuration settings that can be set before or after the app is installed as a Managed App. For example, a developer could specify a SkipIntro setting to have the app skip intro screens for the Managed App.
Use app feedback settings that can be read by MDM: App developers can identify app settings that can be read using MDM. For example, a developer could specify a DidFinishSetup key that an MDM solution could query to determine whether the app has been launched and set up.
Download managed documents from Safari: Downloads from Safari are considered managed documents if they originate from a managed domain. For example, if a user downloads a PDF from a managed domain, it requires that the PDF comply with all managed document settings. For more information, see Managed domain examples.
Prevent Managed Apps from storing data in iCloud: Data created by users in unmanaged apps can still be stored in iCloud.
Note: Not all options are available in all MDM solutions. To learn which MDM options are available for your devices, consult your MDM vendor’s documentation.
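As an added example that is not part of Apple's documentation or any MDM vendor's code, the following Python script assembles the MDM artifacts behind several of the controls listed above: the Managed Open In, managed pasteboard and iCloud restriction keys in a com.apple.applicationaccess payload (with an audit that flags keys left at their permissive default), an InstallApplication command carrying ManagementFlags (remove on unenrollment, prevent backup), an app configuration dictionary and the Removable attribute, and the parsing of a ManagedApplicationFeedback response for a DidFinishSetup key. Key names follow Apple's published MDM protocol; the payload identifiers, bundle IDs, App Store ID, SkipIntro value and feedback response are constructed sample data.

```python
"""Added example (not Apple's or any MDM vendor's code): build and audit the
MDM artifacts behind the Managed App controls above. Key names follow Apple's
published MDM protocol; all identifiers and sample data are constructed."""
import plistlib
import uuid

# Bit values of the InstallApplication command's ManagementFlags field.
FLAG_REMOVE_ON_UNENROLL = 1   # app and its data are removed with the MDM profile
FLAG_PREVENT_BACKUP = 4       # app data is excluded from iCloud/Finder backups

# com.apple.applicationaccess keys and the value that enforces each boundary.
# Each key's platform default is the opposite (permissive) value.
HARDENED_RESTRICTIONS = {
    "allowOpenFromUnmanagedToManaged": False,  # personal sources -> managed destinations
    "allowOpenFromManagedToUnmanaged": False,  # managed sources -> personal destinations
    "requireManagedPasteboard": True,          # pasting respects the boundary (iOS 15+)
    "allowManagedAppsCloudSync": False,        # Managed App data stays out of iCloud
}


def _payload(payload_type, identifier, display_name, **extra):
    """Common envelope fields every profile payload dictionary carries."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": display_name,
        **extra,
    }


def build_restrictions_profile(hardened=True):
    """Return a .mobileconfig (XML plist bytes) with the Managed Open In,
    pasteboard and iCloud restrictions set to enforced or permissive values."""
    values = (HARDENED_RESTRICTIONS if hardened
              else {k: not v for k, v in HARDENED_RESTRICTIONS.items()})
    restrictions = _payload("com.apple.applicationaccess",
                            "com.example.restrictions.apps",  # constructed identifier
                            "Managed App data boundary", **values)
    profile = _payload("Configuration", "com.example.restrictions",  # constructed
                       "Managed App restrictions",
                       PayloadContent=[restrictions])
    return plistlib.dumps(profile)


def audit_restrictions(profile_bytes):
    """List the boundary controls a profile leaves at their permissive value.
    A key that is absent means the platform default, which is permissive."""
    data = plistlib.loads(profile_bytes)
    findings = []
    for payload in data.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, secure in HARDENED_RESTRICTIONS.items():
            if payload.get(key, not secure) != secure:
                findings.append(key)
    return findings


def build_install_command(itunes_store_id, configuration, nonremovable=True):
    """InstallApplication command: managed install that is removed on unenrollment,
    excluded from backup, pre-configured, and optionally nonremovable (iOS 14+)."""
    return {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "InstallApplication",
            "iTunesStoreID": itunes_store_id,
            "Options": {"PurchaseMethod": 1},   # app assigned through Apps and Books
            "ManagementFlags": FLAG_REMOVE_ON_UNENROLL | FLAG_PREVENT_BACKUP,
            "Configuration": configuration,     # app reads it from com.apple.configuration.managed
            "Attributes": {"Removable": not nonremovable},
        },
    }


def apps_finished_setup(feedback_response_bytes, setup_key="DidFinishSetup"):
    """Map each bundle ID in a ManagedApplicationFeedback response to whether the
    app reported setup_key as true (apps write it to com.apple.feedback.managed)."""
    data = plistlib.loads(feedback_response_bytes)
    return {
        entry["Identifier"]: bool(entry.get("Feedback", {}).get(setup_key, False))
        for entry in data.get("ManagedApplicationFeedback", [])
    }


# Constructed sample device response to a ManagedApplicationFeedback command.
SAMPLE_FEEDBACK = plistlib.dumps({
    "Status": "Acknowledged",
    "CommandUUID": "00000000-0000-0000-0000-000000000001",
    "ManagedApplicationFeedback": [
        {"Identifier": "com.example.fieldapp", "Feedback": {"DidFinishSetup": True}},
        {"Identifier": "com.example.pdfviewer", "Feedback": {}},
    ],
})

if __name__ == "__main__":
    print("permissive profile findings:",
          audit_restrictions(build_restrictions_profile(hardened=False)))
    print("hardened profile findings:", audit_restrictions(build_restrictions_profile()))
    cmd = build_install_command(123456789, {"SkipIntro": True})  # constructed App Store ID
    print("ManagementFlags:", cmd["Command"]["ManagementFlags"])
    print("setup status:", apps_finished_setup(SAMPLE_FEEDBACK))
```

The audit treats a missing key as the platform default, which is why a restrictions profile that simply omits the Managed Open In keys is reported as permissive rather than passing silently; an MDM vendor's console applies the same payload keys, so the audit can be run over an exported .mobileconfig to confirm the boundary is actually enforced.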
You can also use an MDM solution to distribute managed books, EPUB books, and PDFs that you create.
EPUB books and PDFs distributed by MDM have the same properties as other managed documents—they can be updated with newer versions as needed, shared only with other Managed Apps, or emailed using managed accounts. The MDM solution can also prevent managed books from being backed up. These books are assigned to users; however, they appear only on iPhone and iPad devices assigned to the user with MDM.
Restricting third-party keyboards
iOS and iPadOS support Managed Open In rules that apply to third-party keyboard extensions. These rules prevent unmanaged keyboards from appearing over Managed Apps.