Distribute Managed Apps to Apple devices
Depending on your organization, you may need to control how apps that you distribute to your users connect to internal resources, and how you handle data security when a user leaves the organization. You can distribute free, paid, and Custom Apps wirelessly using your device management service, and manage the flow of data, providing the right balance between organizational security and user personalization.
Managed Apps
Apps that install using a device management service are called Managed Apps. They often contain sensitive information, and you have more control over them than you have with apps that the user downloads.
Managed Apps can be removed from a device:
Remotely by the device management service.
When a user unenrolls a device from a device management service.
On an iPhone, iPad, and Apple Vision Pro, removing an app also removes its associated data in its data container. If a device management service revokes an app license on an iPhone, iPad, or Apple Vision Pro, but doesn’t remove it, the app remains usable on the device for 30 days. If the app developer implements a receipt check, the app might become disabled earlier. On a Mac, apps remain usable until a receipt check occurs.
After an app is disabled, it can no longer be launched and the user is notified, but the app remains on the device and its data is preserved. After the user has purchased a copy, the app can be used again.
Managed App restrictions and capabilities
Managed Apps can have the following capabilities and restrictions, providing improved security and a better user experience:
Unenrollment from a device management service: Specify whether Managed Apps and their data remain on the device when the user unenrolls from a device management service.
Convert apps: Convert unmanaged apps to Managed Apps.
If the device is supervised, the switch to a Managed App from an unmanaged app happens without user interaction if a device management service requests it. If the device isn’t supervised, the user needs to formally accept management. App conversion isn’t supported with User Enrollment.
App version updates: Periodically check the App Store for new versions of apps, then send an install app command to the device to update the app. This check also applies to Custom Apps. Device-assigned apps that you install and manage through a device management service require updating by that service; app update notifications don’t appear to users in the App Store.
Allow Tap to Pay (iOS): For devices with iOS 16.4 or later, a payment app running in the foreground can be marked to be used securely during a Tap to Pay transaction. When set, it requires a user to unlock their device with Face ID, Touch ID, or a passcode after every transaction during which the device was handed over to a customer to enter their card PIN.
Use Managed Open In restrictions (iOS, iPadOS): You can choose from three functions to protect your organization’s app data:
Allow documents from unmanaged sources in managed destinations. Enforcing this restriction helps prevent a user’s personal sources and accounts from opening documents in your organization’s managed destinations. For example, this restriction could prevent the user from opening a PDF from a random website in your organization’s PDF app.
Allow documents from managed sources in unmanaged destinations. Enforcing this restriction helps prevent an organization’s managed sources and accounts from opening documents in a user’s personal destinations. This restriction could prevent a confidential email attachment in your organization’s managed mail account from being opened in any of the user’s personal apps.
Managed pasteboard. For devices with iOS 15 and iPadOS 15, or later, this restriction helps control the pasting of content between managed and unmanaged destinations. When the above restrictions are enforced, pasting of content is designed to respect the Managed Open In boundary between third-party or first-party apps like Calendar, Files, Mail, and Notes. Apps also can’t request items from the pasteboard when this restriction is used and the content crosses the managed boundary. For devices with iOS 16 and iPadOS 16.1, or later, this includes managed domains.
Mark apps as nonremovable (iOS, iPadOS): For devices with iOS 14 and iPadOS 14, or later, you can mark Managed Apps as nonremovable. Previously, administrators had to completely lock the Home Screen and prevent the deletion of all apps, which constrained the user’s ability to manage their own apps. Users can continue to rearrange their apps, install new apps, and delete other apps they’ve installed. Administrators can mark their mission-critical Managed App as nonremovable. When users try to delete or offload a Managed App, the procedure is prevented and an alert is displayed. Nonremovable Managed Apps ensure that an organization’s users always have the apps they need on their devices.
Prevent Managed Apps from backing up data (macOS): You can help keep Managed Apps from backing up data to the Finder (macOS 10.15 or later), iTunes (macOS 10.14 or earlier), or iCloud. Disallowing backups helps prevent someone from recovering Managed App data if a device management service removes the app, and then a user reinstalls it later.
Use app configuration settings: App developers can identify configuration settings that can be set before or after the app is installed as a Managed App. For example, a developer could specify a SkipIntro setting to have the app skip intro screens for the Managed App.
Use app feedback settings that a device management service can read: App developers can identify app settings that a device management service can read. For example, a developer might specify a
DidFinishSetupkey that a device management service can query to determine whether an app launches and sets up correctly.Download managed documents from Safari: Downloads from Safari are considered managed documents if they originate from a managed domain. For example, if a user downloads a PDF from a managed domain, it requires that the PDF comply with all managed document settings. For more information, see Managed domain examples.
Prevent Managed Apps from storing data in iCloud: Data created by users in unmanaged apps can still be stored in iCloud.
Note: Not all options are available in all device management services. To learn which options are available for your devices, consult your developer’s device management service documentation.
Configuring Managed Apps
Organizations often need to customize the user experience of an app according to their specific needs or even for a particular group of users.
On devices with iOS 18.4, iPadOS 18.4, visionOS 2.4, or later, organizations can deploy app-specific configurations and secrets (like passwords, certificates, and identities) in a secure way to Managed Apps that adopt the ManagedApp framework. This allows organizations to customize the behavior of an app, streamline the user experience, and strengthen security with the com.apple.configuration.app.managed configuration. Examples include:
Preconfigure a Managed App or app extension for a specific device or user.
Use automatically provisioned identities for authentication and signing.
Securely receive API access tokens.
Acquire certificates for custom trust (pinning certificates).
Use hardware-bound keys and Managed Device Attestation for strong device authentication.
For more information, see the ManagedApp framework on the Apple Developer website.
Managed books
You can also use a device management service to distribute managed books, EPUB books, and PDFs that you create.
EPUB books and PDFs that a device management service distributes have the same properties as other managed documents. You can update them with newer versions as needed, share them only with other Managed Apps, or email them using a Managed Apple Account. The device management service can also prevent users from backing up managed books. Although you assign these books to users, they appear only on iPhone and iPad devices that a device management service assigns to those users.
Note: Managed books aren’t supported on Apple Vision Pro.
Restricting third-party keyboards
iOS and iPadOS support Managed Open In rules that apply to third-party keyboard extensions. These rules prevent unmanaged keyboards from appearing over Managed Apps.