
Distribute Managed Apps to Apple devices
Apps installed using a device management service are called Managed Apps. They often contain sensitive information, and you have more control over them than you have with apps that the user downloads.
Managed Apps can be installed remotely using your device management service, including app-specific configurations and secrets that customize the user experience of an app.
Install Managed Apps
A device management service can install apps using the following methods:
Declarative app management (iOS 17.2, iPadOS 17.2, macOS 26, visionOS 2.4, or later)
The InstallApplication command
If declarative app management is used for an app, it takes precedence and causes a command for the same app to fail. To allow for an easy transition, apps installed using the InstallApplication command can be converted to become managed using declarative app management.
Important: Prior to initiating the installation of an app purchased through the Apps and Books section in Apple School Manager or Apple Business Manager, the device management service needs to assign a device-based or user-based license.
Declarative app management allows devices to autonomously install apps, and provides detailed insights using status reports. Using activation predicates you can also define rules for when to install an app. For example, the device only installs an app which requires a secure connection when the corresponding network relay configuration is applied and a passcode has been set on the device.
Using declarative app management, an app can either be defined as required or optional. Required apps are installed automatically and remain installed on a device. An optional app will be installed on-demand when requested by the user. Device management service developers can use the ManagedAppDistribution framework to create their own app to handle those optional app installs.
On supervised devices, apps are installed silently. Otherwise the user is prompted to approve the installation.
Apps installed on iPhone, iPad, Apple TV, and Apple Vision Pro devices are always managed. On a Mac, apps installed using declarative app management are also managed, otherwise the device management service can define the management state on a per app basis.
Install a specific app version
Usually the latest version of an app available in the App Store is installed. With declarative app management, you can alternatively define a specific version of the app to be installed. Previous versions of an app are retained by the App Store unless the developer decided to remove them.
To specify the version in the configuration, the ExternalVersionIdentifier of an app needs to be used.
When taking over management of an app, the locally installed version is automatically updated to the version specified in the configuration. If the locally installed version is newer than the one specified, an error is returned to the device management service.
ManagedAppDistribution framework
After an app license has been assigned to the device or the user and the corresponding declarative app configuration has been applied, a unified interface can be used to initiate the installation of an app using the ManagedAppDistribution framework. This framework can be implemented by device management services and allows the installation to occur on the device without additional actions from the device management service. It also provides transparent progress and a responsive experience to the user.
Configure Managed Apps
Organizations often need to customize the user experience of an app according to their specific needs or even for a particular group of users.
ManagedApp framework
For devices with iOS 18.4, iPadOS 18.4, visionOS 2.4, or later, you can deploy app-specific configurations and secrets (like passwords, certificates, and identities) in a secure way to Managed Apps that adopt the ManagedApp framework. This allows you to customize the behavior of an app, streamline the user experience, and strengthen security with declarative app management. Examples include:
Preconfigure a Managed App or app extension for a specific device or user.
Use automatically provisioned identities for authentication and signing.
Securely receive API access tokens.
Acquire certificates for custom trust (pinning certificates).
Use hardware-bound keys and Managed Device Attestation for strong device authentication.
For more information, see the ManagedApp framework on the Apple Developer website.
App attributes
On iPhone, iPad, and Apple Vision Pro, you can define additional attributes to be applied to an app:
Prevent Managed Apps from backing up data: Managed App data isn’t backed up to the Finder or to iCloud. Disallowing backups helps prevent someone from recovering Managed App data if a device management service removes the app, and then a user reinstalls it later.
Define a Network Relay or per-app VPN: Assign the app to a Network Relay or per-app VPN configuration which tunnels the traffic from the app.
Allow an app to be hidden or locked: On iPhone and iPad devices with iOS 18 and iPadOS 18 or later, users can optionally hide and even lock an app. For Managed Apps, you can restrict those functions. Preventing the user from locking an app also prevents the user from hiding it.
Associated domains and direct downloads: Configure associated domains for an app and define if the device can use direct downloads for associated domains.
Assign a content filter or DNS proxy: Assign a specific content filter or DNS proxy configuration to the app.
Assign the app to a cellular slice (iPhone and iPad only): Configure the app to use a specific cellular network slice. For more information, see Apple device support for 5G Network Slicing.
Allow Tap to Pay (iPhone only): For devices with iOS 16.4 or later, a payment app running in the foreground can be marked to be used securely during a Tap to Pay transaction. When set, it requires a user to unlock their device with Face ID, Touch ID, or a passcode after every transaction during which the device was handed over to a customer to enter their card PIN.
Allow downloads over cellular (iPhone and iPad only, declarative app management only): Indicates how the device uses a cellular network when it downloads or updates the app. You can allow downloads of any size, prevent cellular network from being used, or follow the settings of the App Store. This setting doesn’t apply to user-initiated actions.
For apps installed using the InstallApplication command on iOS 14, iPadOS 14, and tvOS 14, or later, an additional setting is available.
Mark apps as nonremovable: You can mark a Managed App as nonremovable. This allows users to rearrange their apps, install new apps, and delete other apps, but prevents your mission-critical Managed Apps from being removed. When users try to delete or offload a Managed App, the procedure is prevented and an alert is displayed. Nonremovable Managed Apps ensure that an organization’s users always have the apps they need on their devices.
Declarative app management automatically marks required apps as nonremovable.
Convert unmanaged apps to Managed Apps
If the user has installed an app already, the device management service can take over management of that app. On supervised devices this happens without user interaction, otherwise the user needs to formally accept management. App conversion isn’t available for account-driven enrollments.
Update Managed Apps
A device management service can control how a Managed App updates.
Update apps with declarative app management
Apps deployed using declarative app management can be updated in two ways:
Using automatic app updates
Install a new configuration specifying either no or a newer app version. If no version is specified, the latest version available is installed.
The update behavior setting can be used to define how apps update:
Automatically: The device periodically (typically every 24 hours) checks the App Store or the manifest file for new versions and automatically updates the app to the latest version.
Never: The device never automatically updates the app.
App Store settings: The device uses the settings of the corresponding store and also never automatically updates proprietary in-house apps.
On iPhone, iPad, and Apple Vision Pro, the app updates when the device is locked. On macOS the user is prompted to quit the app if needed.
Note: If a specific app version is specified in the configuration, the device ignores the update behavior configuration and disables automatic app updates.
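A pre-deployment check for three rules stated on this page (a command for an app under declarative management fails, a pinned version disables automatic updates, and takeover returns an error when the installed version is newer than the pin), added here as an example and not Apple's code. The AppPlan fields and finding names are hypothetical, the bundle IDs are constructed, and versions are modelled as integers where a larger value means newer.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AppPlan:
    # Hypothetical inventory record for this example; these field names are
    # not keys from Apple's declaration schema.
    bundle_id: str
    declarative: bool = False                # managed by declarative app management
    command_install: bool = False            # also targeted by InstallApplication
    pinned_version: Optional[int] = None     # assumed: larger integer means newer
    update_behavior: str = "Automatically"   # "Automatically", "Never", "App Store settings"
    installed_version: Optional[int] = None  # version already on the device, if any


def review(plan: AppPlan) -> list:
    """Return findings for one app, using only the rules stated on this page."""
    findings = []
    if not plan.declarative:
        return findings
    if plan.command_install:
        # Declarative management takes precedence; the command fails.
        findings.append("command-will-fail")
    if plan.pinned_version is not None:
        if plan.update_behavior == "Automatically":
            # A pinned version disables automatic updates, so fixes shipped
            # in later versions arrive only with a new configuration.
            findings.append("auto-update-ignored")
        if (plan.installed_version is not None
                and plan.installed_version > plan.pinned_version):
            # Takeover of a newer local install returns an error.
            findings.append("takeover-error")
    return findings


def review_fleet(plans):
    """Map bundle ID to findings, omitting apps with nothing to report."""
    return {p.bundle_id: f for p in plans if (f := review(p))}


# Constructed sample data.
SAMPLE = [
    AppPlan("com.example.mail", declarative=True),
    AppPlan("com.example.vpn", declarative=True, command_install=True),
    AppPlan("com.example.pos", declarative=True, pinned_version=100,
            installed_version=120),
    AppPlan("com.example.notes", command_install=True),
]

if __name__ == "__main__":
    for bundle_id, findings in review_fleet(SAMPLE).items():
        print(bundle_id, findings)
```

Apps flagged auto-update-ignored are the ones to track for manual version bumps, since the device will not pick up newer releases on its own.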
Update apps using the app install command
If the app is installed using a command, the device management service periodically checks the App Store or manifest file for new versions and then sends an install app command to the device to update the app. This check also applies to Custom Apps. Device-assigned apps update only when the device management service sends an app install command; app update notifications don’t appear to users in the App Store.
If the device is supervised, the update is applied silently unless the app is running in the foreground, in which case the user is prompted about the update. On unsupervised devices, the user is asked to approve or cancel the update.
Remove Managed Apps
Managed Apps can be removed from a device:
Remotely by the device management service by removing the app configuration or sending a remove application command.
When a user unenrolls a device from a device management service.
Unenrollment also removes applied app configurations and their associated apps.
If the app was installed using the app installation command, an attribute can be set which defines whether the app gets removed upon unenrollment.
Managed Apps are always removed when unenrolling from an account-driven enrollment.
On an iPhone, iPad, and Apple Vision Pro, removing an app also removes its associated data in its data container.
Revoke an app license
A device management service can revoke the license of an app assigned to a device or a user.
Revoke the license of an app installed using declarative app management
If a device management service revokes an app license of an app installed using declarative app management, the app gets removed.
Revoke the license of an app installed using the app install command
If a device management service revokes an app license, but doesn’t remove it, the app remains usable until the app runs a receipt check.
After an app is disabled, it can no longer be launched and the user is notified, but the app remains on the device and its data is preserved. After the user has purchased a copy, the app can be used again.