
Distribute Managed Apps to Apple devices
Depending on your organisation, you may need to control how apps that you distribute to your users connect to internal resources, and how you handle data security when a user leaves the organisation. You can distribute free, paid and Custom Apps wirelessly using your device management service, and manage the flow of data, providing the right balance between organisational security and user personalisation.
Managed Apps
Apps that install using a device management service are called Managed Apps. They often contain sensitive information, and you have more control over them than you have with apps that the user downloads.
Managed Apps can be removed from a device:
Remotely by the device management service.
When a user unenrols a device from a device management service.
On an iPhone, iPad and Apple Vision Pro, removing an app also removes its associated data in its data container. If a device management service revokes an app licence on an iPhone, iPad or Apple Vision Pro, but doesn’t remove it, the app remains usable on the device for 30 days. If the app developer implements a receipt check, the app might become disabled earlier. On a Mac, apps remain usable until a receipt check occurs.
After an app is disabled, it can no longer be launched and the user is notified, but the app remains on the device and its data is preserved. After the user has purchased a copy, the app can be used again.
Managed App restrictions and capabilities
Managed Apps can have the following capabilities and restrictions, providing improved security and a better user experience:
Unenrolment from a device management service: Specify whether Managed Apps and their data remain on the device when the user unenrols from a device management service.
Convert apps: Convert unmanaged apps to Managed Apps.
If the device is supervised, the switch to a Managed App from an unmanaged app happens without user interaction if a device management service requests it. If the device isn’t supervised, the user needs to formally accept management. App conversion isn’t supported with User Enrolment.
App version updates: Periodically check the App Store for new versions of apps, then send an install app command to the device to update the app. This check also applies to Custom Apps. Device-assigned apps that you install and manage through a device management service require updating by that service; app update notifications don’t appear to users in the App Store.
Allow Tap to Pay (iOS): For devices with iOS 16.4 or later, a payment app in use in the foreground can be marked to be used securely during a Tap to Pay transaction. When set, it requires a user to unlock their device with Face ID, Touch ID or a passcode after every transaction during which the device was handed over to a customer to enter their card PIN.
Use Managed Open In restrictions (iOS, iPadOS): You can choose from three functions to protect your organisation’s app data:
Allow documents from unmanaged sources in managed destinations. Enforcing this restriction helps prevent a user’s personal sources and accounts from opening documents in your organisation’s managed destinations. For example, this restriction could prevent the user from opening a PDF from a random website in your organisation’s PDF app.
Allow documents from managed sources in unmanaged destinations. Enforcing this restriction helps prevent an organisation’s managed sources and accounts from opening documents in a user’s personal destinations. This restriction could prevent a confidential email attachment in your organisation’s managed mail account from being opened in any of the user’s personal apps.
Managed pasteboard. For devices with iOS 15 and iPadOS 15, or later, this restriction helps control the pasting of content between managed and unmanaged destinations. When the above restrictions are enforced, pasting of content is designed to respect the Managed Open In boundary between third-party or first-party apps like Calendar, Files, Mail and Notes. Apps also can’t request items from the pasteboard when this restriction is used and the content crosses the managed boundary. For devices with iOS 16 and iPadOS 16.1, or later, this includes managed domains.
Mark apps as non-removable (iOS, iPadOS): For devices with iOS 14 and iPadOS 14, or later, you can mark Managed Apps as non-removable. Previously, administrators had to completely lock the Home Screen and prevent the deletion of all apps, which constrained the user’s ability to manage their own apps. Users can continue to rearrange their apps, install new apps and delete other apps they’ve installed. Administrators can mark their mission-critical Managed App as non-removable. When users try to delete or offload a Managed App, the procedure is prevented and an alert is displayed. Non-removable Managed Apps ensure that an organisation’s users always have the apps they need on their devices.
Prevent Managed Apps from backing up data (macOS): You can help keep Managed Apps from backing up data to the Finder (macOS 10.15 or later), iTunes (macOS 10.14 or earlier) or iCloud. Disallowing backups helps prevent someone from recovering Managed App data if a device management service removes the app and then a user reinstalls it later.
Use app configuration settings: App developers can identify configuration settings that can be set before or after the app is installed as a Managed App. For example, a developer could specify a SkipIntro setting to have the app skip intro screens for the Managed App.
Use app feedback settings that a device management service can read: App developers can identify app settings that a device management service can read. For example, a developer might specify a DidFinishSetup key that a device management service can query to determine whether an app launches and sets up correctly.
Download managed documents from Safari: Downloads from Safari are considered managed documents if they originate from a managed domain. For example, if a user downloads a PDF from a managed domain, it requires that the PDF comply with all managed document settings. For more information, see Managed domain examples.
Prevent Managed Apps from storing data in iCloud: Data created by users in unmanaged apps can still be stored in iCloud.
Note: Not all options are available in all device management services. To learn which options are available for your devices, consult your developer’s device management service documentation.
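The following added example (not part of Apple's documentation) audits a configuration profile for the Managed Open In, managed pasteboard and managed iCloud restrictions described above. The key names come from Apple's Restrictions payload (com.apple.applicationaccess) rather than from this page; the sample profiles, identifiers and UUIDs are constructed, and resolving several Restrictions payloads by letting any enforcing value win is a simplification made for this example.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"

# key -> (value in effect when the key is absent, value that enforces the boundary)
BOUNDARY_KEYS = {
    "allowOpenFromUnmanagedToManaged": (True, False),   # unmanaged source -> managed destination
    "allowOpenFromManagedToUnmanaged": (True, False),   # managed source -> unmanaged destination
    "requireManagedPasteboard": (False, True),          # pasteboard follows the Open In boundary
    "allowManagedAppsCloudSync": (True, False),         # Managed Apps storing data in iCloud
}


def effective_settings(profile_bytes):
    """Resolve each boundary key across all Restrictions payloads in one profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS_TYPE]
    settings = {}
    for key, (default, enforced) in BOUNDARY_KEYS.items():
        values = [p[key] for p in payloads if key in p]
        # Example simplification: any payload that enforces the key wins.
        settings[key] = enforced if enforced in values else default
    return settings


def audit(profile_bytes):
    """Return the sorted boundary keys that leave managed data unprotected."""
    settings = effective_settings(profile_bytes)
    return sorted(k for k, (_, enforced) in BOUNDARY_KEYS.items()
                  if settings[k] != enforced)


def make_profile(restrictions):
    """Build a constructed sample profile carrying one Restrictions payload."""
    payload = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.restrictions",
               "PayloadUUID": "00000000-0000-0000-0000-000000000001", **restrictions}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.profile",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000000",
                           "PayloadContent": [payload]})


# Constructed samples: one profile sets a single restriction, the other sets all four.
WEAK = make_profile({"allowOpenFromManagedToUnmanaged": False})
HARDENED = make_profile({k: enforced for k, (_, enforced) in BOUNDARY_KEYS.items()})

if __name__ == "__main__":
    for name, blob in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(blob) or "all boundary restrictions enforced")
```

The weak sample blocks managed-to-unmanaged Open In only, so the audit still reports the other three keys: a key left out of a profile falls back to its permissive default.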
Configuring Managed Apps
Organisations often need to customise the user experience of an app according to their specific needs or even for a particular group of users.
On devices with iOS 18.4, iPadOS 18.4 or visionOS 2.4, or later, organisations can deploy app-specific configurations and secrets (like passwords, certificates and identities) in a secure way to Managed Apps that adopt the ManagedApp framework. This allows organisations to customise the behaviour of an app, streamline the user experience and strengthen security with the com.apple.configuration.app.managed configuration. Examples include:
Preconfigure a Managed App or app extension for a specific device or user.
Use automatically provisioned identities for authentication and signing.
Securely receive API access tokens.
Acquire certificates for custom trust (pinning certificates).
Use hardware-bound keys and Managed Device Attestation for strong device authentication.
For more information, see the ManagedApp framework on the Apple Developer website.
Managed books
You can also use a device management service to distribute managed books, EPUB books and PDFs that you create.
EPUB books and PDFs that a device management service distributes have the same properties as other managed documents. You can update them with newer versions as needed, share them only with other Managed Apps, or email them using a Managed Apple Account. The device management service can also prevent users from backing up managed books. Although you assign these books to users, they appear only on iPhone and iPad devices that a device management service assigns to those users.
Note: Managed books aren’t supported on Apple Vision Pro.
Restricting third-party keyboards
iOS and iPadOS support Managed Open In rules that apply to third-party keyboard extensions. These rules prevent unmanaged keyboards from appearing over Managed Apps.