Company-owned iOS devices can be entirely managed via MDM. For that purpose, the devices are set to supervised mode. In the following, we’ll show you how to place system applications (those that don’t come from the iTunes Store) on supervised devices onto a deny list or a allow list.
Aim
On a fully managed device (supervised device), a deny list can be used to block system applications (such as the mail app or the camera app) or any other apps (from the App Store). Whereas, if only genuine (system) applications are to be made available, they can be placed on a allow list. Then only the apps on the allow list will appear on the device – all other apps will be hidden. In this How-To you will learn how to create block or permission lists with the help of a policy and assign them to your users.
Note! Use kiosk mode if you only want users to have access to a single app.
Implementation
- Select Administration→ Policies in the Administration Portal.
- Click on the plus button to create a new Policy (arrow in illus.).
- Then select iOS/iPadOS.
- Keep the supervised devices enrollment method (arrow in the illus.).
- Under Restrict app usage you can choose between:
- Allow all apps
- Do not allow some apps (deny list)
- Only allow some apps (allow list).
- Select one of these options (example in illus., upper arrow).
- Use the search button (lower arrow) to add apps that are located in the Apple App Store onto the list (example in illus.).
- Enter the name of the app in the search field (arrow in illus.) and then click on the magnifying glass.
- In the example, the system apps Camera and Safari are allowed in addition to the Pages app (arrow in the illustration).
- Enter the bundle IDs of the (system) app/s. A list of the system apps can be found here.
- Now assign the policy to the users, groups or devices.
Note! The settings app and the phone app are always displayed and cannot be hidden with a deny list or a allow list.
- If you create a allow list for multiple apps, only those apps will be displayed on the device (example in illus.).
- Conversely, if you create a deny list with one or more apps, those apps will no longer be available to the user.
- In the example, the Photos, Music and FaceTime apps have been placed on the deny list (see the illus. on the right).
You can see a list of the bundle IDs of all system apps that are able to be deny list or allow list here:
| App Store | com.apple.AppStore |
| Calculator | com.apple.calculator |
| Calendar | com.apple.mobilecal |
| Camera | com.apple.camera |
| Clock | com.apple.mobiletimer |
| Contacts | com.apple.MobileAddressBook |
| FaceTime | com.apple.facetime |
| Files | com.apple.DocumentsApp |
| FindFriends | com.apple.mobileme.fmf1 |
| FindiPhone | com.apple.mobileme.fmip1 |
| com.apple.mobilemail | |
| Maps | com.apple.Maps |
| Music | com.apple.Music |
| News | com.apple.news |
| Notes | com.apple.mobilenotes |
| Photos | com.apple.mobileslideshow |
| Podcasts | com.apple.podcasts |
| Reminders | com.apple.reminders |
| Safari | com.apple.mobilesafari |