Company-owned iOS devices can be entirely managed via MDM. For that purpose, the devices are set to supervised mode. In the following, we’ll show you how to place system applications (those that don’t come from the iTunes Store) on supervised devices on a deny list or an allow list.
On a fully managed (supervised) device, a deny list can be used to block system applications (such as the Mail app or the Camera app) or any other apps (from the App Store). If, on the other hand, only genuine (system) applications are to be made available, they can be placed on an allow list. Then only the apps on the allow list will appear on the device; all other apps will be hidden. In this how-to you will learn how to use a Policy to create a deny list or an allow list and assign it to your users.
Note! Use the kiosk mode if the user is only allowed access to a single app.
- Select Administration → Policies in the Administration Portal.
- Click on the plus button to create a new Policy (arrow in illus.).
- Then select iOS/iPadOS.
- Keep the supervised devices enrollment method (arrow in the illus.).
- Under Restrict app usage you can choose between:
  - Allow all apps
  - Do not allow some apps (deny list)
  - Only allow some apps (allow list)
- Select one of these options (example in illus.).
- Use the search button to add apps from the Apple App Store to the list (example in illus.).
- In the example, the system apps Camera and Safari are allowed in addition to the Pages app (arrow in the illustration).
- Enter the bundle IDs of the (system) app(s). A list of the system apps can be found here.
- Now assign the policy to the users, groups or devices.
Note! The Settings app and the Phone app are always displayed and cannot be hidden with a deny list or an allow list.
- If you create an allow list for multiple apps, only those apps will be displayed on the device (example in illus.).
- Conversely, if you create a deny list with one or more apps, those apps will no longer be available to the user.
- In the example, the Photos, Music and FaceTime apps have been placed on the deny list (see the illus. on the right).
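The following is an added example, not part of the original guide and not the vendor's own code: a Python sketch that checks a list of bundle IDs before it goes into a policy and wraps it in the equivalent Apple Restrictions payload. It assumes Apple's payload type `com.apple.applicationaccess` with the keys `allowListedAppBundleIDs` and `blockedAppBundleIDs`; the bundle IDs come from Apple's published list, and the function names and the `com.example.app-policy` identifier are hypothetical.

```python
import plistlib
import re
import uuid

# Apple Restrictions payload keys; Settings and Phone are always displayed.
KEYS = {"allow": "allowListedAppBundleIDs", "deny": "blockedAppBundleIDs"}
ALWAYS_VISIBLE = {"com.apple.preferences", "com.apple.mobilephone"}
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def check_bundle_ids(mode, bundle_ids):
    """Return (clean_ids, warnings) for bundle IDs typed into a policy."""
    if mode not in KEYS:
        raise ValueError("mode must be 'allow' or 'deny'")
    clean, warnings = [], []
    for raw in bundle_ids:
        bid = raw.strip()
        if not BUNDLE_ID_RE.match(bid):
            warnings.append(f"{raw!r}: not a valid bundle ID, skipped")
        elif bid in clean:
            warnings.append(f"{bid}: duplicate entry, skipped")
        elif mode == "deny" and bid.lower() in ALWAYS_VISIBLE:
            warnings.append(f"{bid}: always displayed, cannot be hidden")
        else:
            clean.append(bid)
    if mode == "allow" and not clean:
        raise ValueError("allow list has no valid entries")
    return clean, warnings

def build_profile(mode, bundle_ids, identifier="com.example.app-policy"):
    # Wrap the checked list in a profile; returns (plist bytes, warnings).
    clean, warnings = check_bundle_ids(mode, bundle_ids)
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()),
        KEYS[mode]: clean,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile), warnings

if __name__ == "__main__":  # constructed input: Photos plus an ineffective Settings entry
    data, notes = build_profile("deny", ["com.apple.mobileslideshow", "com.apple.Preferences"])
    print(data.decode(), *notes, sep="\n")
```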
You can see a list of the bundle IDs of all system apps that can be placed on a deny list or an allow list here: