Block default iOS apps via Citrix XenMobile

As of iOS 9.0 Apple allows you to disable their native apps on your devices. From an administrator's perspective this means that you can disable any native or non-native application that is downloaded from the App Store.

To disable those apps on a device you need to connect this device via Apple Configurator or Apple DEP and block those apps via a profile. If you are managing your devices via a Mobile Device Management solution, this is the place where you want to disable or allow applications.

In this blogpost I'll show you what needs to be done to block native iOS applications on either iPhone or iPad devices via Citrix XenMobile.

Supervised Mode (Required!!)

To block applications Apple requires you to put the device into a supervised mode, either via Apple DEP or Apple Configurator.

To supervise a device via Apple DEP you can check this blogpost:

To supervise a device via Apple Configurator you can check this blogpost:

Apple Configurator

We need to start with defining which apps we want to block, or which apps we only want to allow on an iOS device. Therefore we need to create a restrictions profile via the Apple Configurator software (only available for macOS). Within the Apple Configurator we need to create a new profile.

Select the New Profile option to create a new profile.

Apple Configurator - XenMobile - Create Profile

Specify the profile name and provide the details for this profile.

Apple Configurator - XenMobile - New Profile Details

Now click the restrictions page and select the “Apps” tab.

Notice that we have two options here: we can block all native apps and specify which apps we don't want to block, or we can specify which apps we want to block.

Apple Configurator - XenMobile - Restrict Apps

So if we want to only disable a couple of native apps we pick the “Do not allow some apps” option.

In this example we hide the native Mail, Camera and Safari apps.

Apple Configurator - XenMobile - Block Some Native Apps

Or if we want to disable all native apps and only allow some of them we pick the “Only allow some apps” option.

In this example we allow only the native Safari, Photos and Phone apps.

Apple Configurator - XenMobile - Allow Some Native Apps

Now that we have specified which applications we want to have available for our users via either of the two options above, we can save the profile.

Apple Configurator - XenMobile - Save Profile
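A check you can run on the saved profile before importing it, as an added example that is not part of the original post. It assumes the export is an unsigned property list whose Restrictions payload (`com.apple.applicationaccess`) carries the app lists in `blacklistedAppBundleIDs` / `whitelistedAppBundleIDs`; `build_profile`, `audit_app_restrictions` and the sample values are constructed for illustration.

```python
import plistlib

APP_LIST_KEYS = ("blacklistedAppBundleIDs", "whitelistedAppBundleIDs")

def build_profile(restrictions):
    """Hypothetical helper: wrap restriction keys in a minimal unsigned profile."""
    common = {"PayloadVersion": 1, "PayloadIdentifier": "example.constructed"}
    payload = dict(common, PayloadType="com.apple.applicationaccess",
                   PayloadUUID="00000000-0000-0000-0000-000000000002", **restrictions)
    return plistlib.dumps(dict(common, PayloadType="Configuration",
                               PayloadUUID="00000000-0000-0000-0000-000000000001",
                               PayloadContent=[payload]))

# Constructed sample mirroring the "Do not allow some apps" example above.
SAMPLE = build_profile({
    "allowCamera": True,
    "blacklistedAppBundleIDs": ["com.apple.mobilemail", "com.apple.camera",
                                "com.apple.mobilesafari"],
})

def audit_app_restrictions(profile_bytes):
    """Report which app list a profile enforces and which other restrictions it sets."""
    profile = plistlib.loads(profile_bytes)
    report = {"mode": "none", "blocked": [], "allowed": [], "other": {}, "warnings": []}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # not a Restrictions payload
        report["blocked"] += payload.get(APP_LIST_KEYS[0], [])
        report["allowed"] += payload.get(APP_LIST_KEYS[1], [])
        for key, value in payload.items():
            # Every other key is a restriction the MDM server's own restrictions
            # policy may also set, so list it for side-by-side comparison.
            if not key.startswith("Payload") and key not in APP_LIST_KEYS:
                report["other"][key] = value
    if report["blocked"] and report["allowed"]:
        report["mode"] = "conflict"
        report["warnings"].append("both a block list and an allow list are set")
    elif report["allowed"]:
        report["mode"] = "allow-only"
    elif report["blocked"]:
        report["mode"] = "block-some"
    else:
        report["warnings"].append("no app list found in any Restrictions payload")
    return report

if __name__ == "__main__":
    print(audit_app_restrictions(SAMPLE))
```

To audit a real export, pass the bytes of the saved `.mobileconfig` file to `audit_app_restrictions`; a signed profile has to be unwrapped first, because `plistlib` cannot read the signature envelope.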

XenMobile Server

Now that we have created the profile where we have defined which applications we want to have available on the endpoints, it's time to add this profile to XenMobile.

This can be done by creating a Device Policy “Import iOS & Mac OS X Profile”.

XenMobile - New Policy - New iOS Profile

Since we only want to manage iOS and not macOS we uncheck the Mac OS X checkbox and specify the name of the policy.

XenMobile - iOS Profile Policy Details

Now we click next and in the next screen we have to specify the profile template which we saved earlier via the Apple Configurator.

XenMobile - iOS Profile Template

After we click next we can assign this policy to some specific delivery groups or to all users.

XenMobile - iOS Profile Policy Assignment

Deploy a device

Now that we have created the device policy it is time to enroll a device. By default my iPad springboard looks like this:

iPad - XenMobile - Default Apps

After the device policy is pushed down to the device the springboard only shows the apps I do want to have available:

iPad - XenMobile - Block Apps


So why would you want to block the default iOS apps? There are several reasons, for example when you want to limit the application set for your users and only offer the applications they need to do their daily job.

Another important use case is when you offer MAM to your users and you want to require them to make use of the Secure Mail and Secure Web client. By default those users are still able to work with the native Mail and Safari app. Via this solution you require them to use the MAM apps.

Other restrictions

In this topic we focus on how to block applications on an iOS device. This blogpost can also be used to manage other supervised / non-supervised options that are available via the Apple Configurator and that are not already available via the built-in Citrix XenMobile MDM policies.

Apple Configurator - XenMobile - Manage Restrictions


In this blogpost I have shown you how to disable the native or future apps that are available on an iOS device. Unfortunately the device needs to be in supervised mode first before you can block the applications.

Special thanks to my co-worker Jan-Paul for sharing his experiences on this topic!

2 thoughts on “Block default iOS apps via Citrix XenMobile”

  1. Pim, Dec 9, 2016 10:23 am

    Just a question, what will happen with the Xen restrictions?
    For example, I have the camera on _OFF_ within the Xen restrictions.
    Now I am going to make a new profile with blocked native apps through Apple Configurator 2.
    Do I need to change every option to the same options as my Xen restrictions?

  2. Ryan Deschaine, May 27, 2018 8:18 pm

    Great information, my question is this.

    How do we set up the ability to disallow users from removing Secure Web and to disallow the uninstallation of the Secure Web Application?
