As of iOS 9.0 Apple allows you to disable their native apps on your devices. From a administator perspective this means that you can disable any native or non-native application that is download from the App Store.
To disable those apps on a device you need to connect this device via Apple Configurator or Apple DEP to block those apps via a profile. If you are managing your devices via a Mobile Device Management solution this is the place were you want to disable or allow applications.
In this blogpost i’ll show you what needs to be done to block native iOS applications on either iPhone or iPad devices via Citrix XenMobile.
Supervised Mode (Required!!)
To block applications Apple requires you to put the device into a supervised mode, either via Apple DEP or Apple Configurator.
To supervise a device via Apple DEP you can check this blogpost: https://www.antonvanpelt.com/zero-touch-installation-ios-xenmobile/
To supervise a device via Apple Configurator you can check this blogpost: https://www.antonvanpelt.com/lite-touch-installation-ios-through-xenmobile/
Apple Configurator
We need to start with defining which apps we want to block, or which apps we only want to allow on a iOS device. Therefore we need to create a restrictions profile via the Apple Configurator software (only available for macOS). Whitin the Apple Configurator we need to create a new profile.
Select the New Profile option to create a new profile.
Specify the profile name and provide the details for this profile.
Now click the restrictions page and select the “Apps” tab.
Notice that we have two options here, we can block all native apps and specify which apps we don’t want to block. Or we can specify which apps we want to block.
So if we want to only disable a couple of native apps we pick the “Do not allow some apps” option.
In this example we hide the native Mail, Camera and Safari app.
Or if we want to disable all native apps and only allow some of them we pick the “Only allow some apps” option.
In this example we allow only the native Safari, Photos and Phone app.
Now that we have specified what applications we want to have available for our users either via above two options we can save the profile.
XenMobile Server
Now that we have created the profile were we have defined which applications we want to have available on the endpoints it’s time to add this profile to XenMobile
This can be done by creating a Device Policy “Import iOS & Mac OS X Profile”
Since we only want to manage iOS and not macOS we uncheck the Mac OS X checkbox and specify the name of the policy.
Now we click next and in the next screen we have to specify the profile template which we saved earlier via the Apple Configurator.
After we click next we can assign this policy to some specific delivery groups or to all users.
Deploy a device
Now that we have created the device policy it is time to enroll a device. By default my iPad springboard looks like this:
After the device policy is pushed down to the device the springboard only shows the apps I do want to have available:
Usecases
So why would you want to block the default iOS apps? Well there are several reasons like when you want to limit the applicationset for your users and only offer the applications they need to do their daily job.
Another important usecase is when offer MAM to your users and you want to require them to make use of the Secure Mail and Secure Web client. By default those users are still able to work with the native Mail and Safari app. Via this solution you require them to use the MAM apps.
Other restrictions
In this topic we focus on how to block applications on a iOS device. This blogpost can also be used to manage other supervised / non-supervised options that are available via the Apple Configurator and that are not already available via the builtin Citrix XenMobile MDM policies.
Conclusion
In this blogpost i’ll show you how to disable the native or future apps that are available on a iOS device. Unforunately the device needs to be in supervised mode first before you can block the applications.
Special thanks to my co-worker Jan-Paul for sharing his experiences on this topic!
Just a question, what will happen with the Xen restrictions?
For example, i have the camera on _OFF_ within the Xen restrictions.
Now iam going to make a new profile with blocked native apps trough Apple Configurator 2.
Do i need to change every option to the same options as my xen restrictions?
Or
Great Information, my question is this.
How do we setup the ability to disallow users from removing Secure Web and to disallow the uninstallation of the Secure Web Application?