Have your Apps and eat it too

Valued Contributor II

Many of us in education have a requirement to distribute iPads to students with the App Store turned off. Historically this has presented a huge challenge. Do we send kids home to install all the apps and then have someone at school verify what they downloaded and set a restriction to turn the app store off? Do we setup all the iPads with configurator so the apps are preloaded with the App Store off? Do we have students download 50 apps during a class session and then try to lock the app store before they leave class for the day? None of these have proven to be good solutions. The reality is that it's a huge pain to manage iPads if the App Store must be disabled.

Thanks to some changes in 9.5, we’ve come up with what we believe is an effective alternative to these methods. Casper 9.5 contains Mobile Smart Group criteria called “Apps Not In the App Catalog Are Installed.” Setting this to True will find iPads that have installed apps outside of your Mobile Device App Catalog. Add in some extra criteria to identify student usernames, certain grades, etc and now we’re getting somewhere.

So now that we’ve identified a bunch of iPads that have installed unapproved apps what do we do? First, make sure that your iPads are submitting full inventory submission 1 once per day. Next we create a configuration profile with a restrictions payload. We will go to Media Content and set Apps to “Don’t Allow Apps.” We will also go to Applications and uncheck “Allow use of Safari.” All that’s left is to scope this restriction profile to the Smart Group we just created.

Great, so how does this work you ask? A student installs an app from the App Store. This still works as expected. They think nothing of this until their iPad submits inventory the next time. At that time the JSS sees they have an app installed outside of your approved list and applies this new restrictions config profile we just created. Immediately every app on the iPad becomes hidden and inaccessible. Safari is also removed. The student now has no option but to reset their iPad to defaults so they can have a usable device again.

So what if they just download an app, use it for a while, and delete it you ask? For this reason, our student iPads all have app deletion disabled as part of a restrictions profile that is applied to every student device. So, yes, they will be able to download and use an unapproved app for a short amount of time. However, they will not be able to remove that app and their iPad will become locked down in the near future.

For us this provides a way to leave the app store turned on. Students can go home and download apps, keeping the traffic off our network. Apps can still be updated. They can download any apps in Self Service and they can even download apps from the App Store as long as they are apps that are in our Mobile Device app catalog. However, if they download an unapproved app they will be forced to reset their iPad. We don't think it will take too many kids getting their iPads bricked before they realize it's not worth it.

Hope this helps someone out…


New Contributor III

I'm absolutely horrible at the search string stuff. Could you share what the search setup looks like? I would like to know the apps not in the app catalog is true (which I did figure out). But then I'd like to know who it is, what grade and what the apps are. Could you either share that here or just send me a message please?
Also, when you refer to the "app catalog" are you referring to what is available in the self-service app? If that is the case, how do you handle purchased apps for specific people in self-service?

Valued Contributor II

The who it is and what grade they are in depends on your setup. We put some information into the "title" attribute in AD which is then populated into "position" in the JSS.

Yes, app catalog and self service are somewhat synonymous here. This rule only cares whether or not the app has been added to your app catalog. It doesn't care if the app is scoped to the user or not.

Here is what one of our smart groups looks like.

external image link

Contributor III

Does the smart group setting "Apps Not In the App Catalog Are Installed" work for you? We were testing something similar to yours however students that only have apps from the app catalog installed are still showing up in that smart group. Do the apps have to be managed?

New Contributor


We use an incredibly similar procedure as the one outlined by the OP. We have noticed that the only problem with this workflow is that the JSS was capturing certain students who only showed they had the approved apps on their device. The JSS seemed to detect additional apps (can be found under the apps tab on the mobile device management) that weren't actually showing up. This was because some of our students had (for lack of a better term) illegitimately downloaded apps from a source other than the app store. Even after removing the app sometimes the data remains in tact. This app data seems to be stored somewhere different than the typical /Applications folder for iOS. The JSS still detects it and locks the iPad into the smart group. The only fix we've found is to set an exception for that app to that iPad (this is where the parentheses come in handy in the smart group) or to simply reset the iPad.

Hope that helps.