How does iOS hide blocked apps on Supervised devices?

Question

I need to explain to some colleagues the technical details of what exactly happens on a Supervised iOS device when an app that has been blocked by a Restrictions profile is installed. I know that restricted apps already installed on a device when the Restriction profile is installed are "hidden" from the user, rather than uninstalled from the device, and the user can still search for and install blocked apps on the App Store but they are immediately hidden.

My question is: how does iOS accomplish this? I think it is revoking all permissions to blocked apps from the User profile on the iOS device, and I swear I read those words somewhere at one point, but today I could not find anything online to support or refute my assumption. All the Apple and Jamf docs that I read simply refer to the allow/block list in general terms, and nothing about what happens under the hood--e.g., "Any apps other than Settings or Phone (on iPhone) can be placed on either an approved list or a disapproved one." (https://support.apple.com/guide/deployment/restrictions-for-supervised-devices-dep6b5ae23e9/web)

Does anyone have a reference to how this functions? Thanks!

mm2270 · Accepted Answer

I think @adayne already knows this. They stated in the 2nd sentence that they knew the apps are just hidden and not uninstalled. The question is how does iOS accomplish this. I wish I knew, but I do not myself.

@adayne if you have an Apple rep/Apple SE to contact, I would reach out to them about this. They often have access to resources or can point to documentation that would shed some light on how this works. That's the best I can offer, other than telling your colleagues that it's just "Apple pixie dust magic"

PaulHazelden · Answer

We use a different MDM to manage our IOS devices. In that I run a blacklist of Apps, so that when there is no user signed in on the device all they can do is see the Sign in app and settings. However the sign in app is actually a web clip and it uses Safari to run. Even if Safari is on the blacklist, the webclip still works. So my understanding is the blacklisting removes the entry from the home screen and thus prevents their access to the app that way. And none of the blacklisted apps are actually uninstalled, or really blocked. When our users sign in the apps all appear again straight away, if they were re-installing it would take a long time to put them all back one at a time.

On some devices there will be multiple home screen pages, and the sign in app could be two or three pages over, this remains the case even when everything else is blocked.

Hope this helps

This. It works the same for when parents use Jamf Parent to have some control over their children's iPad whilst at home. A parent can restrict specific apps of their choosing. The only thing that happens on the student's device is that apps get hidden on the home screen. Once they remove the restrictions the apps re-appear.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded