iOS - App Store Disabled, but students still able to install Apps / Remotely remove Apps

Hey @jacinferreira ,

We have been having problems with this as well. Specifically, students are "gaming" the Self Service Portal to get it stuck open or open long enough to grab Apps from the legitimate App Store. We also have kids installing things like HiPStore and vShare which allow them access to illegitimate App Stores that have nothing to do with Apple.

Unfortunately, there is no way to remove these Apps remotely, as they are not "managed" by Casper. The only way to remove the Apps is to delete them from the device by "touching the glass," which is Apple's sexified term for doing it by hand.

The idea I found on this forum was to place all "approved" Apps in the App Catalog in some way, whether or not you make them available through scoping. This allows you to have a list of Apps that are considered to be "okay" to have. For instance, iTunes U and Find My Friends, along with some other benign Apps that we aren't actually providing in Self Service, were added to our App Catalog so they aren't flagged by what we do next.

Next up, we create a smart group where we match on the search option "Apps Not In the App Catalog Are Installed" and have that set to "True". We also constrain it down so that only student iPads are matched.

To this smart group, we scope a separate, very heavy restrictions profile (mobile devices > configuration profiles > new > restrictions). Basically the only thing we have checked is the ability to remove Apps, since we want the end user to have a way out of their predicament. The real kicker here is going to "Media Content" and setting Apps to "Don't Allow Apps", and also disabling Safari under "Applications". As you might imagine, an iPad isn't much fun without a browser or Apps. The users can still remove the Apps under Settings > General > Usage / iCloud Storage and Usage > Manage. After their device checks in again, they get the heavy restrictions profile removed since they fall out of the smart group.

Is this a perfect execution? No. Does it interrupt instructional capacity? Absolutely. But with 15% of our kids doing this, we decided to implement a technical solution on top of the discipline they get at the social level, and this is the best I've found so far.

Kudos to the posters here for providing this idea and the information on how to execute it: https://jamfnation.jamfsoftware.com/discussion.html?id=17101

Are your devices on iOS 9? I don't think the app store appears and disappears with managed app installations in 9 like it did with 8.

@jbourdon it looks like the offending iPads are mostly on iOS 9.0.2 / iOS 9.1, but I'll have to spend more time investigating this afternoon.

@cpdecker thanks for all this information! This is interesting.. I'm going to have to play with this.. so basically if I understand this correctly, if there is an app outside of the "allowed" apps in the smart profile then you are heavily restricting the iPad where it is nearly unusable? Then the student must notify the teacher and apps can be removed. Right?

The app store appearing/disappearing loophole happens in iTunes account based distribution. It shouldn't happen under device-based scoping, which is what we plan to do next year.

We're currently using a similar smart group that detects non-app catalog apps, but the weakness seems to be that the inventory only runs once a day, so there's a window where students can install inappropriate apps, then delete them after an hour or two, before the next inventory cycle catches them.

@jacinferreira , yep, the point is to either annoy the user so they quit doing it or make it obvious to their teacher that they have done something they shouldn't have, maybe even purposefully interrupt their classroom instruction time so that it becomes obvious, rather than asking teachers to search every iPad every day. We let the teachers know what was up before rolling this out slowly--it's still a work in progress.

An example that might clarify what I said eariler: if you didn't want to distribute the Calculator App above, but you didn't want people to be flagged as having "bad" apps if they had it since its really pretty benign, you could add it to your App Catalog and just leave the scope set to no one. To test if this works or not, you can add an App to the App Catalog and then see if it still shows up under "Other Apps" in that section you provided a screenshot of.

@Emmert is correct--this isn't foolproof and one of the weaknesses is that the iPad only checks in once per day. I am running manual inventory updates for that offending smart group in some cases just to let people "out of jail early" so to speak, once the user has been talked to. Also who is to say I won't log in from home when I'm feeling bored and send inventory updates to random groups or send them out during the work day! So maybe the students don't know when the check-ins will really occur, and will be extra paranoid.

Another reason we are employing this method is because it seems to be effective against vShare and HiPStore type Apps that don't even come from the App Store.

My biggest gripe about the students getting Apps they shouldn't have is the number of commands being generated to the Casper server while they attempt to break the App Store open (I've seen as many as 5700 on a single iPad--busy kid!), and also the bandwidth being consumed by hundreds of students downloading a 2 gigabyte game on our network.

If the iPads are on iOS9 or higher and the JSS is version 9.8 or higher, you should be able to set the restrictions profile to not have the app store pop open for app installations no matter what distribution model is being used.

Pre iOS9 or JSS 9.8 this is not an option as it was not in the Apple MDM spec at that time to allow app installations without opening the app store.

There is a little bit of a trick to setting the restrictions profile correctly though in the 9.8 JSS or higher the app store closed restriction is a three deep set of nested options. If you uncheck just the top level and leave the lower levels checked it does not properly prevent the app store from opening when an app is installed via self service. If you uncheck all the boxes from the deepest nested option up to the top, then the app store will not open when installing apps via self service on iOS 9 or higher.

Thanks.. I'll start poking around tonight.

I did get some feedback from the teacher.. he is unable to uninstall any of the unauthorized apps.. since the profile restricts app deletion. It looks like I'll have to adjust that also.

@Jookyseacap Thanks.. Can you expand on how and where to set the restrictions profile you are referring to? We are running 9.8.1 JSS but I can't find this option so far.

Thanks!

Sure, here's what you should see when you have the restriction profile to set to allow every iOS to be able to install apps. You uncheck the bottom option first, up to unchecking the top option last to ensure that the app store will stay closed when installing apps via self service on iOS9. There appears to be an issue if you just uncheck the top option, where the bottom two stay checked(though you can't see that at that time as the nested options disappear once the top option is unchecked), where the app store closes, but will reopen when installing apps via self service on iOS9.

Thanks Jookyseacap, this is great! It looks like I'll be updating all of our problem iPads to iOS 9.