Prevent login to App Store

imy
New Contributor III

I'm working on moving users away from using the App Store to install apps and instead using Self Service. To make this transition easier, I want users to be able to open and browse the App Store, but not install anything. That way, if the user needs an app, it's simply a matter of the user getting a screenshot of what they need and submitting a ticket with the request, and I will then add it as a Self Service app.

The most straightforward way of doing this seems to be to just prevent users from logging on to the App Store, but I'm not sure how to do this. We are not currently using managed Apple IDs.

A similar question to this has been asked several times, but it looks like no one has presented the solution I am looking for:
https://community.jamf.com/t5/jamf-pro/disabling-app-store-access/td-p/46605
https://community.jamf.com/t5/jamf-pro/config-profile-restrict-app-store-and-restrict-app-store-to-m...
https://community.jamf.com/t5/jamf-pro/restrict-app-store-apps/td-p/219061
https://community.jamf.com/t5/jamf-pro/restrict-app-store-to-mdm-installed-apps-and-software-updates...

I would want this on Macs for now, but if the provided method would work on iPads and iPhones as well that may help me in the future.

@vickih It looks like you were looking for similar behavior. Were you ever able to find a solution?

 

1 ACCEPTED SOLUTION

mainelysteve
Valued Contributor II

No middle ground unfortunately. There are a few considerations but for the most part it's either restricted or it's not.

For Macs your options are:

  1. Enforce a MAID (which doesn't allow e-commerce purchases). They can still browse, but can't buy.
  2. Turn on Require admin password to install or update apps in a restrictions config profile. If they already have local admin privileges then this won't work or you'll get lots of tickets for the username and password to "install my super fun, definitely work appropriate app".
  3. Restrict it fully and use a website like Fnd to search the App Store. Can't browse, but they can at least search.

iPads:

  1. Use a MAID like mentioned above. They can browse but can't buy.

Submit feedback to Apple and bug your state or region's Apple SE and account management team(s). One easy way for them to implement something like this is to create a role in Apple School/Business Manager that allows staff to view (browse) the ASM/ABM App Store. Presently the only role that comes close is Content Manager, but they have a buy permission that can't be revoked.
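An added example, not part of the thread and not Jamf's own code: option 2 above corresponds to the `restrict-store-require-admin-to-install` key in Apple's `com.apple.appstore` profile payload. The sketch below builds an unsigned profile with that key and audits a profile for it; the organisation identifier `com.example.it` and the function names are assumptions, and signed (CMS-wrapped) profiles are not handled.

```python
import plistlib
import uuid

APPSTORE_DOMAIN = "com.apple.appstore"
ADMIN_KEY = "restrict-store-require-admin-to-install"


def build_profile(org_id="com.example.it"):
    """Return unsigned .mobileconfig bytes requiring admin auth for App Store installs.

    org_id is a placeholder reverse-DNS prefix, not a value from the thread.
    """
    payload = {
        "PayloadType": APPSTORE_DOMAIN,
        "PayloadIdentifier": f"{org_id}.appstore",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        ADMIN_KEY: True,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "App Store: admin required to install",
        "PayloadIdentifier": f"{org_id}.appstore.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def requires_admin(profile_bytes):
    """True only if an App Store payload explicitly sets the admin-install key to true."""
    profile = plistlib.loads(profile_bytes)
    return any(
        p.get("PayloadType") == APPSTORE_DOMAIN and p.get(ADMIN_KEY) is True
        for p in profile.get("PayloadContent", [])
    )


if __name__ == "__main__":
    data = build_profile()
    print("admin required to install:", requires_admin(data))
```

As the answer notes, this setting has no effect for accounts that already hold local admin rights, so audit group membership alongside the profile.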


4 REPLIES

imy
New Contributor III

Thanks. This is really helpful. I was totally unaware of https://fnd.io/.
We will likely go with MAID eventually but I'm looking for something quick I can do now, so blocking the app it is.

vantive
New Contributor III

Stupid question... what is MAID? Other than something my spouse wants... Google did not help me on this one.

mainelysteve
Valued Contributor II

There are no stupid questions ;)

MAID is shorthand for Managed Apple ID. It’s not the stranger you pay to run the vacuum for you.