Restrict App Store to MDM installed apps and software updates


Can someone please explain exactly what this feature does within the Configuration Profile? At first glance it makes me believe that you can still browse through the App Store you just can't make purchases unless they are VPP updates and/or macOS updates. Am I misunderstanding what this restriction actually does?



New Contributor III

I've been hunting for an answer to this as well with no luck :(. I have it set restrict to mdm installed apps and software updates but, I am not able to open the app store on a machine at all. It's kind of frustrating since I would like to run it as I do with iOS allowing a user to browse the app store so they can find an app and easily send me a screenshot or accurate name in their request but not allow them to install anything unless they do so through Self Service.
Is this possible?

New Contributor

I've think I've come across the answer to this.

The Payload key for "Restrict App Store to MDM installed apps and software updates" is "restrict-store-mdm-install-softwareupdate-only" according to

According to Apple's Developer docs ( there is a similar key "restrict-store-softwareupdate-only" which states the restriction prevents App Store for running. The documentation is probably not updated however it appears new key is the latest version of the old key.