7

We are looking to deploy iPads from inside our organization. We want to be able to install apps for users, which can be done via Mobile Device Management. However, we do not want users to be able to purchase apps, as these apps can be purchased with their internal purchasing account. Apps purchased that way should not be allowed to leave the organization, but a user could purchase an app on their personal Apple account, allowing them to use it on their other devices, even though they purchased it with their organizational purchasing account.

I cannot find a way to disallow purchasing of apps on an iOS device, either through local restrictions or through Mobile Device Management. All I can seem to do is:

  • Restrict installing of ALL apps (unacceptable, because then we cannot push apps to devices)
  • Setting up an organizational iCloud account on all the devices, and restricting changing account settings locally (unacceptable, because the password needs to be entered to accept MDM-pushed app installs)

Is there a way to block only app purchases? Is there an MDM suite that provides this functionality?

Jonah H.
  • `Is there an MDM suite....` - yes, pretty much all of them. This site is not for product recommendations. Please see FAQ. – symcbean Feb 19 '13 at 09:45
  • There may be MDM suites, but looking into it myself, none seem to offer the kind of restrictions Crazydog is looking for. Honestly, doesn't look like it's supported by iOS – Insomnia Feb 26 '13 at 20:59

4 Answers

1

The way to do this is to generate a number of AppleIDs with no credit card associated, to which the end-users do not have access, and use an MDM (and possibly Configurator) to push the profiles to the devices. As long as the end-user doesn't know the password to the AppleID they won't be able to access the App store at all and apps authorized to that ID won't run elsewhere.

THEN you need to prevent the user from modifying/deleting that profile; that's actually the tricky part. Apple's iOS MDM framework supports password locks etc. on profiles, but not all MDMs make it obvious (or possible). You can do this with supervised Configurator but then you have to be hands-on with every device.

Here's a somewhat outdated list of MDM providers. This might be a good place to start.

Here's a link on generating AppleIDs in bulk:

http://www.enterpriseios.com/wiki/Batch_Apple_ID_Creator

If you're running a BYOD configuration (as opposed to you providing the devices) I think it's quite a bit more difficult, but not impossible (some MDMs support policy agents on the device).

Here's a link to parameters available in a profile (Apple Developer registration required). This should give an idea of what's possible: https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

I don't have an Apple Developer Enterprise account so I don't have access to the full MDM API documentation.

quadruplebucky
  • I might add that this is a technical solution to what is really a behavioral problem. If I am given a computer (or anything) by my employer and am told that is to be USED ONLY FOR BUSINESS (which any company worth its salt does) I will comply if I expect to keep my job, period. – quadruplebucky Feb 20 '14 at 01:31
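The profile password lock mentioned in the answer above can be checked before a profile is pushed. The following is an added example, not code from the answer or from any MDM product: it builds a profile with a removal passcode and audits a profile's removal protection. The key names are those of Apple's Configuration Profile Reference; the `com.example` identifiers and function names are constructed for illustration.

```python
import plistlib
import uuid


def _payload(ptype, name, **keys):
    """Common payload keys; identifiers are constructed placeholders."""
    return {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.ipad.{name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        **keys,
    }


def build_locked_profile(removal_password: str) -> bytes:
    """Profile whose removal requires a passcode the end-user does not know."""
    lock = _payload("com.apple.profileRemovalPassword", "removal-lock",
                    RemovalPassword=removal_password)
    profile = _payload("Configuration", "base",
                       PayloadContent=[lock], HasRemovalPasscode=True)
    return plistlib.dumps(profile)


def removal_protection(profile_bytes: bytes) -> str:
    """Return 'disallowed', 'passcode' or 'none' for a .mobileconfig body."""
    profile = plistlib.loads(profile_bytes)
    # PayloadRemovalDisallowed is honoured on supervised devices only.
    if profile.get("PayloadRemovalDisallowed"):
        return "disallowed"
    for item in profile.get("PayloadContent", []):
        if (item.get("PayloadType") == "com.apple.profileRemovalPassword"
                and item.get("RemovalPassword")):
            return "passcode"
    return "none"


if __name__ == "__main__":
    sample = build_locked_profile("constructed-sample-passcode")
    print(removal_protection(sample))
```

The removal password is stored in the profile in clear text, so the generated `.mobileconfig` has to be handled as a secret and delivered over the MDM channel rather than by e-mail or a shared drive.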
0

Currently there is no interface in iOS to block it the way you'd like.

meilon
0

Apple puts the end-user first. End user experience is more important to them than control for admins. As it is, if you use MDM with iOS, the end-user can always decide that they don't need any Device Management and remove your profiles and install anything they want.

I think this statement is wrong and is the only way to go:

> Restrict installing of ALL apps (unacceptable, because then we cannot push apps to devices)

Use the "Enterprise appstore" some of the MDM solutions have.

That is, if you really want to make a restriction. Because that does not make much sense anyway, since users can do whatever they want anyway.

The only way it will really work with iOS devices is through policies. Policies that are not based in software. You can 'police' this by setting up triggers in your MDM service (if your MDM service supports that): set a trigger on apps that aren't allowed that will take an action on the device that is not compliant. E.g. send a warning, then if necessary delete its corporate e-mail, wifi and other settings that are required to use it for the purpose it is meant for. Or wipe the device; they come to your support desk in no time at all.

Don't forget to file a bug report with Apple, maybe one day they will agree that this is a mistake on their part, not a feature.

Chris
-1

Contact APPLE to set up a corporate account. Allow NO money to be spent purchasing Apps. Anyone needing to purchase a legitimate app for their business account should do so externally on their own, or an HR-owned iPad. That purchase can be handled via normal reimbursement procedures. Then, the app can be transferred to their official company iPad.

To address issues of users having 'unapproved' apps on their iPads: don't PREVENT: INSPECT. Mention that there will be regular, unannounced inspections of corporate iPads looking for installation of unapproved apps. Just like laptops where people install their own software, don't worry about preventing it; this is fruitless given bypasses people can enact. Instead, threaten inspections and do occasional ones to put the fear-of-God in the userbase.

  • The useful thing about this comment is that it correctly identifies the problem as a human one and not a technical one. But that's it. – quadruplebucky Feb 20 '14 at 01:51