# Apple policy: Apps & profiles

This section documents how to configure managed applications and account payloads for Apple devices.

## App management

The **App management** panel contains both general app-related restrictions and a list of managed apps.

### General app restrictions

- **Allow app clips**
- **Allow app installation**
- **Allow app removal**
- **Allow automatic app downloads**
- **Allow apps to be hidden**
- **Allow apps to be locked**
- **Allow In-App Purchases**

### Managed apps

Use **Add application** to add an app to the policy. Each managed app is displayed as a card. You can expand the card to edit its settings and remove the app using the delete action.

- **App Store ID**: the App Store identifier of the managed app.
- **Bundle ID**: the app bundle identifier.
- **Install behavior**: controls whether the app must remain installed or can be installed/removed by the user.
- **Assignment**: license assignment type.
- **VPP license**: VPP license type used for installation through the App Store.

## Accounts

The **Accounts** panel lets you configure accounts that are applied to managed devices. It also includes a restriction toggle for account modification.

### Restriction

- **Allow account modification**: when disabled, users cannot modify accounts such as Apple Accounts and internet accounts.

### Add accounts

Use **Add Google account** or **Add mail account** to add account payloads to the policy. Each account appears as a card with its configuration fields.

### Account credentials from users

Both Google and Mail account cards provide an **Account credentials from users** toggle. When enabled, the system applies account credentials on a per-user basis. When disabled, you enter the account identity in the policy.

### Google account fields

- **Visible name**: the name shown to the user for the account.
- **Google email address**: the user email address.
- **Full name**: the user’s full name.

### Mail account fields

Mail accounts include identity fields plus incoming/outgoing server configuration. Host names are required.

- **Visible name**: the name shown to the user for the mail account.
- **Email address**: the user email address.
- **Full name**: the user’s full name.

#### Incoming server

- **Server type**: mail protocol (for example IMAP or POP).
- **Authentication Method**: authentication method for the server.
- **IMAP path prefix**: shown only when Server type is IMAP.
- **Host name**: required.
- **Port**: server port (1–65535).

#### Outgoing server

- **Authentication Method**
- **Host name**: required.
- **Port**: server port (1–65535).
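
The following check is an added example, not part of the product or its documentation: it parses a configuration profile and reports mail payloads that break the rules above (host names required, ports within 1–65535, IMAP path prefix only on IMAP accounts). It assumes the dashboard fields map onto Apple's `com.apple.mail.managed` payload keys, which this page does not state; the sample profile is constructed.

```python
import plistlib

# Constructed sample profile (not from the product). Key names are Apple's
# com.apple.mail.managed payload keys; mapping the dashboard fields onto them
# is an assumption of this example.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.mail.managed</string>
  <key>EmailAccountType</key><string>EmailTypePOP</string>
  <key>IncomingMailServerHostName</key><string>mail.example.com</string>
  <key>IncomingMailServerPortNumber</key><integer>995</integer>
  <key>IncomingMailServerIMAPPathPrefix</key><string>INBOX</string>
  <key>OutgoingMailServerHostName</key><string></string>
  <key>OutgoingMailServerPortNumber</key><integer>70000</integer>
</dict></array>
</dict></plist>"""


def check_mail_payload(payload):
    """Return a list of violations of the rules stated for mail accounts."""
    problems = []
    for side in ("Incoming", "Outgoing"):
        host = payload.get(f"{side}MailServerHostName")
        if not isinstance(host, str) or not host.strip():
            problems.append(f"{side}: host name is required")
        port = payload.get(f"{side}MailServerPortNumber")
        # Assumption: a missing port is allowed; a set port must be 1-65535.
        if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
            problems.append(f"{side}: port {port!r} outside 1-65535")
    # The IMAP path prefix only applies when the server type is IMAP.
    if "IncomingMailServerIMAPPathPrefix" in payload and \
            payload.get("EmailAccountType") != "EmailTypeIMAP":
        problems.append("Incoming: IMAP path prefix set on a non-IMAP account")
    return problems


def check_profile(data):
    """Parse a configuration profile plist and check every mail payload in it."""
    profile = plistlib.loads(data)
    return [p for item in profile.get("PayloadContent", [])
            if item.get("PayloadType") == "com.apple.mail.managed"
            for p in check_mail_payload(item)]


if __name__ == "__main__":
    for problem in check_profile(SAMPLE_PROFILE):
        print(problem)
```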

### S/MIME options

For Mail accounts, you can also configure S/MIME encryption and signing behavior.

#### Encryption

- **S/MIME encryption**
- **Identity user-overrideable**
- **Per-message switch enabled**
- **User overrideable**

#### Signing

- **S/MIME Signing**
- **Identity user-overrideable**
- **User overrideable**

<p class="callout info"> Account and restriction options include tooltips in the dashboard that document prerequisites and supported OS versions. </p>