Apple policy: Apps & profiles
This section documents how to configure managed applications and account payloads for Apple devices.
App management
The App management panel contains both general app-related restrictions and a list of managed apps.
General app restrictions
- Allow app clips
- Allow app installation
- Allow app removal
- Allow automatic app downloads
- Allow apps to be hidden
- Allow apps to be locked
- Allow In-App Purchases
Managed apps
Use Add application to add an app to the policy. Each managed app is displayed as a card. You can expand the card to edit its settings and remove the app using the delete action.
- App Store ID: the App Store identifier of the managed app.
- Bundle ID: the app bundle identifier.
- Install behavior: controls whether the app must remain installed or can be installed/removed by the user.
- Assignment: license assignment type.
- VPP license: VPP license type used for installation through the App Store.
Accounts
The Accounts panel lets you configure accounts that are applied to managed devices. It also includes a restriction toggle for account modification.
Restriction
- Allow account modification: when disabled, users cannot modify accounts such as Apple Accounts and internet accounts.
Add accounts
Use Add Google account or Add mail account to add account payloads to the policy. Each account appears as a card with its configuration fields.
Account credentials from users
Both Google and Mail account cards provide an Account credentials from users toggle. When enabled, the system applies account credentials on a per-user basis. When disabled, you enter the account identity in the policy.
Google account fields
- Visible name: the name shown to the user for the account.
- Google email address: the user email address.
- Full name: the user’s full name.
Mail account fields
Mail accounts include identity fields plus incoming/outgoing server configuration. Host names are required.
- Visible name: the name shown to the user for the mail account.
- Email address: the user email address.
- Full name: the user’s full name.
Incoming server
- Server type: mail protocol (for example IMAP or POP).
- Authentication Method: authentication method for the server.
- IMAP path prefix: shown only when Server type is IMAP.
- Host name: required.
- Port: server port (1–65535).
Outgoing server
- Authentication Method
- Host name: required.
- Port: server port (1–65535).
S/MIME options
For Mail accounts, you can also configure S/MIME encryption and signing behavior.
Encryption
- S/MIME encryption
- Identity user-overrideable
- Per-message switch enabled
- User overrideable
Signing
- S/MIME Signing
- Identity user-overrideable
- User overrideable
Account and restriction options include tooltips in the dashboard that document prerequisites and supported OS versions.
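The mail account rules above (host names required, ports within 1–65535, IMAP path prefix only for IMAP, S/MIME override toggles) can be checked against a profile exported from a device. This is an added example, not code from the product: it assumes the dashboard fields map to Apple's `com.apple.mail.managed` payload keys, and `check_mail_payload`, `check_sample` and the sample values are hypothetical.

```python
import plistlib

# Constructed sample payload (made-up values). Key names are Apple's
# com.apple.mail.managed keys; that the dashboard fields map to them is assumed.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>com.apple.mail.managed</string>
  <key>EmailAccountType</key><string>EmailTypePOP</string>
  <key>IncomingMailServerHostName</key><string>mail.example.com</string>
  <key>IncomingMailServerPortNumber</key><integer>995</integer>
  <key>IncomingMailServerIMAPPathPrefix</key><string>INBOX</string>
  <key>OutgoingMailServerPortNumber</key><integer>70000</integer>
  <key>SMIMESigningEnabled</key><true/>
  <key>SMIMESigningUserOverrideable</key><true/>
  <key>SMIMEEncryptByDefaultUserOverrideable</key><false/>
</dict></plist>"""


def check_mail_payload(payload):
    """Return findings for one mail payload dict (hypothetical helper)."""
    findings = []
    for side in ("Incoming", "Outgoing"):
        host = payload.get(f"{side}MailServerHostName")
        if not isinstance(host, str) or not host.strip():
            findings.append(f"{side}: host name is required")
        port = payload.get(f"{side}MailServerPortNumber")
        # bool is a subclass of int in Python, so reject it explicitly.
        valid = isinstance(port, int) and not isinstance(port, bool) and 1 <= port <= 65535
        if port is not None and not valid:
            findings.append(f"{side}: port {port!r} outside 1-65535")
    # The path prefix only applies when the incoming server type is IMAP.
    if payload.get("IncomingMailServerIMAPPathPrefix") and payload.get("EmailAccountType") != "EmailTypeIMAP":
        findings.append("IMAP path prefix set on a non-IMAP account")
    # Report which S/MIME decisions the policy leaves to the user.
    for key in sorted(payload):
        if key.startswith("SMIME") and key.endswith("UserOverrideable") and payload[key] is True:
            findings.append(f"user may change: {key}")
    return findings


def check_sample():
    return check_mail_payload(plistlib.loads(SAMPLE_PLIST))


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```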