.mobileconfig with Managed App Configuration on enrolled devices for Public Unlisted App

Business & Education Device Management
Shebuka
Shebuka OP
Created 3d
Replies 2
Boosts 0
Views 386
Participants 2

Hello,

We are working with an iOS app that is distributed as a Public Unlisted App Store app. Our MDM allows us to import the app by URL, but when added this way, the app is marked as unmanaged in the inventory. Because of that, we cannot assign a Managed App Configuration payload to it in the normal way.

What we are trying to achieve:

  • Deliver a configuration profile to all enrolled devices before the app is installed.
  • When the user installs the app from the MDM catalog, the app should immediately see the configuration values.

Questions we’re hoping to clarify:

  1. Is it technically feasible to pre-provision a Managed App Configuration for an app in this scenario, by pushing a .mobileconfig profile to all devices?
  2. If yes, what would be the correct payload format and content of such a .mobileconfig file?

We’ve tested a profile format we found here that uses com.apple.managed-app-config PayloadType and a ManagedAppConfiguration key with the bundle ID nested inside, but iOS reports this as “payload not recognized.” From what we understand, that may not be part of Apple’s schema.

Any guidance from Apple or the community on whether this use case is possible (and, if so, what the valid profile format should look like) would be very helpful.

Note: For a complicated company policy, at the moment we are not able to participate in ABM.

Thanks in advance!

Replies  2
Boosts  0
Views  386
Participants  2
Apple Staff, Device Management Engineer
Device Management Engineer OP
Apple
3d

There's three systems for configuring a managed app: The new declarative app configuration, the legacy managed app config, and managed preferences (macOS only). The first two cannot be set by a configuration profile (a .mobileconfig file). All three systems can ensure the app has admin-specified configuration available before it is launched for the first time. It's up to the app developer to tell you which system(s) the app supports and how to configure the app.

Our MDM allows us to import the app by URL, but when added this way, the app is marked as unmanaged in the inventory.

On first impression that seems like an issue with your device management service. If it is triggering installation of the app, the app should be managed. I think you need to resolve that issue first.

what the valid profile format should look like

Most device management services support the legacy managed app config, and some of them are adding support for declarative app configuration. They should provide an admin interface for specifying the configuration for the app and format the MDM command or DDM declarations appropriately. The format of the configuration itself is up to the app developer, so they need to document what keys and values to put in the configuration.

Note: For a complicated company policy, at the moment we are not able to participate in ABM.

You do not need an Apple Business Manager account in order to configure managed apps. All the methods of configuring managed apps are available for all device management enrollment types.

0
Shebuka
Shebuka OP
1d

Thank you for replying so swiftly.

We are using Managed App Config, and the issue comes from how our MDM vendor handles app installation. They state that if an app is added via URL (as would be the case with a Public Unlisted App), it is treated as unmanaged. Because of this, no MDM commands can be applied (the app only shows up in the device’s MDM catalog).

The reason I mentioned ABM is that the vendor’s proposed solution is to add the app through ABM, which makes it managed again and restores functionality. Unfortunately, due to company policy, this approach is not available to us.

Your clarification about declarative app configuration and legacy managed app configuration not being applicable via a .mobileconfig makes sense, and confirms that this path isn’t possible as a workaround.

That leaves us with only two potential options:

  1. Ask the MDM vendor to treat URL-added apps as managed, or
  2. Republish the application as a Public Listed App.

And no other workaround is possible?

0
.mobileconfig with Managed App Configuration on enrolled devices for Public Unlisted App
First post date Last post date
 
 
Q