Protect your devices from the App Removal Commands Initiated by the UEM console

Internal applications are often developed to perform enterprise-specific tasks. Abrupt removal of these applications can cause frustration and halt work. You can prevent the removal of important internal applications, by using the application removal protection. Application Removal Protection ensures that the system does not remove business-critical applications unless approved by the admin and holds the app removal commands based on the threshold values.

You can either use the default values or enter the limits that trigger the system to hold application removal commands. These actions stops the system from removing associated internal applications from devices. Until an admin acts on the held app removal commands, the system does not remove internal applications. In general, threshold values apply to bundle IDs and apply at a customer type organization group, and is inherited by the child organization groups. When setting threshold values and acting on them, consider these characteristics so that you can take informed actions on applications and have the permissions they need to act on the app removal commands. Because the system applies threshold values per bundle ID, it is possible for a single application to have varying names and still have the same bundle ID.

Note: Admins cannot override threshold values in the child organization groups. Admins’ placement in the organization group hierarchy controls their available roles and actions. Admins in child organization groups can act on the removal commands in their assigned organization groups. Admins in parent organization groups can edit the values and act on removal commands in the parent group and in the child organization groups.

Application removal protection system canvasses the application removal command queue for values that meet or exceed your threshold values. Several application or group state changes can trigger application removal commands. For example, application removal commands trigger when you edit your smart groups, publish applications, deactivate, or retire applications, delete applications and so on. Complete the following steps to configure application removal protection in an organization group at the customer level or below in the Workspace ONE UEM console.

  1. Navigate to Groups & Settings > All Settings > Apps > Workspace ONE > App Removal Protection.

    App Removal Protection

  2. Enter the following threshold settings:

    Setting Description
    Devices Affected Enter the maximum number of devices that can lose a critical application before the loss hinders the work of the enterprise.
    Within (minutes) Enter the maximum number of minutes that the system sends removal commands before the loss of a critical application hinders devices from performing business tasks.
    Email Template Select an email notification template and make customizations. The system includes the App Remove Limit Reached Notification template, which is specific to the app removal protection.
    Send Email to Enter email addresses to receive notifications about held removal commands so that the recipients can take actions in the app removal log.
  3. Save the settings.

Review App Removal log to act on the held App Removal Commands

You can use the App Removal Log page to continue to hold application removal commands, dismiss commands, or release the commands to devices. The command status in the console displays the application removal log that represents a phase of the protection process until an admin acts on the held commands, the system does not remove internal applications.

Complete the following steps to review the App Removal log to act on the held App Removal Commands:

  1. Navigate to Monitor > Reports and Analytics > Events > App Removal Log.

    App Removal Log

  2. Filter, sort, or browse to select data.

    • Filter results by Command Status list applications.
    • Sort by Bundle ID to select data.
    • Select an application.
    • You can select the Impacted Device Count link to browse the list of devices affected by actions. This action displays the App Removal Log Devices page that lists the device name of the devices. You can use the device name to navigate to the devices’ Details View.

      Status Description Cause
      Held for approval The protection system holds removal commands, and the system does not remove the associated internal application.
      The removal commands are in the command queue but the system cannot process them without admin approval.
      The system holds removal commands because the threshold values were met.
      Released to device The protection system sent the commands to remove applicable internal applications off devices. The system released the commands because an admin configured the release.
      Dismissed by admin The protection system purged the removal commands from the command queue.
      The system did not remove applicable internal applications off devices.
      The system purged the commands because an admin configured the dismissal.
  3. You can select Release or Dismiss.

    • The Release option sends the commands to devices and the system removes the internal application off devices.
    • The Dismiss option purges the removal commands from the queue and the system does not remove the internal application off devices.
  4. For dismissed commands, return to the internal applications area of the console and select the smart group assignments of the application for which you dismissed commands. Ensure that the internal application’s smart group assignments are still valid.If the smart group assignment is invalid and you do not select it, the system can remove the application when the device checks-in with the system.
check-circle-line exclamation-circle-line close-line
Scroll to top icon