Workspace ONE UEM allows you to upload paid public iOS applications and distribute them in those scenarios where it is not feasible to use Apple's Volume Purchase Program (VPP). Also for the iOS devices you can configure extra restrictions on the App Store functionality, including the App Store icon and installation of public apps.Workspace ONE UEM can distribute several OS versions, but iOS 9+ management does not require users to take extra steps. It is best to use the Apple VPP, if possible. The VPP can manage bulk public paid applications efficiently and offers several management options.

Compare Paid Public App Procedures

When you compare the steps necessary to push paid public iOS applications to devices, iOS has simplified the process. It allows Workspace ONE UEM to take management of an application previously installed on a device, and end users do not have to delete applications.

Note: Workspace ONE UEM cannot assume management of user-installed applications on iOS 8 and below.
Add Any Supported iOS Version as Paid Public App Add iOS 9+ Version as Paid Public App
Enable the paid public iOS applications process in the Workspace ONE UEM console. Enable the paid public iOS applications process in the Workspace ONE UEM console.
Add the public application to the Workspace ONE UEM console. Add any other management parameters like SDK features and enabling per-app VPN. Add the public application to the Workspace ONE UEM console and enable Make App MDM Managed if User Installed on the Deployment tab.

Add any other management parameters like SDK features and enabling per-app VPN.
(User) Purchase the application. (User) Purchase the application.

Apple installs the application automatically to the device after purchase.
(User) Delete the application installed by Apple. Not applicable
(User) Open the AirWatch Catalog and initiate the installation from Workspace ONE UEM to receive the managed version of the application. (User) Open the AirWatch Catalog and initiate the installation from Workspace ONE UEM to receive the managed version of the application.

Configure your Paid Public iOS Application in the UEM console Console

You can configure the deployment of the paid public iOS applications in the UEM console. Complete the following steps to configure the deployment of the paid public iOS applications in the UEM console.

  1. Navigate to Groups & Settings > All Settings > Apps > Workspace ONE > Paid Public Applications.
  2. Select Enabled, and then save the settings.

Assign your Paid Public Application based on the Organization Group

You can keep your VPP deployment and your paid public iOS applications in separate organization groups. You can also enable the paid public status option in the organization group where applicable devices are enrolled.

Ensure that you do not deploy the same paid public iOS application in the organization group that has VPP configured and that contains a service token (sToken). If you have the VPP configured in the organization group, use licenses from the sToken, which offers a greater management and control of the application.

Devices that receive application assignments from the closest organization group to them. Be aware of the organization group hierarchy and where you enable paid public iOS applications. If you assign the application in an organization group that has no effect on the device, installations can fail or the application can install on the wrong device.

Table 1. Example of a Paid Public Application Assignment Depending on the Organization Group
Organization Group Paid Public Status Device Enrolled Result
Parent Enabled No The device does not receive the managed paid public application and the system redirects the device to the store to install the application.
Child Disabled Yes

Upload your Paid Public Application to the UEM Console

You can upload your paid public iOS application from the app store to the UEM console to make it available in a catalog.

  1. Navigate to Resources > Applications > Native > Public, and select Add Application.
  2. Select Managed By to view the organization group from which the application uploads.
  3. Select the Platform.
  4. Enter a keyword in the Name text box to find the application in the app store.
  5. Select Next and use Select to pick the application from the app store result page.
  6. Configure options on the Details tab. Entering data on this tab is optional, but you can record data like the store URL for the application, supported models, and associated categories.
  7. Assign a Required Terms of Use for the application on the Terms of Use tab. This is optional.
  8. Select Save & Assign to make the application available to end users.
  9. Configure flexible deployment rules for the assignment of the applications.Only the on-demand push mode is available. It enables the user to initiate the installation so that the system does not use excessive bandwidth by automatically installing applications. It also gives the user time to buy the application and delete the initial version from the device.

Prevent Paid Public Application downloads from the App Store through Device Restriction

You can configure device restrictions to control what applications, hardware, and functionality your end users can access. You can use these restrictions to enhance productivity, protect end users and devices. Workspace ONE UEM supports native iOS restrictions and an in-house developed restriction that controls access to the app store.You can configure the Allow App Store icon on home screen restriction in the UEM console to hide the App Store. This restriction removes the icon from the Home Screen and end users cannot access the App Store. However, end users can still use MDM to install or update their apps, giving full application control to the administrator.

The Allow App Store icon on home screen restriction is available only for iOS 9+ supervised devices. In general, supervised devices give you more control over the devices you own and lets you set restrictions.Control the app store to restrict or allow device users to access the public applications available therein.

  1. Navigate to Devices > Profiles &Resources > Profiles > Add.
  2. Select Apple iOS.
  3. Configure the profile's General settings.
  4. Select the Restrictions payload from the list. You can select multiple restrictions as part of a single restrictions payload.
    Table 2. Descriptions of App Store Restriction Methods
    Restriction Configuration Description
    Allow App Store icon on Home screen

    This restriction is supported for all supervised iOS 9+ devices as it uses the latest technologies and can push applications through several systems.

    		 Deactivate Restrict the Apple App Store from being installed on the device so the device user cannot install public free applications using the App Store.

    However, push public free applications using Workspace ONE UEM, iTunes, or Apple Configurator.
    Activate Allow the Apple App Store on the device and the device user can install any public free applications using the App Store.
    Allow installing public apps This restriction is supported for all iOS 4-12 devices and supervised iOS 13+ devices. Deactivate Restrict the device user from using the Apple App Store.
    Activate Allow the Apple App Store on the device and the device user can install any public free applications using the App Store.
  5. Select Save & Publish to push the profile to devices.

Restrict your Device to only Install Assigned public Apps from the App Store

You can control from where end users install public applications by enabling Restricted Mode on Apple iOS devices. After enrollment, end users can access free public applications deployed to their catalogs, but they are unable to download free public applications from the App Store. Control from where end users install public applications by enabling Restricted Mode for Public iOS Applications. Restricted Mode restricts the device by allowing you to install only the assigned applications approved by the organization. Enabling the setting SEsends a restricted profile to Apple iOS devices. The presence of this restricted profile does not require an extra restriction profile with the Allow installing public apps option enabled to block the app store.

This restriction is the same as the iOS restriction Allow App Store icon on Home screen found in Devices > Profiles & Resources > Profiles. Workspace ONE UEM deploys the Restricted Mode option to devices and it blocks end users from the app store. Workspace ONE UEM can deploy the public applications, which ensures that your organization approves them.

  1. Navigate to Groups & Settings > All Settings > Apps > Workspace ONE > App Restrictions.
  2. Select Restricted Mode for Public iOS Applications.
  3. Click Save