Last Updated Mar 03, 2014 — App Management expert
App Management


Single App Mode, or “App Lock” is a new MDM feature in iOS7, available only on devices that have been marked as ‘supervised’ by the Apple Configurator, Bulk Enrollment Service or our own EASE platform. It is implemented as a special type of configuration profile containing the bundle identifier of the app to lock the device into. As we have gone forward with our implementation of this capability in our enterprise mobility platform, we have discovered a number of issues that would affect the actual implementation of the feature, such as it exists on iOS 7.0.6 – we thought we would share what we learned in the hopes that others can benefit from it. 1) “App Lock” is not a single atomic command. An MDM app install command must first be sent to the device to ensure the app exists on the device. Only once this app has completed installing can you then install the “Lock” configuration profile.

Attempting to specify a bundle identifier that is not present (or not finished installing) puts the device into an unusable state. As iOS attempts to parallelize MDM operations, sending the app install command followed directly by the configuration profile install command puts the device into this state – ManagedConfiguration attempts to enforce the lock profile before MobileInstallation has completed installing the app. As such you can currently only lock a device into single app mode for an app that is already installed. We are working on improving this overall experience in the near future. 2) Per Apple’s MDM spec, on un-enrollment the operating system should remove all managed apps & configuration profiles.

However, while the locked app is uninstalled successfully the profile specifying the lock is not removed. This leaves the device in the aforementioned broken state. To address this issue, we have added in EASE several control flow workarounds to ensure the removal functions as expected allowing single-click uninstall/unlock. 3) Even when the app lock profile is removed after the locked app, and everything is done in the correct order allowing plenty of time for the commands to be processed, backboard (the backend component of springboard) crashes spectacularly, albeit invisibly to the user.

As we expect changes and improvements to come with newer versions of iOS, some of these issues will likely be resolved. In the meantime, Apperian’s mobile application management (MAM) platform continues to support not only the native capabilities of the platform, but, as demonstrated by the changes we have already implemented for single-click uninstall/unlock, we focus on providing the best experience for administrators and users.

This post originally appeared on Carlos Montero-Luque’s “Apperian: From the Office of the CTO” blog.

Are you ready to scale your enterprise?


What's New In The World of

August 14, 2023

Streamlining Application Development and Deployment for the Financial Services Industry

Enhance financial services with tailored strategies: secure apps, testing, efficient release & monitoring. Read on to learn more!

Learn More
June 23, 2023

Governance and Compliance for DevOps at Scale

Implement a Software Chain of Custody in DevOps for compliance, traceability, and cost reduction. Gain visibility and automate processes with Release & Deploy.

Learn More
April 30, 2020

Mobile Application Management: A Forward View

With the immediate shift to remote workforces and mobile app usage, learn what IT teams must have in place for enterprise systems of mobile apps via a Mobile App Management (MAM) solution for IT…

Learn More