Single App Mode on iOS7

Single App Mode, or “App Lock” is a new MDM feature in iOS7, available only on devices that have been marked as ‘supervised’ by the Apple Configurator, Bulk Enrollment Service or our own EASE platform. It is implemented as a special type of configuration profile containing the bundle identifier of the app to lock the device into. As we have gone forward with our implementation of this capability in our enterprise mobility platform, we have discovered a number of issues that would affect the actual implementation of the feature, such as it exists on iOS 7.0.6 – we thought we would share what we learned in the hopes that others can benefit from it. 1) “App Lock” is not a single atomic command. An MDM app install command must first be sent to the device to ensure the app exists on the device. Only once this app has completed installing can you then install the “Lock” configuration profile.

Attempting to specify a bundle identifier that is not present (or not finished installing) puts the device into an unusable state. As iOS attempts to parallelize MDM operations, sending the app install command followed directly by the configuration profile install command puts the device into this state – ManagedConfiguration attempts to enforce the lock profile before MobileInstallation has completed installing the app. As such you can currently only lock a device into single app mode for an app that is already installed. We are working on improving this overall experience in the near future. 2) Per Apple’s MDM spec, on un-enrollment the operating system should remove all managed apps & configuration profiles.

However, while the locked app is uninstalled successfully the profile specifying the lock is not removed. This leaves the device in the aforementioned broken state. To address this issue, we have added in EASE several control flow workarounds to ensure the removal functions as expected allowing single-click uninstall/unlock. 3) Even when the app lock profile is removed after the locked app, and everything is done in the correct order allowing plenty of time for the commands to be processed, backboard (the backend component of springboard) crashes spectacularly, albeit invisibly to the user.

As we expect changes and improvements to come with newer versions of iOS, some of these issues will likely be resolved. In the meantime, Apperian’s mobile application management (MAM) platform continues to support not only the native capabilities of the platform, but, as demonstrated by the changes we have already implemented for single-click uninstall/unlock, we focus on providing the best experience for administrators and users.

This post originally appeared on Carlos Montero-Luque’s “Apperian: From the Office of the CTO” blog.