Skip to main content
App management icon

This post is from the Apperian blog and has not been updated since the original publish date.

Last Updated Mar 03, 2014 — App Management expert

Single App Mode on iOS7

App Management


Single App Mode, or “App Lock” is a new MDM feature in iOS7, available only on devices that have been marked as ‘supervised’ by the Apple Configurator, Bulk Enrollment Service or our own EASE platform. It is implemented as a special type of configuration profile containing the bundle identifier of the app to lock the device into. As we have gone forward with our implementation of this capability in our enterprise mobility platform, we have discovered a number of issues that would affect the actual implementation of the feature, such as it exists on iOS 7.0.6 - we thought we would share what we learned in the hopes that others can benefit from it. 1) “App Lock” is not a single atomic command. An MDM app install command must first be sent to the device to ensure the app exists on the device. Only once this app has completed installing can you then install the “Lock” configuration profile.

Attempting to specify a bundle identifier that is not present (or not finished installing) puts the device into an unusable state. As iOS attempts to parallelize MDM operations, sending the app install command followed directly by the configuration profile install command puts the device into this state – ManagedConfiguration attempts to enforce the lock profile before MobileInstallation has completed installing the app. As such you can currently only lock a device into single app mode for an app that is already installed. We are working on improving this overall experience in the near future. 2) Per Apple’s MDM spec, on un-enrollment the operating system should remove all managed apps & configuration profiles.

However, while the locked app is uninstalled successfully the profile specifying the lock is not removed. This leaves the device in the aforementioned broken state. To address this issue, we have added in EASE several control flow workarounds to ensure the removal functions as expected allowing single-click uninstall/unlock. 3) Even when the app lock profile is removed after the locked app, and everything is done in the correct order allowing plenty of time for the commands to be processed, backboard (the backend component of springboard) crashes spectacularly, albeit invisibly to the user.

As we expect changes and improvements to come with newer versions of iOS, some of these issues will likely be resolved. In the meantime, Apperian's mobile application management (MAM) platform continues to support not only the native capabilities of the platform, but, as demonstrated by the changes we have already implemented for single-click uninstall/unlock, we focus on providing the best experience for administrators and users.

This post originally appeared on Carlos Montero-Luque's "Apperian: From the Office of the CTO" blog.

More from the Blog

View more
Apr 30, 2020

Mobile Application Management: A Forward View

App Management
  IT Is Adapting in the Midst of the COVID-19 Pandemic The Coron ...
Read More
May 19, 2019

Sneak Peek: How Are IT Leaders Driving Mobile App Adoption?

App Management
Apperian conducted the The Mobile Enterprise Application Survey to fin ...
Read More
Jan 30, 2019

Part 1: App Security Should Be an Integral Part of Your DevSecOps Process — Not an Afterthought

Application Security
What are the key considerations and components of DevSecOps? The in ...
Read More
Nov 19, 2018

Breaking Down the New California IoT Law

Application Security
Recently California passed legislation regarding the security of all I ...
Read More
Contact Us