Application Block/Allowlisting for iOS
This article describes GoTo Resolve MDM's application blocklist and allowlist configuration profiles for iOS, which can be used to prevent users from installing and launching configured applications.
Requirements
- Available in iOS 9.3 and later.
- This feature is applicable to Supervised devices. The most convenient way to get devices into Supervised mode is to enroll them through the Apple Device Enrollment Program.
What does application blocklisting or allowlisting mean?
Application blocklisting (formerly known as blacklisting) means that the defined applications cannot be installed on a target device. If a blocklisted application is already installed, it is blocked and cannot be started. Blocklisted applications are removed from the home screen of the device.
Application allowlisting (formerly known as whitelisting) means that all applications except the ones explicitly defined are blocked and their icons are removed from the home screen of your iOS device. The end user can only install or use those applications that have explicitly been defined.
Application block/allowlisting also applies to the installed system applications, except for the Settings (on iPads & iPhones) and Phone (on iPhones) applications. If you wish to prevent the user from using, for example, the Mail, App Store, or Safari apps, add their identifiers (Bundle IDs) to the blocklist. Conversely, you must add system applications to the allowlist if you wish to allow users to use them; otherwise, they will be blocked. See the list of IDs for Apple's default apps here. Please note that these Bundle IDs are case-sensitive.
You can have multiple blocklist and allowlist profiles deployed to the device, and the end result will be a union of the restrictions where the deny rule (blocklist) is stronger than the allow rule (allowlist).
For example:
- You can narrow down an allowlist by deploying a blocklist that blocks some of the allowlisted apps.
- If you deploy multiple allowlists, users can only use apps that are on both of the lists.
- If you deploy multiple blocklists, users cannot use any applications that are included in any of these lists.
- An allowlist consisting of one single application means that device users can only use the allowlisted app plus the built-in Settings and Phone apps. In other words, an allowlist profile can be used as a kiosk mode to effectively block unauthorized use of a device.
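The combination rules above can be modelled to preview what a device will allow before profiles are deployed. This is an added example, not GoTo Resolve MDM code: the function names and `com.example.kiosk` are hypothetical, the profile contents are constructed, and the Apple bundle IDs are the commonly documented ones rather than values taken from this article.

```python
# Added example: models the rules described above (allowlists intersect,
# any blocklist denies, deny beats allow, Settings/Phone stay available).

# Settings and Phone cannot be blocked (commonly documented Apple bundle IDs).
ALWAYS_AVAILABLE = {"com.apple.Preferences", "com.apple.mobilephone"}

def effective_apps(installed, allowlists, blocklists):
    """Return the installed bundle IDs a user can still launch."""
    installed = set(installed)
    usable = set(installed)
    for allow in allowlists:        # app must be on every deployed allowlist
        usable &= set(allow)
    for block in blocklists:        # app on any blocklist is denied
        usable -= set(block)
    # Exempt apps survive, but only if present (no Phone app on an iPad).
    return usable | (ALWAYS_AVAILABLE & installed)

def case_mismatches(profile_ids, known_ids):
    """Map profile entries that match a known ID only when case is ignored."""
    by_lower = {k.lower(): k for k in known_ids}
    return {p: by_lower[p.lower()] for p in profile_ids
            if p not in known_ids and p.lower() in by_lower}

# Constructed sample inventory for one supervised iPhone.
INSTALLED = {
    "com.apple.Preferences", "com.apple.mobilephone", "com.apple.mobilesafari",
    "com.apple.mobilemail", "com.apple.AppStore", "com.example.kiosk",
}

if __name__ == "__main__":
    allow_a = {"com.apple.mobilesafari", "com.apple.mobilemail", "com.example.kiosk"}
    allow_b = {"com.apple.mobilemail", "com.example.kiosk", "com.apple.AppStore"}
    block = {"com.apple.mobilemail"}
    print(sorted(effective_apps(INSTALLED, [allow_a, allow_b], [block])))
    # Bundle IDs are case-sensitive: this entry would silently fail to match.
    print(case_mismatches({"com.apple.appstore"}, INSTALLED))
```

Running `case_mismatches` over a profile before deployment catches entries that would leave an app unintentionally blocked (in an allowlist) or unintentionally usable (in a blocklist) because of a casing error.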
How to deploy an application blocklist or allowlist configuration to a device?
First, you need to create a new configuration profile and define the applications that are denied (blocklist) or allowed (allowlist). The process of creating application blocklist and allowlist configurations is identical, so we will only use the blocklist configuration as an example.
- Navigate to .
- Click Add.
- Select iOS.
- Select Application blocklist (Supervised) or Application allowlist (Supervised).
When creating the profile, you have to define the denied applications. Applications are identified by application-specific bundle identifiers. Add applications by defining the bundle identifier (com.company.app), App Store ID (https://itunes.apple.com/us/app/miradore-online-client/id1052678054), or App Store URL (https://itunes.apple.com/us/app/miradore-online-client/id1052678054) of the application and click Add. You can add as many applications as you want. When you've added all the applications you want, press Next.
Once the blocklist configuration profile has been created, administrators can deploy it to all supported iOS 9.3 devices that are Supervised. See Deploying a configuration profile for further information. After the profile has been successfully deployed, the defined applications can no longer be used or installed, and their icons are removed from the home screen.
How to disable application blocklist/allowlist configurations?
Application blocklists and allowlists can be disabled by simply deleting the deployed configuration profile from the device. This can be done by opening the device page and clicking the trashcan icon in the Configuration profiles table. See Removing deployed configuration profiles for further information.
Frequently asked questions (FAQ)
- Can I block system applications?
- Yes, you can. Just add application identifiers to the configuration. Note that you cannot block the Settings and Phone apps on iPhones.
- Can I block In-house applications?
- Yes, you can. Just add application bundle identifiers to the configuration.
- Can I block App Store applications?
- Yes, you can. Just add application bundle identifiers, store identifiers, or App Store URLs to the configuration.
- Can I have multiple blocklists or allowlists installed?
- Yes, you can. The end result will be a union of the restrictions where the deny rule (blocklist) is stronger than the allow rule (allowlist).
- Can I deploy the application blocklist or allowlist profile to an unsupervised device?
- No, you can't. You can restrict the use of applications only for Supervised devices running iOS 9.3 or later.
- Can I automate the deployment of app restrictions to newly enrolled devices?
- Yes. Add an application blocklist or allowlist configuration profile to a business policy. The business policy will ensure that the app restrictions are automatically enforced on the devices. See About business policies for more information.
- Can users remove applications even when they're blocked?
- Yes, they can. Settings > General > Storage & iCloud Usage > Manage storage
More information
Creating a configuration profile