This article describes Miradore’s application blacklist and whitelist configuration profiles for iOS that can be used by Enterprise Plan customers to deny users from installing and launching configured applications.
- Active Enterprise Plan subscription or trial
- Available in iOS 9.3 and later. Requires that devices are Supervised. The most convenient way to get devices into Supervised mode is to enroll them through the Apple Device Enrollment Program.
What does application blacklisting or whitelisting mean?
Application blacklisting means that the defined applications cannot be installed to a target device. If a blacklisted application is already installed, it is blocked and cannot be started. Blacklisted applications are removed from the home screen of the device.
Application whitelisting means that all applications, except the ones explicitly defined, are blocked and their icons are removed from the home screen of your iOS device. The end-user can only install or use those applications that have explicitly been defined.
Application black/whitelisting for iOS applies also to the installed system applications, except for the Settings application. If you wish to deny the user from using, for example, Mail, App Store or Safari apps, add their identifiers (Bundle IDs) to the lacklist. Respectively, you must add system applications to the whitelist if you wish to allow users to use them, otherwise they will be blocked. See is a list of IDs for Apple’s default apps from here. Please note, that these Bundle ID’s are case sensitive.
You can have multiple blacklist and whitelist profiles deployed to the device and the end result will be a union of the restrictions where deny rule (blacklist) is stronger than the allow rule (whitelist). For example:
- If you deploy a whitelist profile you can later on deny the use of certain apps allowed by it, by deploying a blacklist.
- If you deploy two whitelist profiles, only the ones allowed by both of the profiles will be allowed.
- If you deploy two blacklist profiles, all applications defined in either one of these are banned.
- If you deploy a whitelist profile with only one application the user can only use this application and the built-in Settings. In other words, a whitelist profile can be used like a kiosk mode to effectively block unauthorized use of a device.
How to deploy an application blacklist or whitelist configuration to a device
First you need to create a new configuration profile and define the applications that are denied (blacklist) or allowed (whitelist). The process of creating application blacklist and whitelist configurations is identical, so we will only use the blacklist configuration as an example.
Start by navigating to Mobile management > Configuration profiles and start the Create configuration profile action from the page action menu. See Creating a configuration profile for more details.
When creating the profile you have to define the denied applications. Applications are identified by application specific bundle identifiers. Add applications by defining the bundle identifier (com.company.app), App Store ID (https://itunes.apple.com/us/app/miradore-online-client/id1052678054) or App Store URL (https://itunes.apple.com/us/app/miradore-online-client/id1052678054) of the application and click Add. You can add as many applications as you want. When you’ve added all the applications you want, press Next.
Once the blacklist configuration profile has been created, administrators can deploy it to all supported iOS 9.3 devices that are Supervised. See more in Deploying a configuration profile for further information. After the profile has been successfully deployed, the defined applications can no longer be used or installed and their icons are removed from the home screen.
How to disable application blacklist/whitelist configurations
Application blacklists and whitelists can be disabled by simply deleting the deployed configuration profile from the device. This can be done by opening the device page and clicking the trashcan icon in the Configuration profiles table. See Removing deployed configuration profiles for further information.
Frequently asked questions (FAQ)
Q. Can I block system applications?
A. Yes you can. Just add application identifiers to the configuration. Only the Settings application can’t be blocked.
Q. Can I block In-house applications?
A. Yes you can. Just add application bundle identifiers to the configuration.
Q. Can I block App Store applications?
A. Yes you can. Just add application bundle identifiers, store identifiers or App store URLs to the configuration.
Q. Can I have multiple blacklist or whitelist profiles installed?
A. Yes you can. The end result will be an union of the restrictions where deny rule (blacklist) is stronger than the allow rule (whitelist).
Q. Can I deploy application blacklist or whitelist profile to an unsupervised device?
A. No you can’t. Application restrictions are available in iOS 9.3 and later and require that devices are Supervised.
Q. How can I automate application blacklists and whitelists so that they are automatically deployed to enrolled devices.
A. Add application blacklist or whitelist configuration profile to a business policy, which ensures that profiles are automatically enforced to the device. See more About business policies.
Q. Can users remove applications even when they’re blocked.
A. Yes they can. Settings > General > Storage & ICloud Usage > Manage storage