The declaration to configure a managed app.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
App Store ID AppStoreID The App Store ID of the managed app that is downloaded from the App Store.
Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present. | string | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
Bundle ID BundleID The bundle ID of the managed app that is downloaded from the App Store.
Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present. | string | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
Manifest URL ManifestURL The URL of the manifest for the managed app that the device downloads from a web site. The manifest is returned as a `ManifestURL` property list.
Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present.
Available only in iOS and visionOS. | string | optional | — | ✗No | |
App Composed Identifier AppComposedIdentifier A string that specifies the composed identifier of an existing app that needs to be managed. The device uses this to take over management of an app installed by some other process, for example installed manually by the user, or via a package configuration. If the app isn't present when the device applies the configuration, the device takes over management of it when it does install.
The following rules apply when the device takes over management:
- If the `InstallBehavior.Install` key is set to `Required`, the device takes over management of the app.
- If the `InstallBehavior.Install` key is set to `Optional`, the device takes over management of the app when the user "installs" it using an MDM management app.
The format of the composed identifier is either "Bundle-ID (Team-ID)" or "Bundle-ID {Designated-Requirement}". For example, `com.example.app (ABCD1234)` for the team ID format, or `com.example.app {anchor apple generic}` for the designated requirement format. Management of the app occurs only if its code signature matches the composed identifier.
In macOS, only one of `AppStoreID`, `BundleID`, or `AppComposedIdentifier` needs to be present.
Available only in macOS. | string | optional | — | ✓Yes | macOS (26.0+) |
iOS App iOSApp If `true`, the device installs an iOS or iPadOS app that runs on a Mac with Apple Silicon. This is only used when the app is an App Store app.
Available only in macOS. | boolean | optional | false | ✓Yes | macOS (26.0+) |
Install Behavior InstallBehavior A dictionary that describes how and when to install the app. 4 subkeys | dictionary | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ Install Install A string that specifies if the app needs to remain on the device at all times or if the user can freely install and remove it, which is one of the following values:
- `Optional`: The user can install and remove the app after the system activates the configuration.
- `Required`: The system installs the app after it activates the configuration. The user can't remove the app.
The system automatically installs apps on supervised devices. Otherwise, the device prompts the user to approve installation of the app. | string | optional | Optional | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ License License A dictionary that describes the app's license. 2 subkeys | dictionary | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ Assignment Assignment The type of license that the app uses for installation through the App Store, which is one of the following values:
- `Device`: The app has a device license.
- `User`: The app has a user license.
This key needs to be present for App Store apps, when either `AppStoreID` or `BundleID` are present in the configuration. | string | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ VPP Type VPPType The type of VPP license that the app uses for installation through the App Store, which is one of the following values:
- `Device`: The app has a VPP device license.
- `User`: The app has a VPP user license.
This key needs to be present to install an app through the App Store. | string | optional | — | ✗No | |
└─ Version Version The App Store external version identifier (EVID) of the version of the app the device installs. You can retrieve this value from the App Store. For more information, see `Apps and Books for Organizations`. This key is ignored if the app isn't an App Store app.
The following rules apply when the device applies or updates the configuration:
- If this key isn't present:
- If the app isn't present, the device installs the latest version.
- If the app is present, if allowed the device takes over management of the current version of the app.
- If this key is present:
- If the app isn't present, the device installs the app with the specified version.
- If an app with the same version is present, if allowed the device takes over management of that app.
- If an app with an older version is present, if allowed the device updates the app to the specified version and takes over management of it.
- If an app with a newer version is present, the device doesn't take over management of the app. The device reports an app status failure.
> Note:
> The device never installs an older version of the app over a newer version. | integer | optional | — | ✓Yes | iOS (26.0+)macOS (26.0+)visionOS (26.0+) |
└─ Allow Downloads Over Cellular AllowDownloadsOverCellular Indicates how the device uses a cellular network when it downloads the app for automatic install or update operations:
- `AlwaysOn`: The device downloads apps of any size using a cellular network.
- `AlwaysOff`: The device doesn't download apps using a cellular network. The device pauses the automatic install or update operation until a different network is active.
- `StoreSettings`: The device uses the settings for the corresponding store when downloading apps.
The device always uses the store settings to download apps when the install or update operation is user initiated.
Available only in iOS. | string | optional | StoreSettings | ✓Yes | iOS (26.0+) |
Update Behavior UpdateBehavior A dictionary that specifies how the device updates apps. 1 subkey | dictionary | optional | — | ✓Yes | iOS (26.0+)macOS (26.0+)visionOS (26.0+) |
└─ Automatic App Updates AutomaticAppUpdates Specifies whether the device automatically updates the app:
- `AlwaysOn`: The device automatically updates the app to the latest version. For App Store apps, the device periodically checks the store for updates. For Enterprise apps, the device periodically downloads the manifest file and compares it to the previous manifest file. If the device detects a change to the bundle version in the manifest, it downloads and updates the app.
- `AlwaysOff`: The device never automatically updates the app.
- `StoreSettings`: The device uses the settings for the corresponding store to determine when to automatically update the app. For Enterprise apps, this setting behaves the same as `AlwaysOff`.
When the `InstallBehavior.Version` key is specified, the device ignores this key and Automatic App Updates are disabled.
In macOS, the device ignores this setting if the `AppComposedIdentifier` key is set in the configuration. | string | required | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
Include in Backup IncludeInBackup If `true`, backups contain the app and its data.
Available only in iOS and visionOS. | boolean | optional | true | ✗No | |
App Attributes Attributes A dictionary of values to associate with the app.
Available only in iOS and visionOS. 10 subkeys | dictionary | optional | — | ✗No | |
└─ Associated Domains AssociatedDomains An array of domain names to associate with the app. 1 subkey | array | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ Domain Domain A domain to be associated with the app. | string | required | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ Associated Domains Enable Direct Downloads AssociatedDomainsEnableDirectDownloads If `true`, the system enables direct downloads for the `AssociatedDomains`. | boolean | optional | false | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ Cellular Slice UUID CellularSliceUUID The cellular slice identifier, which can be the data network name (DNN) or app category. For DNN, encode the value as "DNN:name", where "name" is the carrier-provided DNN name. For app category, encode the value as "AppCategory:category", where "category" is a carrier-provided string such as "Enterprise1". | string | optional | — | ✗No | |
└─ Content Filter UUID ContentFilterUUID The UUID of the content filter to associate with the app. | string | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ DNS Proxy UUID DNSProxyUUID The UUID of the DNS proxy to associate with the app. | string | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ Hideable Hideable If `false`, the system prevents the user from hiding the app. It doesn't affect the user's ability to leave it in the App Library, while removing it from the Home Screen. | boolean | optional | true | ✓Yes | iOS (18.1+) |
└─ Lockable Lockable If `false`, the system prevents the user from locking the app. This also prevents the user from hiding the app. | boolean | optional | true | ✓Yes | iOS (18.1+) |
└─ Relay UUID RelayUUID The UUID of the relay to associate with the app. | string | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ Tap to Pay Screen Lock TapToPayScreenLock If `true`, the device automatically locks after every transaction that requires a customer's card PIN. If `false`, the user can choose the behavior. | boolean | optional | false | ✗No | |
└─ VPN UUID VPNUUID The UUID of the VPN to associate with the app. | string | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
App Config AppConfig A dictionary of app config data and credentials.
Available only in iOS and visionOS. 4 subkeys | dictionary | optional | — | ✓Yes | iOS (18.4+) |
└─ App/Extension Config Data Asset Reference DataAssetReference Specifies the identifier of an asset declaration containing a reference to the app or extension config data. The corresponding asset needs to be of type `com.apple.asset.data`. The referenced data needs to be a property list file, and the asset's "ContentType" value set to match the data type. | string | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ Password App/Extension Configs. Passwords Provides passwords to the managed app or extension. Each element in the array contains a password asset reference and an associated identifier which the app or extension uses to look up the password. 1 subkey | array | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ PasswordAppConfigItem PasswordAppConfigItem A dictionary of values associated with a credential config. 2 subkeys | dictionary | required | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ └─ Password Identifier Identifier The app or extension uses this identifier to fetch the corresponding password using the `ManagedApp` framework. App developers define the values for these identifiers. | string | required | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ └─ Asset Reference AssetReference Specifies the identifier of an asset declaration containing a username and password. The `ManagedApp` framework makes the password available to the app or extension. The `ManagedApp` framework ignores the username. | string | required | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ Identity App/Extension Configs. Identities Provides identities to the managed app or extension. Each element in the array contains an identity asset reference and an associated identifier which the app or extension uses to look up the identity. 1 subkey | array | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ IdentityAppConfigItem IdentityAppConfigItem A dictionary of values associated with a credential config. 2 subkeys | dictionary | required | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ └─ Identity Identifier Identifier The app or extension uses this identifier to fetch the corresponding identity using the `ManagedApp` framework. App developers define the values for these identifiers. | string | required | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ └─ Asset Reference AssetReference Specifies the identifier of an asset declaration containing an identity. | string | required | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ Certificate App/Extension Configs. Certificates Provides certificates to the managed app or extension. Each element in the array contains a certificate asset reference and an associated identifier which the app or extension uses to look up the certificate. 1 subkey | array | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ CertificateAppConfigItem CertificateAppConfigItem A dictionary of values associated with a credential config. 2 subkeys | dictionary | required | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ └─ Certificate Identifier Identifier The app or extension uses this identifier to fetch the corresponding certificate using the `ManagedApp` framework. App developers define the values for these identifiers. | string | required | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ └─ Asset Reference AssetReference Specifies the identifier of an asset declaration containing a certificate. | string | required | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
Extension Configs ExtensionConfigs A dictionary of extension config data and credentials.
Available only in iOS and visionOS. 1 subkey | dictionary | optional | — | ✓Yes | iOS (18.4+) |
└─ Extension Composed Identifier ANY A dictionary mapping extension composed identifiers to the extension config data and credentials. The expected format is "Identifier (TeamIdentifier)". 4 subkeys | dictionary | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ App/Extension Config Data Asset Reference DataAssetReference Specifies the identifier of an asset declaration containing a reference to the app or extension config data. The corresponding asset needs to be of type `com.apple.asset.data`. The referenced data needs to be a property list file, and the asset's "ContentType" value set to match the data type. | string | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ Password App/Extension Configs. Passwords Provides passwords to the managed app or extension. Each element in the array contains a password asset reference and an associated identifier which the app or extension uses to look up the password. 1 subkey | array | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ └─ PasswordAppConfigItem PasswordAppConfigItem A dictionary of values associated with a credential config. 2 subkeys | dictionary | required | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ └─ └─ [Structure continues recursively] ↻ This structure continues with 2 subkeys (deeply nested - 2 subkeys). See Apple's documentation for the complete structure. | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) | ||
└─ └─ Identity App/Extension Configs. Identities Provides identities to the managed app or extension. Each element in the array contains an identity asset reference and an associated identifier which the app or extension uses to look up the identity. 1 subkey | array | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ └─ IdentityAppConfigItem IdentityAppConfigItem A dictionary of values associated with a credential config. 2 subkeys | dictionary | required | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ └─ └─ [Structure continues recursively] ↻ This structure continues with 2 subkeys (deeply nested - 2 subkeys). See Apple's documentation for the complete structure. | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) | ||
└─ └─ Certificate App/Extension Configs. Certificates Provides certificates to the managed app or extension. Each element in the array contains a certificate asset reference and an associated identifier which the app or extension uses to look up the certificate. 1 subkey | array | optional | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ └─ CertificateAppConfigItem CertificateAppConfigItem A dictionary of values associated with a credential config. 2 subkeys | dictionary | required | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) |
└─ └─ └─ └─ [Structure continues recursively] ↻ This structure continues with 2 subkeys (deeply nested - 2 subkeys). See Apple's documentation for the complete structure. | — | ✓Yes | iOS (17.2+)macOS (26.0+)visionOS (2.4+) | ||
App Config MDMv1 Asset Reference LegacyAppConfigAssetReference The identifier of an asset declaration containing a reference to the app config data. The device provides the app config data to the app using the MDMv1 behavior. The corresponding asset needs to be of type `com.apple.asset.data`. The referenced data needs to be a property list file, and the asset's "ContentType"
value set to match the data type.
Available only in iOS and visionOS. | string | optional | — | ✓Yes | iOS (18.4+) |
