
Best Practice Guide for iOS App Management

Digital adoption accompanied by endpoint mobility has changed the fundamentals of the business ecosystem. In a highly competitive market, compromising your business velocity to stay traditional will cost you both your business and your clients. However, embracing a fully-fledged digital business strategy without encompassing a mobility management solution can be lethal. It may lead to data leaks, security threats and misuse of company resources.

Hexnode is a cross-platform Unified Endpoint Management tool that assists organizations across all disciplines with their endpoint and workspace management needs. Hexnode accelerates basic managerial processes like device onboarding and configuration, and streamlines the security and management of remotely deployed endpoints to drive business continuity and compliance.

Why app management?

Apps are an integral part of modern businesses. All businesses, irrespective of size or industry, use apps for their routine operations. Apps in the business ecosystem are electronic alternatives to the pen-and-paper approach. For example, an app saves the time and effort an employee spends on paperwork by letting them create an electronic data footprint directly, avoiding a separate manual pen-and-paper recording process. However, apps, if left unmanaged, can impact productivity and open a doorway to security threats. An endpoint mobility management solution like Hexnode UEM can be of assistance here. Hexnode delivers app management capabilities in addition to device, file and kiosk management capabilities for business and non-business organizations. The UEM houses a suite of app management configurations that help IT admins secure and manage public or proprietary organizational apps. Hexnode’s App Management includes the process of deploying, managing and monitoring apps and app data used for business operations.

Offering the right apps to the right users at the right time is one of the main challenges of an IT admin. Failure to do so will fatally impact the business operations. With Hexnode, you will never have to worry about manual app deployment and troubleshooting. Hexnode helps you see things more transparently –

Want to see all the apps installed on the device? By all means.

Which apps are managed by the organization? Easy, we will get you the list.

Want to block users from using non-approved apps? Sure, no worries!

The intricate management of the apps and data helps create a secure workspace for the employees with minimal productivity crises.

How does Hexnode handle app management?

App management covers app acquisition, installation, configuration, update, uninstallation, monitoring and more. Organizations use hundreds of apps to streamline their operations, ranging from simple Microsoft Office apps to complex purpose-specific apps. Organizations may use built-in apps like contacts and email alongside more sophisticated public and private apps to smooth their day-to-day operations. The IT admin can manage and monitor the apps on all devices using the Hexnode UEM.

Organizations can use the Hexnode app inventory as their corporate in-house app repository from where the IT admins can handle all their business-related apps. You can add system, store, web, in-house, VPP, public and private apps to the app inventory. You can either deploy these apps individually or can group them together and deploy them as a single suite of work apps to the required target entity.

During deployment, you can either provide a catalog of apps from which the users can choose the apps they require, or you can proceed to directly install them on the devices with Hexnode. The catalog feature facilitates a corporate app repository for the end-users from where they can install the apps that are approved for them by the organization. If you choose to directly install the apps to the devices, you can choose the Install Application action or the Required Apps policy. Actions are one-time remote commands that are instantaneously executed on the end devices. On the contrary, the policies remain associated with the device and offer follow-up services such as app updates and missing app reinstallation without additional admin inputs. Hexnode also installs apps on supervised iOS devices silently; that is, app installation and its updates require no assistance from the end-users. From the user’s perspective, this means that apps can automatically appear among the installed apps without even lifting a finger.

Further, you can customize the operations and behavior of your app with app configuration. It requires you to upload an XML file in which the configurations are defined. Once the file is attached to the app in the Hexnode app repository, it will automatically be sent along with the UEM app deployment command to the target devices. Note that if the configurations are added after deploying the app, they will be sent as separate management commands. In addition, you can set up an app-wise VPN for all apps built using the Cocoa framework. Moreover, you can streamline the compliance requirements of the organization by utilizing the app compliance clause, which marks a device as non-compliant if the organization-mandated apps are missing from it. You can also receive real-time alerts when devices fail to meet the compliance targets set by your organization.

If you do not want your users to access certain apps on the work devices, use the Blocklisting/Allowlisting policy in Hexnode. The blocklisting policy blocks access to those apps which are deemed unusable on the corporate devices, whereas allowlisting blocks access to all apps other than the allowlisted ones on the device. Web Content Filtering is also a similar feature in Hexnode, with which you can control the access to websites with the device browser.

Key Best Practices in app management

You may be able to manage your apps effectively without seeking assistance from endpoint or app management solutions. But have you considered the repercussions, say, how your IT operations impact the end-user experience and productivity? If this is not optimal or is not as you desired, an endpoint management solution like Hexnode can be of help. Hexnode helps you remotely manage and monitor your endpoints and put a secure mobile workspace in your employees' hands.


iOS devices can be enrolled in Hexnode via a number of ways, including ABM/ASM, Apple Configurator, and Safari browser enrollment. However, if you wish to manage apps (install/update/uninstall) silently, without any device interaction, go for an enrollment method that grants device supervision.

Apple Business/School Manager enrollment and enrollment involving Apple Configurator can generate a supervision identity for the device. However, you can go with the non-supervised enrollment techniques if you do not want to make the whole process silent.

Note that Store App and user-assigned VPP app installation will not be silent on supervised devices if some App Store, iTunes or content restrictions are set up on the device.


Deployment is the next thing that comes after setting up your app management policies. However, deployment planning has to be done at an earlier stage to reduce any troubles. Any managerial policies or actions in Hexnode can be associated with individual entities or a group. The available targeting options are users, devices, user groups, device groups and directory domains.

The organizational level policies can be easily delivered to all devices in the network by assigning them to a domain. Choose user/device assignment to deploy managerial commands specific to individual target entities.

If you want to deploy a particular group of apps to a specific group of individuals, the ideal choice for targeting would be a group assignment. For example, a set of educational apps for all students in class A, a suite of productivity apps for all specific department members, etc. Additionally, the smart grouping feature offers a dynamic array of devices whose member elements are updated in real-time with respect to their compliance with a set grouping criterion. This would help in easy target identification and is the best practice for app deployment. For instance, if you want to mandate per-app VPN on all devices outside the company building, create a dynamic group with geofencing criteria and associate the per-app VPN policy with the group.

App Inventory:

The Hexnode app inventory acts as the custom app repository for the organizations. The IT admins can add, remove, group, configure and deploy the required apps in the app inventory. In-house, web, enterprise, and VPP apps should be added to the app inventory for its management. Note that adding a store app to the app inventory is not mandatory if your sole requirement is deployment. However, the recommended best practice is to add all apps to the Hexnode app inventory before pushing it to the devices, as this would simplify app configuration and future management.

The VPP apps purchased (free or paid | public or private) from Apple Business/School Manager will be automatically added to the Hexnode app inventory via the VPP token sync. If you are a school planning to deploy apps to the students’ devices in bulk, plan and deploy the licenses before the commencement of the school season. This is usually a peak demand time, and VPP servers might take a long time to grant the licenses.

All VPP apps, including the free apps, are to be purchased for VPP deployment; while doing so, try to purchase only a few more licenses than the required number, even if the app is free. As the number of app licenses increases, the VPP servers might take a long time to sync, slowing down your operations.

A VPP app license can be assigned to a user or a device. Hexnode supports the VPP user assignment on devices running a version lower than iOS 9. On all iOS devices running v9 or above, the VPP licenses will be associated with the device’s serial number.

Apple’s App Store installs the store apps pushed to the devices via Hexnode. So, the app installation will be blocked if the App Store is blocked/hidden on the device. Also, to install an app via the App Store, an Apple ID should be signed in on the device. Whereas in the case of VPP apps, the app licenses will get assigned to the devices, and they will be directly installed without requiring an Apple ID. Also, license management is much easier with VPP. You can provision new licenses or revoke the already used licenses with a few simple clicks.

Almost every app that is used for work requires some kind of setup. Sometimes it is work account configuration, and sometimes it is blocking notifications on the lock screen. Configuring these settings manually means longer working hours, difficulty maintaining physical documentation and more. This is where AppConfig comes in: the IT admin can leverage this facility offered by the app developers to remotely set up the app with the help of an MDM. If the app supports remote configuration, you can use the app configuration feature to configure app-specific features that are not already supported by Hexnode.

Configuring app groups helps you better organize the apps. You can create groups to organize apps by their use, targeted audience, department, etc. Groups help to manage tasks at scale. For instance, if you want to deploy five apps to all devices owned by the marketing, sales and customer service teams, you can create a single app group hosting all five apps. Then add the app group as a required app in the corresponding policy associated with each department instead of individually adding these apps in the policy.

In addition to remotely configuring the settings of each app on the device, you can also decide how the apps display notifications on your iOS devices through the feature ‘App Notifications’.

If your requirement is to provide an in-house custom app store for the users from where they can install the organization-approved apps, then the app catalog is the right fit for you. You can add apps or app groups to the catalog. Note that if App Store is disabled, store apps added to the catalog cannot be installed on the device.

App deployment and update:

Apps can be deployed using Hexnode either through the Install Application action or the Required Apps policy. Continued management of the app is availed through the policy. This includes automatic app updates, app configuration updates, missing app compliance and more.

If you are deploying a large number of applications to several devices, there is a risk of network congestion. Stagger the app downloads to avoid network overload. For instance, instead of deploying apps to all devices at a time, create multiple device groups and deploy the apps to these groups at separate intervals of time. Alternatively, you can employ an app catalog as an efficient workaround for direct app deployment. This allows users to install apps at their discretion, bypassing the need to deploy all apps to all devices simultaneously.

App installation and update will be silent on supervised devices. On non-supervised devices, the user will be prompted to permit the app install or update. Note that Store and VPP app updates are not silent in kiosk mode.

Apart from apps, you can also add certain websites as web clips on iOS devices. Web clips are shortcuts to web links that appear as app icons on the device’s home page. When opened, the website opens in the browser. Apart from websites, you can add PDFs, video files, email addresses, contacts, YouTube links, locations, etc., as web clips.

App Removal:

All managed apps on the iOS device can be remotely uninstalled using the UEM. A managed app is an app that can be managed and controlled by the organization. All apps installed via the UEM are automatically managed. You can uninstall individual apps from the Applications sub-tab inside the device details page of each enrolled device.

To remove a VPP app from the device, you can revoke the app license assigned to the device via Hexnode. Note that if you are revoking the app license, make sure to give sufficient notice to the users about the app removal.

If the apps to be removed were installed on the device via a Required Apps policy in which the option “Remove apps from the device on policy removal” is enabled, they will be automatically uninstalled when you remove the apps from the policy/Hexnode, delete the policy or disassociate the policy from the device. It is recommended to check the option “Remove apps from the device on policy removal” if you need work apps removed from the device once you stop managing it.

App Compliance:

It is a common practice to set up app compliance for an organization. With the compliance configurations in Hexnode, a device is marked as non-compliant when it fails to fulfill the compliance standards set by the organization. Additionally, admins can choose to send alerts to the concerned parties. These alerts will be automatically triggered upon device non-compliance and will be sent via email.

App Reporting:

Consolidated application reports will be automatically generated in the Hexnode portal and will be available for download to the admins. In addition, periodic reports can be scheduled to be sent to the required personnel at specific intervals. The application reports in Hexnode include all the applications installed on the end users' devices (both MDM-mandated and user-installed) and the most popular apps (those installed on the largest number of devices) among your employees. You can also see the complete list of apps installed on each device by navigating to the Manage > Device > device name > Application tab.

Web content filtering:

Web content filtering for iOS enables you to block or grant access to specific websites on the Safari browser. While setting up the policy, make sure to enter valid URLs starting with “http://” or “https://”. Also, note that a given website may have different versions (for instance: mobile and desktop versions) and therefore have separate URLs; add each URL to the list to block or grant access. Additionally, the redirected URLs of a blocklisted website might not get blocked on the device, so make sure to blocklist all URLs, including the redirected URLs, to block complete access.
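The three checks described above (the http/https prefix, separate mobile and desktop URLs, and redirect targets) can be run over a draft blocklist before it is entered into the policy. The following is an added example, not Hexnode code: the function names, the list of variant prefixes and the sample URLs are assumptions, and the redirect map is one the admin collects beforehand.

```python
from urllib.parse import urlsplit

# Host prefixes that commonly separate mobile and desktop versions of a site.
# Assumption for this example; extend it for the sites you filter.
VARIANT_PREFIXES = ("www.", "m.", "mobile.")


def base_host(host):
    """Strip a known variant prefix so www.example.com and m.example.com group together."""
    for prefix in VARIANT_PREFIXES:
        if host.startswith(prefix):
            return host[len(prefix):]
    return host


def audit_blocklist(entries, redirects=None):
    """Return (valid_urls, findings) for a draft web content filtering blocklist.

    entries   -- URL strings as they would be typed into the policy
    redirects -- optional {url: final_url} map collected by the admin beforehand
    """
    redirects = redirects or {}
    valid, findings = [], []
    for raw in entries:
        url = raw.strip()
        parts = urlsplit(url)
        # The policy expects URLs that start with http:// or https://.
        if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
            findings.append(("invalid-url", raw))
            continue
        valid.append(url)

    listed_hosts = {urlsplit(u).hostname.lower() for u in valid}
    # Mobile and desktop versions have separate URLs: list variants to review.
    for base in sorted({base_host(h) for h in listed_hosts}):
        candidates = [base] + [p + base for p in VARIANT_PREFIXES]
        missing = [c for c in candidates if c not in listed_hosts]
        if missing:
            findings.append(("unlisted-variants", base, missing))
    # The redirect target of a blocklisted URL has to be blocklisted as well.
    for url in valid:
        target = redirects.get(url)
        if target and (urlsplit(target).hostname or "").lower() not in listed_hosts:
            findings.append(("redirect-not-listed", url, target))
    return valid, findings


# Constructed sample input (not real policy data).
SAMPLE = ["https://www.example.com", "example.org", "http://m.example.net"]
SAMPLE_REDIRECTS = {"https://www.example.com": "https://example-cdn.test/home"}

if __name__ == "__main__":
    for finding in audit_blocklist(SAMPLE, SAMPLE_REDIRECTS)[1]:
        print(finding)
```

The "unlisted-variants" findings are candidates to review, not confirmed hosts; a variant that does not exist for a site can be ignored.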

Network restrictions for apps:

Mobile application management in Hexnode can also be used in conjunction with the Network usage rules to restrain cellular data usage or data usage on roaming for certain applications on your target devices. This helps to manage app data usage on cellular data networks and control the employee data allowances.

Wrap Up

App management in Hexnode helps organizations deliver the right apps to the end-users without any hassle. Furthermore, app management, if efficiently handled, can enhance productivity and reduce security concerns. Hexnode helps your organization deliver the right apps to the right devices at the right time. The enterprise integrations with ABM and ASM make bulk app purchases and distribution a piece of cake.

This guide is meant to provide guidance on the best practices of iOS app deployment and, therefore, might not cover all probable use-cases and features.
