Restriction key for blocking third-party app marketplaces
Introduction
The recent Apple iOS 17.4 update introduces third-party app marketplaces within the EU, offering alternatives to the Apple App Store and changing the app distribution landscape.
Restriction key (MDM)
In iOS 17.4, Apple introduces the allowMarketplaceAppInstallation restriction key, which lets administrators block third-party app marketplaces on supervised devices. This is particularly relevant for maintaining security and compliance on devices managed through MDM solutions. The restriction applies only to devices under supervision, where the organization has tighter control over the installation of apps from sources outside the traditional Apple App Store.
VMware Workspace ONE UEM
The new key will be available in the Restrictions profile interface in the next Workspace ONE UEM release, under Profiles > Restrictions > Device Functionality > “Allow app installation from alternative marketplaces”.
Enforce restriction using Intune
To implement the restrictions for third-party app marketplaces using Microsoft Intune:
- Sign in to the Microsoft Intune admin center.
- Navigate through Devices -> iOS/iPadOS -> Configuration Profiles.
- Create a new custom profile.
- Fill in the profile details and upload the following XML configuration, which sets allowMarketplaceAppInstallation to false.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <!-- Restrictions payload that carries the marketplace block -->
        <dict>
            <!-- The inner payload gets its own identifier and UUID, distinct from the profile's -->
            <key>PayloadIdentifier</key>
            <string>com.example.restrictions.marketplaceBlock.applicationaccess</string>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess</string>
            <!-- Constructed sample UUID; generate your own, for example with uuidgen -->
            <key>PayloadUUID</key>
            <string>11111111-2222-4333-8444-555555555555</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <!-- false blocks app installation from alternative marketplaces (supervised devices only) -->
            <key>allowMarketplaceAppInstallation</key>
            <false/>
            <key>ratingRegion</key>
            <string>NL</string>
        </dict>
    </array>
    <!-- Top-level profile keys -->
    <key>PayloadDisplayName</key>
    <string>DMA Restrictions for MDM devices</string>
    <key>PayloadIdentifier</key>
    <string>com.example.restrictions.marketplaceBlock</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>d6976a16-f567-46fe-87a4-bb8a68d45d40</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
- Assign the profile to relevant devices.
This process will help ensure that devices are protected from unauthorized app installations from third-party marketplaces.
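Before uploading a custom profile, it is worth checking that it actually carries the restriction. The following is an added example, not part of the original article or of any MDM product: the function name check_marketplace_block and the sample profile with its placeholder UUIDs are constructed for illustration. It parses the profile with Python's plistlib and reports a missing or non-boolean allowMarketplaceAppInstallation value and a reused PayloadUUID.

```python
import plistlib

# Constructed sample profile (placeholder UUIDs), trimmed to the keys the check reads.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadUUID</key><string>11111111-1111-4111-8111-111111111111</string>
      <key>allowMarketplaceAppInstallation</key><false/>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>22222222-2222-4222-8222-222222222222</string>
</dict>
</plist>"""

RESTRICTIONS_TYPE = "com.apple.applicationaccess"
KEY = "allowMarketplaceAppInstallation"

def check_marketplace_block(profile_bytes):
    """Return a list of problems; an empty list means the block is present."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:  # malformed XML or not a property list
        return [f"not a valid plist: {exc}"]
    if not isinstance(profile, dict):
        return ["top-level plist object is not a dict"]
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType is not 'Configuration'")
    payloads = [p for p in profile.get("PayloadContent") or [] if isinstance(p, dict)]
    restrictions = [p for p in payloads if p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not restrictions:
        problems.append(f"no {RESTRICTIONS_TYPE} payload found")
    for payload in restrictions:
        value = payload.get(KEY)
        if value is None:
            problems.append(f"{KEY} is missing, so the restriction is not set")
        elif value is not False:  # <true/>, or a string such as "false"
            problems.append(f"{KEY} is {value!r}, expected boolean <false/>")
    # Every payload, including the top-level profile, needs its own PayloadUUID.
    uuids = [p.get("PayloadUUID") for p in [profile, *payloads]]
    if None in uuids or len(set(uuids)) != len(uuids):
        problems.append("missing or duplicate PayloadUUID")
    return problems
```

To check a real file, pass its contents: check_marketplace_block(open(path, "rb").read()).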
Conclusion
Blocking alternative app marketplaces is essential for maintaining a secure and controlled mobile device environment.