App management is one of the most complex tasks for IT administrators, especially if the organization has a mobile-first workforce. Such a workforce brings a new problem: non-compliant apps installed on the devices. Non-compliant apps are apps not distributed via MDM, while the corporate apps distributed via MDM are managed apps. The IT administrator must ensure that non-compliant apps do not access or share corporate data. Though there are several ways of achieving this using profiles, the optimal solution is app blocklisting.
App blocklisting lets you select non-compliant apps and ensure that they are removed if already installed and prevented from being installed in the future. On eligible devices, you can choose to either remove the apps instantly or notify the users and then remove them. On other devices, you can notify the users about the blocklisted apps.
Devices on which you can remove the apps automatically without user intervention are Eligible Devices. The list of devices is provided below:
| Platform | Requirement |
|---|---|
| iOS | Device must be Supervised and running version 9.3 or later. |
| Android | Device must be a Samsung device or must be provisioned as Profile Owner/Device Owner. |
| Windows | Device must be running Windows 10 or later. |
Blocklisting apps on the server
The advantage of MDM's app blocklisting is that it lets you manage not only user-installed apps but also apps pre-installed on the device. It also lets you send multiple mailers to device users regarding the blocklisted apps present on their devices. You can also integrate with ServiceDesk Plus (SDP) so that Blocklist app alerts are raised as tickets in the SDP portal.
- Device administrator apps present on the devices cannot be blocklisted.
- If apps like the Huawei app are blocklisted, the system update option will not be shown on the device, as this app has a different package for system apps.
Understanding the Blocklist dashboard/settings
The Blocklist dashboard is the centralized location providing granular details regarding the blocklisted apps - right from the devices with a particular app to the list of blocklisted apps installed on a device. The dashboard data is populated based on the settings configured for the same. The high-level data view also provides you with the following:
| Metric | Description |
|---|---|
| Discovered Apps | All the apps present on the device but not managed by MDM. This count is dependent on the Blocklist settings configured. |
| Managed Apps | Number of apps managed by MDM. |
| Blocklisted Apps | Number of apps blocklisted using MDM. |
| Devices with blocklisted Apps | Number of devices having at least one blocklisted app installed. |
Blocklist apps across the organization
If your organization is worried about the installation of malicious apps, you would want to disable them across the organization. You can do so by selecting an app or a set of apps and then blocklisting them for all managed devices. Any device enrolled after the app has been blocklisted also has the app automatically blocklisted.
Blocklist apps on specific devices/groups
In case you want to restrict non-compliant apps for all the contract employees, you can do so by choosing to Blocklist the apps only for the group containing the contract employees. Similarly, if you do not have a group of contract employees and they are present in multiple groups, you can choose to Blocklist the apps for specific devices as well.
Procedure to Blocklist apps
- On the MDM server, select Inventory from the top menu and select Apps from the left pane.
- You are shown the discovered apps view. To configure Blocklist settings, click on the Settings tab.
- Here, you can specify the types of apps you want to manage. MDM lets you manage pre-installed apps (only for Android and Windows), user-installed apps and MDM-installed apps.
- The next step is to configure the action to be taken on identifying blocklisted apps on devices. You can choose to uninstall the apps instantly, notify users and then instantly uninstall, or just notify the users. The first two options are applicable only for eligible devices. For other devices, even if these two options are selected, the apps are not removed but the users are notified. Additionally, selecting either of the first two options prevents users from even installing the blocklisted apps. If you choose the option to just notify, you also need to provide the duration for which the mails are to be sent to the users, with a mail sent on a daily basis.
- Once done, click on Save to save the configured Blocklist settings. After saving, the Discovered Apps count shown at the top may change based on the settings configured.
- Click on the Devices tab to know device-level details of the apps installed, blocklisted apps and non-blocklisted apps.
- To Blocklist a particular app, click on the Discovered Apps tab. Either click on the ellipsis icon present under Action and click on Blocklist -> All devices or specific groups/devices, or select the checkbox next to the app, click on the Blocklist App button and then select All devices or specific groups/devices. To Blocklist multiple apps at once, select all the apps and follow the latter process. When you select groups, all the devices in the group have the app blocklisted as and when they are added to the group.
- Any app completely blocklisted has a red icon next to it, while a partially blocklisted app has a yellow icon next to it. For example, if there are 10 devices and the app is blocklisted on every one of them, it is completely blocklisted. If it is blocklisted on only a few devices, it is considered partially blocklisted.
- To remove an app from a Blocklist, select the app(s) and click on Remove from Blocklist. For example, if you have blocklisted an app for five groups, you can choose to remove the app from Blocklist only for three groups, while it continues to be blocklisted on the other groups.
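The interaction between the configured action and device eligibility can be checked before rollout. The following is an added example, not ManageEngine code: it applies the eligibility requirements from this page and the rule that removal options fall back to notification on non-eligible devices, then lists the devices where a requested removal will not take place. The `Device` fields, action labels and inventory are constructed for illustration and do not correspond to any MDM API.

```python
from dataclasses import dataclass

# Hypothetical labels for the three actions offered in the Blocklist settings.
UNINSTALL, NOTIFY_THEN_UNINSTALL, NOTIFY_ONLY = "uninstall", "notify_then_uninstall", "notify_only"

@dataclass
class Device:
    name: str
    platform: str               # "ios", "android" or "windows"
    os_version: tuple           # e.g. (9, 3)
    supervised: bool = False    # iOS only
    samsung: bool = False       # Android only
    owner_mode: bool = False    # Android Profile Owner / Device Owner

def is_eligible(d: Device) -> bool:
    """Eligibility for removal without user intervention, per this page."""
    if d.platform == "ios":
        return d.supervised and d.os_version >= (9, 3)
    if d.platform == "android":
        return d.samsung or d.owner_mode
    if d.platform == "windows":
        return d.os_version >= (10,)
    return False

def effective_action(d: Device, configured: str) -> str:
    """Removal options degrade to notification on non-eligible devices."""
    if configured == NOTIFY_ONLY or not is_eligible(d):
        return NOTIFY_ONLY
    return configured

def enforcement_gap(devices, configured):
    """Names of devices where removal was requested but users are only notified."""
    if configured == NOTIFY_ONLY:
        return []
    return [d.name for d in devices if effective_action(d, configured) == NOTIFY_ONLY]

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("iphone-corp", "ios", (15, 0), supervised=True),
    Device("iphone-byod", "ios", (15, 0)),
    Device("ipad-old", "ios", (9, 2), supervised=True),
    Device("galaxy-01", "android", (12,), samsung=True),
    Device("pixel-do", "android", (13,), owner_mode=True),
    Device("pixel-legacy", "android", (11,)),
    Device("laptop-07", "windows", (10, 0)),
]

if __name__ == "__main__":
    print("notify-only despite removal setting:", enforcement_gap(INVENTORY, UNINSTALL))
```

Devices in the returned list keep the blocklisted app until the user removes it, so they are the ones to follow up on through the notification mails or SDP tickets.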
Points to Note
- If a device is moved from one group to another, the blocklisted apps corresponding to the new group are automatically associated with the device and the blocklisted apps corresponding to the older group are removed if need be. Also, you cannot Blocklist the ME MDM app, and in the case of iOS devices, you cannot disable the Phone app either.
- Critical apps such as Google Play Services, Settings, and System UI should not be blocklisted, as this might affect the functionality of other features.
- Apps with Device Administration privileges cannot be remotely uninstalled.