iOS Alternative App Stores? Not on My Supervised Devices!

The world of iOS app distribution is experiencing a shakeup, particularly in the European Union (EU). With the recent changes in iOS 17.4, users in the EU now have the ability to download and install alternative app stores on their iPhones and iPads. These app stores operate independently of the official Apple App Store, offering users a potentially wider range of app choices.

This change stems from the EU's Digital Markets Act (DMA) regulations, aimed at fostering fairer competition in the digital market. The DMA specifically targets large gatekeepers like Apple, requiring them to open their platforms to alternative app stores and loosen their control over app distribution.

While this change brings new possibilities for individual users, it raises significant concerns for organizations managing supervised iOS devices. Let's delve deeper into the potential risks and explore strategies to maintain control over your supervised device ecosystem.

The Looming Risks of Alternative App Stores on Supervised Devices

While the ability to explore alternative app stores might seem appealing to some users, it introduces several security and management challenges at enterprise level for managing supervised iOS devices. Here's why you should tread carefully:

1. Compromised Security:

• Unvetted Apps: Unlike the rigorously reviewed apps on the App Store, alternative stores might have less stringent vetting processes. This increases the risk of malicious apps infiltrating your device ecosystem, potentially compromising sensitive data and disrupting functionality.
• Side-loading Vulnerabilities: Supervised devices often restrict "sideloading" (installing apps from outside the App Store). Allowing alternative app stores potentially opens doors for bypassing these security measures, exposing devices to vulnerabilities and malware attacks.

2. Loss of Management Control:

• Bypassing App Policies: At enterprise level, you often implement whitelisting or blacklisting policies to control which apps can be installed on supervised devices. Allowing alternative app stores could render these policies ineffective, making it harder to enforce compliance and maintain control over the apps on your devices.
• Increased Management Complexity: With multiple app sources, managing device security and app installations becomes more complex. Organizations might need to adjust their Mobile Device Management (MDM) strategies and potentially invest in additional tools to effectively monitor and manage apps from alternative stores.

3. Compliance Concerns:

• Policy Violations: Allowing access to alternative app stores could potentially violate pre-existing policies and compliance requirements within your enterprise, especially those related to data security and app management.
• Regulatory Risks: Depending on your industry and regulations, allowing app installations from untrusted sources might pose additional compliance challenges regarding data security and user privacy.

Strategies to Fortify Your Supervised Device Ecosystem

The good news is that you have options to mitigate the risks associated with alternative app stores and maintain control over your supervised iOS devices. Here are some key strategies to consider:

1. Leverage MDM Capabilities:

• App Whitelisting and Blacklisting: Utilize your Mobile Device Management (MDM) solution to create comprehensive app whitelisting and blacklisting policies. This allows you to specify which apps are authorized for installation on your devices, effectively blocking unauthorized apps from both the App Store and alternative stores.
• App Distribution and Updates: Consider leveraging your MDM solution for secure app distribution and updates. This allows you to distribute pre-approved apps from a trusted source and manage updates centrally, ensuring devices only run authorized and secure app versions.

2. User Education and Awareness:

• Educate Users: Inform your users about the potential risks associated with downloading and installing apps from untrusted sources, including alternative app stores. This helps them understand the importance of adhering to your organization's app policies and avoiding unauthorized app installations.
• Clear Communication: Clearly communicate your organization's policies regarding app installations and the consequences of violating them. This reinforces the seriousness of the matter and encourages responsible device usage.

3. Continuous Monitoring and Evaluation:

• Regular Monitoring: Regularly monitor your supervised devices for unauthorized app installations using your MDM solution. This allows you to identify and address any potential security breaches promptly.
• Stay Informed: Keep yourself informed about the evolving landscape of alternative app stores and any potential security vulnerabilities associated with them. This allows you to proactively adapt your security measures and stay ahead of emerging threats.

4. Consider Alternative Approaches:

• App Distribution Alternatives: Explore alternative app distribution methods like private app stores or direct app deployment through MDM. These options allow you to distribute pre-approved apps securely within your organization, maintaining control over the app ecosystem without relying on the App Store.
• Consult with Security Experts: If you have complex compliance requirements or manage a large fleet of devices, consider consulting with security experts to develop a comprehensive strategy tailored to your specific needs and risk profile.

Enforcing Restrictions Using Intune

While the ability to block installation of alternative marketplace apps will be soon shipped with Microsoft Intune. You can still achieve this using a custom configuration profile (.mobileconfig) file to test it out.

• Sign in to the Microsoft Intune admin center.
• Select Devices -> iOS -> Configuration ->New Policy -> Create.

• Profile type -> Select Custom -> Select Create.

• In Basics, type the profile name & description
• Custom configuration profile name -> Enter a name for the policy
• Configuration profile file -> Browse to the configuration profile you created 

You can use the below xml file to prevent installation of alternative marketplace apps from the web and prevents any installed alternative marketplace apps from installing apps.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadIdentifier</key>
			<string>com.apple.applicationaccess.48963245-1DAE-8E53-0652-1AE00S0123Z01</string>
			<key>PayloadType</key>
			<string>com.apple.applicationaccess</string>
			<key>PayloadUUID</key>
			<string>30682134-6CEB-4B98-8950-6CC54F244C05</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>allowMarketplaceAppInstallation</key>
			<false/>
			<key>ratingRegion</key>
			<string>NL</string>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>DMA Restrictions</string>
	<key>PayloadIdentifier</key>
	<string>com.IRL.Alt Marketplace Restrictions</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>89Z13C98-02Y6-2468-7J5K-6F69D2H087HG</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Let's Verify

Conclusion

In conclusion, the advent of iOS 17.4 and the introduction of alternative app stores represent a significant pivot in the landscape of app distribution for users in the European Union. While this move heralds a new era of choice and flexibility, it simultaneously underscores a vital need for vigilance and proactive management in safeguarding supervised iOS devices within organizational environments.

The path forward is one of cautious optimism, armed with the knowledge and tools to navigate the complexities of this new digital landscape.