Lock an iOS device to an App using ZENworks


App Lock / Kiosk Mode / Single App Mode for mobile devices

Recently during a discussion on ZENworks 2017, many of our customers asked for an ability through which IT admins can lock down a mobile device (generally an iPad) to a single app. On further discussion, many use cases surfaced for this. Some of them are:

    • In schools/colleges during an examination, IT administrators are looking to lock down the tablets to a specific testing app. In another use case, in classrooms teachers want the students to be locked to a particular app (Say - Apple Schoolwork) during class lectures.
    • In retail industry, retail stores want to provide tablets to their employees for faster checkout and want it locked only to a particular App. Also, some retail stores want to set up tablets used for customer demos, which would be locked to a single app.
    • In health care, sometimes tablets used by doctors / nurses need to run only a specific app.
    • In trade shows where one may want to have hands on tablets locked to an app used for customer demos.

The more I discussed this, more use cases came to fore. As you are aware ZENworks 2017 provides a great way to manage your mobile devices. From first look, it seems that it is not possible to fulfill the above mentioned use cases with ZENworks 2017. However, if you look closely, ZENworks 2017 packages a powerful way to fulfill such use cases and many others.

iOS Profile Bundle in ZENworks 2017

In ZENworks 2017, you can create a special type of bundle called 'iOS Profile Bundle'. Using this bundle, you can deploy any configuration profile generated using Apple Configurator to iOS devices managed by ZENworks. And as you may have already guessed, one of these configuration profiles allows the devices to be locked to a single app.

In the past, when I have explained this capability to our customers, one of the responses is that being a Windows shop, people don't have access to a mac and thus to Apple Configurator (Some years ago, there used to be a Windows version of Apple Configurator, but it has been discontinued since then). So if you belong to one of such organizations, this cool solution contains a profile which you should be able to use with minor modifications.


There are a few pre-requisites you should meet:

    • You should be using ZENworks 2017 or later.
    • You can only apply App lock profile to a 'Supervised' iOS Device. You can check if device is 'Supervised' or not in Device info page of the device.
    • Also, the App you are planning to lock the device to, should already be installed on it.

App Lock Profile

Before we go ahead and create a bundle and deploy it, let's quickly examine the profile itself. The attached profile has been generated using Apple Configurator and can be used with very minor changes (as explained below). Extract the zip and the included file can be opened in any text editor. This profile has many parts, but I'll limit myself to things you should change. There are 2 sections you should consider changing:

    • App Information - The following is the section which determines which App device would be locked to:


      In the above example, the device would be locked to the app having the bundle identifier 'com.google.chrome.ios', which corresponds to the Google Chrome app. You can change this to bundle identifier of the app you are looking to lock the device to. This bundle identifier should not be confused with bundle name/GUID with-in ZENworks. This bundle identifier corresponds to an app's unique identity on App Store.

      Looking up bundle identifier - With the upcoming Update 3, you can create a bundle for the app with-in ZENworks and go to the bundle summary page, where this bundle identifier would be visible.

      If you don't feel like waiting for ZENworks 2017 Update 3, you can follow the steps mentioned in this link to retrieve the bundle identifier for the app of your choice.
    • Device Options - These options govern the device behavior and in what ways a user can interact with the device when it is locked to single app:


      In the above example, by specifying a <true/> value for DisableVolumeButtons, volume buttons on the device would be disabled. Similarly other values can be toggled. More detailed documentation on individual options can be found here. You can search for 'App Lock' in the pdf.

Creating an iOS Profile Bundle

Once you have your profile ready, it is a simple process to create an iOS Profile Bundle.

  1. In ZCC, launch the New Bundle wizard.
  2. Select Bundle Type as iOS Bundle, Bundle Category as iOS Profile
  3. In next page, provide Bundle Details
  4. On next page, upload the profile you have just edited
  5. Save the bundle
  6. At this point, you can publish this bundle just like any other ZENworks bundle and upon installation, it would lock the device to app you have specified.

Using System Variables

In some scenarios, you may want a different app for a different set of devices. In such cases, instead of using multiple bundles, you can create a single bundle and use ZENworks system variables to lock the device to an app. You can use a variable name like - say ${AppName} in place of com.google.chrome.ios in the profile. Then for a set of devices you can define a variable 'AppName' with the appropriate bundle identifier. ZENworks would resolve the variable and substitute it with the correct app identifier before deploying the profile.


With iOS profile bundle, ZENworks 2017 packages a powerful way to fulfill some of the most used cases for iOS devices. Locking a device to an app is one of many things you can accomplish. Using iOS profile bundles, it is possible to deploy certificates, VPN Configurations, Wi-Fi configurations, amongst other things, to devices.


How To-Best Practice
Comment List