
Apple Managed App Control Policy (iOS & iPadOS)


The Apple Managed App Control Policy in Swif lets you control how data moves between:

  • Managed apps: Company-managed apps and accounts (deployed/configured by Swif MDM)

  • Unmanaged apps: Personal apps and accounts on the same device

This helps you prevent corporate data from leaking into personal apps, while still protecting employee privacy on BYOD devices.


Policy overview

  • Policy name in Swif: Apple Managed App Control Policy

  • Purpose:
    Control how managed apps can open documents, share data, and access contacts relative to unmanaged apps, and whether the Files app can connect to network drives.

  • Supported platforms:

    • iOS 7+

    • iPadOS 7+

  • Ownership types:

    • Company-owned devices

    • BYOD (personally-owned) devices

On BYOD, this policy is especially useful to confine work data to work apps while leaving personal apps and data unaffected.


Key settings and what they do

Below are the fields you’ll see when configuring the Apple Managed App Control Policy in Swif, with plain-language explanations and recommended use cases.


1. Allow Files Network Drive Access

Field name (internal): allowFilesNetworkDriveAccess
Minimum OS: iOS 7+, iPadOS 7+

What it controls
Controls whether users can connect to network drives from the Files app.

  • If set to true (allowed):
    Users can connect to network drives (for example, SMB shares) in the Files app.

  • If set to false (blocked):
    The system prevents connecting to network drives via the Files app.

When to allow it

  • Employees need to access on-prem file servers or network shares from iPhone/iPad.

  • You have proper access controls in place on the file servers.

When to block it

  • High-security environments where network drive access from mobile devices is not allowed.

  • You want to keep all corporate files inside specific managed apps (e.g., a managed file browser or DLP-enabled app) rather than system-level Files access.


2. Allow Open From Managed To Unmanaged

Field name (internal): allowOpenFromManagedToUnmanaged
Minimum OS: macOS 10.14+, iOS 12+, iPadOS 12+

What it controls
Controls whether documents in company-managed apps can be opened in personal (unmanaged) apps.

Think of this as: “Can work data leave managed apps?”

  • If set to true (allowed):
    Users can open work documents from managed apps (for example, a managed mail or file app) in personal apps like personal PDF viewers or note apps.

    • Corporate data can move into unmanaged apps.

  • If set to false (blocked):
    Documents in company-managed apps cannot be opened in personal apps.

    • Corporate data stays inside the managed app ecosystem.

Recommended setting

  • Most organizations should set this to false to prevent data exfiltration.

  • Only set to true if:

    • You have low data sensitivity, and

    • You explicitly want users to be able to use any personal app to open work files.

Important: If you set this to true, the two contact-related restrictions (settings 4 and 5 below) no longer have any effect, because Apple then treats data as already allowed to cross the managed/unmanaged boundary.


3. Allow Open From Unmanaged To Managed

Field name (internal): allowOpenFromUnmanagedToManaged
Minimum OS: iOS 9+, iPadOS 9+

What it controls
Controls whether documents in personal (unmanaged) apps can be opened in company-managed apps.

Think of this as: “Can personal data move into managed apps?”

  • If set to true (allowed):
    Users can open files originating from personal apps (e.g., personal email, personal cloud storage) in managed apps.

  • If set to false (blocked):
    Documents in personal apps cannot be opened in company-managed apps.

    • Personal data stays in personal apps only.

Why you might allow it

  • To let users bring personal documents into managed apps for editing or sharing within corporate systems.

  • When privacy rules require a clear separation but do not forbid personal → work flow.

Why you might block it

  • To keep corporate apps and their storage strictly for work-only data.

  • To avoid mixing personal content into corporate backups, logging, or retention systems.

Common pattern

  • Many organizations block managed → unmanaged (to protect corporate data)
    but allow unmanaged → managed (so users can move personal content into work when needed).


4. Allow Managed To Write Unmanaged Contacts

Field name (internal): allowManagedToWriteUnmanagedContacts
Minimum OS: iOS 9+, iPadOS 9+

What it controls
Controls whether managed apps are allowed to write contacts into unmanaged (personal) contacts accounts on the device.

  • If set to true (allowed):
    Managed apps can save or sync contacts into personal contact accounts (e.g., iCloud personal contacts).

  • If set to false (blocked):
    Managed apps cannot write contacts to personal accounts; contacts must remain in managed contact accounts only.

Important interaction

If allowOpenFromManagedToUnmanaged is true, this restriction has no effect.
In other words, if you already allow managed data into unmanaged apps, Apple does not enforce this contacts separation.

When to allow it

  • You want employees to see work contacts in their personal phonebook (caller ID convenience).

  • Your risk tolerance allows corporate contact data to live in personal accounts.

When to block it

  • You want strict separation of corporate contacts from personal address books.

  • Regulatory/compliance requirements forbid copying corporate contacts into unmanaged systems (e.g., personal iCloud).

Typical secure configuration

  • allowOpenFromManagedToUnmanaged = false

  • allowManagedToWriteUnmanagedContacts = false

This keeps work contacts fully contained within managed accounts/apps.


5. Allow Unmanaged To Read Managed Contacts

Field name (internal): allowUnmanagedToReadManagedContacts
Minimum OS: iOS 9+, iPadOS 9+

What it controls
Controls whether personal (unmanaged) apps are allowed to read contacts from managed contacts accounts.

  • If set to true (allowed):
    Unmanaged apps can access managed contacts. This could, for example, let a personal messaging app read corporate contacts.

  • If set to false (blocked):
    Unmanaged apps cannot read managed contacts. Corporate contacts remain visible only to managed apps.

Important interaction

If allowOpenFromManagedToUnmanaged is true, this restriction has no effect (Apple considers the data boundary already relaxed).

When to allow it

  • Very flexible environments where it’s acceptable for personal apps to see corporate contacts for usability reasons.

  • Scenarios where employees rely heavily on personal communication apps even for some work interactions.

When to block it

  • Security-focused environments where no personal app should be able to read corporate contact data.

  • To comply with data protection policies limiting access to customer/employee contact lists.

Typical secure configuration

  • allowOpenFromManagedToUnmanaged = false

  • allowUnmanagedToReadManagedContacts = false

This ensures personal apps cannot read or store managed contacts.


Example recommended configurations

Below are example “profiles” you can aim for when setting this policy in Swif.

A. Strong data loss prevention (DLP) for corporate data

  • Allow Files Network Drive Access: depends on your file server policy

  • Allow Open From Managed To Unmanaged: false

  • Allow Open From Unmanaged To Managed: true or false (your choice)

  • Allow Managed To Write Unmanaged Contacts: false

  • Allow Unmanaged To Read Managed Contacts: false

Outcome:

  • Corporate data stays within managed apps and managed accounts.

  • Contacts are fully contained in managed stores.

  • You can optionally allow personal → work document flow if you want.


B. Balanced BYOD experience (more flexibility, some protection)

  • Allow Files Network Drive Access: true

  • Allow Open From Managed To Unmanaged: false

  • Allow Open From Unmanaged To Managed: true

  • Allow Managed To Write Unmanaged Contacts: true (if allowed by policy)

  • Allow Unmanaged To Read Managed Contacts: false

Outcome:

  • Work data cannot freely leak into arbitrary personal apps.

  • Users can still move personal docs into work apps.

  • Work apps can write contacts into personal address books (for caller ID), but unmanaged apps cannot directly read corporate contact stores.


How this works with Swif MDM

When you assign the Apple Managed App Control Policy to a device or group:

  • Swif pushes an Apple configuration to the device that:

    • Classifies apps/accounts as managed or unmanaged

    • Enforces the data flow rules you configured

  • On company-owned devices, this can define strict corporate boundaries across the entire device.

  • On BYOD devices, it focuses on keeping corporate data inside the managed work container (managed apps and accounts), while respecting user privacy for personal apps.
