Configuring Mobile Device Management (MDM) for Corporate Mobile Apps
MDM is not "install antivirus on a phone". It's a device management protocol controlled from a server that allows forced app installation, security policy enforcement, data deletion, and configuration control without user involvement. For a corporate mobile app, MDM integration is the difference between "employee can uninstall the app" and "app is always present on fleet devices".
Apple MDM Protocol and Managed Devices
Apple MDM is built on a push-pull protocol: the MDM server sends a push notification via APNs (MDM topic), the device pulls the pending command from the server, executes it, and sends the result back. All commands and responses are XML plists over HTTPS.
For a device to become managed:
- Supervised mode via Apple Configurator 2 or ABM (Apple Business Manager): maximum control. Only Supervised devices support app deletion blocking, Silent Install without user consent, and Single App Mode.
- User Enrollment (iOS 13+): the device belongs to the employee (BYOD), and MDM manages only the Managed Apple ID zone. Apps can be force-installed into the managed space; personal data stays inaccessible.
For a corporate app on a managed device, the key MDM commands are:
| Command | Description |
|---|---|
| InstallApplication | Silent install from App Store VPP or enterprise IPA |
| RemoveApplication | Remove without consent |
| LockDevice | Immediate screen lock |
| EraseDevice | Factory reset, on theft or dismissal |
| Restrictions | Disable AirDrop, iCloud backup, screenshots |
Managed App Configuration is the mechanism for passing configuration to the app via MDM without hardcoding it. The app reads a dictionary from UserDefaults under the reserved com.apple.configuration.managed key:
```swift
import Foundation

// Managed App Configuration pushed by MDM lands in this reserved UserDefaults key
let managedConfig = UserDefaults.standard.dictionary(forKey: "com.apple.configuration.managed")
// The keys inside are whatever the MDM profile defines; both are nil on an unmanaged device
let backendURL = managedConfig?["BackendURL"] as? String
let tenantID = managedConfig?["TenantID"] as? String
```
The MDM server sends the AppConfiguration plist on install or via a separate InstallApplication command with ManifestURL. The employee cannot see or change these parameters.
Android Enterprise: Work Profile and Fully Managed
Android Enterprise is the analog of Apple MDM, with more flexible deployment models.
Fully Managed Device (COBO, Corporate Owned Business Only). The device is provisioned through a DPC (Device Policy Controller) on initial boot, by QR scan or NFC bump. DevicePolicyManager then provides full control: app installation, network policies, forced VPN, hardware button blocking.
Work Profile (COPE/BYOD). A managed profile is created alongside the personal space. Corporate apps live in the Work Profile, with a separate launcher and a briefcase badge on their icons. IT manages only the Work Profile; personal data is inaccessible.
The key class for Fully Managed devices is DevicePolicyManager:
```kotlin
import android.app.admin.DeviceAdminReceiver
import android.app.admin.DevicePolicyManager
import android.content.ComponentName
import android.content.Context
import android.os.Bundle

// Runs inside an Activity (or Service) of the DPC that holds device-owner rights.
// VPN_PACKAGE and TARGET_PACKAGE are placeholders: the VPN client and the corporate app.
val dpm = getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager
// The admin component must be the DPC's own DeviceAdminReceiver subclass
val adminComponent = ComponentName(this, DeviceAdminReceiver::class.java)
// Force always-on VPN in lockdown mode: traffic is blocked while the VPN is down
dpm.setAlwaysOnVpnPackage(adminComponent, VPN_PACKAGE, true, null)
// Block uninstall of the corporate app
dpm.setUninstallBlocked(adminComponent, TARGET_PACKAGE, true)
// Managed Config for the app; the app reads it back through RestrictionsManager
val bundle = Bundle().apply {
    putString("backend_url", "https://corp.example.com")
    putString("tenant_id", "CORP-001")
}
dpm.setApplicationRestrictions(adminComponent, TARGET_PACKAGE, bundle)
```
Choosing MDM Server
| Solution | Platforms | Features |
|---|---|---|
| Microsoft Intune | iOS, Android, Windows | Azure AD integration, Conditional Access |
| Jamf Pro | iOS, macOS | Best for Apple fleet |
| VMware Workspace ONE | iOS, Android | MDM + MAM + VPN in one |
| MobileIron (Ivanti) | iOS, Android | Mature enterprise, on-premise possible |
| Open-source: MicroMDM | iOS only | Self-hosted, no MDM UI |
For homogeneous Apple fleet—Jamf. For Microsoft-centric infrastructure—Intune. For mixed fleet with on-premise requirement—MobileIron/Ivanti or Workspace ONE.
App Integration with MDM: What Developer Must Do
MDM manages the device, but the app must "know" its managed status:
- Check Managed App Configuration on launch and on UIApplicationWillEnterForeground.
- React to MDM Remote Wipe: clear Keychain, database, cache.
- Support an openURL scheme for the enrollment deeplink.
- If using a MAM SDK (Intune App SDK, Workspace ONE SDK), integrate it for policy enforcement at the app level, not just the device level.
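As an added example (not code from the original page or from any MDM vendor's SDK), here is an app-side consumer of the Managed App Configuration dictionary that implements the first checklist item: it validates the MDM-supplied BackendURL and TenantID keys (names taken from the Swift snippet above), re-reads them on launch and on willEnterForeground, and yields nil when the device is unmanaged or the values fail validation. The api.corp.example.com host pin and the onChange callback are assumptions for this example.

```swift
import Foundation
import UIKit

struct ManagedAppConfig: Equatable {
    let backendURL: URL
    let tenantID: String
    static let managedKey = "com.apple.configuration.managed"
    /// Assumed corporate API host; values outside it are rejected so a bad dictionary cannot redirect traffic
    static let allowedHost = "api.corp.example.com"

    /// Returns nil when the device is unmanaged (no dictionary) or the values
    /// fail validation, so the caller falls back to a safe default.
    static func parse(_ dict: [String: Any]?) -> ManagedAppConfig? {
        guard let dict = dict,
              let urlString = dict["BackendURL"] as? String,
              let url = URL(string: urlString),
              url.scheme?.lowercased() == "https",            // never plaintext
              let host = url.host?.lowercased(),
              host == allowedHost || host.hasSuffix("." + allowedHost),
              let tenant = dict["TenantID"] as? String, !tenant.isEmpty
        else { return nil }
        return ManagedAppConfig(backendURL: url, tenantID: tenant)
    }

    static func current() -> ManagedAppConfig? {
        parse(UserDefaults.standard.dictionary(forKey: managedKey))
    }
}

/// Re-reads the configuration on launch and each time the app returns to the
/// foreground, which is when a freshly pushed MDM configuration becomes visible.
final class ManagedConfigObserver {
    private(set) var config: ManagedAppConfig?
    private let onChange: (ManagedAppConfig?) -> Void

    init(onChange: @escaping (ManagedAppConfig?) -> Void) {
        self.onChange = onChange
        reload()
        NotificationCenter.default.addObserver(
            forName: UIApplication.willEnterForegroundNotification,
            object: nil, queue: .main
        ) { [weak self] _ in self?.reload() }
    }

    func reload() {
        let fresh = ManagedAppConfig.current()
        guard fresh != config else { return }
        config = fresh
        onChange(fresh)   // e.g. re-point the API client or show an "unmanaged" state
    }
}
```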
Setup Stages
Inventory devices → choose MDM platform → enrollment strategy (ABM, QR, manual) → create profiles and policies → VPP/Managed Google Play setup for apps → Managed App Configuration for corporate app → pilot group → rollout → compliance monitoring.
Timeline: basic MDM setup for existing device fleet—2–4 weeks. Full rollout with app integration, enrollment workflow, and IT training—6–10 weeks. Cost is calculated individually.