Key Points
- iOS Single App Mode locks supervised devices to one app, blocking access to the Home screen, settings, and other apps.
- Single App Mode requires supervised devices and MDM or Apple Configurator, ensuring full administrative control and preventing users from exiting or bypassing restrictions.
- Use Single App Mode for kiosks, EPOS, and exams (ASAM) with MDM for remote management, stronger security, and controlled device access.
iOS Single App Mode locks users to a single specified application on supervised devices. This differs from other restrictions like Guided Access that can be enabled and disabled by end-users on iOS, iPadOS, and tvOS devices.
This guide explains iOS Single App Mode, how it differs from Guided Access, and its practical uses and impact.
What is iOS Single App Mode?
When enabled on supervised devices running iOS, iPadOS, or tvOS, where full administrative control over the device is granted to mobile device management (MDM), Single App Mode locks the device to only running one app. This app cannot be exited, and users are prevented from accessing the Home screen, Control Center, and settings.
In addition to this, depending on whether an iPhone, iPad, or Apple TV device is in use, Single App mode can also be used to:
- Enable or disable touch, motion, and button inputs
- Configure auto-lock
- Turn on or off accessibility features like VoiceOver, Zoom, AssistiveTouch, and Speak Selection
Single App mode is enabled using the Apple Configurator or MDM, rather than being configured on the device itself.
Guided Access vs. Single App Mode
iOS Single App Mode and Guided Access are not the same thing, and are intended for different use cases.
Guided Access provides users with a way to temporarily lock down their own devices without administrative intervention. For example, a designer may want to lock their iPad to their design app or a demo website before handing it to their client to review work, preventing them from roaming around the device or accidentally seeing a notification. Guided Access can be enabled from the Settings app, and is exited using a passcode set by the user.
Single App mode gives administrators a way to completely lock down a device, giving access to only the specified app, and optionally restricting other features like inputs and accessibility. Single App mode cannot be exited by end users (even by rebooting), and requires that the device be supervised.
The Android OS provides similar functionality to Guided Access with App Pinning.
Understanding Autonomous Single App Mode
Autonomous Single App Mode (ASAM) allows apps specifically developed to enter and exit Single App Mode themselves. For example, an app used in exams may set itself as the single app on an iPad for the duration of an examination (so that students cannot use other apps to look up answers), then unlock itself at the end so that the examiner can use the device unrestricted.
This provides a mix of the functionality of Guided Access and Single App Mode, allowing apps to lock the device to the single app, and release it when appropriate, without users having to set up Guided Access or contact tech support to enable or disable Single App Mode manually.
Matching iOS restriction modes to use cases
It’s important to choose appropriately between Single App Mode and Guided Access for your use case. Not doing so can result in frustrated users, unnecessary IT support requests, or lead to device abuse, network infiltration, or data breaches.
iOS Single App Mode should be used wherever a device is outside your control: public kiosks, EPOS, and Apple TV-powered billboards are examples of this. A malicious user can use an unprotected device to gain access to your IT infrastructure or just cause trouble that requires the intervention of your tech team, wasting resources.
The physical security of devices is also key in these scenarios, and tools like Activation Lock or additional MDM security features should be enabled so that lost or stolen devices can be locked down and prevented from being used. Staff can be educated on the use of Kiosk Mode to temporarily protect devices while they are in customers’ hands or being used for presentations, to ensure a distraction-free environment.
Regardless of use case, you should have a strategy for configuring, managing, and securing mobile devices.
Operational and support considerations for supervised iOS devices
As devices in Single App Mode cannot be configured by end users, you should ensure streamlined processes are in place to reconfigure devices when required. Document the process of approving and exiting Single App mode for devices so that they can be readily repurposed, without risking unapproved parties being able to make a successful request. You should also use your MDM solution to ensure devices in Single App Mode are kept up-to-date, and that device recovery methods (both locally using Apple Configurator and remotely) are well tested so that devices don’t become inaccessible.
Remotely managing and securing iOS, iPadOS, and Apple TV devices at scale
Attempting to manually configure and manage Apple mobile devices, including iPhones and iPads, as well as Apple TV devices that may be in publicly accessible locations, is inefficient and adds significant overhead to IT operations, as well as presenting a significant security risk through unpatched and insufficiently locked-down devices.
NinjaOne MDM unifies iOS, Android, and Windows mobile device management, allowing you to remotely configure devices for Single App Mode and other restrictions, monitor for misuse, and lock them down if they go missing. Combined with powerful automation features and built-in documentation, support tickets can be automatically created and escalated if an issue with a device is detected, and Single App Mode and Guided Access recovery procedures can be documented for your tech team and users.
