How to Configure Automatic App Downloads Policy for iOS Devices Using Intune

Open your web browser and navigate to the Microsoft Intune admin center. Sign in with your administrative credentials that have device configuration permissions.

Once logged in, navigate to the device configuration section:

1. Click on Devices in the left navigation pane
2. Select Configuration profiles from the submenu
3. You'll see the existing configuration profiles dashboard

Start creating a new configuration profile specifically for iOS devices using the modern Settings catalog approach.

Click the Create profile button to open the profile creation wizard. Configure the platform and profile type:

1. Under Platform, select iOS/iPadOS from the dropdown
2. For Profile type, select Settings catalog (this is the current standard for iOS configuration as of 2026)
3. Click Create to proceed to the configuration wizard

The Settings catalog provides access to all available iOS configuration options through a searchable interface, replacing the older device restriction profiles.

Set up the basic information for your automatic app downloads policy to ensure proper identification and management.

In the Basics tab, configure the following fields:

• Name: Enter a descriptive name like iOS-Block-Automatic-App-Downloads or iOS-Allow-Automatic-App-Downloads
• Description: Add a clear description such as "Controls automatic app downloads on supervised iOS devices to prevent apps purchased on other Apple devices from auto-installing"
• Platform: Verify it shows iOS/iPadOS (should be pre-filled)

Use a consistent naming convention that includes the platform, policy type, and action for easier management in large environments.

Configure the specific setting that controls automatic app downloads on iOS devices through the Settings catalog interface.

In the Configuration settings tab:

1. Click Add settings to open the settings picker window
2. In the search bar, type Automatic App Download or navigate to the Restrictions category
3. Locate and select Allow Automatic App Download from the results
4. The setting will be added to your configuration profile

Configure the policy value based on your organization's requirements:

• True (default): Allows automatic app downloads from other Apple devices
• False: Blocks automatic app downloads (toggle the switch from right to left)

This setting only affects new app installations. Automatic updates for already-installed apps will continue to function regardless of this setting.

Set up scope tags to control which administrators can view and manage this policy, especially important in large organizations with delegated administration.

In the Scope tags tab:

1. Review the default scope tag assignment (typically "Default" for most organizations)
2. If your organization uses custom scope tags, click Select scope tags
3. Choose the appropriate scope tags that match your administrative boundaries
4. Common scope tags include department-specific tags like "IT-Department" or "Mobile-Device-Team"

Scope tags determine which Intune administrators can see and modify this policy. If you're unsure, leave the default scope tag selected.

Configure which devices or users will receive this automatic app download policy through Azure AD group assignments.

In the Assignments tab:

1. Click Add group under the "Included groups" section
2. Search for and select your target group (e.g., "Supervised-iOS-Devices" or "Corporate-iPads")
3. Choose the assignment type:
   • Available: Policy applies when devices check in
   • Required: Policy is enforced immediately (recommended for device configuration)
4. Optionally, add exclusion groups if certain devices should not receive this policy

Best practice is to assign device configuration policies to device groups rather than user groups for consistent application.

Perform a final review of all policy settings before deployment to ensure correct configuration and prevent issues.

In the Review + create tab, verify the following details:

• Profile name and description: Confirm they accurately describe the policy
• Platform: Should show iOS/iPadOS
• Settings: Verify "Allow Automatic App Download" shows your intended value (True/False)
• Assignments: Confirm the correct device groups are listed
• Scope tags: Verify appropriate administrative scope

Once you've confirmed all settings are correct, click Create to deploy the policy. The policy will be created and begin deploying to assigned devices.

Track the deployment status and ensure the policy is successfully applied to target devices through Intune's monitoring capabilities.

To monitor your policy deployment:

1. Navigate back to Devices > Configuration profiles
2. Search for and click on your newly created policy
3. Review the Device status section to see deployment progress:
   • Succeeded: Policy applied successfully
   • Error: Policy failed to apply (check device supervision status)
   • Pending: Policy deployment in progress
4. Click on individual devices to view detailed compliance information

Check the Device assignment status for specific error details if devices show failed deployment.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"
Get-MgDeviceManagementDeviceConfiguration | Where-Object {$_.DisplayName -eq "YourPolicyName"}

Allow 15-30 minutes for initial policy deployment to complete across all assigned devices.

Verify the automatic app download policy is working correctly by testing the behavior on assigned devices.

To test the policy effectiveness:

1. On a test device that received the policy, go to Settings > App Store
2. Check the App Downloads section:
   • If policy is set to False: The toggle should be grayed out and disabled
   • If policy is set to True: The toggle should be available for user control
3. Test with a secondary Apple device:
   • Download a free app on another device with the same Apple ID
   • Observe whether it automatically appears on the managed device

Document the test results and any unexpected behavior for your change management records.

# On the iOS device, check restriction status
# Settings > General > About > Certificate Trust Settings
# Look for your organization's MDM profile

The policy should prevent automatic downloads when set to False, while allowing user control when set to True.

Establish ongoing management procedures for the automatic app download policy and address common troubleshooting scenarios.

For policy modifications:

1. Navigate to Devices > Configuration profiles
2. Search for and select your policy
3. Click Properties to modify settings
4. Edit the configuration settings, assignments, or scope as needed
5. Save changes to trigger redeployment

Common troubleshooting steps:

• Policy not applying: Verify device supervision status and iOS version compatibility
• Settings grayed out: Check for conflicting policies or higher-priority restrictions
• Partial deployment: Review group membership and device enrollment status

To remove group assignments or delete the policy:

# PowerShell example to check policy assignments
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$policy = Get-MgDeviceManagementDeviceConfiguration -Filter "displayName eq 'YourPolicyName'"
Get-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $policy.Id