How the European Union’s Digital Markets Act impacts your iOS estate

Launching alongside iOS 17.4, Apple will be making changes to adhere to the European Union’s Digital Markets Act, which could have massive implications for your organization’s end users and the security of their devices.

March 5 2024 by Luke Allen

What is the Digital Markets Act?

In 2022, the European Union (EU) introduced the Digital Markets Act (DMA), a regulatory framework aimed at ensuring fair competition in digital markets. It grants authorities the power to designate certain online platforms as “gatekeepers” and imposes obligations on them to prevent anti-competitive practices. The goal is to create a level playing field and foster innovation in the digital sector.

As a result, Apple must change their approach to several user experiences in iOS.

  • Apple will provide third-party app developers the opportunity to deliver applications to end users on iOS outside of the official App Store.
  • Developers will now be able to build and leverage alternative web browser engines.
  • After a user has upgraded their iPhone to iOS 17.4, the OS will display a new prompt the first time a user launches Safari. This prompt will provide users with an opportunity to set a default web browser for their device.

Apple is making significant changes to the way iOS users in European Union countries can gain access to third-party apps, and opening the door to truly new web browsing experiences. As a result, Apple will be introducing several new approaches to manage the security that is draped around these experiences. Here are some points to be aware of.

Users will only be able to gain access to alternative app marketplaces in EU countries.

There are 27 EU member countries, and to be able to access alternative app marketplaces your end user must be a member of one of them. If you're trying to access alternative marketplaces from a device outside the EU with a non-EU Apple ID, you will not be able to access them today.

The United Kingdom is not impacted by the changes introduced in iOS 17.4.

My Apple Business Manager or Apple School Manager instance is based outside the EU. So that doesn’t matter to me, right?

Not necessarily. If you have users who are using Apple IDs from those European countries, they will be able to access these features. Multinational education and enterprise organizations should consider these changes carefully.

What about iPadOS, tvOS, watchOS and visionOS?

These changes will only impact iOS, specifically, iOS 17.4 and greater.

What does the user experience feel like when trying to download apps from alternative app marketplaces?

End users will need to navigate to websites owned by marketplace developers (developers who have registered with Apple to be able to deploy third-party apps).

Once they have found an app they wish to download, they will need to manually approve the developer by opting to ‘Allow Marketplace’ from the Developer menu in the Settings app. Installed apps work in much the same way App Store apps work; they are sandboxed and will need user approval to request access to entitlements, such as the camera and microphone.

Alternative app marketplaces: security and privacy

In iOS 17.4 Apple will introduce alternative app marketplaces: app stores that are hosted and operated by third parties in Europe and are capable of delivering apps directly to iPhone from a source outside the App Store.

Apple has outlined some of the security risks involved with these changes on their website:

If not properly managed, alternative distribution poses increased privacy, safety, and security risks for users and developers. This includes risks from installing software from unknown developers that are not subject to the Apple Developer Program requirements, installing software that compromises system integrity with malware or other malicious code, the distribution of pirated software, exposure to illicit, objectionable, and harmful content due to lower content and moderation standards, and increased risks of scams, fraud, and abuse. Apple has less ability to address these risks, and to support and refund customers regarding these issues. Even with safeguards, many of these risks remain.

While these changes do open new avenues for risk and opportunities for bad actors to take advantage, Apple will still be providing a stringent level of security around alternative app marketplaces.

Notarization comes to iOS.

Notarization has historically been a security process that’s exclusive to macOS. Developers submit their apps to Apple for review, and if approved, Apple attaches a digital signature (notarization) to the app.

Notarization helps to ensure that the app isn’t changed or tampered with following review and before the app is deployed on an end user's device. This helps to ensure that the app is free of malicious code and provides a level of security for users when they download and run the software.

  • iOS notarization is purported to be more stringent than it has been for macOS in the past. Apps undergo automated and human reviews, and developers are required to provide extra, detailed information about how the app will run and to state explicitly which entitlements it uses (e.g., my alternative marketplace app uses location data) so that Apple can investigate how this is used in practice.
  • All alternative marketplace apps must be signed by Apple to run on an iOS device.
  • The developer of an alternative marketplace app must have a legitimate developer account with Apple. This includes a verification process to root out spam and bad actors.
  • Apple can revoke developer certificates at any time for alternative marketplace apps, which will mean they cease to launch on iOS. In the event that any malware or bad practice is discovered in these apps, Apple can still intervene to protect users.
  • Developers must still adhere to rules set by Apple concerning the use and functionality of these apps.

Alternative web browser engines: security and privacy

Alternative browser engines are another iOS 17.4 change where EU Jamf admins should exercise vigilance.

Safari has shipped as the default browser on iOS since the launch of the original iPhone in 2007. While you have been able to download different browsers from the App Store for a long time on iOS, these browsers have still been underpinned by WebKit, the open-source web browsing engine that Apple uses for Safari.

Apple will now allow third-party developers the opportunity to deliver web browsers to users without the need to use WebKit as the browser engine. This doesn’t inherently raise any red flags, but it does mean that if your users opt to use an alternative web browser, all their browsing traffic flows through an application written by a third-party developer, which may be using closed-source proprietary code. You lose visibility into how your data is being handled and are placing your trust in the developers running that application.

Historically most Jamf admins have never needed to concern themselves with the management of browsing experiences on iOS, but this may be an area where you should spend some attention to maintain device/user security and privacy going forward.

As with notarization, Apple is introducing new measures to govern these experiences and provide a safer experience for end users. Among them:

  • Alternative browser engine developers must commit to a number of ongoing privacy and security requirements, including timely security updates to address emerging threats and vulnerabilities.
  • Developers must refrain from using frameworks or libraries that are no longer receiving security updates in response to vulnerabilities.
  • Developers must prioritize vulnerability fixes over new feature development and deliver them within a reasonable timeframe. Apple suggests 30 days in most cases.

Manage and secure with Jamf

It is important to be mindful that while these changes are new for iOS, macOS has always allowed users to procure third-party apps and third-party browsers. iOS 17.4 contains consequential changes that represent new areas for risk in iOS deployments across Europe, but that doesn’t mean that iOS is now an insecure, open platform.

Jamf has been in the business of helping customers to manage and secure iOS devices in education and enterprise organizations for many years and will continue that trend with iOS 17.4.

Managing alternative marketplace apps

Jamf Pro, Jamf School, and Jamf Now allow you to manage and block these changes with a combination of new and updated commands and restrictions, which will be available for Jamf customers the same day iOS 17.4 is released.

Restrictions changes

allowMarketplaceAppInstallation (New) - when set to false, iOS prevents installation of alternative marketplace apps from the web and prevents any installed alternative marketplace apps from installing apps.

allowAppInstallation (Updated) - when set to false, iOS disables the App Store, and the system removes its icon from the Home screen. This also applies to alternative marketplace stores/apps.

allowAppRemoval (Updated) - when set to false, iOS disables the removal of apps from an iOS device, including alternative marketplace apps.

allowListedAppBundleIDs (Updated) - if present, will also apply to use of marketplace apps and marketplace-hosted apps.

blockedAppBundleIDs (Updated) - will also prevent use of marketplace apps and marketplace-hosted apps.

Commands changes

InstalledApplicationList now includes a DistributorIdentifier for marketplace apps and marketplace-hosted apps, whose value is set to the app's distributor ID.

InstallApplication cannot be used to install marketplace apps or marketplace-hosted apps. On device-enrolled devices, it can be used to take over management of such apps if they are already installed.

RemoveApplication can be used to remove a managed alternative marketplace app or marketplace-hosted app.
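As an added example (not Jamf's or Apple's code), the following Python sketch reads an InstalledApplicationList response, groups apps by the DistributorIdentifier described above, and builds RemoveApplication commands for the flagged apps. The sample response is constructed, every bundle and distributor ID is made up, and `approved_distributors` is a hypothetical organization allowlist.

```python
import plistlib
import uuid

# Constructed InstalledApplicationList response (not captured from a device);
# every bundle ID and distributor ID below is made up. Following the page, only
# marketplace apps and marketplace-hosted apps carry DistributorIdentifier.
SAMPLE_RESPONSE = plistlib.dumps({
    "CommandUUID": "constructed-0001",
    "Status": "Acknowledged",
    "InstalledApplicationList": [
        {"Identifier": "com.example.mail", "Name": "Mail Client"},
        {"Identifier": "com.example.altstore", "Name": "Alt Store",
         "DistributorIdentifier": "com.example.altstore"},
        {"Identifier": "com.example.game", "Name": "Game",
         "DistributorIdentifier": "com.example.altstore"},
        {"Identifier": "com.example.notes", "Name": "Notes",
         "DistributorIdentifier": "com.example.approvedstore"},
    ],
})

def marketplace_apps(response_bytes, approved_distributors=frozenset()):
    """Group bundle IDs by DistributorIdentifier, skipping approved distributors.

    approved_distributors is a hypothetical organization allowlist, not an MDM field.
    """
    response = plistlib.loads(response_bytes)
    if response.get("Status") != "Acknowledged":
        raise ValueError(f"device did not acknowledge: {response.get('Status')!r}")
    findings = {}
    for app in response.get("InstalledApplicationList", []):
        distributor = app.get("DistributorIdentifier")
        if distributor and distributor not in approved_distributors:
            findings.setdefault(distributor, []).append(app.get("Identifier", "<unknown>"))
    return findings

def remove_commands(findings):
    """Build one RemoveApplication command per flagged app.

    Per the page, RemoveApplication applies to managed marketplace apps.
    """
    return [plistlib.dumps({
                "CommandUUID": str(uuid.uuid4()),
                "Command": {"RequestType": "RemoveApplication", "Identifier": bundle_id},
            })
            for bundle_ids in findings.values() for bundle_id in bundle_ids]
```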

I’m not running the latest version of Jamf Pro. What now!?

Jamf is hosting two configuration profiles:

The links above will present you with two configuration profiles: one is signed by Jamf, the other is left unsigned. The functionality of the two profiles is identical, and only one profile needs to be deployed to manage the behavior in your environment. We have left one unsigned so that you can inspect the profile and edit it, if required.

The configuration profiles contain the key/value pairs required to be able to block alternative marketplace app installation (allowMarketplaceAppInstallation). Once downloaded, upload the signed or unsigned file into your Jamf instance. All you need to do is to scope it to your iOS devices, and remember, they must be running iOS 17.4.
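Before uploading an unsigned profile that you have edited, it is worth checking that the restriction is still present and typed as a boolean. The Python check below is an added example, not Jamf's profile or tooling; the profiles it tests are constructed, with placeholder identifiers and UUIDs.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type
KEY = "allowMarketplaceAppInstallation"

def _profile(restrictions):
    """Build a constructed, unsigned profile; identifiers and UUIDs are placeholders."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.block-marketplaces",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadContent": [dict({
            "PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.block-marketplaces.restrictions",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        }, **restrictions)],
    })

GOOD_PROFILE = _profile({KEY: False})
WEAK_PROFILE = _profile({KEY: "false"})   # edited by hand into a string, not a boolean
EMPTY_PROFILE = _profile({})              # key dropped during editing

def audit_profile(profile_bytes):
    """Return a list of problems; an empty list means the profile blocks
    alternative marketplace app installation."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:
        # A signed profile is wrapped in a signature envelope and is not a bare plist.
        return [f"not a readable plist (signed profile?): {exc.__class__.__name__}"]
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return ["no Restrictions payload found"]
    problems = []
    for payload in payloads:
        if KEY not in payload:
            problems.append(f"{KEY} is absent, so the restriction is not applied")
        elif payload[KEY] is not False:
            problems.append(f"{KEY} is {payload[KEY]!r}, expected boolean false")
    return problems
```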

At Jamf we are excited to see what opportunities can exist in these new spaces, but we are also mindful that these changes do represent a tangible new risk to users. These changes are going to be an attractive way for bad actors to gain access to confidential user/corporate data and find new ways to deliver malware to devices, and introduce other broader risks for both education and enterprise organizations in Europe.

If you want to discuss these implications more deeply, please reach out to your local Jamf representative and we will be happy to help.