Hello,
I’d like to clarify the technical limitations around app updates in an Apple School Manager (ASM) + MDM environment.
Environment • iOS/iPadOS devices supervised and managed via Apple School Manager • Apps are distributed via ASM (VPP / Custom App) and managed by MDM • Apps are App Store–signed (not Enterprise/In-House) • Some apps include NetworkExtension (VPN) functionality • Automatic app updates are enabled in MDM
Question
From a technical and platform-design perspective, is it possible to:
Deploy app updates for ASM/MDM-distributed App Store apps via a separate/custom update server, and trigger updates simultaneously across all managed devices, bypassing or supplementing the App Store update mechanism?
In other words: • Can an organization operate its own update server to push a new app version to all devices at once? • Or is App Store + iOS always the sole execution path for installing updated app binaries?
⸻
My current understanding (please correct if wrong)
Based on Apple documentation, it seems that: 1. App Store–distributed apps cannot self-update • Apps cannot download and install new binaries or replace themselves. • All executable code must be Apple-signed and installed by the system. 2. MDM can manage distribution and enable auto-update, but: • MDM cannot reliably trigger an immediate update for App Store apps. • Actual download/install timing is decided by iOS (device locked, charging, Wi-Fi, etc.). 3. Custom update servers • May be used for policy decisions (minimum allowed version, feature blocking), • But cannot be used to distribute or install updated app binaries on iOS. 4. For ASM-managed devices: • The only supported update execution path is: App Store → iOS → Managed App Update • Any “forced update” behavior must be implemented at the app logic level, not the installation level.
⸻
What I’m trying to confirm • Is there any supported MDM command, API, or mechanism that allows: • Centralized, immediate, one-shot updates of App Store apps across all ASM-managed devices? • Or is the above limitation fundamental by design, meaning: • Organizations must rely on iOS’s periodic auto-update behavior • And enforce version compliance only via app-side logic?
⸻
Why this matters
In large school deployments, delayed updates (due to device conditions or OS scheduling) can cause: • Version fragmentation • Inconsistent behavior across classrooms • Operational issues for VPN / security-related apps
Understanding whether this limitation is absolute or if there is a recommended Apple-supported workaround would be extremely helpful.
Thanks in advance for any clarification