March 28, 2025

Block risky and unwanted mobile apps with Omnissa

Last updated 03/28/2025
View Author Bio

Wendy Leung

Product Marketing Manager

Wendy Leung is a product marketing manager on the Security & Compliance solutions team at Omnissa. Wendy is a strategic thinker with a creative edge, working closely with product, sales, and field marketing teams to align on product positioning and messaging.

Read More From the Author

Man sitting in a restaurant and looking at his mobile phone.

Apps that are considered security risks on mobile devices continue to be big problems. According to Lookout’s Q3 2024 mobile threat report, ‘more than 106,000 malicious apps were detected on enterprise mobile devices, which can vary widely from trojan malware to sophisticated spyware’. State and federal governments have garnered the most headlines for their stance on unwanted apps, but malicious apps can pose a threat to many organizations who’s employees use mobile devices for their work.

Because these applications are a growing concern for business, IT teams are increasingly tasked with addressing these potential vulnerabilities. To bolster security, organizations need an effective strategy for blocking or removing risky mobile apps from devices that access an organization’s data. Although this may seem challenging to some, Omnissa Workspace ONE UEM administrators can easily manage and protect devices by blocking these apps.

Ways to block unwanted apps on managed devices

If you are an Omnissa Workspace ONE customer, you have two primary options to restrict unwanted apps on enrolled devices:

If you have Omnissa Workspace ONE Mobile Threat Defense powered by Lookout, all apps installed across enrolled devices are scanned for malicious code to protect sensitive company information. End users will get a notification explaining why the app is dangerous and how to fix the problem. Admins, using the Apps Explorer in the console can view all apps present across enrolled devices. The list is sorted by OS, app name, risk exposure, percentage of total enrolled devices running the app and more. You can configure policies and automated response actions to detect and act when an unwanted application is installed on a device in your fleet. Learn more about creating threat response actions here.
If you are not yet using Workspace ONE Mobile Threat Defense for advanced security protection, Workspace ONE UEM can assist you in approving or denying apps on your enrolled mobile devices with application groups, compliance policies, and device management.

Use Workspace ONE UEM to manage apps

With Workspace ONE UEM, you can manage application groups and compliance by creating collections of allowed, denied, or required applications for the various personas of users within your organization. Then, you can create compliance policies to identify any drift from baselines and to take action automatically. Documentation on this can be found here.

Next, blocking or restricting the app store for your device platform can prevent users from downloading unwanted apps.

For iOS devices

For iOS, you can block end user access to the Apple App Store with a restrictions profile as well as restrict a device to only install assigned public apps from the Apple App Store. You can also use restricted mode to allow installing free, public apps from the Workspace ONE Intelligent Hub but not from the Apple App Store. Documentation on how to apply these restrictions in Workspace ONE UEM are available here.

For unsupervised iOS devices, it is recommended that you use the Workspace ONE UEM compliance engine to enforce and configure security policies and automatically detect/respond to non-compliant devices. Learn more about enabling unmanaged enrollment for iOS devices here.

For Android devices

When managing Android devices, it is essential to understand the different device management modes for bring-your-own-device (BYOD) and corporate-owned personally enabled (COPE) use cases. A work profile is designed for bring-your-own-device (BYOD) use cases, allowing the organization to separate work apps and data from personal apps and data and assigning apps within the work profile on the device. In this mode, Workspace ONE UEM only has control over the work profile and cannot manage access to the Google Play Store in the device’s personal profile.

For COPE devices, work managed, or fully managed, devices are enrolled from an unprovisioned state (factory reset). In this mode, Workspace ONE UEM has full control over the apps shown in the Google Play Store on the device. Documentation on how to restrict installation of public apps in Workspace ONE UEM are available here.

Along with controlling allowed apps through the management mode of the Android device, configuration profiles in Workspace ONE UEM can help you manage applications on your devices.

The application control profile allows you to control approved applications and prevent uninstalling important apps. To learn more about or to configure an application control profile, please read the Omnissa documentation here.

Like iOS, an Android restrictions profile locks down the native functionality of Android devices. This includes removing access to the native app store for the platform. To create a restrictions profile that removes access to the Google Play Store, please refer to the Omnissa documentation here.

Secure your connected mobile fleet

Organizations may want to block specific applications on their end users’ devices for many reasons. Although the reasons may vary by industry, Workspace ONE UEM and Mobile Threat Defense have the tools to help you manage access to apps for your business.

In addition to protecting your mobile devices from unwanted apps, learn how prevalent mobile phishing is and how Workspace ONE Mobile Threat Defense can help secure your mobile fleet in this video.