App Store RejectionGuideline 5.5.1Mobile Device Management

Your App Is Trying to Manage Devices in Ways Apple Doesn't Allow

MDM profiles, device configuration capabilities, and certain VPN configurations are restricted to enterprise and specific approved use cases. Consumer apps that try to use these features will get rejected.

What Apple said

Your app attempts to install configuration profiles, use Mobile Device Management features, or modify device settings in ways not permitted by App Store guidelines. These capabilities are restricted to specific enterprise and managed device scenarios and cannot be distributed through the App Store to general consumers.

What this actually means

Apple tightly controls which apps can manage or configure iOS devices. MDM profiles, certificate installation, certain VPN configurations, and screen time management features are restricted to enterprise distribution, MDM providers, or Apple-approved categories. A consumer app that tries to use these capabilities will get rejected — even with legitimate intentions.

What Apple needs to see

  • Removal of any code that attempts to install configuration profiles, MDM certificates, or device management payloads
  • VPN functionality implemented only through the NetworkExtension framework with proper entitlement requests
  • A clear use case explanation in review notes if your app has a legitimate enterprise or parental control use case
  • Proper Apple developer program enrollment (Enterprise or specific category approval) if MDM is genuinely part of your use case
  1. 1Remove any code that attempts to open Safari to install .mobileconfig profiles or configuration payloads
  2. 2If your app genuinely needs VPN capability, apply for the correct entitlements through Apple's developer program and document your use case
  3. 3For parental control or screen time features, review Apple's Screen Time API which is the approved path for consumer apps
  4. 4Strip out any MDM SDK or mobile management library that isn't appropriate for your App Store distribution use case
  5. 5Consult Apple's enterprise developer documentation if your actual use case is B2B enterprise — there may be a legitimate path through Business Manager

While you're at it — Apple also requires these pages for every app.

Fix this rejection, then make sure you're covered on the compliance side too. Apple requires every app to link to a hosted Privacy Policy, Terms of Service, Support page, and Data Deletion page. No link means another rejection — just for a different reason.

Privacy Policy
Terms of Service
Support Page
Data Deletion Page
Generate my compliance pages — $9

Common questions

I'm building an MDM app for enterprise — can I put it on the App Store?
Yes, with Apple's approval. MDM solutions can be on the App Store, but they require special entitlements and Apple's explicit approval. You'll need to apply through the appropriate developer program channel. This is not a standard app submission — contact Apple's enterprise developer relations team.
My VPN app got rejected under 5.5.1 — what's the issue?
VPN apps need the NetworkExtension entitlement, which requires Apple's approval. You must apply for it through your developer account. If you're using a third-party VPN SDK, verify it uses the approved NetworkExtension framework and not an older, unapproved method.
I want to build a parental control app — what APIs can I use?
Apple's Family Controls and Screen Time APIs are the approved frameworks for parental controls. They require a special entitlement that Apple grants after reviewing your use case. Don't attempt to build parental controls through profile installation or MDM — that path is rejected every time for consumer apps.