Skip to main content
This feature is available for macOS and Windows devices
Auto Apps are pre-packaged applications that you can deploy directly from the Iru Web App. Iru manages installation, updates, and configuration profiles automatically, so you can ensure applications remain compliant and up to date with minimal effort.
Auto apps deploy to the system, meaning they are installed for all users on the device. If a user has installed a version of the app in their own profile, it will not be updated or managed by the Auto Apps process.

What are Auto Apps?

Auto Apps are pre-packaged applications from software vendors that Iru Endpoint manages automatically. Instead of manually downloading, packaging, and deploying applications, you can select from a curated list of business applications that Iru maintains and updates.

How Auto Apps Work

Iru Endpoint maintains relationships with software vendors to provide pre-packaged, tested versions of popular business applications. When you deploy an Auto App, Iru handles the entire lifecycle:
  • Download and validation from the vendor’s official source
  • Automatic updates when new versions are released
  • Platform-specific configuration for macOS and Windows
  • Security validation including code signing verification
  • Profile management for required system permissions

Auto Apps Capabilities

Windows and macOS Auto Apps are listed as separate Library Items. You configure and assign each platform’s version independently (for example, a Chrome Auto App for Windows and a Chrome Auto App for macOS are two distinct Library Items). In the Iru Web App you configure:
  • Automated Updates — Iru enforces updates for these applications according to your configuration.
  • Label — Distinguish multiple instances of the same Auto App in the admin interface (e.g., by Blueprint or behavior).
  • Blueprint assignment — Control which devices or users receive the Auto App.
  • Installation methodContinuously enforce (install and keep up to date), Install on-demand from Self Service, or Update only (enforce updates only when the app is already installed).
  • Self Service — When the app can be offered in Self Service: category, Recommended placement, and customization such as custom name, description, and an optional support or documentation link on the item detail page.
  • Version enforcement — Choose whether updates are unmanaged, automatically enforced after release (with timeframe and time), or a minimum version is enforced with a deadline.
The exact UI, enforcement time behavior, and extra options differ by platform. The sections below call out those differences; for full step-by-step settings, see the platform-specific guides linked in each section.

macOS-Specific Capabilities

  • Background Items — Auto Apps automatically configure background processes.
  • Customizable Notifications — You can manage how notifications behave for each app.
  • Privacy Preferences Policy Control — Iru installs required profiles to ensure apps comply with privacy settings.
  • Rosetta 2 for Apple Silicon — If required, the Kandji Agent will install Rosetta 2 automatically.
  • System Extensions and Kernel Extensions — Required extensions are automatically approved.
For all macOS Auto App settings, see Understanding Auto App Settings for macOS.
For a full list of available Auto Apps, see the Library Items section of the Iru Web App.

Setting Up Auto Apps

1

Navigate to Library

Go to Library and select Add Library Item. For more information about the Library interface, see Library Overview.
2

Open Auto Apps

Click the Auto Apps category on the left.
3

Filter by platform

Use the Supported on filter at the top of the section to choose Mac or Windows.
4

Select Auto App

Search for and select the desired Auto App from the available options.
5

Configure Label

Optionally add a Label to distinguish multiple versions of the same app.
6

Assign to Blueprints

Select the Blueprint(s) to assign the Auto App to.

Installation Configuration

Configure how Auto Apps are deployed to devices:
  • Continuously Enforce - Automatically install and maintain the app
  • Install-on-demand from Self Service - Make available for users to install
  • Update Only - Only update existing installations

Self Service Configuration

When enabling Self Service availability, you can select a Category and customize the user experience.

Version Enforcement

Choose how updates are managed:
  • Do not manage updates - Let apps update through their own mechanisms
  • Automatically enforce new updates - Deploy updates as they become available
  • Manually enforce a minimum version - Set specific version requirements
When enforcing updates, configure the Enforcement timeframe and Time Zone. On macOS you select an Enforcement Time Zone (server-side); on Windows enforcement always uses each device’s local time. The tabs below cover platform-specific options; for full configuration steps, see Understanding Auto App Settings for macOS and Understanding Auto App Settings for Windows.

macOS-Specific Configuration

Notification Management

You can manage notification settings for Auto Apps on macOS. When managing notifications, users cannot change the settings you configure. When notification settings are modified, an updated Configuration Profile will not be redistributed until the next daily MDM check-in. To trigger an immediate check-in, run sudo update-mdm locally on the Mac.Notification Options:
  • Unmanaged - End users control notification settings for this app
  • Disallow notifications - Prevent users from turning notifications on
  • Allow notifications - Force notifications on with customization options
If an Auto App does not support notifications, you’ll see: “This application does not support notifications.”

Additional macOS Options

  • Add to Dock during install
  • Preinstall or Postinstall scripts
For all macOS Auto App settings and step-by-step configuration, see Understanding Auto App Settings for macOS.

Update Only Mode

Use Update Only when you don’t want Iru to deploy an app but still want to enforce updates for existing installations.
  • Updates apply if the app is already installed (based on matching Bundle ID for macOS and custom detection logic for Windows)
  • The app will not be newly installed by Iru
  • No configuration profiles (e.g., PPPC, System Extensions, Notifications) will be deployed for macOS

Considerations

Update Enforcement

When enforcement options are chosen and an application is below the required minimum version, setting the installation method to “Update Only” ensures that updates are applied to applications installed outside of Iru, as long as the Bundle ID (macOS) or the custom detection logic Iru uses for Windows matches. This setting will not install the app via Iru if it’s not already present; it will only keep the app up to date. Similarly, when enforcement options are selected and the application version is below the minimum enforced version, setting the installation method to Install on-demand from Self Service will also apply updates to applications installed outside of Iru, provided the Bundle ID on macOS or custom Windows detection logic matches.

Update Process

When a new update is released, it’s automatically cached on users’ devices immediately. You must select an Enforcement Time to determine when to enforce the update. The enforcement deadline can be based on either server-side time or local device time, depending on your selected Enforcement Time Zone.

macOS Update Process

After the app is successfully cached, if the app is running, users are notified of the pending installation. If the app is not running, Kandji Agent will update the app silently without requiring any user interaction.

Notifications

If Auto App updates are configured to be managed, they will automatically install a profile via MDM to allow the application to receive notifications.For enforcement timing and notification options, see Understanding Auto App Settings for macOS.

Adding Multiple Auto Apps to Your Library

Iru allows you to add the same Auto App to your Library multiple times. This feature is useful when configuring different settings for various Blueprints. For instance, you can set up an Auto App to automatically install on devices within one Blueprint while making it available in Self Service for another. When you configure the same Auto App multiple times, you can add a Label. This label helps distinguish each Auto App Library Item from others in your Library. These labels are not visible to end users but are displayed throughout the Iru admin interface.

Auto App Security Information

Auto Apps come directly from their respective software vendors. Iru ensures the fidelity of all updates by performing strict signature validations during download and packaging.

Code Signing Confirmation

  • We affirm that the application code is properly signed using an Apple-issued certificate.
  • We verify that the Apple-assigned Team Identifier matches the known identity of the registered developer.
  • We validate that the code signing identifier for the app bundle exactly matches the expected value.
  • We assess notarization to certify that there are no code-signing issues and that the software is free of known malicious content.

Signing Authority Validation

As part of our internal QA process, we confirm the signing authority for Auto Apps. This process establishes a chain of trust by ensuring that the app’s signing certificate was issued by Apple’s intermediate and root certificate authorities. It guarantees that the Auto App’s code signature precisely matches the developer’s name and identifier. These values, issued by Apple, cannot be spoofed or falsified.All Auto App installers are signed with valid Developer ID certificates issued by Apple under the registered Apple Developer program used by Gatekeeper. These certificates, issued either to Iru or a third-party vendor, establish a trust relationship that verifies the integrity of the installer.

User Experience

For details on how users interact with Auto Apps, see the User Experience with Auto Apps article.

Migrating from a Custom App

If you previously deployed an app as a Custom App, you can migrate to Auto Apps for better management and automatic updates. For more information about Custom Apps, see Custom Apps Overview.
1

Add Auto App

Add the Auto App to the same Blueprint.
2

Deploy Auto App

Deploy the Auto App. Iru will not overwrite an existing installation but will apply update enforcement if needed.
3

Remove Custom App

Delete or deactivate the Custom App item.
4

Clean up profiles

For macOS, remove any related System Extension or PPPC profiles. Auto Apps include required profiles automatically.

Requesting New Auto Apps

You can suggest new Auto Apps from the account menu. Suggested apps must not be available in the Mac App Store or Apple Business Manager and must be business or enterprise applications. For more details, see Submit Feature Requests & Ideas.
1

Open Organization

Click your name at the bottom of the left navigation, then select Organization.
2

Open Resources

Click the Resources tab.
3

Submit a request

Click the Auto App request button to submit your request.

Best Practices

Test Before Deployment

Test Auto Apps on a small group of devices before rolling out to your entire fleet.

Monitor Updates

Set up monitoring to track Auto App update deployments and any issues.

User Communication

Communicate with users about Auto App deployments and update schedules.

Version Management

Regularly review and update Auto App versions to ensure security and compatibility.

Understanding Auto App Settings for macOS

Configure version enforcement, notifications, and install options for Auto Apps on macOS

Understanding Auto App Settings for Windows

Configure installation, Self Service, and update enforcement for Auto Apps on Windows

User Experience with Auto Apps

What to expect when using Auto App updates and Self Service

Library Overview

Curate, create, and manage Library Items and add them to Blueprints

Submit Feature Requests & Ideas

Learn how to submit feature requests and ideas for Iru Endpoint

Custom Apps Overview

Deploy Custom Apps to managed devices