Google Play Managed iFrame in Workspace ONE UEM (AirWatch) – Private Apps

In this post I will show a simple way to manage Private (Internal) Android Applications in Managed Play Store with WorkspaceONE UEM (AirWatch) using the Play Store Managed iFrame. This is important since it’s basically the only way to push Private apps to Android Enterprise Work Profile or COPE devices.

Android Enterprise is awesome, but some things may be quite confusing to existing Android Legacy customers. One such thing is managing Private apps (i.e. your own in-house APKs, ot pusblished in Play Store). Once you have moved to Android Enterprise you may find out that traditional way of adding APKs into Apps -> Native -> Private doesn’t work anymore – only Work Managed devices can see these apss, but not the Work Profile or COPE. So, what can we do?

Google’s approach to pushing private apps to Android Enteprise is via the Managed Play Store. Once added as Private, the apps will only be seen by your Enterprise and no one else. As a bonus, they will be checked by Google Play Protect, SafetyNet and other cool Google Security features, and will be available for all registration types: Work Profile, Work Managed and COPE.

As a downside, you have to dig deep into Google Play Privacy Policy to see if any of the proprietary data may leak (unlikely, but I’m neither Google nor lawyer – so buyer beware).

Additionally, up until December 2018 publishing an app in the Managed Play Store required lots of work (Google Developer account, $$, legal and setup hassle, learning Play Developer Console and waiting for up to 24 hours for it to show up)

Fortunately, now there is an easier way – using the Managed Google Play iFrame experience – the same used to publish Public apps.

Adding a Private app using Managed iFrame

First, start as if you were adding a Public Play Store app . I prefer the shortcut from the Console’s top menu;

WS1 UEM Console top menu has some useful shortcuts for adding stuff

Since we will be adding a our own app, we don’t need the name, even though it’s listed as mandatory 🙂 Just leave it empty and click Next.

Proceed as if adding a public app from the Play Store. Name is not necessary

Now the fun part. Once the Managed iFrame is displayed, the icons on the left contain a menu! I totally missed it until it was pointed out to me! Just hover over them.

The icons on the left side of the managed iFrame are a menu

But the fun goes on. My PC has 130% text scaling, which is why upon clicking “Private Apps” I could not find a way to actually upload an app. I had to zoom out to see the [+] button an the bottom… That is silly..

Once you click [+] you can upload and name your app. Here I’m just uploading one of my test APKs.

The challenge of this method (compared to simply pushing the APK via EMM) is that your app must adhere to all Play Store publishing rules, of which there are many. On the positive side, this means that your app will follow the Android App Best Practices and will not backfire in an unexpected way 🙂

Once you are done, you will see this. But the confusion doesn’t stop here. The app is “Not available yet” and there is no OK button. Only Cancel – what do we do now?

We wait. The app is being processed by the Play Store. Google promises max 10 minutes of wait time. Internet, however, reports occasional hiccups for up to 24hrs. Anyway, during this pause it is safe to close the iFrame and continue later.

Or you can click the app and edit the additional settings (description, category, screenshots, icon etc) using the Play Developer Console.

Clicking on Make Advanced Edits will take you to the Play Developer Console (which was automatically created for your Android Enterprise GoogleID)

Once the processing is done you can find and select your app in both Private and Public sections of the play store. Don’t worry – only your Enterprise can see it.

Once added, your app will also appear among the public apps
Internal apps are pre-approved. You only need to select them.

Similarly, the UEM console lists the app among other public apps (since it comes via Play Store, and not the direct API upload into the UEM console)

Now your private app is a Public app

On the device

Once pushed to the device, the app will appear in the Workspace ONE Hub/Agent/Catalog as well as in the Work Play Store. Here you can also see the Managed Google Play Collections feature in action, which I will cover separately due to some side effects of it. You can also see the app details, permissions etc. Some of them can be edited directly in the iFrame, some need to be edited in the Play Developer Console.

Click for a bigger image

Lessons learned

Basically, since now your Private apps come from the Play Store, they are (by definition) Public in EMM terms.

So, instead of uploading an APK into EMM console, you upload it into Play Store console via the Managed iFrame, wait for it to be processed and then manage it as another public app.

First time you do it it’s confusing as hell. Next time it’s a breeze, though – give it a try!

Up Next: see how to manage the Web apps and App Collections via the same iFrame.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a free website or blog at

Up ↑

%d bloggers like this: