As more organizations migrate to Android Enterprise (in light of Device Admin deprecation), I get this question more and more often from customers, partners, colleagues and developers alike. The model of application publishing with Managed Play Store is different than it previously was with Internal Apps. While Google has official documentation, many people still stumble due to nuances in the doc, which are easy to overlook if you are not a developer. This post aims to address those difficulties and enable you to understand and demonstrate this feature to others.
Brief history of the problem
Previously publishing internal / private apps was easy: the app’s developer would give you an APK, you would upload it to the UEM console as the Internal App and push it to the devices. When a new version comes, you would use the “Add Version” functionality to upload the update and push it to the devices again. Simple!
The problem is, Internal Apps do not work with Android Enterprise Work Profile. It still works very well with Work Managed, but even with COPE the apps land in the personal half of the device. Basically, the only way to publish an app into a Work Profile is via the Managed (or public) Play Store.
Another issue is that many modern Android applications move to the App Bundle (.AAB) format, which is proprietary to Google Play Store and cannot be uploaded into ANY EMM as an Internal app.
Google made uploading private apps into Managed Play Store very easy via the iFrame, but there is a catch: the Package IDs (internal application names) of EVERY app across the ENTIRE (Public + all Managed partitions) Play Store must be unique. So the developer can no longer just give you an APK and say “go upload” – now they either have to have a special build with a special name just for you, or follow the “new and better” way of publishing their app into customer’s Managed Play Store themselves (with customer’s permission of course). This is exactly the flow that we will review – it is actually very simple!
Step 1. Customer: send the GPlay Organization ID to the developer
I have a Workspace ONE UEM sandbox integrated with Android Enterprise. The sandbox is fresh and there are no Private applications added to it yet. We want an enterprise app from another developer to appear here (well, guess what – they will not! Read on…)
Once integrated, we can log into https://play.google.com/work/adminsettings with the same account we used for the Android Enterprise integration (common mistake – personal account already logged in in Browser) and find the Organization ID there. This is what needs to be sent to the developer.
Step 2. Developer: add the Organization ID to the app distribution.
I have a GPlay Developer console, and I have a custom-developed app uploaded there.
I select the app and go to Store Presence -> Pricing and distribution. I can see there that my app is present on Managed Google Play (even though it is not published in the Public store – try searching for it there!). In the screenshot I have highlighted the important areas.
Scrolling down on this page, I see the section called “Managed Google Play”. I have already played here, so some options are pre-selected for me. Yours might be slightly different. Anyway, there’s only one button here to interact with…
Here I can add the Organization ID I have received from the customer and give it an optional name (doesn’t have to match the name of the customer’s org). As you can see, I already publish this app to some other orgs.
Once I click [Add], [Done] and [Submit Update] – the update goes to Google Play and after a while the gears churn and the app is fully published (Google says “a few hours”, for me it was faster, but I only tried twice)
Step 3. Customer: add, approve and assign as public app.
Once the app is released, it will be searchable in the Managed Play Store, you can find, approve and assign it as any other public app. There are a few important things to understand though:
- The app will be in Public apps – not in Private. Private apps are the apps YOU have uploaded yourself.
- You will not see app in the store until you explicitly search for the full name of it. For instance, just searching for MemEater will yield 0 results. I think this actually is a good decision – see below.
- Even though the app developer can publish to your org w/o your explicit permission (just need to know your ID), you still must approve the app. This combined with #2 means that you and your users are reasonably protected from potential spoofing and spamming scenarios.
That’s it really! Easy enough?
Version management for private apps.
Good thing about this publishing mechanism is that the UEM admins no longer have to upload and push new APKs into the console every time an update is released – the developer manages all that and you get the update notifications just like with public apps. But surely different customer have different update schedules – can we deal with that?
Well, version management is always a tough subject with Google Play. The GPlay ideology says that there may be only one version – the latest. Even when you want to downgrade, you need to push older app with a newer version code. On the road to progress – there is no way back! Or something like that…
Fortunately, the full GPlay Console (that the developers use) has a whole Release Management section with Production, Beta, Alpha and other tracks. Different tracks may contain different versions of the app and (with some limitations) targeted to different organization IDs.
When you assign an app in Workspace ONE (check out the new App Assignment UI) you may also configure which version of the app will this target group of devices/users receive: Release, Beta or Alpha.
Later in 2020 we should see and improvements to Managed Google Play (and subsequently to EMMs) specifically for App and Update Management, once they come out I will update the article with the expected new functionality.
There aren’t too many, really.
First, you can only use this method to target up to 100 organizations. Once you have more customers that that Google insists that you rebuild your app and publish it as a public app. On one side it makes sense. On the other, the app will have to conform to a much more rigorous set of standards, some of which are irrelevant (family friendliness) or detrimental (version numbers, usage of logos etc) to the Enterprise App use case. We will have to see how this develops. So far I know only of one customer who has > 20 apps.
Second, version management (especially, when the customers have different update schedules) is rather limited, but it should improve later this year. On this matter, my kind regards to Apple, who in their WWDC2020 session on Custom Apps (Apple’s counterpart of Managed Play Store) simply said “Coordinate your release schedule with customer’s rollout schedule)”. Oh well…
There are some more things, but I don’t want to touch them, since they are also bound to change later in 2020.
Is there anything else that I missed?
Summary and rurther information
Now you know how:
- As an EMM Admin, submit all relevant information to the developer so that they can publish an app in your Managed Play Store, and later add and use the app
- As a developer, explain to customer the process and requirements, and publish the app to their Managed Play Store
- As an Android Expert, explain to anyone around you how app publishing works (on a basic level, there is more) with Managed Play Store
Simple enough? Let me know in comments!