We know about the changes to Android 11 COPE, and how they affect the EMMs. One aspect that was slightly overlooked, though, is what happens to internal apps, which many organizations are still employing. We have recently released a KB, which caused a bit of panic among customers and colleagues. Let’s dive deeper and see whether we should be worried or not. TLDR: both.
Internal apps in the context of this post
Internal apps are the ones where you upload APKs directly into the EMM console, and then the EMM pushes the apps directly to your devices. The mechanism is ages old, kinda works, but less and less in newer versions of Android:
- They do not work with Work Profile (Android 5+)
- Within closed networks, the installations might fail (Android 8+)
- The newer Android Application Bundle format (mandatory for Play beginning H2 2021) is not 1:1 backwards compatible with the APKs used for Internal apps – things might break or developers will have to create additional builds.
- When using COPE (Android 8-10), the internal apps land on the personal side of the device
Thus, the days of internal apps are numbered, and the proposed replacement is the Managed Play Store. But the biggest issue was Internal Apps and COPE.
Internal Apps and COPE 8-10 and COPE 11
As mentioned before, when using COPE (Android 8-10), the internal apps land on the personal side of the device. This causes confusion and makes them unable to communicate with the rest of the apps within the Work Profile, and thus COPE + Internal Apps = bad idea. Though I know that some use it, for example to specifically push apps such as MTD or MFA to the personal side of the device. In my view this is “cheating” anyway, and can be solved by other means.
But with Android 11 it gets better – the COPE concept of Android 11 (Work Profiles on Company Owned Devices) leaves no space for internal apps at all! And since they are not supposed to exist on those devices – guess what happens?
What happens is that the user would get a system notification (generated by Android itself) which says “An account was deleted. Delete apps unassociated with any account.”
Now, that would be very good for business continuity, wouldn’t it?
How do I deal with that?
You have two choices:
- If you don’t care about Work Profile – move the devices to Fully Managed mode instead of COPE. In fact, Android 11 offers this option during upgrade (check if your EMM supports it first!).
- If you do care about Work Profile – move your apps to Managed Play Store, which I have already covered here. The re-uploading of in-house APKs is fairly simple. However, if you use 3rd party apps you may run into the “Package ID already exists” error. In this case you need to talk to the app’s developer and show them this article if they are new to Android Enterprise.
How it all ends (summary)
- Internal apps with COPE were a bad idea from the start
- Google cares about you, so you can no longer follow this bad idea 😊
- For the closed networks / rugged use cases you can still use the internal apps w/o issues on Fully Managed devices
- For everything else – Managed Play Store or die
- For those using MTD on the personal side of the device, conditional access and device compliance integration become ever more important
P.S. Managed Play Store has gotten MASSIVELY better this year with proper version and update control per app(!). It will be covered in one of the future posts.
What do you think? Will this affect you or your customers?