Adding in-house apps for Android
In-house apps are internally developed apps that are uploaded to Core. Core makes the apps available to Android devices based on labels that you assign to the apps and devices. You add in-house apps to the App Catalog in the Core Admin Portal.
Upon upgrade to Android 11, the Mobile@Work client no longer supports in-house apps for devices that migrate from Work Profile mode to Managed Device with Work Profile (COPE) mode. This also applies to new Android 11 devices provisioned as Work Profile for Company Owned Device mode.
If your company needs time to figure out the migration plan for changing from Managed Device with Work Profile (COPE) mode to Work Profile for Company Owned Device mode, you can freeze firmware updates to Android 11 devices for up to 90 days. For more information, see "Setting the system update policy for Android devices" in the Core Device Management Guide for Android and Android Enterprise Devices.
If you are adding a new version of an existing app, see Adding new versions of an existing Android app.
App restrictions with in-house applications for Android
In Android Enterprise modes, applications are typically deployed through a channel using i-Frame provided by Google. In specific scenarios where the Core deployment is inside closed networks (Airgapped), there is no access to i-Frames. As a result, Google mobile services (GMS) applications need to be deployed as in-house applications. For information, see "Setting up Core with a closed network / AOSP deployment" in the Core Device Management Guide for Android and Android Enterprise Devices.
When the administrator downloads the app from Google Play Store or from Samsung and then uploads the app as an in-house app in Core, the administrator needs to configure the app restrictions that are available for the app. The administrator can create multiple app restrictions for the same app and distribute that app as an in-house application directly to Mobile@Work without using Google Play. Similar to multiple app restrictions of the Android Enterprise public app, the multiple app configurations can be managed via different labels.
This feature applies to any app that supports app restrictions, including the Samsung Knox Service Plugin.
Note The Following:
- When an app is associated with a closed network / AOSP (Android Open Source Project), an icon displays next to the app. For example, as an in-house app, the Email+ icon has the closed network icon added to it.
- In closed networks / AOSP deployments, all apps need to be uploaded as in-house apps using their .apks since there is no access to Google's application bundles.
- When importing an in-house app for a closed network / AOSP deployment, it is mandatory to have the Install this app for Android enterprise check box selected. Select Enable AOSP app restrictions to have the configuration settings / app restrictions for in-house apps display in the App view page in the App Catalog.
  You must have AOSP enabled (Services > Google > Enable registration of fully managed device in Non-GMS mode).
- After setting the app restrictions, be sure to apply labels.
Adding in-house apps
Procedure
- Go to Apps > App Catalog.
- Click Add+ to open the app wizard.
- Click In-house.
- Click Browse and navigate to the in-house app (.apk) you want to upload.
  You cannot upload an in-house app that exceeds 2.15 GB.
- Click Next.
  The app wizard examines the selected package to ensure that it meets requirements for in-house apps distributed for Android devices. If the package is acceptable, the next screen displays.
- Use the following guidelines to complete the rest of the screens in the app wizard, clicking Next where applicable:
Section
Item
Description
General
Application Name
Displays the app name defined by the app developer. This is the name that displays to device users. This field is not editable.
Display Version
Displays the version number defined by the app developer. This is the version that displays to device users. This field is not editable.
Code Version
Displays the version defined for the package. This item is not editable.
Description
Enter any additional text that helps describe what the app is for. Users can see this text in Apps@Work.
Select a category if you would like this app to be displayed in a specific group of apps on the device or add a new category.
1. Click Add New Category to define new categories.
2. Enter a category Name (up to 64 characters).
3. Enter a Description (up to 255 characters).
4. In the Category Icon section, click the Replace Icon button.
5. Browse and select an icon that will represent this Category.
6. Click Save.
Apps@Work Catalog
If the check box is selected, this app appears in the Featured Apps tab in Apps@Work.
Featured Banner
Selecting the check box will display this app as part of the top banner on the Apps@Work Home page on end users' devices. The latest five apps will be picked to be part of Apps@Work Home page.
Allow app downloads over insecure networks
Select the check box if you are providing an Override URL (next field) that uses the HTTP URL scheme instead of HTTPS.
Override URLs are intended for use behind a firewall, using a trusted and secure internal network. Before you use an HTTP URL, make sure you understand the risks of using an insecure connection.
Override URL
If you are using an alternate source for downloading in-house apps, enter that URL here. The URL must point to the in-house app in its alternate location.
Override URLs are intended for use behind a firewall, using a trusted and secure internal network. Manual synchronization is required with the alternate HTTP server on which the apps are stored.
See Override for in-house app URLs for the requirements for this configuration before using it.
App Icon
• Click the Replace Icon button to replace the icon.
Screenshots
• Click Upload to select and upload optional screenshot files in PNG, GIF, or JPG formats. The supported dimensions are 480x800 pixels and 480x854 pixels. We recommend PNG for best resizing.
• To upload additional screenshots, click Upload.
• To clear the field, click Remove.
App Installation Settings
Require the user to install the latest version of the app in order to run it
Select the check box to ensure the user installs the latest version of this app.
IMPORTANT: You must select this check box for the entries for each version of this same app in order for this feature to take effect. Clear the check box for all versions of this app to allow users to work with any version of this app.
For more information, see Specify latest version required for a secure app.
Silent install for Mandatory Apps
This feature only applies to devices that support silent installation. This feature is not supported for MAM-only Android devices.
• De-selecting the check box means the device user will need to manually install the app.
• If this check box is selected for Android Enterprise apps, the apps will be installed on the device with a higher priority than the "Silent install for work managed devices" option (irrespective of the constraints set for "Silent install for work managed devices"). This is because Core will send the request to Google and Google then forwards the request to the Android devices.
Administrators will need to disable "Silent install for Mandatory Apps" if they want to configure the apps via the "Silent install for work managed devices" option. For more information, see Silent install and uninstall of mandatory apps.
If the Android Enterprise public app is rendered as an AOSP in-house app, then use the Silent install for work managed devices option to install the app silently on the AOSP device owner (DO) device.
Per App VPN Settings
Per App VPN by Label Only
Select this check box to require the Per App VPN configuration to be assigned to a label that matches the device. If there is no associated label between the VPN configuration and the device, Per App VPN will not be installed on the device.
Clear this check box to assign the per App VPN based on the selections in the Per App VPN field, ignoring labels.
Per app VPN is not supported for MAM-only Android devices.
License Required
The Selected VPNs column lists the VPN configuration that may be installed on the device, in priority order:
• If Per App VPN by Label Only is selected, then the VPN configuration must be assigned to a label matching the device in order to be installed. The first VPN in the list that is also assigned to a label associated with the device has the highest priority.
• If Per App VPN by Label Only is not selected, then the VPN configurations listed are in priority order and do not need to be assigned to a label matching the device.
To populate the Selected VPNs column, select the VPN configuration you created for per app VPN in the All VPNs column, and click the right arrow. You can select multiple per app VPN settings.
To reorder the per app VPN configurations in the Selected VPNs column, drag the configuration names to the correct positions in the list.
See “VPN settings” in the Core Device Management Guide for information on creating a per app VPN.
Per app VPN is not supported for MAM-only Android devices.
Android Enterprise (All Modes)
Install this app for Android enterprise
Selecting this check box displays additional fields for Android Enterprise app settings. You must be a Global Space administrator to use this setting. Select to enable public and private apps available to device users for download to Android devices. You can change the “Install this app for Android enterprise” setting for each app in the app’s details page at any time.
Silent install for work managed devices
This feature is specifically for private in-house Android Enterprise apps and applies only to devices that support silent installation.
• Clearing the check box means the device user will need to manually install the app.
• If this check box is selected, then the apps will be installed on the device according to the app constraints and time it takes to install. The app is installed when the device checks in with Core. User action is not required.
If "Silent install for Mandatory Apps" is enabled along with "Silent install for work managed devices," then "Silent install for Mandatory Apps" will take precedence and the app will be installed on the device irrespective of the constraints set for the "Silent install for work managed devices" option. Administrators will need to disable "Silent install for Mandatory Apps" if they want to configure the apps via the "Silent install for work managed devices" option.
Silent install is not supported for MAM-only Android devices.
Additional settings can be made for silent installs of work managed devices. These settings are applicable for public and private apps. Prerequisite apps are pushed before dependent apps.
• Auto Install Mode - Self hosted apps will not be auto installed.
  - Do not Auto Install
  - Auto Install Once - recommended by MobileIron.
  - Force Install (default)
• Install Priority - You can prioritize downloading of specific apps before other apps. For example, prioritizing the download of Tunnel and Email apps before other non-critical apps.
  - Low
  - Medium (default)
  - High
• Install only when connected to Wi-Fi - Default is de-selected.
• Install only when charging - Default is de-selected.
• Install only when Idle - Default is de-selected.
For more information, see Silent install and uninstall of mandatory apps.
If the Android Enterprise public app is rendered as an AOSP in-house app, then use the Silent install for work managed devices option to install the app silently on the AOSP device owner (DO) device.
Block Widget on Home Screen
If selected, the app cannot place widgets on the home screen on work profile devices. For example, calendar apps are not permitted to place calendar widgets on the home screen.
Block Uninstall
Select this feature to prevent the device user from uninstalling the app.
Quarantine app when device is quarantined
Required for:
• Work Profile mode
• Managed Device with Work Profile (COPE) mode on Android devices versions 8-10
• Work Profile on Company Owned Devices mode (Android 11 or newer versions)
Selected by default, this field enables configured compliance actions to hide the app if a policy violation results in a quarantined device.
A second step is required to enable this feature: configure a corresponding compliance action and security policy with that compliance action selected. Once the device is no longer quarantined, the app can be used again. If this option is deselected, the app is available for usage, even when the device is quarantined.
Note The Following:
• If you change the setting after the app is added, the changed setting will be applied to the app.
Auto Launch Application on Install
Select to have applications auto-launch and come to the foreground when installation is completed on the device. With registration, every installation of the app opens in the foreground.
A typical use case would be for a security/VPN app that needs to be configured by the device user before the device can be protected.
Applicable to:
- Any Android Enterprise application in the App Catalog
- Android devices 6.0 or newer versions
- Device Owner mode - Managed public, private and in-house apps
- Managed Device with Work Profile mode - Managed public and private apps within Work Profile; in-house apps on device
- Work Profile on Company Owned Device mode - Managed public and private apps within Work Profile
Enable AOSP app restrictions
De-selected by default. Select to enable configuration settings / app restrictions for in-house apps to display in the App view page of the App Catalog.
You must have AOSP enabled (Services > Google > Enable registration of fully managed device in Non-GMS mode.)
Applicable to:
- Work Managed Device mode
- Work Profile mode
- Managed Device with Work Profile mode
- Work Profile on Company Owned Device mode
In order to distribute your app from Google Play store, you need to download the APK Definition file and add the app license key to MobileIron Core.
Delegated Permissions
Delegated Permissions
Expand this section to apply delegated permissions to this app. Applicable on managed devices. For more information, see Delegated permissions for in-house apps.
Configure third-party app runtime permissions
Select this check box to modify runtime permissions for other apps.
- Applicable to in-house and public / private apps for managed devices and Managed Devices with Work Profile (COPE) mode starting from Android 8.
- Applicable to public / private apps on managed profiles.
- Applicable to public / private apps on Work Profile for Company Owned Device mode starting from Android 11.
Hide and suspend third-party apps
Select this check box to delegate to this app the permission to hide and suspend apps.
- Applicable to in-house and public / private apps for managed devices and Managed Devices with Work Profile (COPE) mode starting from Android 8.
- Applicable to public / private apps on managed profiles.
- Applicable to public / private apps on Work Profile for Company Owned Device mode starting from Android 11.
Manage certificates
Select this check box to allow this app to have access to certificate APIs on the device.
- Applicable to in-house and public / private apps for managed devices and Managed Devices with Work Profile (COPE) mode starting from Android 8.
- Applicable to public / private apps on managed profiles.
- Applicable to public / private apps on Work Profile for Company Owned Device mode starting from Android 11.
- Click Finish.
  The app displays in the App Catalog screen. The Source column displays the app as an in-house app.
- In order to distribute your app from Google Play store, you need to download the APK Definition file and add the app license key to MobileIron Core.
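The following is an added example, not part of the original guide or of Core itself: a pre-upload check for the size limit and the Override URL settings described in the wizard table above. It assumes the administrator has fetched a copy of the package back from the alternate server (mirror_copy_path), reads the 2.15 GB limit as decimal gigabytes, and uses the constructed host apps.example.internal; the function and parameter names are hypothetical.

```python
import hashlib
import os
import tempfile
from urllib.parse import urlsplit

# Assumption: the page's "2.15 GB" upload limit is read as decimal gigabytes.
MAX_APK_BYTES = 2_150_000_000

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large APKs are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def preflight(apk_path, override_url, mirror_copy_path,
              allow_insecure=False, max_bytes=MAX_APK_BYTES):
    """Return a list of findings; an empty list means the checks passed.
    apk_path         -- the package uploaded to Core
    mirror_copy_path -- the same package as fetched back from the override URL
    allow_insecure   -- state of "Allow app downloads over insecure networks"
    """
    findings = []
    if os.path.getsize(apk_path) > max_bytes:
        findings.append("size: package exceeds the 2.15 GB upload limit")

    # Assumption: only the two URL schemes the page names are accepted.
    scheme = urlsplit(override_url).scheme.lower()
    if scheme not in ("http", "https"):
        findings.append(f"url: unsupported scheme {scheme!r}")
    elif scheme == "http" and not allow_insecure:
        findings.append("url: HTTP override URL needs the insecure-networks check box")
    elif scheme == "http":
        findings.append("url: HTTP gives no transport integrity; rely on the hash check")

    # Manual synchronization means the mirror can silently drift from Core.
    if sha256_file(apk_path) != sha256_file(mirror_copy_path):
        findings.append("hash: mirror copy differs from the uploaded package; resync")
    return findings

if __name__ == "__main__":
    # Constructed sample data: two small files standing in for APKs.
    with tempfile.TemporaryDirectory() as tmp:
        uploaded = os.path.join(tmp, "app.apk")
        mirrored = os.path.join(tmp, "mirror.apk")
        for path, body in ((uploaded, b"v2"), (mirrored, b"v1")):
            with open(path, "wb") as fh:
                fh.write(body)
        for finding in preflight(uploaded, "http://apps.example.internal/app.apk", mirrored):
            print(finding)
```

Run it again after every manual synchronization of the alternate server, since a stale mirror copy is reported only by the hash comparison.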
Delegated permissions for in-house apps
For Android 8.0 and above devices, Mobile@Work allows delegated permissions for in-house apps in Managed Device with Work Profile (COPE) mode. See also Delegated permissions for Google Play apps.
- For in-house apps (apps pushed by Core):
  - Apps are assigned to devices in Managed Device with Work Profile (COPE) mode and will be installed silently by Mobile@Work on the personal (device owner) side.
  - After the app is installed, delegated permissions are applied by Mobile@Work.
  - This is supported for Samsung and non-Samsung devices running Android 8.0 or newer versions.
- For in-house apps on Samsung Knox V3 devices (Android 8.0 and above):
  - Apps are assigned to devices in Managed Device with Work Profile (COPE) mode and whitelisted for Knox V3 workspace.
  - Apps are silently installed by Mobile@Work on the personal (Device Owner) side and then immediately hidden and moved to the Knox V3 workspace (Managed Device with Work Profile (COPE) mode).
  - At the time the app is moved into the Knox V3 workspace, delegated permissions are applied.
Installing regular in-house apps inside the Managed Device with Work Profile (COPE) mode is not supported.
Adding new versions of an existing Android app
When uploading a newer version of an app, an extra page opens to allow you to select whether to keep the app's old version information or to adopt the information from the app's new version. This feature is applicable to Android in-house / private / self-hosted apps.
Procedure
- In the App Catalog, click the Add+ button.
  The Add App Wizard opens.
- Click In-House.
- Click Browse and navigate to the in-house Android or Android Enterprise app you want to upload.
- Click Next.
  The "An earlier version of this App exists" page opens.
- Select an option:
  - Another version of this App was previously uploaded. Reuse its description, icon and screenshot(s). If the Description, Icon or Screenshot fields of the new app are empty, then the system will populate those fields with information from the previous app version (default).
  - Upload a new description, icon or screen shot. Information related to the Description, Icon or Screenshot fields of the new App will be utilized. If those fields are empty, nothing will be copied from the previous app version.
- Click Next and finish configuring the new version of your app (see Adding your Android Enterprise private app using the app wizard in the Core Admin Portal).
Once finished, the new version displays in the App Catalog.