Adding in-house apps for Android

In-house apps are internally developed apps that are uploaded to Ivanti EPMM. Ivanti EPMM makes the apps available to Android devices based on labels that you assign to the apps and devices. You add in-house apps to the App Catalog in the Ivanti EPMM Admin Portal.

Upon upgrade to Android 11, the Ivanti Mobile@Work client no longer supports in-house apps for devices that migrate from Company Owned Managed Profile (COMP) mode. This also applies to new Android 11 devices provisioned as Work Profile on Company Owned Device mode.

If your company needs time to plan the migration from Managed Device with Work Profile (COPE) mode to Work Profile on Company Owned Device mode, you can freeze firmware updates to Android 11 devices for up to 90 days. For more information, see "Setting the system update policy for Android devices" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

If you are adding a new version of an existing app, see Adding new versions of an existing Android app.

App restrictions with in-house applications for Android

In Android Enterprise modes, applications are typically deployed through a channel using i-Frame provided by Google. In specific scenarios where the Ivanti EPMM deployment is inside closed networks (Airgapped), there is no access to i-Frames. As a result, Google mobile services (GMS) applications need to be deployed as in-house applications. For information, see "Setting up Ivanti EPMM with a closed network / AOSP deployment" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

When the administrator downloads the app from Google Play Store or from Samsung and then uploads the app as an in-house app in Ivanti EPMM, the administrator needs to configure the app restrictions that are available for the app. The administrator can create multiple app restrictions for the same app and distribute that app as an in-house application directly to Ivanti Mobile@Work without using Google Play. Similar to multiple app restrictions of the Android Enterprise public app, the multiple app configurations can be managed via different labels.

This feature applies to any app that supports app restrictions, including the Samsung Knox Service Plugin.

After setting the app restrictions, be sure to apply labels.

  • For Ivanti EPMM 11.7.0.0 and below, in-house apps in Apps@Work are not visible for device users to see. These apps are only supported with Silent Install and are assigned to devices in Work Managed Device mode (DO), Managed Device with Work Profile (COPE) mode and Work Managed Device non-GMS (AOSP) mode.
  • For Ivanti EPMM 11.8.0.0 +, in-house apps are available on Apps@Work even without the Silent Install option being selected. Device users can see all apps assigned to them in the Apps@Work catalog and are able to browse through the apps and download any app manually. Applicable to Work Managed Device (DO) mode, Managed Device with Work Profile (COPE) mode and Work Managed Device non-GMS (AOSP) mode.

    The administrator must re-upload the In-house apps to have the App Restrictions and Permissions features available on their apps. It is recommended to delete the existing app before uploading a new version.

Closed network / AOSP

  • In closed networks / AOSP deployments, all apps need to be uploaded as in-house apps using their .apks since there is no access to Google's application bundles.
  • When importing an in-house app for a closed network / AOSP deployment, it is mandatory to have the Install this app for Android enterprise check box selected. Select Enable AOSP app restrictions to have the configuration settings / app restrictions for in-house apps display in the App view page in the App Catalog.

    You must have AOSP enabled (Services > Google > Enable registration of fully managed device in Non-GMS mode.)

  • When an app is associated to a closed network / AOSP (Android Open Source Project), an icon displays next to the app. For example, as an in-house app, the Ivanti Email+ icon has the closed network icon added to it.

  • For Always-On VPN for AOSP for Android Enterprise devices, an additional step is to go into Services > Sentry, and add a new Standalone Sentry with a public certificate. For more information, see "Always-On VPN for AOSP for Android Enterprise devices" in Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

Adding in-house apps

Procedure 

  1. Go to Apps > App Catalog.
  2. Click Add+ to open the app wizard.
  3. Click In-house.
  4. Click Browse and navigate to the in-house app (.apk) you want to upload.

    You cannot upload an in-house app that exceeds 2.15 GB.

  5. Click Next.

    The app wizard examines the selected package to ensure that it meets requirements for in-house apps distributed for Android devices. If the package is acceptable, the next screen displays.

  6. Use the guidelines in the App Wizard Screen Information section, below, to complete the rest of the screens in the app wizard, clicking Next where applicable.

  7. Click Finish.

    The app displays in the App Catalog screen. The Source column displays the app as an in-house app.

  8. In order to distribute your app from Google Play store, you need to download the APK Definition file and add the app license key to Ivanti EPMM.

App Wizard Screen Information

Following are the inputs for the App Wizard screens:

Table 1. General

Item

Description

Application Name

Displays the app name defined by the app developer. This is the name that displays to device users. This field is not editable.

Display Version

Displays the version number defined by the app developer. This is the version that displays to device users. This field is not editable.

Code Version

Displays the version defined for the package. This item is not editable.

Category

Select a category if you would like this app to be displayed in a specific group of apps on the device or add a new category.

  1. Click Add New Category to define new categories.
  2. Enter a category Name (up to 64 characters).
  3. Enter a Description (up to 255 characters).
  4. In the Category Icon section, click the Replace Icon button.
  5. Browse and select an icon that will represent this Category.
  6. Click Save.

Table 2. Apps@Work Catalog

Item

Description

Use Global App Config Settings Policy

Selecting the check box makes the policy settings take priority over the app settings if and only if the global policy is created and available for a particular device. Leaving the check box empty means the app's configuration settings will be used. For more information, see "Global App Config Settings policy" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

Hide this App from the Apps@Work catalog

If the check box is selected, this app will not display in the Featured Apps tab in Apps@Work.

Feature this App in the Apps@Work catalog

If the check box is selected, this app appears in the Featured Apps tab in Apps@Work.

Featured Banner

Select to add the app to the featured banner at the top of the Apps@Work home screen on devices. The latest five apps will be picked to be part of Apps@Work Home page. Additional settings display:

  • Short Description - Enter a short description that will display in the banner. The Preview will display what it will look like on the client.

  • Banner Style - Select the Light Banner Style option. You can see what your banner will look like in the Preview. The Dark, Blue, Green and Orange options will work in a later release.

When tapping the banner, device users see the details of the featured app. Add as many apps as you like to the featured banner, but the featured banner will only display the five most recent apps added to the featured banner. Apps in the featured banner are rotated every five seconds.

Allow app downloads over insecure networks

Select the check box if you are providing an Override URL (next field) that uses the HTTP URL scheme instead of HTTPS. Override URLs are intended for use behind a firewall, using a trusted and secure internal network. Before you use an HTTP URL, make sure you understand the risks of using an insecure connection.

Override URL

If you are using an alternate source for downloading in-house apps, enter that URL here. The URL must point to the in-house app in its alternate location.

Override URLs are intended for use behind a firewall, using a trusted and secure internal network. Manual synchronization is required with the alternate HTTP server on which the apps are stored.

See Override for in-house app URLs for the requirements for this configuration before using it.


App Icon

Click the Replace Icon button to replace the icon.

Screenshots

  • Click Upload to select and upload optional screenshot files in PNG, GIF, or JPG formats. The supported dimensions are 480x800 pixels and 480x854 pixels. We recommend PNG for best resizing.
  • To upload additional screenshots, click Upload.
  • To clear the field, click Remove.

Table 3. App Installation Settings

Item

Description

Silent install for Mandatory Apps

This feature only applies to devices that support silent installation. This feature is not supported for MAM-only Android devices.

De-selecting the check box means the device user will need to manually install the app.

If this check box is selected for Android Enterprise apps, the apps will be installed on the device with a higher priority than the "Silent install for work managed devices" option (irrespective of the constraints set for "Silent install for work managed devices.") This is because Ivanti EPMM will send the request to Google and Google then forwards the request to the Android devices.

Administrators will need to disable "Silent install for Mandatory Apps" if they want to configure the apps via the "Silent install for work managed devices" option. For more information, see Silent install and uninstall of mandatory apps.

If the Android Enterprise public app is rendered as an AOSP in-house app, then use the Silent install for work managed devices option to install the app silently on the AOSP-device owned (DO) device.

Enforce conversion from unmanaged to managed app

Every hour, Ivanti EPMM reviews all the devices that had last checked-in for any unmanaged apps and, if applicable, sends the unmanaged to managed app conversion request to that device. If there is an unmanaged app installed on the device, device users will not immediately get the prompt for change management.

Table 4. Per App VPN Settings

Item

Description

Per App VPN by Label Only

Select this check box to require the Per App VPN configuration to be assigned to a label that matches the device, then select one of the pre-configured Per-App VPN in the field below. If there is no associated label between the VPN configuration and the device, Per App VPN will not be installed on the device.

De-select this check box to assign the per App VPN based on the selections in the Per App VPN field, ignoring labels. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will change in future Ivanti EPMM releases and become selected by default.

Ivanti does not recommend using Per App VPN with apps that utilize device spaces.

Per app VPN is not supported for MAM-only Android devices.

Table 5. Android Enterprise (All Modes)

Item

Description

Install this app for Android enterprise

Selecting this check box displays additional fields for Android Enterprise app settings. You must be a Global Space administrator to use this setting. Select to enable public and private apps available to device users for download to Android devices. You can change the “Install this app for Android enterprise” setting for each app in the app’s details page at any time.

Silent install for work managed devices

This feature is specifically for private in-house Android Enterprise apps and applies only to devices that support silent installation.

Clearing the check box means the device user will need to manually install the app.

If this check box is selected, then the apps will be installed on the device according to the app constraints and time it takes to install. The app is installed when the device checks in with Ivanti EPMM. User action is not required.

If "Silent install for Mandatory Apps" is enabled along with "Silent install for work managed devices," then "Silent install for Mandatory Apps" will take precedence and the app will be installed on the device irrespective of the constraints set for the "Silent install for work managed devices" option. Administrators will need to disable "Silent install for Mandatory Apps" if they want to configure the apps via the "Silent install for work managed devices" option.

Silent install is not supported for MAM-only Android devices.

Additional settings can be made for silent installs of work managed devices. These settings are applicable for public and private apps. Prerequisite apps are pushed before dependent apps.

Auto Install Mode - Self hosted apps will not be auto installed.

  • Do not Auto Install
  • Auto Install Once - recommended by Ivanti.
  • Force Install (default)

Install Priority - You can prioritize downloading of specific apps before other apps. For example, prioritizing the download of Tunnel and Email apps before other non-critical apps.

  • Low
  • Medium (default)
  • High

Install only when connected to Wi-Fi - Default is de-selected.

Install only when charging - Default is de-selected.

Install only when Idle - Default is de-selected.

For more information, see Silent install and uninstall of mandatory apps.

If the Android Enterprise public app is rendered as an AOSP in-house app, then use the Silent install for work managed devices option to install the app silently on the AOSP-device owned (DO) device.

Block Widget on Home Screen

If selected, the app cannot place widgets on the home screen on work profile devices. For example, calendar apps are not permitted to place calendar widgets on the home screen.

Block Uninstall

Select this feature to prevent the device user from uninstalling the app. This is especially helpful for mandatory apps.

Quarantine app when device is quarantined

Required for:

  • Work Profile mode
  • Managed Device with Work Profile (COPE) mode on Android devices versions 8-10
  • Work Profile on Company Owned Devices mode (Android 11 or newer versions)

Selected by default, this field enables configured compliance actions to hide the app if a policy violation results in a quarantined device.

A second step is required to enable this feature: configure a corresponding compliance action and security policy with that compliance action selected. Once the device is no longer quarantined, the app can be used again. If this option is deselected, the app is available for usage, even when the device is quarantined.

If you change the setting after the app is added, the changed setting will be applied to the app.

Auto Launch Application on Install

Select to have applications auto-launch and come to the foreground when installation is completed on the device. With registration, every installation of the app opens in the foreground.

A typical use case would be for a security/VPN app that needs to be configured by the device user before the device can be protected.

Applicable to:

  • Any Android Enterprise application in the App Catalog
  • Android devices 6.0 or newer versions
  • Device Owner mode - Managed public, private and in-house apps
  • Managed Device with Work Profile mode - Managed public and private apps within Work Profile; in-house apps on device.
  • Work Profile on Company Owned Device mode - Managed public and private apps within Work Profile.

This functionality requires the Ivanti Mobile@Work app to be in the foreground and active for Work Profile mode and Work Profile on Company Owned Devices mode.

Enable app restrictions only for AOSP

De-selected by default. Select to enable AOSP app restrictions for in-house apps to display in the App view page of the App Catalog.

You must have AOSP enabled (Services > Google > Enable registration of fully managed device in Non-GMS mode.)

Applicable to:

  • Work Managed Device - non GMS (AOSP) mode

In order to distribute your app from Google Play store, you need to download the APK Definition file and add the app license key to Ivanti EPMM.

Enable app restrictions for Android Enterprise devices

De-selected by default. Select to enable app restrictions for in-house Android Enterprise apps to display in the App view page of the App Catalog.

Applicable to:

  • Work Managed Device mode
  • Managed Device with Work Profile mode

Table 6. Delegated Permissions

Item

Description

Delegated Permissions

Expand this section to apply delegated permissions to this app. Applicable on managed devices. For more information, see Delegated permissions for in-house apps.

Configure third-party app runtime permissions

Select this check box to modify runtime permissions for other apps.

  • Applicable to in-house and public / private apps for managed devices and Managed Devices with Work Profile (COPE) mode starting from Android 8.
  • Applicable to public / private apps on managed profiles.
  • Applicable to public / private apps on Work Profile on Company Owned Device mode starting from Android 11.

Hide and suspend third-party apps

Select this check box to delegate access to this app to have permission to hide and suspend apps.

  • Applicable to in-house and public / private apps for managed devices and Managed Devices with Work Profile (COPE) mode starting from Android 8.
  • Applicable to public / private apps on managed profiles.
  • Applicable to public / private apps on Work Profile on Company Owned Device mode starting from Android 11.

Manage certificates

Select this check box to allow this app to have access to certificate APIs on the device.

  • Applicable to in-house and public / private apps for managed devices and Managed Devices with Work Profile (COPE) mode starting from Android 8.
  • Applicable to public / private apps on managed profiles.
  • Applicable to public / private apps on Work Profile on Company Owned Device mode starting from Android 11.

Manage app configurations

Select this check box to delegate app restrictions management.

Applicable to public, private, and in-house apps.

Manage blocking app uninstallation

Select this check box to manage blocking/unblocking uninstallation of other apps.

Applicable to public, private, and in-house apps.

Manage enabling system apps

Select this check box to delegate enabling system apps.

Applicable to public, private, and in-house apps.

Manage certificate selection

Select this check box to grant key pair to app and revoke key pair to app. Once granted, the app will receive the private key alias. The Device Owner or Managed Profile Owner will no longer receive the private key alias. There can be at most one app that has this delegation. If another app already had delegated certificate selection access, it will lose the delegation when a new app is delegated.

The delegated app call also grants keychain keys to other apps.

Applicable to public, private, and in-house apps.

This permission can only be granted by Device Owner or Managed Profile Owner.

Example: Allowing apps to control when to prompt the device user to select the certificates. Useful if you want to have your own certificate app instead of passing certificates through Ivanti EPMM.

Manage retention of uninstalled apps

Select this check box to keep uninstalled apps.

Applicable to public, private, and in-house apps.

Manage network log collection

Select this check box to manage the network log collection. The delegated app will receive network logs and the device user will no longer receive the callback. There can be at most one app that has this delegation. If another app already had delegated network logging access, it will lose the delegation when a new app is delegated.

Applicable to public, private, and in-house apps.

Device Owner can grant this access from Android 10+. Profile Owner of a managed profile can grant access from Android 12+.

Example: If your company wants to collect network logs on their own and not through Ivanti EPMM.

Manage security log collection

Select this check box to manage the security log collection. The delegated app will receive security logs and the device user will no longer receive the callback. There can be at most one app that has this delegation. If another app already had delegated security logging access, it will lose the delegation when a new app is delegated.

Applicable to public, private, and in-house apps.

This permission can only be granted by Device Owner or Managed Profile Owner.

Example: If your company wants to collect security logs on their own and not through Ivanti EPMM.

Manage installation of existing apps

Select this check box to manage installation of other existing apps available on the device.

Applicable to public, private, and in-house apps.
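
The following is an added example, not Ivanti code: a small Python linter that applies rules stated in the tables above (HTTP override URLs, silent-install precedence, the quarantine setting, and the delegations that only one app can hold) to a constructed settings inventory. The record layout and field names are assumptions made for this example; they are not an Ivanti EPMM export format or API.

```python
"""Lint in-house app settings against rules stated on this page (added example)."""
from collections import defaultdict
from urllib.parse import urlparse

# Delegations the page says at most one app can hold at a time.
EXCLUSIVE = ("certificate_selection", "network_log_collection",
             "security_log_collection")
# Constraints of "Silent install for work managed devices".
CONSTRAINTS = ("wifi_only", "charging_only", "idle_only")


def audit_app(app):
    """Return findings for one app record (field names are hypothetical)."""
    findings = []
    is_http = urlparse(app.get("override_url", "")).scheme.lower() == "http"
    allow_insecure = app.get("allow_insecure_download", False)
    if is_http:
        findings.append("override URL uses HTTP: APK is downloaded over an "
                        "insecure connection")
        if not allow_insecure:
            findings.append("HTTP override URL, but 'Allow app downloads over "
                            "insecure networks' is not selected")
    elif allow_insecure:
        findings.append("'Allow app downloads over insecure networks' is "
                        "selected without an HTTP override URL")
    # "Silent install for Mandatory Apps" takes precedence, so constraints
    # set for "Silent install for work managed devices" are not honoured.
    ignored = [c for c in CONSTRAINTS if app.get(c, False)]
    if (app.get("silent_install_mandatory", False)
            and app.get("silent_install_work_managed", False) and ignored):
        findings.append("install constraints ignored (" + ", ".join(ignored)
                        + "): 'Silent install for Mandatory Apps' is enabled")
    # The quarantine option is selected by default; flag explicit opt-outs.
    if not app.get("quarantine_with_device", True):
        findings.append("app stays usable while the device is quarantined")
    return findings


def audit_catalog(apps):
    """Return (app name, finding) pairs, including cross-app conflicts."""
    report = []
    holders = defaultdict(list)
    for app in apps:
        report += [(app["name"], f) for f in audit_app(app)]
        for delegation in app.get("delegations", ()):
            if delegation in EXCLUSIVE:
                holders[delegation].append(app["name"])
    for delegation in EXCLUSIVE:
        names = holders[delegation]
        if len(names) > 1:
            report.append(("catalog", delegation + " delegated to "
                           + ", ".join(names) + ": only one app can hold it"))
    return report


# Constructed sample inventory; app names and URLs are made up.
SAMPLE_CATALOG = [
    {"name": "Field Tool",
     "override_url": "http://apps.intranet.example/fieldtool.apk",
     "allow_insecure_download": True,
     "silent_install_mandatory": True, "silent_install_work_managed": True,
     "wifi_only": True, "delegations": ["network_log_collection"]},
    {"name": "Log Shipper",
     "override_url": "https://apps.intranet.example/logshipper.apk",
     "quarantine_with_device": False,
     "delegations": ["network_log_collection", "app_configurations"]},
    {"name": "Cert Picker", "delegations": ["certificate_selection"]},
]

if __name__ == "__main__":
    for name, finding in audit_catalog(SAMPLE_CATALOG):
        print(f"{name}: {finding}")
```
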

Delegated permissions for in-house apps

For Android 8.0 and above devices, Ivanti Mobile@Work allows delegation permissions for in-house apps in Managed Device with Work Profile (COPE) mode. See also Delegated permissions for Google Play apps.

  • For in-house Apps (Apps pushed by Ivanti EPMM):
    • After the app is installed, delegated permissions are applied by Ivanti Mobile@Work.
    • This is supported for Samsung and non-Samsung devices running Android 8.0 or newer versions.
  • For in-house Apps on Samsung Knox V3 devices (Android 8.0 and above):
    • Apps are assigned to device in Managed Device with Work Profile (COPE) mode and whitelisted for Knox V3 workspace.
    • Apps are silently installed by Ivanti Mobile@Work on the personal (Device Owner) side and then immediately hidden and moved to the Knox V3 workspace (Managed Device with Work Profile (COPE) mode.)
    • At the time the app is moved into the Knox V3 workspace, delegated permissions are applied.

Installing regular in-house apps inside the Managed Device with Work Profile (COPE) mode is not supported.

Adding new versions of an existing Android app

When uploading a newer version of an app, an extra page opens to allow you to select whether to keep the app's old version information or to adopt the information from the app's new version. This feature is applicable to Android in-house / private / self-hosted apps.

Procedure 

  1. In the App Catalog, click the Add+ button.

    The Add App Wizard opens.

  2. Click In-House.
  3. Click Browse and navigate to the in-house Android or Android Enterprise app you want to upload.
  4. Click Next.

    The "An earlier version of this App exists" page opens.

  5. Select an option:

    • Another version of this App was previously uploaded. Reuse its description, icon and screenshot(s). If the Description, Icon or Screenshot fields of the new app are empty, then the system will populate those fields with information from the previous app version (default).
    • Upload a new description, icon or screen shot. Information related to the Description, Icon or Screenshot fields of the new App will be utilized. If those fields are empty, nothing will be copied from the previous app version.
  6. Click Next and finish configuring the new version of your app (see Adding your Android Enterprise private app using the app wizard).

Once finished, the new version displays in the App Catalog.